Cannot access https service from localhost WampServer64 [duplicate] - wampserver

I am trying to set up SSL on localhost. I have followed http://madurad.wordpress.com/2014/04/25/redirect-http-to-https-with-wamp-server/ and many others but have not been able to get it working. I am stuck on the syntax of httpd-ssl.conf. My Apache server goes down when I set the
<Directory "c:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
SSLOptions +StdEnvVars
</Directory>
I have tried many others, like
<Directory "c:/wamp/www/">
SSLOptions +StdEnvVars
</Directory>
I am not able to figure out what the issue is....

How to Configure WAMPServer to use HTTPS SSL
This is not a trivial process. This tutorial will, hopefully, get SSL working for you.
However, getting it configured correctly once it is working is TOTALLY DOWN TO YOU.
Additional reading for all who travel this road
Ok,
I have based this tutorial on the creation of a site called www.wamphelpers.dev, so wherever you see that name change it to the site name you are trying to secure.
I started by creating an unsecured site in \wamp\www\wamphelpers
added a Virtual Host for that site, in \wamp\bin\apache\apache{version}\conf\extra\httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "c:/wamp/www"
ServerName localhost
ServerAlias localhost
<Directory "c:/wamp/www">
AllowOverride All
Require local
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "c:/wamp/www/wamphelpers"
ServerName wamphelpers.dev
ServerAlias www.wamphelpers.dev
<Directory "c:/wamp/www/wamphelpers">
AllowOverride All
Require local
</Directory>
</VirtualHost>
Added its domain name to C:\windows\system32\drivers\etc\hosts
Some virus checkers block access to the HOSTS file so you may need to disable your virus checker, or configure it not to block the hosts file temporarily.
127.0.0.1 wamphelpers.dev www.wamphelpers.dev
::1 wamphelpers.dev www.wamphelpers.dev
Now restart the dnscache as follows from a command window launched using 'Run as Administrator'
ipconfig /flushdns
Then created a simple script in \wamp\www\wamphelpers\index.php
<?php
echo 'Hello, this is the WAMPHELPERS.DEV site homepage';
?>
Now to activate the new Virtual Hosts you have defined, edit \wamp\bin\apache\apache{version}\conf\httpd.conf and find this line
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
and remove the # comment character like so
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
Save the file.
Now restart Apache and make sure that your simple unsecured Virtually Hosted site is working before continuing.
The openssl toolkit.
The openssl.exe, ssleay32.dll and libeay32.dll come with, and are located in, the C:\wamp\bin\apache\apachex.y.z\bin folder
This should be all you need to create your self signed certificate !!
HOWEVER: These did not work for me on any of the versions of Apache that I had installed.
I always got this error message, where the ordinal number changed depending on the Apache version folder I was in.
If you get this error don't worry, this is what you need to do.
Install the latest version of the OPENSSL TOOLKIT
This can be obtained from here
NOTE: Don't use the V1.1 version yet; the PHP team have not yet compiled PHP with these new linkages, so stick to the V1.0.? versions until they do.
Pick the latest version of 'Win32 OpenSSL v xxx Light' or 'Win64 OpenSSL v xxx Light' to match your installed version of WAMPServer, as this is all you need.
This will download an .exe file which you can run to install this toolkit.
It will ask the following question; I suggest you answer it like this so you don't end up installing something into C:\windows\system32.
After all, this is a toolkit and it changes reasonably often. Best to keep these things separate and not make them system global.
Once that is installed (to whichever folder you specified in the install) you should be ready to start the process of generating keys and certificates!
Generate keys and Certificates.
STEP 1: Generate an RSA Private Key
First we need to create ourselves a certificate.
The normal (paid for) process is to create your certificate and then pass it to a signing authority.
This is why it costs money, as they have to do due diligence to check that you are who you say you are and that the site you will use the certificate on is real and legitimate.
The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request) to be used for our Certificate.
The first step is to create your RSA Private Key.
This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
Open up a Command window (DOS box) using Run as Administrator
Change Directory to where you installed the OpenSSL Toolkit above.
In my case this is
CD c:\apps\OpenSSL-Win32\bin
Make a folder for the output to be put in (to keep the bin folder tidy). I used website
md website
Now enter this command:
openssl genrsa -out website\server.key 2048
This should have created a file in the website folder called server.key, without a passphrase; check it exists.
Step 2: Generate a CSR (Certificate Signing Request)
During the generation of the CSR, you will be prompted for several pieces of information.
These are the X.509 attributes of the certificate.
One of the prompts will be for "Common Name (e.g. server FQDN or YOUR name) []:".
It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL.
So if the website to be protected will be https://www.wamphelpers.dev, then enter www.wamphelpers.dev at this prompt. I used wamphelpers.dev as my ServerName is wamphelpers.dev.
Do not enter anything at the question 'A challenge password []:'. Just press Enter.
If you do enter a passphrase here, when you come to start Apache with SSL configured, Apache will not start and will give this error message:
[error] Init: SSLPassPhraseDialog builtin is not supported on Win32
Basically, if you do enter a passphrase Apache is supposed to challenge you for that passphrase each time it starts.
This is obviously not going to make your life any easier, but primarily on Windows it does not actually work and will cause Apache to crash when it attempts to ask for the passphrase, with the above error.
The command to generate the CSR is as follows:
openssl req -new -key website\server.key -out website\server.csr
Example question and answers:
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]: Hampshire
Locality Name (eg, city) []: Portsmouth
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Wamp Helpers Ltd
Organizational Unit Name (eg, section) []: Information Technology
Common Name (e.g. server FQDN or YOUR name) []: wamphelpers.dev
Email Address []: me@wamphelpers.dev
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave blank, just hit the Enter key)
An optional company name []: (leave blank, just hit the Enter key)
Step 3: Generating a Self-Signed Certificate
At this point you will need to generate a self-signed certificate because
you either don't plan on having your certificate signed by a CA, or you wish to test
your new SSL implementation while the CA is signing your certificate.
PRE-WARNING
This certificate will generate an error in the client browser to the effect that
the signing certificate authority is unknown and not trusted.
This is unavoidable as we are signing the certificate ourselves, and of course the web of trust does not know who we are.
See the example later in this document showing how to tell your browser that you actually trust this certificate.
openssl x509 -req -days 365 -in website\server.csr -signkey website\server.key -out website\server.crt
Example output:
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=Hampshire/L=Portsmouth/O=WampHelpers Ltd/OU=Information Technology/CN=www.wamphelpers.dev/emailAddress=riggsfolly@wamphelpers.dev
Getting Private key
Step 4: Installing the Private Key and Certificate
Create these 2 directories under the version of Apache you are using.
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
And copy the files we have just generated into them like so:
copy website\server.crt c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
copy website\server.key c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
Step 5: Configure Apache to activate SSL
Edit httpd.conf and check that these lines are uncommented
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Remove the comment '#' from this line also
Include conf/extra/httpd-ssl.conf
Then move that line after this block, like so
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Step 6: Configure PHP to activate SSL
Edit your php.ini (use the wampmanager menus so you edit the correct one)
Remove the comment ';' from this line
extension=php_openssl.dll
Step 7: Configure your secure sites Virtual Host
Yup, for all you Virtual Host naysayers, now you cannot avoid the process.
Edit \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf
This file is released by Apache and contains some default file locations.
We can leave most of this file as it is, but we need to configure the virtual host in here to match our actual site's location and a few other things, so:
find these lines
DocumentRoot "c:/Apache2/htdocs"
ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog "c:/Apache2/logs/error.log"
TransferLog "c:/Apache2/logs/access.log"
and change them to
DocumentRoot "c:/wamp/www/wamphelpers"
ServerName wamphelpers.dev:443
ErrorLog "c:/wamp/logs/ssl_error.log"
TransferLog "c:/wamp/logs/ssl_access.log"
Find
SSLCertificateFile "c:/Apache2/conf/server.crt"
and change to
SSLCertificateFile "c:/wamp/bin/apache/apachex.y.z/conf/ssl.crt/server.crt"
Find
SSLCertificateKeyFile "c:/Apache2/conf/server.key"
and change to
SSLCertificateKeyFile "c:/wamp/bin/apache/apachex.y.z/conf/ssl.key/server.key"
Find
<Directory "c:/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
and change to
Apache 2.2 Syntax
<Directory "c:/wamp/www/wamphelpers">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 localhost ::1
</Directory>
Apache 2.4 Syntax
<Directory "c:/wamp/www/wamphelpers">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
Find
SSLSessionCache "shmcb:c:/Apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
and change it to
SSLSessionCache "shmcb:c:/wamp/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Find
CustomLog "c:/Apache24/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
and change to
CustomLog "c:/wamp/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Basically, look through the conf file: any directive that is not commented out but has a reference to a file or folder should be changed to reference the WAMPServer folder structure and not 'C:/Apache2....'
Now make sure all these files we have changed are saved, and restart Apache using the wampmanager menus.
First test that the unprotected site is still working.
Then try using your new protected site by adding 'https://' to the front of the domain name,
i.e. https://www.wamphelpers.dev, without the single quotes of course.
If Apache does not restart you have probably spelt something wrong. Test the configs like so:
Open a command window
cd \wamp\bin\apache\apachex.y.z\bin
httpd -t
This will parse all the config files and should give you a file name and a line number where an error has been found.
Fix it and try again.
First access to your site will generate a message page something like this.
This is using Firefox; others will be slightly different, but the concept is the same.
This is because your certificate is not signed by a trusted authority. DON'T PANIC, this is supposed to happen.
Click on 'I Understand the risk' and that will show you a button saying 'Add Exception'.
Press the Add Exception button, after checking that the certificate's site details are in fact yours,
and you will not see this message again unless you clear the exception list.
BIG NOTE
As of Apache v2.2.12 and OpenSSL v0.9.8j it is now possible to secure more than one site per Apache instance.
This tutorial does not cover that process.
See here for more details:
Here
and Here
and Here
And like I said at the top, now you need to do some research on all the options available in the SSL config and make things work as you want rather than using the defaults.

It is necessary to activate the module LoadModule socache_shmcb_module modules/mod_socache_shmcb.so in the file httpd.conf in WampServer 2.5. If not, Apache throws the following message:
AH00526: Syntax error on line 75 of C:/wamp/bin/apache/apache2.4.9/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).

If you have an error something like this:
Cannot load modules/mod_ssl.so into server: The specified module could
not be found.
You may want to try searching for libeay32.dll in your wamp folder; you will probably find it in {wamp folder}/bin/php/php{version 7}/
Copy libeay32.dll and ssleay32.dll and paste them into {wamp folder}/bin/apache/apache{version 2.x}/bin/ AND {wamp folder}/bin/php/php{version 5.x}. MAKE SURE you back up anything you are replacing.
Run httpd -t and test the syntax.
NOTE: I believe it is due to a mistake in the Apache OpenSSL part of WAMP 3.0.6. Fortunately, in the php7 folder those DLLs are compatible with Apache and php5.

@RiggsFolly:
Some small errors/typos/additions in your tutorial. Below is used in combination with WAMPServer 2.5 64 bits (Apache 2.4.9 and PHP 5.5.12) on Windows 7 SP1 64 bits:
- httpd-vhosts.conf is located in extra/httpd-vhosts.conf
- when you try to edit your hosts file be sure to disable any virus scanner. Some of them block access to the hosts file.
- be sure to open your text editor as administrator when editing your hosts file or else you get an error trying to save.
- don't forget to remove the # at the beginning of the host line if any
- if you use WAMPServer 64bit be sure to download the 64bit version of OpenSSL
- the step openssl genrsa -out website\server.key 2048 creates a server.key file and not a privkey.pem!
- the file \wamp\bin\apache\apachex.y.z\conf\httpd-ssl.conf is located at \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf (maybe this depends on the WAMPServer version)
- I had to use different ports for http (80->8080) and https (443->444) as these ports were used by, I think, Skype. When you use different ports be sure to use these everywhere you see 80 or 443 in this tutorial
- I also had to enable socache_shmcb_module. The "httpd -t" also mentioned this.

@RiggsFolly: A self-signed certificate with key can easily be generated, for example here... http://www.selfsignedcertificate.com/, so I could start the tutorial from step 4 (I also had the standard :80 virtual server running).
Anyway, some of the things mentioned were already enabled in the default WAMP installation (I guess it changes from version to version), but the rest helped me a lot. And actually one thing was missing... I also had to uncomment the following line in "httpd.conf"
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

If you have the error:
Cannot load modules/mod_ssl.so into server: The operating system
cannot run %1
Then you have to:
Install Win32 OpenSSL from here http://slproweb.com/products/Win32OpenSSL.html
Copy/paste libeay32.dll and ssleay32.dll into your wamp PHP bin folder (C:\wamp64\bin\php\php5.6.19)
Restart Apache
Note: Tested on WampServer 3

Before all:
1) Shut down WAMP and go to C:\wamp\scripts\config.inc.php; remove libeay32.dll and ssleay32.dll from the array (lines 133, 139)
2) Install OpenSSL from the official site; pay attention to whether your OS is x64 or not.
Command prompt:
3) cd C:\wamp\bin\apache\apache2.4.23\bin
4) openssl req -new > localhost.csr
5) openssl rsa -in privkey.pem -out localhost.key
6) openssl x509 -in localhost.csr -out localhost.crt -req -signkey localhost.key -days 365 -sha256 -extfile v3.ext
Update: from Chrome 58 we will need to provide a Subject Alternative Name.
This name we can supply through the extension file v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# 127.0.0.1 is an IP address, so it belongs under IP.n, not DNS.n; browsers match it against the URL host only as an IP entry
IP.1 = 127.0.0.1
DNS.1 = localhost
Very important: in Common Name insert 'localhost'
7) Grab localhost.key and localhost.crt and put them in C:\wamp\bin\apache\apache2.4.23\conf\key (of course, create the directory first)
Configuration:
8) Enable extension=php_openssl.dll in C:\wamp\bin\apache\apache2.4.23\bin\php.ini and
C:\wamp\bin\php\php5.6.25\php.ini
9) Go to C:\wamp\bin\apache\apache2.4.23\conf\httpd.conf and uncomment:
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Include conf/extra/httpd-vhosts.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
10) Go to C:\wamp\bin\apache\apache2.4.23\conf\extra\httpd-ssl.conf
and make these changes:
SSLSessionCache "shmcb:c:/wamp/bin/apache/apache2.4.23/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
VirtualHost _default_:443
DocumentRoot "c:/wamp/www/"
ServerName localhost:443
ErrorLog "c:/wamp/bin/apache/apache2.4.23/logs/ssl_error.log" (create the file if it does not exist)
TransferLog "c:/wamp/bin/apache/apache2.4.23/logs/access.log"
SSLCertificateFile "c:/wamp/bin/apache/apache2.4.23/conf/key/localhost.crt"
SSLCertificateKeyFile "c:/wamp/bin/apache/apache2.4.23/conf/key/localhost.key"
<Directory "c:/wamp/www/">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
CustomLog "c:/wamp/bin/apache/apache2.4.23/logs/ssl_request.log"
Certificate handling:
11) Press Win+R, enter 'certmgr.msc', and import servercert.crt into 'Trusted Root Certification Authorities'
12) Check your server in a command prompt: 'httpd -t' should say 'Syntax OK'
13) Launch WAMP and go to https://localhost
I hope this will help.
Note: please read this article about Mozilla's behaviour:
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
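The three openssl steps from the tutorial above (passphrase-less key, CSR, self-signed certificate) combined with the subjectAltName extension file from this answer, as an added example that is not code from either post. It generalises the v3.ext to any mix of DNS names and IPv4/IPv6 addresses, putting each under the right SAN type; it assumes openssl is on PATH, and the host names, subject fields and output folder are constructed for the example.

```python
"""Self-signed certificate pipeline for a local WAMP-style site, with a SAN.

Added example (not from the question or any answer). It runs the tutorial's
openssl steps non-interactively and adds the subjectAltName extension that
Chrome 58+ requires. Host names and file names are constructed; 'openssl'
must be on PATH (the same commands work in a Windows command window).
"""
import ipaddress
import subprocess
from pathlib import Path


def build_v3_ext(names):
    """Return the contents of an openssl x509 extension file.

    Each entry is classified as an IP address or a DNS name: 127.0.0.1 must be
    listed as IP.n, not DNS.n, or browsers will not match it against the URL.
    """
    dns, ips = [], []
    for name in names:
        try:
            ipaddress.ip_address(name)   # accepts IPv4 and IPv6 literals
            ips.append(name)
        except ValueError:
            dns.append(name)
    lines = [
        "authorityKeyIdentifier=keyid,issuer",
        "basicConstraints=CA:FALSE",
        "keyUsage = digitalSignature, keyEncipherment",
        "extendedKeyUsage = serverAuth",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
    ]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(dns, 1)]
    lines += [f"IP.{i} = {n}" for i, n in enumerate(ips, 1)]
    return "\n".join(lines) + "\n"


def build_subject(common_name, country="GB", org="Wamp Helpers Ltd"):
    """Non-interactive replacement for the CSR prompts in the tutorial.

    The Common Name must be the host name the browser will use.
    """
    return f"/C={country}/O={org}/CN={common_name}"


def generate_self_signed(out_dir, common_name, san_names, days=365):
    """Run the three openssl steps and return the paths of key, CSR and cert."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    key, csr, crt, ext = (out / "server.key", out / "server.csr",
                          out / "server.crt", out / "v3.ext")
    ext.write_text(build_v3_ext(san_names))
    # Step 1: RSA key. No -des3, so no passphrase: mod_ssl on Windows cannot
    # prompt for one (SSLPassPhraseDialog builtin is not supported on Win32).
    subprocess.run(["openssl", "genrsa", "-out", str(key), "2048"],
                   check=True, capture_output=True)
    # Step 2: CSR, with the subject given on the command line instead of prompts
    # (so no challenge password can be entered by accident).
    subprocess.run(["openssl", "req", "-new", "-key", str(key), "-out", str(csr),
                    "-subj", build_subject(common_name)],
                   check=True, capture_output=True)
    # Step 3: self-sign with SHA-256 and attach the SAN extension file.
    subprocess.run(["openssl", "x509", "-req", "-days", str(days), "-sha256",
                    "-in", str(csr), "-signkey", str(key), "-out", str(crt),
                    "-extfile", str(ext)],
                   check=True, capture_output=True)
    return key, csr, crt


def certificate_sans(crt_path):
    """Read back the SAN entries of a PEM certificate via 'openssl x509 -text'."""
    text = subprocess.run(["openssl", "x509", "-in", str(crt_path), "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    for line in text.splitlines():
        if "DNS:" in line or "IP Address:" in line:
            return [entry.strip() for entry in line.split(",")]
    return []


if __name__ == "__main__":
    _, _, crt = generate_self_signed("website", "wamphelpers.dev",
                                     ["wamphelpers.dev", "www.wamphelpers.dev",
                                      "localhost", "127.0.0.1", "::1"])
    print(certificate_sans(crt))
```

Copy the resulting server.crt and server.key into the ssl.crt and ssl.key folders from Step 4 of the tutorial; the certificate still has to be added to the browser's or Windows' trusted root store as the answers describe.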

Related

Overwhelmed with Apache mod passenger / Ruby on Rails

i tried to migrate a ruby on rails project from a server to another.
Everything is pretty much working. Now only mod passenger and apache gives me big problems.
Just as a note: I had to run the following command, or else I couldn't start Apache: "a2enmod mod_access_compat"
Now here is my config file:
LoadModule passenger_module /home/homeuser/.rvm/gems/ruby-2.1.10/gems/passenger-4.0.41/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /home/homeuser/.rvm/gems/ruby-2.1.10/gems/passenger-4.0.41
PassengerDefaultRuby /home/homeuser/.rvm/gems/ruby-2.1.10/wrappers/ruby
</IfModule>
# The opening VirtualHost directive is missing from the post; assumed here so the block matches the closing tag below
<VirtualHost *:80>
ServerAdmin ME
ServerName server.ip
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#DocumentRoot /srv/www/vhosts/default/
DocumentRoot /home/homeuser/projectx/public/
# if not specified, the global error log is used
ErrorLog /var/log/apache2/error_log
CustomLog /var/log/apache2/access_log combined
# don't lose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off
# configures the footer on server-generated documents
ServerSignature On
#ScriptAlias /cgi-bin/ "/srv/www/vhosts/default/cgi-bin/"
#<Directory "/srv/www/vhosts/default/cgi-bin">
# AllowOverride None
# Options +ExecCGI -Includes
# Order allow,deny
# Allow from all
#</Directory>
<Directory "/home/homeuser/projectx/public/">
#
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
Options Multiviews Indexes
RailsEnv development
</Directory>
</VirtualHost>
Now the problem.
On my other server I can just call the IP of the server, and the Rails installation just opens fine.
Here it just goes into the "public" directory and lists all its contents to me.
I know a fix where you can alter the routes within the routes config file:
get '/something', to: 'start#index'
Now I can reach the website via the browser if I type the address:
server.ip/something
But like I said, I need a pretty much identical version.
So what I need is to be able to reach the site via:
server.ip and not server.ip/something
Any help appreciated. My colleagues and I are going crazy about this :-).
EDIT: As an answer to @Aakash Gupta:
Actually "something" is just any string I set in the routes file so I can enter the webapp via the browser. What I want instead is to enter the webapp just by typing the pure IP of the server into the browser, without the "something". So let's make an example: if I type into the browser www.website.com, it doesn't work. But if I set a route in the routes file, as shown above, I can enter the site by e.g. www.website/start.com or www.website/whatever.com. But I really don't want to have to type something after the URL as it has effects on other stuff. So I just want to type in the pure domain/server address, which would be website.com, and then the webapp should appear. Instead I just get shown the contents of the public folder, as there is no index file inside. But on my other server mod passenger is clever enough to still start the webapp, even if I set the public folder as the document root. Hope that clarifies my problem. Like I said, I didn't have problems on other servers. : /

Google authentication for Gerrit and Jenkins

Jenkins and Gerrit both have plugins for OpenID 2.0, but this API was deprecated by Google on May 19, 2014 (https://developers.google.com/accounts/docs/OpenID), making it impossible for new installations to use it, and existing installations must migrate to OAuth 2.0 (OpenID Connect). When trying to use OpenID 2.0 you will get the error message "Error 400: OpenID auth request contains an unregistered domain".
The Gerrit team is aware of the problem but there is no solution as of yet:
https://code.google.com/p/gerrit/issues/detail?id=2677
Not sure about Jenkins.
Update 2014/11/05: For those coming here the first place read on below. Thanks hans-zandbelt for the feedback. It is incorporated in the updated version. The setup now uses the suggested improvements and only uses mod_rewrite to redirect the gerrit logout url to the right place. Also note that instead of only using the non-domain part of the email the email is used unmodified. This means that if you happen to have an existing setup you need to change username mappings.
For Jenkins do the following:
move ${jenkins_home}/users/youruser to ${jenkins_home}/users/youruser@yourdomain
open ${jenkins_home}/config.xml, search for "youruser" and replace it with youruser@yourdomain
For Gerrit:
open the SQL database with one of the two methods below:
[Recommended] Either through the gerrit command available through ssh:
ssh gerrit.revault.ch gerrit gsql
OR on the machine itself (change GERRIT_HOME to where it is on your machine):
export GERRIT_HOME=/var/gerrit_home
pushd ${GERRIT_HOME}
java -cp $(find . -name "h2*.jar") org.h2.tools.Shell -url "jdbc:h2:file:${GERRIT_HOME}/db/ReviewDB;IFEXISTS=TRUE"
show external
select * from ACCOUNT_EXTERNAL_IDS;
The external ids map your account to different usernames, emails etc.
The ones prefixed with username: e.g. username:test@example.com are for ssh / git login names.
The ones prefixed with gerrit: e.g. gerrit:test@example.com are used for the web interface.
For a given account_id you can just add new mappings for existing users using SQL, e.g.
insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL,NULL, 'username:test@example.com');
insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL,NULL, 'gerrit:test@example.com');
Solution
You can use an Apache as a reverse proxy handling authentication for you:
Gerrit
Assuming you already have installed Gerrit and it is listening on address 10.10.10.10:8080.
You will have to configure gerrit to use basic authentication, the [auth] section in your
${gerrit_installation}/etc/gerrit.config should look like this:
[gerrit]
basePath = git
canonicalWebUrl = http://gerrit.example.com
[database]
type = h2
database = db/ReviewDB
[index]
type = LUCENE
[auth]
type = HTTP
emailFormat = {0}@example.com
httpHeader = X-Forwarded-User
[sendemail]
smtpServer = localhost
[container]
user = gerrit
javaHome = /usr/lib/jvm/java-8-oracle/jre
[sshd]
listenAddress = 10.10.10.10:2222
[httpd]
listenUrl = http://10.10.10.10:8080/
[cache]
directory = cache
The username will be in the header X-Forwarded-User. That's how Apache will forward the username to Gerrit.
On Apache we will use mod_auth_openidc, which has support for OAuth2. For further information and example docs refer to https://github.com/pingidentity/mod_auth_openidc. On a recent Ubuntu the installation looks like this:
sudo aptitude install libjansson-dev apache2 apache2-dev libcurl4-openssl-dev build-essential autoconf libhiredis-dev
git clone https://github.com/pingidentity/mod_auth_openidc.git
cd mod_auth_openidc
./autogen.sh
./configure
make
sudo make install
sudo a2enmod auth_openidc
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo a2enmod rewrite
You will need to add a site configuration e.g. gerrit.conf similar to the one below (you probably want TLS, too) to /etc/apache2/sites-available and activate it with:
sudo a2ensite gerrit.conf
The file /etc/apache2/sites-available/gerrit.conf looks like this:
<VirtualHost *:80>
ServerName gerrit.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <from api console>
OIDCClientSecret <from api console>
OIDCScope "openid email profile"
OIDCRedirectURI http://gerrit.example.com/oauth2callback
OIDCCryptoPassphrase <generate long random passphrase here, not sure if used>
OIDCSessionInactivityTimeout 600
OIDCCookiePath /
OIDCAuthRequestParams hd=example.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
RewriteEngine On
#LogLevel alert rewrite:trace2
RewriteRule ^/logout$ /oauth2callback?logout=http://gerrit.example.com/ [R]
ProxyPass / http://gerrit.example.com:8080/ nocanon
ProxyPassReverse / http://gerrit.example.com:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://gerrit.example.com:8080/*>
# add rewrites here if necessary
</Proxy>
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>
</VirtualHost>
In order to get the parameters OIDCClientID and OIDCClientSecret go to the API console under https://console.developers.google.com/project. The credentials are in the context of a project; if you don't have one, create a project first, e.g. example-it-authentication.
On the project go to APIs & auth:
Under APIs activate Google+ API.
Under Credentials, OAuth create new Client ID.
Fill in OIDCClientID and OIDCClientSecret in your apache config (e.g. gerrit.conf)
Under Consent screen fill in email and product name (you will get an error if you don't)
service apache2 restart
You should be done!
Jenkins
Assuming you already have installed Jenkins and it is listening on 10.10.10.11:8080.
For Jenkins the configuration is almost identical. You will need to install and activate the Reverse Proxy Auth Plugin http://wiki.jenkins-ci.org/display/JENKINS/Reverse+Proxy+Auth+Plugin. Under Configure Global Security check the "HTTP Header by reverse proxy" radio.
The default values correspond to the configuration below. You will need to create credentials matching the Jenkins hostname in the API console https://console.developers.google.com/project. Copy them into your config as before (e.g. jenkins.conf). That should be all.
<VirtualHost *:80>
ServerName jenkins.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <from api console>
OIDCClientSecret <from api console>
OIDCScope "openid email profile"
OIDCRedirectURI http://jenkins.example.com/oauth2callback
OIDCCryptoPassphrase <generate long random passphrase here, not sure if used>
OIDCSessionInactivityTimeout 600
OIDCCookiePath /
OIDCAuthRequestParams hd=example.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
ProxyPass / http://jenkins.example.com:8080/ nocanon
ProxyPassReverse / http://jenkins.example.com:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://jenkins.example.com:8080/*>
# add rewrites here if necessary
</Proxy>
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>
<Location ~ "^/(cli|jnlpJars|subversion|whoAmI|computer/[^/]+/slave-agent.jnlp|tcpSlaveAgentListener)">
Satisfy Any
Allow from all
</Location>
</VirtualHost>
Currently there doesn't seem to be support for groups in mod_auth_openidc. If you need groups you can install an LDAP server that stores them (but this probably isn't what you want since you are using Google auth) or wait until it is supported by mod_auth_openidc.
Google's OpenID 2.0 has been superseded by OpenID Connect. The Apache module mod_auth_openidc implements OpenID Connect so it can be used in a reverse proxy that fronts Gerrit/Jenkins as described by revau.lt.
However, be aware that relying on the non-domain part of an e-mail address as a unique identifier is insecure unless you restrict logins to a specific domain using the following two configuration settings:
OIDCAuthRequestParams hd=example.com
to skip Google's account chooser screen, and in the <Location> section:
Require claim hd:example.com
to restrict access to only users from the example.com Google domain. If your application is open to any Google account you should not use the e-mail prefix as the primary identifier because you run the collision risk that users in different domains have the same user prefix.
That is why it is better to rely on the full e-mail address, e.g.
OIDCRemoteUserClaim email
or the (opaque) primary identifier that Google uses in the sub claim, e.g.:
OIDCRemoteUserClaim sub
Furthermore, instead of rewriting claims into headers you can just use:
OIDCAuthNHeader X-Forwarded-User
Migration from OpenID 2.0 to OpenID Connect (retaining OpenID 2.0 user identifiers) is possible too, as described here and here, so you'd use:
OIDCAuthRequestParams openid.realm=<urlencoded-realm-value>
OIDCRemoteUserClaim openid_id
For an exhaustive overview of configuration primitives see: https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf
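The two decisions this answer argues about, modelled in code as an added example (not part of the answer and not mod_auth_openidc's implementation): the hosted-domain gate that Require claim hd:example.com enforces, and which claim becomes the X-Forwarded-User value. The ID-token claim sets are constructed samples; AccessDenied and the function names are assumptions, and "email_prefix" stands for the older setup that kept only the part before "@".

```python
"""Identity mapping behind an OpenID Connect reverse proxy (added example).

Models what the proxy decides after Google returns an ID token: first the
hd (hosted domain) gate, then the claim forwarded as X-Forwarded-User. The
claim dictionaries are constructed samples, not real Google responses.
"""


class AccessDenied(Exception):
    """Raised where Apache would answer 403 because a Require line failed."""


# Two different people who share the local part "alice" (constructed samples).
ALICE_EXAMPLE = {"sub": "110169484474386276334", "email": "alice@example.com",
                 "email_verified": True, "hd": "example.com"}
ALICE_OTHER = {"sub": "118223411287613562200", "email": "alice@other.org",
               "email_verified": True}   # consumer account: no hd claim at all


def check_hosted_domain(claims, required_hd):
    """Equivalent of 'Require claim hd:example.com' in the <Location> block.

    A missing hd claim fails the check just like a wrong one.
    """
    if claims.get("hd") != required_hd:
        raise AccessDenied(f"hd claim {claims.get('hd')!r} != {required_hd!r}")
    return True


def remote_user(claims, claim="email"):
    """Value that OIDCRemoteUserClaim selects for the X-Forwarded-User header.

    'email_prefix' models keeping only the part before '@' (the setup Gerrit
    completed with emailFormat = {0}@example.com); 'email' and 'sub' are the
    two choices the answer recommends instead.
    """
    if claim == "email_prefix":
        return claims["email"].split("@", 1)[0]
    return claims[claim]


def find_collisions(all_claims, claim):
    """Return remote-user values that two different accounts (sub) map to."""
    seen = {}
    collisions = set()
    for c in all_claims:
        user = remote_user(c, claim)
        if user in seen and seen[user] != c["sub"]:
            collisions.add(user)
        seen.setdefault(user, c["sub"])
    return collisions


def forwarded_user(claims, required_hd=None, claim="email"):
    """Full proxy decision: optional hd gate, then the header value."""
    if required_hd is not None:
        check_hosted_domain(claims, required_hd)
    return remote_user(claims, claim)


if __name__ == "__main__":
    # Without the hd gate, the prefix scheme merges two unrelated people.
    print(find_collisions([ALICE_EXAMPLE, ALICE_OTHER], "email_prefix"))  # {'alice'}
    print(find_collisions([ALICE_EXAMPLE, ALICE_OTHER], "email"))         # set()
```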
As far as I know, the fastest way to log in to Gerrit with a Google account is:
Create a Client ID in the Google Developers Console
Download this release of Gerrit and the Google-OAuth-provider plugin
Re-initialize Gerrit: java -jar gerrit-2.10.1-4-a83387b.war init -d gerrit_site_path
And restart it: gerrit_site_path/bin/gerrit.sh restart
For Jenkins there is a new Google-login plug-in.

Issue on Redirecting Projects on WampServer Index Page

Using WampServer 2.5 on Windows 7 Ultimate 64 bit, I am not able to redirect from the Wamp index page to the project URLs. For example, I have a project called "Proj 1" which is listed under "Your Projects", but when I click on it the address bar only changes to
Proj 1
and I get this error message on the page: Oops! Google Chrome could not find Proj 1
When I add localhost/ to the URL box it works fine. I tried to reinstall Wamp several times but it didn't fix the issue.
Can you please let me know why this is happening and how I can fix it?
The QUICK AND DIRTY way to revert to the old behaviour and undo this new INTENDED functionality is:-
Edit \wamp\index.php
Find this line at approximately line 34
$suppress_localhost = true;
And change it to
$suppress_localhost = false;
CORRECT Solution
Is to create a VirtualHost for each of your projects that you want to store under the \wamp\www\ folder. Or anywhere else for that matter.
Edit the file \wamp\bin\apache\apache2.4.9\conf\extra\httpd-vhosts.conf
change version number to match your installed version of apache
Remove its default contents and add this to define your first VirtualHost definition
<VirtualHost *:80>
ServerName proj1
DocumentRoot C:/wamp/www/proj1
<Directory "C:/wamp/www/proj1/">
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Require local
</Directory>
</VirtualHost>
Save it!
Now edit the httpd.conf file ( using the wampmanager menu links ) and uncomment the line that includes the file we have just changed.
Find
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
And remove the # comment character like so :-
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
Now edit the HOSTS file C:\windows\system32\drivers\etc\hosts and add a new line to tell windows that there is a site called proj1 so it should end up looking like this :-
127.0.0.1 localhost
::1 localhost
127.0.0.1 proj1
::1 proj1
Remember you have to be an Administrator to edit the hosts file!!! Hit the Windows key, type note, right click on Notepad and choose Run as Administrator.
Now to apply that change to the HOSTS file either reboot or
Start a command window using "Run as Administrator" and run these 2 commands :-
net stop Dnscache
net start Dnscache
This will refresh the Windows DNS cache, and your new site will be addressable.
Now last of all restart the Apache service so it picks up your new VirtualHost definition.
wampmanager -> Apache -> Service -> Restart service
PS: Remove the space from the "proj 1" folder name. Spaces can cause odd issues. Remember Apache was ported from Unix and Unix does not really like spaces in directory names.
One option could be updating the www index.php (Line 338) from
$projectContents .= '<li>'.$file.'</li>';
to
$projectContents .= '<li>'.$file.'</li>';

Trouble on setting SSL certificates for Virtual Hosts using Apache\Phusion Passenger in localhost

I am using Ruby on Rails 3 and I would like to make HTTPS connections work on localhost.
I am using:
Apache v2 + Phusion Passenger
Mac OS + Snow Leopard v10.6.6
My Ruby on Rails installation uses the Typhoeus gem (it is possible to use the Ruby net/http library but the result doesn't change) to make HTTP requests over HTTPS.
I created self-signed ca.key, pjtname.crt and pjtname.key as detailed on the Apple website.
Note: following the instructions from the Apple website, when running the openssl req -new -key server.key -out server.csr command (see the link), at this point
Common Name (eg, YOUR name) []: (this is the important one)
I entered *.pjtname.com so that it is valid for all sub-domains of that site.
In my Apache httpd.conf I have two virtual hosts configured in this way:
# Secure (SSL/TLS) connections
#Include /private/etc/apache2/extra/httpd-ssl.conf
#
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include /private/etc/apache2/other/*.conf
# Passenger configuration
LoadModule passenger_module /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2/ext/apache2/mod_passenger.so
PassengerRoot /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2
PassengerRuby /Users/<my_user_name>/.rvm/wrappers/ruby-1.9.2-p136/ruby
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
# Ensure that Apache listens on port 443
Listen 443
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80
NameVirtualHost *:443
#
# PJTNAME.COM and subdomains SETTING
#
<VirtualHost *:443>
# Because this virtual host is defined first, it will
# be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
# SNI.
ServerName pjtname.com:443
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"
ServerAdmin you@example.com
ErrorLog "/private/var/log/apache2/error_log"
TransferLog "/private/var/log/apache2/access_log"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
# SSL Configuration
SSLEngine on
# Self Signed certificates
# Server Certificate
SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt
# Server Private Key
SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key
# Server Intermediate Bundle
SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt
</VirtualHost>
# HTTP Setting
<VirtualHost *:80>
ServerName pjtname.com
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName users.pjtname.com:443
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"
ServerAdmin you@example.com
ErrorLog "/private/var/log/apache2/error_log"
TransferLog "/private/var/log/apache2/access_log"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
# SSL Configuration
SSLEngine on
# Self Signed certificates
# Server Certificate
SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt
# Server Private Key
SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key
# Server Intermediate Bundle
SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt
</VirtualHost>
# HTTP Setting
<VirtualHost *:80>
ServerName users.pjtname.com
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
In the host file I have:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
# PJTNAME.COM SETTING
127.0.0.1 pjtname.com
127.0.0.1 users.pjtname.com
Everything seems to work properly because I have already set everything up (correctly, I think):
I generated a wildcard certificate for my domain and sub-domains (in this example: *.pjtname.com)
I have set up name-based virtual hosts in the httpd.conf file listening on ports :443 and :80
My browser accepts the certificates even though it warns me that they aren't safe (notice: I must accept the certificates for each domain/sub-domain; that is, [only] the first time I access a domain or sub-domain over HTTPS I must go through the same acceptance procedure) and I can access pages using HTTPS
After all this work, when I make a request using Typhoeus (I can also use the Ruby Net::HTTP library and the result doesn't change) from the pjtname.com RoR application:
# Typhoeus request
Typhoeus::Request.get("https://users.pjtname.com/")
I get something like a warning about the certificate:
--- &id001 !ruby/object:Typhoeus::Response
app_connect_time: 0.0
body: ""
code: 0
connect_time: 0.000625
# Here is the warning
curl_error_message: Peer certificate cannot be authenticated with known CA certificates
curl_return_code: 60
effective_url: https://users.pjtname.com/
headers: ""
http_version:
mock: false
name_lookup_time: 0.000513
pretransfer_time: 0.0
request: !ruby/object:Typhoeus::Request
after_complete:
auth_method:
body:
...
All this means that something is wrong. So, what do I have to do to avoid the "Peer certificate cannot be authenticated with known CA certificates" warning and make the HTTPS request work? Where is/are the error/errors (I think in the Apache configuration, but where?!)?
P.S.: if you need some more info, let me know.
I think your Apache configuration is OK; it's just that since you're using a self-signed cert, you need to specify on the client side that you're trusting the certifying authority.
It looks like Typhoeus uses curl, which has its own certificate store, independent of OS X's Keychain (which is what would be used by your browser).
On my box, it's at /opt/local/share/curl/curl-ca-bundle.crt, and is just a concatenated list of certifying authorities. To get rid of the warning, you should be able to add your CA that you created to the end of that file:
cat /path/to/ca.crt >> /path/to/curl-ca-bundle.crt
(or you can edit it manually to put in some comment about what that cert is)
However, at the next curl update, you might very well lose those changes, so it might be better to have curl simply not verify the peer's certificate. (might be good to have different prod/dev settings for that in your app). I've never used Typhoeus, but it looks like you can specify the following:
:disable_ssl_peer_verification => true
when you make calls:
Typhoeus::Request.get("https://mail.google.com/mail", :disable_ssl_peer_verification => true).
Curl has a verify_peer and a verify_host setting. If I remember correctly, verify_peer checks that the certificate is signed by a trusted authority, and verify_host checks that the certificate was issued to the host you're connecting to.
There's some info about using self-signed certs in the readme: https://github.com/dbalatero/typhoeus
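As an added example (not from the original answer or the Typhoeus project), the Ruby/OpenSSL equivalents of curl's two checks, run against an in-memory CA and a wildcard leaf certificate constructed here to mirror the question's *.pjtname.com setup; the context at the end is the trust-the-specific-CA alternative to disabling peer verification.

```ruby
require "openssl"

# Added example, not code from the answer or from Typhoeus: a throwaway CA and
# wildcard leaf (constructed names) illustrate curl's verify_peer/verify_host.
def make_cert(subject:, key:, serial:, ca:, issuer: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                               # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))   # returns cert
end
# The local CA (the question's ca.crt) and the wildcard leaf it signed.
def build_test_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert(subject: "/CN=pjtname local CA", key: ca_key, serial: 1, ca: true)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv = make_cert(subject: "/CN=*.pjtname.com", key: srv_key, serial: 2, ca: false,
                  issuer: ca, issuer_key: ca_key, san: "DNS:*.pjtname.com")
  [ca, srv]
end
# verify_peer: does the leaf chain to a CA we trust? An empty list is curl's
# view before ca.crt is appended to its bundle.
def peer_trusted?(server_cert, trusted_cas)
  store = OpenSSL::X509::Store.new               # deliberately not the system store
  trusted_cas.each { |c| store.add_cert(c) }
  store.verify(server_cert)
end
# verify_host: was the cert issued for the name we connected to? RFC 6125 rules:
# *.pjtname.com covers users.pjtname.com, not bare pjtname.com or a.b.pjtname.com.
def host_matches?(server_cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
end
# Client-side fix: trust the specific CA with both checks left on (usable as a
# Net::HTTP SSL context) instead of turning peer verification off.
def client_ssl_context(trusted_cas)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| ctx.cert_store.add_cert(c) }
  ctx
end
```

Note that the wildcard does not cover the bare pjtname.com vhost from the question, so a request to that name would fail the host check even with the CA trusted.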

Why am I getting a permission denied error on my public folder?

This one has got me stumped. I'm deploying a Rails 3 app to Slicehost running Apache 2 and Passenger. My server is running Ruby 1.9.1 using RVM.
I am receiving a permission denied error on the "public" folder in my app. My Virtual Host is set up as follows:
<VirtualHost *:80>
ServerName sharerplane.com
ServerAlias www.sharerplane.com
ServerAlias *.sharerplane.com
DocumentRoot /home/robinjfisher/public_html/sharerplane.com/current/public/
<Directory "/home/robinjfisher/public_html/sharerplane.com/public/">
AllowOverride all
Options -MultiViews
Order allow,deny
Allow from all
</Directory>
PassengerDefaultUser robinjfisher
</VirtualHost>
I've tried the following things: trailing slash on public; no trailing slash on public; PassengerUserSwitching on and off; PassengerDefaultUser set and not set; with and without the <Directory> block.
The public folder is owned by robinjfisher:www-data and Passenger is running as robinjfisher so I can't see why there are permission issues.
Does anybody have any thoughts?
Thanks
Robin
PS. Have disabled the site for the time being to avoid indexing so what is there currently is not the site in question.
Check your actual home directory, /home/robinjfisher, to ensure its "other" executable bit is set, i.e. the directory has permissions of NN1 or higher, where N is whatever you like (e.g. 751 or 701).
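To make that check systematic, an added example (not from the original thread) that walks every directory between a base and the DocumentRoot and reports the first one lacking the "other" execute bit, run here against a constructed tree that mirrors the question's /home/robinjfisher layout:

```ruby
require "fileutils"
require "tmpdir"

# Added example, not from the thread: report the first directory on the way to
# a DocumentRoot that users outside the owning user/group cannot traverse, i.e.
# whose execute bit for "other" (the trailing 1 in 751/701) is missing. Apache
# and Passenger need that bit on every ancestor, not only on public/ itself.
# Only components below +base+ are inspected, so a private sandbox directory
# above the tree does not trigger a false alarm.
def first_untraversable_ancestor(path, base: "/")
  dir = File.expand_path(path)
  base = File.expand_path(base)
  checked = []
  while dir != base && dir != File.dirname(dir)
    checked.unshift(dir)                 # collect in top-down order
    dir = File.dirname(dir)
  end
  checked.each do |d|
    mode = File.stat(d).mode
    return d if (mode & 0o001).zero?     # no o+x here: "permission denied"
  end
  nil
end

# Constructed tree mirroring the question, with the classic mistake of a home
# directory at 700 while everything below it is 755.
def build_sample_tree(base)
  home = File.join(base, "robinjfisher")
  pub = File.join(home, "public_html", "sharerplane.com", "current", "public")
  FileUtils.mkdir_p(pub)
  dir = pub
  until dir == home
    File.chmod(0o755, dir)
    dir = File.dirname(dir)
  end
  File.chmod(0o700, home)
  [home, pub]
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    home, pub = build_sample_tree(tmp)
    puts "blocked at: #{first_untraversable_ancestor(pub, base: tmp).inspect}"
    File.chmod(0o701, home)              # the fix suggested in the answer
    puts "blocked at: #{first_untraversable_ancestor(pub, base: tmp).inspect}"
  end
end
```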
I found the problem. I had moved some js/css files relating to a plugin and the plugin was then trying to reinstall them as it couldn't find them where it thought they should be.
I commented out the installation code and it works fine now.
Robin

Resources