User:Alvonruff/HTTPS Notes

From ISFDB

Apache

  • dnf install mod_ssl
  • systemctl restart httpd
  • httpd -M
  • cd /etc/httpd/conf.d
  • Create file isfdb2.org.conf
  • Add the following contents:
<VirtualHost *:80>
    ServerName stage.isfdb2.org
    DocumentRoot /var/www/html
    ServerAlias isfdb2.org
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
</VirtualHost>
  • service httpd restart

Certificate Support Software

  • dnf install epel-release
  • dnf install snapd
  • dnf install certbot
  • dnf install python3-certbot-apache

Certificates

  • certbot --apache
    • Select isfdb2.org
  • systemctl restart httpd

Settings

  • Change PROTOCOL in localdefs.py to "https"
  • Change $wgServer in /var/www/html/wiki/LocalSettings.php to use https

The New Password Algorithm

                # Module-level imports used by this fragment
                import base64
                import hmac
                from hashlib import pbkdf2_hmac

                wikiPass = record[0][1]

                # Extract the various fields stored in the user_password field
                # (layout: ":<encryption>:<hashAlgo>:<cost>:<keylen>:<salt>:<key>")
                fields = str(wikiPass).split(":")
                encryption = fields[1]
                hashAlgo = fields[2]
                cost   = int(fields[3])
                keylen = int(fields[4])

                # Decode the salt and key fields
                base64_salt   = fields[5]
                base64_key    = fields[6]
                salt          = base64.b64decode(base64_salt)
                dbaseKey      = base64.b64decode(base64_key)

                # Derive a key of the stored length and compare in constant time
                submittedKey = pbkdf2_hmac(hashAlgo, password.encode('utf-8'), salt, cost, keylen)
                if not hmac.compare_digest(submittedKey, dbaseKey):
                        doError('Bad password')
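As an added example (not the ISFDB code itself), the same check written as a self-contained function that returns False for malformed or non-pbkdf2 records instead of raising on them. The function names, the digest allow-list, the cost ceiling and the sample parameters are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

ALLOWED_DIGESTS = {"sha256", "sha512"}  # assumption: digests this site accepts
MAX_COST = 1000000                      # assumption: ceiling on iteration count


def make_record(password, digest="sha512", cost=10000, keylen=64):
    """Build a ':pbkdf2:digest:cost:keylen:salt:key' record (constructed test data)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, cost, keylen)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return ":pbkdf2:%s:%d:%d:%s:%s" % (digest, cost, keylen, b64(salt), b64(key))


def verify_password(record, password):
    """Return True only if password matches a well-formed pbkdf2 record."""
    fields = record.split(":")
    if len(fields) != 7 or fields[0] != "" or fields[1] != "pbkdf2":
        return False                    # other scheme, or a truncated row
    digest = fields[2]
    if digest not in ALLOWED_DIGESTS:
        return False                    # refuse weak or unknown digests
    try:
        cost, keylen = int(fields[3]), int(fields[4])
        salt = base64.b64decode(fields[5], validate=True)
        stored = base64.b64decode(fields[6], validate=True)
    except ValueError:                  # bad integer or bad base64
        return False
    if not 1 <= cost <= MAX_COST or keylen < 1 or keylen != len(stored):
        return False                    # stored key must match declared length
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, cost, keylen)
    return hmac.compare_digest(derived, stored)   # constant-time comparison


if __name__ == "__main__":
    rec = make_record("correct horse", cost=1000)
    print(rec)
    print(verify_password(rec, "correct horse"), verify_password(rec, "wrong"))
```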

Issues to Resolve

  • Fixed the isfdb login issue, implementing a new algorithm using pbkdf2
  • Interestingly, the wiki login is not working (sort of):
    • When you log in, it is actually successful, but takes you back to the http version of the URL.
    • So that cookie doesn't match
    • If you go back to isfdb2.org and then punch the Wiki link, it shows you as logged in.

When logged out of both isfdb and the wiki, there is one cookie (whether you are on an isfdb page or wiki page):

  • isfdb_mw_UserName = my user name

After login on the isfdb side:

  • isfdbUserName
  • isfdbToken
  • isfdbUserID
  • isfdb_mw_UserName

After login on the wiki side, and thrown into http:

  • isfdbUserName
  • isfdbToken
  • isfdbUserID

Then after moving to an https version of the page:

  • isfdbUserName
  • isfdbToken
  • isfdbUserID
  • isfdb_mw_UserID
  • isfdb_mw_UserName
  • isfdb_mw_session