Apache and Secure Remote Access (SSL) to Network Shares (MIPSel)

From NAS-Central Buffalo - The Linkstation Wiki

Introduction

As many know, FTP is a very insecure method of transporting files. The main problem is that FTP usernames and passwords are transmitted in the "clear". There are a few better methods, like SFTP (SSH) or FTP over SSL, but these require that users have special client software capable of using them. This may pose a problem for Linkstation users. If you have many users, chances are some are novice computer users and don't want to go through the hassle of installing such client software. Since HTTP and the secure socket layer (SSL) protocol are included in most modern browsers, a solution is to install an Apache HTTP webserver to serve your files through a secure SSL connection.

Warning: This method is very customizable and therefore requires some basic HTML coding skills.

Prerequisites

In order to install Apache with SSL, we first have to do a few things.

  • Have OpenLink firmware and devtools installed.
  • Establish a symbolic link so that the sort command is provided by Busybox.
  • Update grep to version 2.5+. Reason: with the old version, Apache will not compile, install, and run correctly.
  • Change the system path to prefer user binaries (/usr/local/bin) over the root ones (/bin, /sbin).
  • Remove the outdated version of OpenSSL.

Fix Sort

We first need to fix the sort command. If this is not done, your programs will not compile correctly. We fix sort by creating a symbolic link to Busybox:

ln -s /bin/busybox /bin/sort

Update Grep

The next step is to update grep. This step is complicated, so be careful.

  • First, download grep from the GNU Project.
  • Extract the tarball and move to the new grep directory. The command is:
tar zxvf grep-2.5.NN.tar.gz
  • Next, configure, build and install grep with these commands:
./configure mipsel
make
make install

DO NOT UNINSTALL THE OLD VERSION OF GREP!!! Certain programs still depend on this version, and you will possibly lose terminal access to the Linkstation if you do.

Change System Path

In order for the Apache install script to use our new version of Grep, we need to modify the system path.

  • To do this:
vi /etc/profile
  • Then change
PATH="/bin:/sbin:...." to
PATH="/usr/local/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"
  • Restart the Linkstation
  • After the restart, check that grep installed correctly:
grep --version

The response should be version 2.5 or higher.

  • Note: In order for the global path to be used via telnet, "/etc/init.d/utelnetd" must be edited by:
vi /etc/init.d/utelnetd

change line

/sbin/utelnetd -l /bin/bash to
/sbin/utelnetd -l /bin/login

and reboot the Linkstation.

Remove Old OpenSSL

Enable Telnet before doing this step!!! OpenSSH may stop working once the old OpenSSL libraries are removed.

OpenSSL version 0.9.7e has a major security bug in it. To fix this problem, we need to update to the latest version of the 0.9.7 or 0.9.8 series; preferably, we will want to install 0.9.8b. You will probably need to reinstall OpenSSH after doing this, because OpenSSH depends on OpenSSL.

  • To remove the outdated version, remove the OpenSSL files by:
cd /usr
rm -r c_rehash openssl /usr/include/openssl
cd /usr/lib
rm libcrypto.a libssl.a libcrypto.so.0.9.7 libssl.so.0.9.7
  • If either "/usr/lib/engines" or "/usr/lib/pkgconfig" exist, then run:
cd /usr/lib/engines
rm lib4758cca.so libaep.so libatalla.so libchil.so libcswift.so libgmp.so libnuron.so libsureware.so libubsec.so
cd /usr/lib/pkgconfig
rm libcrypto.pc libssl.pc openssl.pc
  • Then search for files/directories named openssl or ssl and delete them. The -xdev option restricts the search to the system disk, so nothing saved on /mnt/hda is affected:
find / -name openssl -xdev -exec rm -r {} \;
find / -name ssl -xdev -exec rm -r {} \;

Installing New OpenSSL

After all the prerequisites have been met, we are ready to start compiling and installing.

  • Download latest OpenSSL from OpenSSL.org
  • Extract the tarball and move to the new openssl directory. The command is:
tar zxvf openssl-0.9.8NN.tar.gz

Compiling OpenSSL

  • In order for Apache and OpenSSH to work properly, we must enable shared library support in OpenSSL.
  • We also need to disable sha512 support in OpenSSL, because the current version of Devtools contains an outdated version of GCC that has a problem compiling the sha512 code. (Not much we can do about this currently if you're on an LS2 {gotta wait for kernel 2.6 to fully run correctly on the LS2}; on an LS1, upgrade the kernel to 2.6.) You don't really need the large hash (SHA-512) anyway.
  • Now to compile OpenSSL.

Use ./config, not ./configure:

./config --prefix=/usr --openssldir=/etc/ssl no-sha512 shared

Make and Install

After the Makefile is made, we need to run "make depend" because we disabled sha512 support. So run the following commands to make and install OpenSSL. This will take a while, so get a cup of coffee and relax.

make depend
make
make install

Reinstall OpenSSH

After OpenSSL is installed, reinstall OpenSSH. Sorry, this means a full recompile, as the OpenSSL headers have changed.

Compiling and Installing Apache 2.2

First, we must download the Apache webserver "Unix Source" from The Apache HTTP Server Project. Setting up version 2.2 is shown below.

Before we start compiling, we must decide what modules we need. Apache's modules include mod-ssl, mod-php, mod-mysql, etc. There are two ways of installing Apache modules: either statically or dynamically (DSO). Static means that the module is compiled into the Apache binary itself. This is done by using

./configure --enable-module_needed

For example, for mod-ssl we use

./configure --enable-ssl

Dynamic means that the modules are compiled separately and are loaded by Apache.

Look at Apache Module Index for help on Apache Modules.

  • Note: Not every Apache module can be installed statically or dynamically (ie. Php 5 must be installed as DSO). Please carefully read module documentation to decide how each module should be installed.

Configuring the Makefile

  • After you have decided which modules to use, untar the downloaded Apache tarball and move to that directory:
tar zxvf httpd-2.2.3.tar.gz
cd /absolute/path/to/apache/source/directory

The tar command will be slightly different depending on the Apache version you downloaded.

  • The basic configuration for this purpose should be:
./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so

You must pass --enable-so in order to add DSO (dynamic) module support.

  • If Apache complains when configuring that OpenSSL is not found, add
--with-ssl=/usr
  • The configuration to enable most of the common modules is
./configure --prefix=/usr/local/apache2 --enable-so --enable-cgi --enable-info \
--enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic

Make and Install

Compiling and installing Apache is just like any other compile-from-source program:

make
make install

Something to Consider

  • Currently, PHP is the most common server-side language for Apache (it is also supported by the Apache Foundation). You may want to use PHP to create a script to remotely upload files to your network shares.
  • Note, if you decide that you want XML support, your LS will have a difficult time compiling the necessary libs. The workaround is to install the already compiled libxml packages. Just untar from root libxml2-dev_2.6.26 and libxml2-2.6.26.
  • You can also use this neat script written by Mike Taylor to convert already compiled debian packages into tar.gz form. This is useful when installing libraries. Go to deb2targz or download here

TODO: Change --prefix to /mnt/hda/opt/apache2 and edit wiki accordingly

Configuring Apache

Configuring httpd.conf

To set up Apache, we first must edit httpd.conf. The file is located in /usr/local/apache2/conf. You can edit this file in any text editor, or use vi. We will be editing tags, or groups of tags, called "directives". Directives give Apache directions on how to run certain things.

  • First run:
vi /usr/local/apache2/conf/httpd.conf
  • Then change "ServerRoot" line to
ServerRoot "/usr/local/apache2"

or if Apache is not installed in /usr/local/apache2 to

ServerRoot "/absolute/path/to/apache2_dir"
  • Unsecured HTTP usually runs on port 80, so we should usually leave this. If you change the port to something else, e.g. 8080, you will have to access your webserver by using "http://yourdomain.xxx:8080"
Listen 80
  • Edit "ServerAdmin" and "ServerName" with your information.
ServerAdmin your_email_address
ServerName your.domain.xxx:port

It is very important to enter this correctly. "Port" is the number you entered in the "Listen" directive above.

  • Edit "DocumentRoot"
DocumentRoot "/your/www/directory"

You can leave this at the default or define a specific location where you want your web pages to be. For example, if you choose /usr/local/apache2/htdocs/, Apache will serve this directory to the internet.

  • Uncomment (remove # sign)
Include conf/extra/httpd-ssl.conf

This tells apache to look at httpd-ssl.conf for more directives.

Configuring httpd-ssl.conf

Now open httpd-ssl.conf, default is located in /usr/local/apache2/conf/extra/.

  • Leave the "Listen" directive at 443.

We are now creating what is known as a "virtual host". Apache is basically serving two directories. One through port 80 as unsecured http and the other through port 443 as secured. Note, when you type "https://anydomain.xxx", the browser automatically attempts to connect to the server at port 443.

  • Edit "DocumentRoot"

You will want to change the DocumentRoot here to a different directory than your unsecured one. That way you don't accidentally serve the "secure documents" through an unsecured connection.

Example

DocumentRoot "/usr/local/apache2/secure_folder"

Do not have this directory on a network share for security reasons.

Certificate Paths

Before we leave the httpd-ssl.conf file, we need to make sure that the certificate paths are correct. The directives that you need to be concerned with for certificate paths are:

SSLCertificateFile 
SSLCertificateKeyFile 
SSLCACertificateFile

Uncomment these values if they are commented (#). It is okay to leave the values at their defaults, but make sure you place the certs in those directories with the specified names (e.g. ca.crt).

  • The SSLCertificateFile is your server certificate.
  • The SSLCertificateKeyFile is the RSA key used to encrypt your server certificate.
  • The SSLCACertificateFile is the Certificate-Authority certificate used to issue your server certificate.


Your trusted Certificate Authority (where you bought your certificate, e.g. Verisign) will tell you which file is which.

If you decide to make a self-signed certificate with OpenSSL, you will have to be careful to correctly identify which file is which.

Warning: If you change the default location of your Apache certificate directory, make sure you place it in a secure location (not in a network share or DocumentRoot directory) where others do not have write access. This is especially important if you use a certificate key that is not password protected [in order to allow Apache to start up automatically without a password]. If an attacker obtains your key, he or she can then decrypt all of your communications.

Optimize Apache Memory Usage

Because Apache is a large program, we should optimize Apache's memory performance. We can do this by enabling the Apache "Server-pool management" configuration script.

  • First run:
vi /usr/local/apache2/conf/httpd.conf
  • Uncomment (remove #)
Include conf/extra/httpd-mpm.conf
  • Run:
vi /usr/local/apache2/conf/extra/httpd-mpm.conf
  • Edit "IfModule mpm_prefork_module" directive to:
<IfModule mpm_prefork_module>
    StartServers          1
    MinSpareServers       1
    MaxSpareServers       5
    MaxClients           50
    MaxRequestsPerChild   5000
</IfModule>

This will force Apache to run fewer spare servers. This setup will be okay for most Linkstation owners, as the Linkstation should be used for "private", low-volume services.

Certificates

In order to use SSL, we must have a SSL certificate. For our purposes, we can either purchase one or create a self-signed certificate. A self-signed certificate is free and is usually used for testing purposes, but since most people will use the Linkstation to offer private services (i.e. family, friends), a self-signed certificate will suffice.

The downside to using a self-signed certificate is that an annoying message pops up saying something like "this certificate is not trusted" when users attempt to contact your secure server.

Trusted CA

These companies (e.g. Verisign) issue SSL certificates to people and companies. They are trusted by most modern browsers and therefore do not trigger the "this certificate is not trusted" message that self-signed certificates do. The downside is that they are often expensive.

Self-signed Certificate

If you are interested in making a self-signed certificate with OpenSSL, please visit Creating a Self-signed SSL Certificate for a tutorial.

UPDATE: Please use OpenSSL compiled for Win32, such as Win32 OpenSSL from Shining Light Productions, for use with the above tutorial. Sorry for any problems. --jonli447

Note: We will want to create 1024-bit (128-byte) server and Certificate Authority keys rather than 4096-bit (512-byte) keys. We want to use 128-byte keys as these keys are the most secure AND compatible with current browsers.


TODO: Add minitutorial on self-signed certs as requested.

Installing the Certificates

Use the following commands to install your certificates into Apache.

cp /absolute/path/to/server.key /absolute/path/to/apache_certificate_directory/server.key
cp /absolute/path/to/server.crt /absolute/path/to/apache_certificate_directory/server.crt
cp /absolute/path/to/ca.crt /absolute/path/to/apache_certificate_directory/ca.crt
  • "/absolute/path/to/apache_certificate_directory" is the certificate path you specified in httpd-ssl.conf.

Using htpasswd (basic html coding knowledge required)

Now that Apache is installed with SSL support, we are ready to password protect and serve our network shares.

To do this, we will first need to create our web pages. This is where basic html coding experience comes into play.

Design your index page (index.html) to your heart's desire and place it in your unsecured DocumentRoot (the DocumentRoot specified in httpd.conf). The important thing is that you will want to have a way to reach your secured link (https).

For example, you may place a "login" button on your index page with a link to "https://yourdomain.xxx". Optionally, you can disable unsecured HTTP and require users to type "https://yourdomain.xxx" to access their shares. To do so, comment out (add # to) the "Listen" directive in httpd.conf.

.htaccess and htpasswd

You have two options for basic-authentication with apache.

  • First, you can create an .htaccess file.
  • Second, you can add a "Directory" directive to the config files (here would be httpd-ssl.conf).

Both methods require the use of Apache's htpasswd binary (Apache's basic password protection system). This file is located in /usr/local/apache2/bin.

Using .htaccess is highly discouraged, as Apache must read the file every time it accesses a password-protected file. So the second method will be explained here.

Configure the "Directory Directive"

  • Open httpd-ssl.conf with the text editor again.
vi /usr/local/apache2/conf/extra/httpd-ssl.conf
  • Somewhere in the file (doesn't really matter where, just not in the middle of any directives) add
<Directory "/absolute/path/to/secure_dir">
   Options Indexes FollowSymLinks
   Order Deny,Allow
   Allow from All
   AuthType Basic
   AuthName "Restricted Area"
   AuthUserFile /home/domain/.htpasswd
   AuthGroupFile /dev/null
   require user user_with_permission1 user_with_permission2
</Directory>
  • If there is already a <Directory "/absolute/path/to/secure_dir"> block in httpd-ssl.conf, just make the proper changes there and append the rest of the information to it.

DO NOT make two of the same Directory Directives.

Things to Edit

  • "AuthName" can be whatever you want it to be. Just make sure you keep the AuthName the same when you make this directive for the subdirectories. Otherwise, the user will have to type in their username and password each time they change directories.
  • "Domain" is your domain name without the TLD (.com, .net). You don't actually have to put .htpasswd here, but you will want to make sure that it's not located in either DocumentRoot or their subdirectories. If you place .htpasswd somewhere else, change AuthUserFile to point to the absolute path of that file.
AuthUserFile /absolute/path/to/.htpasswd
  • "require user" specifies which users are allowed to access the directory. Note, these users are not the same as Linux users. We will be creating them when we create .htpasswd.

Using htpasswd

Now we need to create the password file for the directory. To do this, run

/usr/local/apache2/bin/htpasswd -b -c /absolute/path/to/.htpasswd user_with_permission1 user1_password
  • Make sure no one is looking when you do this. The -b flag takes the password from the command line rather than prompting for it. The prompt doesn't always work, so use the -b flag.
  • The -c flag tells htpasswd to create a new password file. You will need to repeat the above step to add additional users; just remove the -c flag from the command.

Symbolic Links

Now we need to place symlinks in your secure DocumentRoot pointing to /mnt/hda/user1, /mnt/hda/user2 and so forth.

  • To do this run:
ln -s /mnt/hda/user1  /usr/local/apache2/secure_folder/user1
ln -s /mnt/hda/user2  /usr/local/apache2/secure_folder/user2
...
  • Do not place an index.html file in the secure DocumentRoot directory. The reason is that when someone contacts your Linkstation via "https://yourdomain.xxx", they will be prompted to type their username/password. After successful authentication, they will see the directories they're given permission to access.

Todo:

  • Give example of a page.

Setting up Network Shares

In order to setup the network shares, we have to repeat the "Directory Directive" and "Using htpasswd" steps for each user directory.

"Directory Directive" Again

  • When you make a "Directory Directive" for a user directory (network share), make sure you set the directive with
<Directory "/absolute/path/to/secure_dir/user_share">

rather than using

<Directory "/mnt/hda/user_share">
  • /absolute/path/to/secure_dir is the same as the symlink you made earlier for each user directory.
  • Change "require user" to list only the user you want to have access. For example, if you want user3 to only have access to his or her own directory, you would set the require user option to
require user user3
  • Change the AuthUserFile to the absolute path of the .htpasswd2 file that you will create for each user (in the next step).
  • Here is an example of the proper directive:
<Directory "/absolute/path/to/secure_dir/user3">
    Options Indexes FollowSymLinks
    Order Deny,Allow
    Allow from All
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/domain/.htpasswd2
    AuthGroupFile /dev/null
    require user user3
</Directory>

"htpasswd" Again

  • When making a .htpasswd file for a user folder, name the ".htpasswd" file something like ".htpasswd2", and use the -c flag to create the new file. You can save this file in the same folder as the .htpasswd file for the secure DocumentRoot (i.e. /home/domain/).
  • Just like .htpasswd for the secure DocumentRoot, the -c flag tells htpasswd to create a new file. Without the -c flag, htpasswd appends the specified user to the specified password file.
  • Note: If you have two directories that the same users are allowed to use, you don't need to create additional .htpasswd files. Just point AuthUserFile in the "Directory Directive" for the directory to the .htpasswd that has both users.
  • CONGRATS!!! If all went well, you should now have password-protected, secure user directories accessible via HTTPS.
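The per-share "Directory Directive" steps above are easy to get subtly wrong. As an added example (not from this wiki and not part of Apache), here is a small Python checker that reads an httpd-ssl.conf fragment and flags the mistakes the sections above warn about: a Directory block that points straight at /mnt/hda instead of the symlink under the secure DocumentRoot, an AuthUserFile placed inside the secure DocumentRoot, a block without AuthType Basic / require user, duplicate Directory blocks, and AuthName values that differ between blocks. The sample configuration is constructed; its paths mirror the examples on this page.

```python
import re
from pathlib import PurePosixPath

# Constructed httpd-ssl.conf fragment with deliberate mistakes (not a real LinkStation config).
SAMPLE_CONF = """\
DocumentRoot "/usr/local/apache2/secure_folder"
<Directory "/usr/local/apache2/secure_folder">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/domain/.htpasswd
    require user user1 user2 user3
</Directory>
<Directory "/usr/local/apache2/secure_folder/user3">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /usr/local/apache2/secure_folder/.htpasswd2
    require user user3
</Directory>
<Directory "/mnt/hda/user2">
    AuthName "Other Area"
    require user user2
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s*"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
ROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\n]+?)"?\s*$', re.M | re.I)

def parse_conf(conf):
    """Return (DocumentRoot or None, [(path, {directive: value}), ...])."""
    m = ROOT_RE.search(conf)
    blocks = []
    for path, body in DIR_RE.findall(conf):
        d = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                d[key.lower()] = value.strip().strip('"')
        blocks.append((path, d))
    return (m.group(1) if m else None), blocks

def is_under(path, parent):
    p, q = PurePosixPath(path), PurePosixPath(parent)
    return p == q or q in p.parents

def check_conf(conf, share_root="/mnt/hda"):
    """Return 'where: problem' strings; an empty list means the fragment passes."""
    docroot, blocks = parse_conf(conf)
    problems, seen, auth_names = [], set(), set()
    for path, d in blocks:
        if path in seen:
            problems.append(f"{path}: duplicate <Directory> block")
        seen.add(path)
        if is_under(path, share_root):
            problems.append(f"{path}: exposes the share directly; use the symlink under the secure DocumentRoot")
        if d.get("authtype", "").lower() != "basic" or not d.get("require", "").startswith("user"):
            problems.append(f"{path}: missing AuthType Basic or require user")
        uf = d.get("authuserfile")
        if uf and docroot and is_under(uf, docroot):
            problems.append(f"{path}: AuthUserFile {uf} is inside DocumentRoot")
        auth_names.add(d.get("authname"))
    if len(auth_names) > 1:
        problems.append("AuthName differs between blocks; users get re-prompted per directory")
    return problems
```

Run check_conf on the contents of your real httpd-ssl.conf after editing it; on the constructed sample it reports four problems, and the first block alone passes cleanly.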

Final Configurations

  • To manually start Apache, run
/usr/local/apache2/bin/apachectl start
  • To allow Apache to start automatically on reboot, run
cp /usr/local/apache2/bin/apachectl /etc/init.d/apachectl
ln -s /etc/init.d/apachectl /etc/rc.d/rc2.d/S99apachectl
ln -s /etc/init.d/apachectl /etc/rc.d/rc6.d/K92apachectl
ln -s /etc/init.d/apachectl /etc/rc.d/rc0.d/K92apachectl
  • Make sure to disable FTP through webmin after this works. You will need to use OpenSSH and a SFTP client if you want to remotely upload files.
  • Disable Telnet if need be.

Conclusion

  • After all that work, you have installed Apache and configured it to serve your network shares through a secure SSL connection.
  • This method is only meant to be a guide; you will still have to create your web pages and implement this method according to your needs.
  • This method only shows how to set up remote access to network shares in the form of downloads. Users will not be able to upload files to their shares through this method. If users wish to upload files, they should use OpenSSH and an SFTP client (e.g. WinSCP) to upload their files. Another option is to create an upload script via CGI or PHP. There are many variants of how this can be accomplished, but the basic idea would be to add the script to your webpage and direct users to the script for uploading.

Additional Resources