Squeezebox Setup

Adding SSL to Apache

SSL certificates do two things – they guarantee that the person running the website is who they say they are, and they ensure that traffic over the wire is encrypted. For a home server we don't care about the first part – which is good, as it requires a registered domain. If you do have a registered domain you can check out the excellent Ars Technica article here for instructions on getting a free, proper SSL certificate. For cheapskates like myself we will be encrypting the connection with a self-signed certificate. First we need openssl (you probably have this already) and mod_ssl:

[root@tranquilpc ~]# yum install mod_ssl openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.dedipower.com
* updates: mirrors.dedipower.com
* extras: mirrors.dedipower.com
* addons: mirrors.dedipower.com
squeezecenter-release | 951 B 00:00
base | 1.1 kB 00:00
updates | 951 B 00:00
extras | 1.1 kB 00:00
addons | 951 B 00:00
Setting up Install Process
Parsing package install arguments
Package openssl-0.9.8e-7.el5.i686 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-22.el5.centos.1 set to be updated
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================
Package Arch Version Repository Size
=========================================================================================================
Installing:
mod_ssl i386 1:2.2.3-22.el5.centos.1 updates 87 k
Installing for dependencies:
distcache i386 1.4.5-14.1 base 119 k

Transaction Summary
=========================================================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 205 k
Is this ok [y/N]:

Next we need to generate the keys and copy them into the appropriate place:

[root@tranquilpc ~]# cd
[root@tranquilpc ~]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
....................................++++++
e is 65537 (0x10001)
[root@tranquilpc ~]#
[root@tranquilpc ~]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:youremail@here.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:typepasswordhere
An optional company name []:
[root@tranquilpc ~]# openssl x509 -req -days 1000 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=GB/ST=County/L=Town/O=My Company Ltd/CN=hostnamewillbehere/emailAddress=youremail@here.com
Getting Private key
[root@tranquilpc ~]# mv ca.crt /etc/pki/tls/certs
[root@tranquilpc ~]# mv ca.key /etc/pki/tls/private/ca.key
[root@tranquilpc ~]# mv ca.csr /etc/pki/tls/private/ca.csr

Answer the questions as well as possible – it really doesn’t matter if you tell the truth!  When asked for a common name you can put more or less whatever you want, though if you match it to the hostname you will be using (myhost.dyndns.org for example) you will get fewer errors when accessing the site. At the end of this, accessing the site in Firefox will tell you that the certificate is self-signed and, depending on the common name, may also tell you that the certificate was issued to a different hostname – you’ll need to manually add an exception either way, so it doesn’t really matter.
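As an added example (not from the original post), here is the same key and certificate generation done non-interactively, with the Common Name taken from a variable so it matches the hostname you will browse to, plus two checks worth running before pointing ssl.conf at the files: that the CN is what you expect, and that the key and certificate actually belong together. The hostname, paths and DN values are placeholders; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate generation.
# Hostname, paths and DN fields below are placeholders (assumptions).
set -e

# Generate a private key and a self-signed cert for HOST in one step.
# A 2048-bit key is used here rather than the 1024-bit key shown above,
# since 1024-bit RSA is no longer considered adequate.
make_self_signed() {
    host="$1"            # e.g. myhost.dyndns.org (match what you browse to)
    keyfile="$2"         # e.g. /etc/pki/tls/private/ca.key
    crtfile="$3"         # e.g. /etc/pki/tls/certs/ca.crt
    days="${4:-1000}"    # validity, defaults to the 1000 days used above
    # -x509  : emit a self-signed certificate directly instead of a CSR
    # -nodes : leave the key unencrypted so httpd can start unattended
    # -subj  : supply the Distinguished Name without the interactive prompts
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -keyout "$keyfile" -out "$crtfile" \
        -subj "/C=GB/ST=County/L=Town/O=Home Server/CN=$host" 2>/dev/null
    chmod 600 "$keyfile"   # only root should be able to read the private key
}

# Print the CN from a certificate so you can confirm it matches the hostname.
# Handles both the old "subject= /C=..../CN=host" and the newer
# "subject=C = GB, ..., CN = host" output formats.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Succeed only if the certificate and key belong together: the public key
# embedded in the cert must equal the public key derived from the private key.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
    k=$(openssl rsa -pubout -in "$2" 2>/dev/null | openssl md5)
    [ "$c" = "$k" ]
}
```

Running cert_cn against the file named in SSLCertificateFile is a quick way to see why the browser complains about the hostname.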

Next we need to tell apache to use the certificates.  So edit /etc/httpd/conf.d/ssl.conf and change:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

to

SSLCertificateFile /etc/pki/tls/certs/ca.crt

And change:

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

to

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Restart the webserver to pick the changes up:

[root@tranquilpc ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for tranquilpc
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[  OK  ]

Then you should be able to access your server over https as well as http (so https://192.168.1.107 should work).  As mentioned above, Firefox will make you add a security exception.  Once you have done this you may want to force SSL for parts of the website (webmail for example).  This can be done using the mod_rewrite functionality in Apache, which lets you change or redirect the URL that people are going to.  Assuming that the webmail is in a /cube subfolder, you can add this to /etc/httpd/conf/httpd.conf:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/cube/(.*)$ https://%{HTTP_HOST}/cube/$1 [R,L]

After restarting Apache (service httpd restart) this will redirect any request for http://hostname/cube to https://hostname/cube.
