Difference between revisions of "User:Alvonruff/HTTPS Notes"

From ISFDB
 
(12 intermediate revisions by the same user not shown)
Line 13: Line 13:
 
     ErrorLog /var/www/error.log
 
     ErrorLog /var/www/error.log
 
     CustomLog /var/www/requests.log combined
 
     CustomLog /var/www/requests.log combined
 +
    Redirect permanent / https://isfdb2.org/
 
</VirtualHost>
 
</VirtualHost>
 
</pre>
 
</pre>
* service httpd restart
+
* systemctl restart httpd
  
 
==Certificate Support Software==
 
==Certificate Support Software==
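Review bot: the added `Redirect permanent / https://isfdb2.org/` line takes effect at the `systemctl restart httpd` step right after it, and both sit above the Certificate Support Software section. Anyone following the notes top to bottom will redirect every request handled by this virtual host to HTTPS before a certificate exists. Suggest moving the Redirect line (and its restart) to after the certificate steps, or adding a note that it is only enabled once HTTPS answers. Because the redirect is permanent, browsers cache it, so a mistake here is slow to undo.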
Line 27: Line 28:
 
** Select ''isfdb2.org''
 
** Select ''isfdb2.org''
 
* systemctl restart httpd
 
* systemctl restart httpd
 +
 +
==Settings==
 +
* Change PROTOCOL in localdefs.py to "https"
 +
* Change $wgServer in /var/www/html/wiki/LocalSettings.php to use https
 +
* Go to the wiki and type MediaWiki:Sidebar in the search window. Edit that page and change http to https
  
 
==The New Password Algorithm==
 
==The New Password Algorithm==
 +
This code replaces the current version in submitlogin.py:
 +
 
<pre>
 
<pre>
 
                 wikiPass = record[0][1]
 
                 wikiPass = record[0][1]
Line 50: Line 58:
 
</pre>
 
</pre>
  
==Issues to Resolve==
+
==Certificate Renewals==
 +
 
 +
The current status of the certificates can be seen with: '''certbot certificates'''
 +
 
 +
A renewal can be performed with: '''/usr/bin/certbot renew --cert-name isfdb2.org'''
  
* Fixed the isfdb login issue, implementing a new algorithm using pbkdf2
+
This '''does''' renew both isfdb2.org and www.isfdb2.org
* Interestingly, the wiki login is not working (sort of):
 
** When you log in, it is actually successful, but takes you back to the http version of the URL.
 
** So that cookie doesn't match
 
** If you go back to isfdb2.org and then punch the Wiki link, it shows you as logged in.
 
  
When logged out of both isfdb and the wiki, there is one cookie (whether you are on an isfdb page or wiki page):
+
==Issues to Resolve==
* isfdb_mw_UserName = my user name
 
  
After login on the isfdb side:
+
None now.
* isfdbUserName
 
* isfdbToken
 
* isfdbUserID
 
* isfdb_mw_UserName
 
  
After login on the wiki side, and thrown into http:
+
==Areas of Deeper Study==
* isfdbUserName
 
* isfdbToken
 
* isfdbUserID
 
  
Then after moving to an https version of the page:
+
* https://www.openssl.org/
* isfdbUserName
+
* https://www.feistyduck.com/library/openssl-cookbook/online/
* isfdbToken
+
* https://www.itu.int/rec/T-REC-X.509/en
* isfdbUserID
+
* https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
* isfdb_mw_UserID
+
* https://httpd.apache.org/docs/2.4/ssl/
* isfdb_mw_UserName
+
* https://httpd.apache.org/docs/2.4/vhosts/
* isfdb_mw_session
+
* https://eff-certbot.readthedocs.io/en/stable/
 +
* https://github.com/certbot/certbot
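Review bot: the new Certificate Renewals section gives only the manual command `/usr/bin/certbot renew --cert-name isfdb2.org` and does not say whether anything runs it on a schedule. Suggest recording whether a timer or cron job is in place and adding a `certbot renew --dry-run` check, so that an expired certificate is not the first sign that renewal has stopped. The same hunk replaces the cookie analysis under Issues to Resolve with "None now."; one line naming the change that fixed the wiki login returning to the http URL would keep that diagnosis useful.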

Latest revision as of 17:12, 1 October 2022

Apache

  • dnf install mod_ssl
  • systemctl restart httpd
  • httpd -M
  • cd /etc/httpd/conf.d
  • Create file isfdb2.org.conf
  • Add the following contents:
<VirtualHost *:80>
    ServerName stage.isfdb2.org
    DocumentRoot /var/www/html
    ServerAlias isfdb2.org
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
    Redirect permanent / https://isfdb2.org/
</VirtualHost>
  • systemctl restart httpd

Certificate Support Software

  • dnf install epel-release
  • dnf install snapd
  • dnf install certbot
  • dnf install python3-certbot-apache

Certificates

  • certbot --apache
    • Select isfdb2.org
  • systemctl restart httpd

Settings

  • Change PROTOCOL in localdefs.py to "https"
  • Change $wgServer in /var/www/html/wiki/LocalSettings.php to use https
  • Go to the wiki and type MediaWiki:Sidebar in the search window. Edit that page and change http to https

The New Password Algorithm

This code replaces the current version in submitlogin.py:

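                wikiPass = record[0][1]

                # Needs at module level: import base64, hmac
                # and: from hashlib import pbkdf2_hmac

                # Extract the various fields stored in the user_password field
                # (fields[0] is whatever precedes the first ":" and is not used)
                fields = str(wikiPass).split(":")
                encryption = fields[1]
                hashAlgo = fields[2]
                cost   = int(fields[3])
                keylen = int(fields[4])

                # Decode the salt and key fields
                base64_salt   = fields[5]
                base64_key    = fields[6]
                salt          = base64.b64decode(base64_salt)
                dbaseKey      = base64.b64decode(base64_key)

                # Derive keylen bytes so the result has the same length as the stored key
                submittedKey = pbkdf2_hmac(hashAlgo, password.encode('utf-8'), salt, cost, keylen)
                # Compare in constant time instead of with != on hex strings
                if not hmac.compare_digest(submittedKey, dbaseKey):
                        doError('Bad password')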
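
The same check as a self-contained function, added here as an example (it is not ISFDB's code). It assumes the field layout implied by the indices above, `:pbkdf2:<hash>:<cost>:<keylen>:<salt>:<key>`; the names `make_record` and `verify_password` are hypothetical, and the sample parameters are constructed.

```python
import base64
import hashlib
import hmac
import os


def make_record(password, hash_algo="sha512", cost=30000, keylen=64, salt=None):
    """Build a constructed sample record in the layout the login code parses."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac(hash_algo, password.encode("utf-8"), salt, cost, keylen)
    return ":".join([
        "", "pbkdf2", hash_algo, str(cost), str(keylen),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(stored, password):
    """Return True only if password derives the key held in the stored record."""
    fields = str(stored).split(":")
    # Expect exactly: '', scheme, hash, cost, keylen, salt, key
    if len(fields) != 7 or fields[1] != "pbkdf2":
        return False
    try:
        hash_algo = fields[2]
        cost, keylen = int(fields[3]), int(fields[4])
        salt = base64.b64decode(fields[5], validate=True)
        stored_key = base64.b64decode(fields[6], validate=True)
        # A key whose length disagrees with keylen means a damaged record
        if cost < 1 or keylen < 1 or len(stored_key) != keylen:
            return False
        # Passing keylen matters: without it the output length is the digest
        # size, which only matches the stored key when the two happen to agree
        derived = hashlib.pbkdf2_hmac(
            hash_algo, password.encode("utf-8"), salt, cost, keylen)
    except (ValueError, TypeError):
        # Non-numeric cost/keylen, bad base64, or an unsupported hash name
        return False
    # Constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(derived, stored_key)


if __name__ == "__main__":
    record = make_record("correct horse", salt=b"constructed-salt")
    print(record)
    print(verify_password(record, "correct horse"), verify_password(record, "wrong"))
```

A malformed record is treated as a failed login rather than an exception, so a damaged row cannot crash the login script.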

Certificate Renewals

The current status of the certificates can be seen with: certbot certificates

A renewal can be performed with: /usr/bin/certbot renew --cert-name isfdb2.org

This does renew both isfdb2.org and www.isfdb2.org.

Issues to Resolve

None now.

Areas of Deeper Study