I'm following linuxbabe's tutorial* to set up my server and managed to screw up something and can't make https do its job. The site can be reached via port 80, but not via port 443. Firefox says Unable to load.
Probably clearing all Apache-related ssl stuff would do it for a new beginning (but email certificates must not be touched! Those work as expected).
My question is, how can it be done in a safe manner?
Thank you!
PS: running Raspberry OS with Apache 2.4.52 and certbot.
https://www.linuxbabe.com/mail-server/postfixadmin-create-virtual-mailboxes-debian
There is a command "certbot delete".
It will list available certificates and you can choose which to delete.
After that, you redo the certification process.
PS: and don't forget to open port 443!
That was the reason I screwed things up.
I want to implement proxy server in node.js which is somewhat similar to Charles proxy - it should intercept HTTPS requests from my mobile app, decipher them, route some of them depending on body content to original backend and mock others with some static files.
How is this HTTPS stuff handled in Charles or other proxies?
Will I need a self-signed root certificate on the mobile device?
Are there any libraries which will help me?
How is this HTTPS stuff handled in Charles or other proxies?
Technically, Charles Proxy or Proxyman.io (the one I'm using now) would do the following steps:
Generate a root certificate, install it to the keychain and trust it. This step is done once.
Open the Local Server (at 8888 or 9090).
Override the HTTP proxy in System to this port. Thus, all traffic will go through the port. You could use the networksetup CLI to easily achieve this, or a Privileged Helper tool on macOS for high performance and security.
As soon as you capture the first socket: if it's an HTTP request, get the first line of the message. Ex:
GET https://api.producthunt.com/v1/posts HTTP/1.1
Then open the forward socket to this URL.
If it's HTTPS, make sure to do the SSL handshake and then get the first line of the message.
Finally, just get the rest of the message and parse it to a proper message (HTTPCParser from NodeJS would be a potential candidate)
Send data forward and back from the client and the destination server.
Do manipulation actions if you need, since you're the true MITM.
Will I need a self-signed root certificate on the mobile device?
Yes, you must install the Root Certificate in the first step on your iOS device. For the Header/Response detail, check chls.pro/ssl or proxy.man/ssl from Charles or Proxyman, and see the content.
You can do it on the iOS Simulator by using ADVTrustStore
Are there any libraries which will help me?
You can check those famous open source projects to see how it works
- mitmproxy
- zapproxy
- http toolkit
Hope this can help you.
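As an added illustration of the "get the first line" step in the answer above (example code, not part of the original answer or of Charles/Proxyman), here is a Node.js function that classifies what a forward proxy has read from a freshly accepted client socket and decides whether it is a CONNECT tunnel or a plain request to forward; host names other than the one quoted in the answer are constructed.

```javascript
// Added example: the "first line" routing step a Node.js forward proxy performs
// on a freshly accepted client socket. Three request forms matter here:
//   CONNECT host:443 HTTP/1.1       -> client asks for an opaque tunnel (HTTPS)
//   GET http://host/path HTTP/1.1   -> absolute-form, plain HTTP to forward
//   GET /path HTTP/1.1 + Host: host -> origin-form (destination from Host header)
// `head` is a Buffer holding everything up to the blank line that ends the headers.
function parseProxyHead(head) {
  const text = head.toString('latin1');
  const [requestLine, ...headerLines] = text.split('\r\n');
  const parts = requestLine.split(' ');
  if (parts.length !== 3 || !/^HTTP\/1\.[01]$/.test(parts[2])) {
    throw new Error('malformed request line: ' + JSON.stringify(requestLine));
  }
  const [method, target, version] = parts;

  // Header names are case-insensitive; the first empty line ends the block.
  const headers = {};
  for (const line of headerLines) {
    if (line === '') break;
    const idx = line.indexOf(':');
    if (idx < 1) throw new Error('malformed header line: ' + JSON.stringify(line));
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }

  if (method === 'CONNECT') {
    // Tunnel request: the bytes that follow are TLS and stay opaque to the proxy
    // unless it terminates TLS itself with a root the client has chosen to trust.
    const m = /^([^:\s]+):(\d{1,5})$/.exec(target);
    if (!m) throw new Error('CONNECT target must be host:port, got ' + target);
    return { mode: 'tunnel', host: m[1], port: Number(m[2]), method, version, headers };
  }
  if (/^https?:\/\//i.test(target)) {
    // Absolute-form target, as in the "GET https://api.producthunt.com/..." line above.
    const u = new URL(target);
    const port = Number(u.port) || (u.protocol === 'https:' ? 443 : 80);
    return { mode: 'forward', host: u.hostname, port, path: u.pathname + u.search, method, version, headers };
  }
  if (target.startsWith('/') && headers.host) {
    // Origin-form target: the destination comes from the Host header (constructed case).
    const [host, port] = headers.host.split(':');
    return { mode: 'forward', host, port: Number(port) || 80, path: target, method, version, headers };
  }
  throw new Error('cannot route request: ' + JSON.stringify(requestLine));
}
```

Once the head is classified, a `mode: 'forward'` result is what you open the forward socket for, while `mode: 'tunnel'` is the branch where the SSL handshake the answer mentions would happen.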
Using Charles Proxy to see your mobile's requests is super easy.
Here is a simple video going over how to set it up. https://www.youtube.com/watch?v=AW2vTBRfOrU
I am using the following web2py slice in attempt to use https for a service worker function in a page.
http://www.web2pyslices.com/slice/show/1507/generate-ssl-self-signed-certificate-and-key-enable-https-encryption-in-web2py
I have tried opening web2py with the following line (with and without [-i IP and -p PORT]):
python web2py.py -c myPath/ssl_certificate.crt -k myPath/ssl_self_signed.key -i 127.0.0.1 -p 8000
but https is declared 'not private' and is crossed out. Because of this, I am getting an SSL certificate error when the registration of the service worker is attempted.
Please indicate what is going wrong or whether more information is needed
You mention "https is declared 'not private' and is crossed out". This has to do with browsers disliking not trusted (self-signed) certificates, because that's what trust is all about. If any hacker could just make up a certificate and the https client wouldn't respond with at least a frown, you could still be hacked or sniffed without noticing. Since you don't mention any other error, I assume you get otherwise valid results from the web2py server?
If so, you have set up your self-signed certificate well. If you don't get any valid HTML response (outside your browser's complaint, of course), you still have an issue with the setup.
If your service worker won't accept the certificate, what you can do (in a test environment at least) is import the self-signed certificate into the machine or service worker certificate repository. The process differs per OS and version.
Hope this helps. If it doesn't, please provide more detail.
The best way to use SSL with web2py is to use the deployment recipes with production-grade web servers like Apache, nginx or Lighttpd.
Any of the mentioned scripts creates a self-signed certificate, and then you have to fix the generated server config files to use a real certificate.
You can buy a real SSL certificate from any of many resellers or get one for free from Let's Encrypt, if you have a real IP, like on a VPS or server.
A simple way to fix the config files is to create a symbolic link from the real certificate to the one mentioned in the server config file.
To just test your service worker on your machine or an internal test server, just use a non-SSL port, or, like Remco suggested, import the self-signed certificate into the client environment.
How to use two proxies with authentication in a linux terminal?
My college uses Cyberoam with a Squid proxy server and it blocks all legitimate terminal requests, such that basic commands like apt-get install libvirt kvm don't work.
So I was thinking of either running a VPN or a private proxy server on Google App Engine and connecting to it via the terminal, but I need to go through the Squid proxy to reach the internet.
Any ideas as to how to implement this?
PS: We already tried reasoning with the college authorities; they say they can't help directly but we can always bypass it without their knowing. And we really need this for our project, so please help. Thank you
I'm not sure if NTLMAPS will work for you, but it works for me for bypassing the company proxy with the use of public proxy servers.
Another thing: my friend's company is using a domain controller to authenticate internet users, and he told me that NTLMAPS also works for him and he is able to access the net via the Linux terminal.
Good luck.
I set up the proxy on my Ubuntu machine as below:
https://gopukrish.wordpress.com/2014/05/22/configure-proxy-in-ubuntu-14-04/
Following are the contents in case the link becomes unusable in future.
Download and install the cntlm package from: http://sourceforge.net/projects/cntlm/
Edit /etc/cntlm.conf
Give credentials in the fields below
username
domain
password
proxy IP:Port
Note down the Listen port… say it is 3128
save
Select Network options in Ubuntu and choose network proxy
Give 127.0.0.1 port 3128 for all the protocols
/etc/init.d/cntlm restart
This worked for me after the restart
Currently, our program runs on JBoss and sits behind an apache reverse proxy. Apache handles verifying the client certificate. We have the +ExportCertData option set in apache, and then we use
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
to put the cert in the header field SSL_CLIENT_CERT before forwarding to JBoss. Our application in JBoss then reads the cert looking for the SubjectAltName to get the e-mail address, which we use to save the user the step of entering it.
Now, we will have to live behind IIS, and will need similar functionality to this. What we really care about is extracting the email address from the SubjectAltName. In an ideal world, IIS would provide the same information as apache, so we wouldn't have to modify our application code too much. But if it's not possible, other options are good as well.
Some other notes:
We will probably need to support IIS6 and IIS7. It would be nice to have one solution that works across both, but not necessary
We are currently using IIRF to forward requests that go to a certain virtual directory, but I would be interested in hearing other solutions that could accomplish what we're looking for along with forwarding to our application server.
Just throwing Apache in front of IIS isn't going to be a solution, because we have to share the box with other programs that use IIS and they might be wary of such a solution. Also, we can't just run on a different port because firewall restrictions only allow port 80 and port 443.
Any ideas how to make this possible? Let me know if there's any more information I can provide.
I'm just setting up an SSL area of a website, and was just wondering... is it as simple as adding HTTPS on the url?
(this is presuming I have a valid certificate of the hosting company?)
Or is there something more to it?
Thanks.
You have to set up the server to allow SSL connections. That includes generating a signed server request. You send this CSR to the cert authority (Verisign etc.), and they send you a cert to install on the server. If you are behind a firewall you need to open port 443.
If you don't control the server i.e. shared hosting, there is probably a page in your control panel to do it all for you using a GUI.
When you replace http: in a URL with https: you are asking your web browser to do two things:
To attempt an encrypted (SSL) connection
To change which port to use on the remote server if none is specified in the URL
Most web browsers use port 80 for unencrypted traffic and port 443 for encrypted traffic by default. So, the first thing you need is a web server that is listening on port 443. If you are using a hosting company, this is probably already the case or becomes the case when you configure SSL.
You do not have to use port 443, but that is where browsers will be looking when users do not specify a port. With the right configuration you could also force everybody that connects at port 80 to use SSL as well. That means that ALL traffic to your site would be encrypted.
To get the encryption up and running you generally need three things: a certificate, an encryption key, and a server request (CSR).
How you configure these is extremely dependent on how you are hosting the web server. Most hosting companies have 'control panels' that you log into for configuration. Common ones are Plex and CPanel. If either of those rings a bell you can post more information to get a better answer.
If you are managing the server yourself, the big question is whether you are hosting on Windows or Linux. If it is Windows, you are most likely going to want to configure IIS (Internet Information Server), while if it is on Linux you are probably going to configure Apache.
If you are using IIS, this link might help:
http://www.petri.co.il/configure_ssl_on_your_website_with_iis.htm
If it is Apache, Byron gave a good link above:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
You can use other web servers. For example, I use nginx:
http://rubypond.com/blog/setting-up-nginx-ssl-and-virtual-hosts
So, I guess the real step one is finding out more about your server. :-)
Once your web server has the SSL cert installed, it is as easy as using HTTPS on the URLs. There are some considerations to be aware of:
Port 443 must be open between the user and web server. (obvious)
Browser caching will be reduced to an in-memory session cache and not stored on disk. Also, caching proxies in between will not be able to cache anything, since everything is encrypted. This means an increase in load times and bandwidth requirements of the web server.
When using HTTPS to receive sensitive data, be sure to disallow its use over HTTP. e.g. If you have a page that accepts credit card numbers in a POST, the app should fail validation if it was not done over HTTPS. This can be done in your code or in web server configuration. This prevents a bug or malware from systematically sending sensitive data in the clear without the user knowing.
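The last point above, enforced in application code rather than trusting the page's form action, as an added example that is not part of the original answer. It is plain Node.js with no framework; the `/checkout` path and the trusted-proxy addresses are constructed placeholders, and the proxy header check reflects the reverse-proxy setups discussed earlier on this page (Apache or IIS in front of the application).

```javascript
// Added example: refuse a sensitive POST unless it arrived over HTTPS, either
// directly on a TLS socket or via a reverse proxy we trust to report the scheme.
// Placeholders (constructed): the sensitive path and the trusted proxy addresses.
const SENSITIVE_PATHS = new Set(['/checkout']);            // e.g. the card-number form
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);     // reverse proxies we control

// True if this request was encrypted on its way to us. X-Forwarded-Proto is
// honoured only when the TCP peer is a trusted proxy: any other client could
// simply set that header itself and bypass the check.
function isSecureRequest(req) {
  if (req.socket && req.socket.encrypted) return true;    // TLS terminated here
  const peer = req.socket && req.socket.remoteAddress;
  const xfp = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  return TRUSTED_PROXIES.has(peer) && xfp === 'https';
}

// Called before the body is read. Returns an HTTP status to send back, or null
// to let the request proceed. Non-sensitive paths and GETs are left alone.
function checkTransport(req) {
  const path = (req.url || '').split('?')[0];
  const sensitive = SENSITIVE_PATHS.has(path) && req.method === 'POST';
  if (sensitive && !isSecureRequest(req)) return 403;     // refuse cleartext submission
  return null;
}

// Wiring into a server (not executed here):
//   http.createServer((req, res) => {
//     const status = checkTransport(req);
//     if (status) { res.statusCode = status; res.end('HTTPS required'); return; }
//     // ... handle the request ...
//   });
```

Because the refusal happens before the body is parsed, a page served over HTTP by mistake, or a script posting to the wrong scheme, fails closed instead of quietly sending the data in the clear.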