Linux Programmer | RHCE | RHCSA

Wednesday, 13 September 2023

SSL setup in webservers

1. Set up SSL in Tomcat using a certificate, chain certificate and private key.

For example:

1. website.crt (main certificate file)

2. website-ca.crt (chain certificate)

3. website.key (private key)

Open server.xml, which is located in the Tomcat base directory.

nano $CATALINA_BASE/Tomcat/conf/server.xml

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
           compression="force" compressionMinSize="1024" useSendfile="false" noCompressionUserAgents="gozilla, traviata"
           URIEncoding="UTF-8" useBodyEncodingForURI="true"
           connectionTimeout="20000"
           enableLookups="false"
           maxThreads="1500" SSLEnabled="true"
           defaultSSLHostConfigName="Domain-name" maxParameterCount="-1">
    <!-- defaultSSLHostConfigName must match the hostName of one SSLHostConfig,
         otherwise Tomcat refuses to start the connector -->
    <SSLHostConfig hostName="Domain-name" protocols="TLSv1.2">
        <Certificate certificateFile="PATH-To-SSL-Directory/website.crt"
                     certificateKeyFile="PATH-To-SSL-Directory/website.key"
                     certificateChainFile="PATH-To-SSL-Directory/website-ca.crt" />
    </SSLHostConfig>
</Connector>

Restart Tomcat service.

2. Generate the private key and CSR with keytool, then import the certificate and chain certificate.

Generate CSR:
keytool -keysize 2048 -genkey -alias website -keyalg RSA -keystore website.keystore
keytool -certreq -keyalg RSA -alias website -file website.csr -keystore website.keystore
[Keep the keystore password used when generating the CSR; it is needed again below.]

Submit the CSR to your certificate provider and obtain the issued certificate and chain certificate, then import them:
keytool -import -alias root -keystore website.keystore -trustcacerts -file website.crt
keytool -import -alias intermed -keystore website.keystore -trustcacerts -file website-ca.crt
keytool -import -alias website -keystore website.keystore -trustcacerts -file website.crt
keytool -importkeystore -srckeystore website.keystore -destkeystore website.keystore -deststoretype pkcs12
openssl pkcs12 -in website.keystore -out website.pem

Now add the configuration to server.xml:

nano $CATALINA_BASE/Tomcat/conf/server.xml

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
           compression="force" compressionMinSize="1024" useSendfile="false" noCompressionUserAgents="gozilla, traviata"
           URIEncoding="UTF-8" useBodyEncodingForURI="true"
           connectionTimeout="20000"
           enableLookups="false"
           maxThreads="1500" SSLEnabled="true"
           defaultSSLHostConfigName="Domain-name" maxParameterCount="-1">
    <SSLHostConfig hostName="Domain-name">
        <!-- website.pem holds both the private key and the certificate, so no
             certificateKeyFile is needed; certificateKeyPassword is the PEM pass
             phrase entered during the openssl pkcs12 export -->
        <Certificate certificateFile="PATH-TO-SSL/website.pem" certificateKeyPassword="certificate-password"
                     certificateChainFile="PATH-TO-SSL/website-ca.crt" />
    </SSLHostConfig>
</Connector>

3. Set up the above SSL certificates on an Nginx web server.

Below are the files generated earlier (in solution 2):
1. website.csr
2. website.crt
3. website-ca.crt
4. website.pem

a. Extract the private key from the generated .pem file using the command below (it prints the key in text form followed by the PEM block).

openssl rsa -text -in website.pem

Copy the PEM block into a file named website.key. An example of the key file format is given below.

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAgVa6C3+/p3AfEn1ZW8KgnxAegMgjv/AllpBEeC0lB2gAkecS
xvraI+PyyzjI7maEktIPw4k2TXafsl/OYZXbPOXpSVaeIZyKCW80RsApDvJysJq/
V0g6WQKBgQCzJMUlOXFUrPKelDfhS4/7YNYmm2+ztcj/X7SXMvaA7vY424KHc9br
MzqnExB01Ge1VDB5xKrEeWtcp30mQ8E9KQfVEIlJO4dsCDVL32+beY57kWbIivlC
mf3YvqeBdnRRSjanxn5bsHqu91GLP4jQIuBNKkz8dRYwBSVcZnb1SA==
-----END RSA PRIVATE KEY-----

b. Create a combined certificate file by concatenating the CRT and the chain certificate file, server certificate first (a single redirect; a second '>' would overwrite the first file):
cat website.crt website-ca.crt > website-combine.crt

c. Open the SSL configuration file of nginx:

/etc/nginx/conf.d/ssl.conf

server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name domainname.in;
    # nginx has no separate chain directive: ssl_certificate must hold the server
    # certificate followed by the chain, i.e. website-combine.crt from step b
    ssl_certificate     /PATH-TO-SSL/website-combine.crt;
    ssl_certificate_key /PATH-TO-SSL/website.key;
    # SSL Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 4h;
    ssl_session_tickets off;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /PATH-TO-SSL/website-combine.crt;
    location / {
        # "tomssl" is the upstream group for the Tomcat HTTPS backend, defined elsewhere
        proxy_pass              https://tomssl/;
        proxy_set_header        Host               $host;
        proxy_set_header        X-Real-IP          $remote_addr;
        proxy_set_header        X-Forwarded-For    $remote_addr;
        proxy_set_header        X-Forwarded-Host   $host:443;
        proxy_set_header        X-Forwarded-Server $host;
        proxy_set_header        X-Forwarded-Port   443;
        proxy_set_header        X-Forwarded-Proto  $scheme;
        allow all;
    }
    error_page 500 502 503 504 /server-busy.html;
    location = /server-busy.html {
        root /usr/share/nginx/html;
        internal;
    }
}
d. Restart Nginx.
nginx -t
systemctl restart nginx
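The combine step (b) and the nginx certificate file (c) are where this setup most often goes wrong, so here is an added example, not from the original post, that builds throwaway test certificates, combines them in the order nginx expects and checks the bundle and key before deployment. It assumes only the openssl command-line tool; all certificate material is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build throwaway certificates,
# combine them (server certificate first, then the chain) and check the bundle
# and key before deploying. Assumes openssl; all material below is constructed.
set -e

make_demo_certs() {   # constructed 1-day CA and server certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
      -keyout ca.key -out website-ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
      -keyout website.key -out website.csr 2>/dev/null
  openssl x509 -req -days 1 -in website.csr -CA website-ca.crt -CAkey ca.key \
      -CAcreateserial -out website.crt 2>/dev/null
}

# One redirect, both files: a second '>' would overwrite the server certificate.
combine_certs() { cat website.crt website-ca.crt > website-combine.crt; }

# Returns 0 when the bundle starts with the server certificate, every
# certificate is followed by its issuer, and the private key matches the first.
check_chain() {
  combined=$1; key=$2; tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$combined"
  count=$(ls "$tmp" | wc -l | tr -d ' ')
  if [ "$count" -lt 2 ]; then
    echo "bundle has $count certificate(s); expected server cert plus chain"; return 1
  fi
  cert_pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match the first certificate (wrong order?)"; return 1
  fi
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "certificate $i is not followed by its issuer"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "bundle order and key match OK ($count certificates)"
}

WORK=$(mktemp -d) && cd "$WORK"
make_demo_certs && combine_certs
check_chain website-combine.crt website.key
```

Run check_chain against the real website-combine.crt and website.key before nginx -t; it catches both the overwritten bundle and a chain placed before the server certificate.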

4. Set up SSL in the Apache web server.

Open the SSL configuration file of Apache and add the configuration below.

/etc/apache2/sites-available/default-ssl.conf
        <VirtualHost *:443>
                <Directory /path/to/website/dir>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
                    Require all granted
                </Directory>
                ServerAdmin purval@test.com
                ServerName impurval.blogspot.com
                ServerAlias www.impurval.blogspot.com
                DocumentRoot /path/to/website/dir
                ErrorLog ${APACHE_LOG_DIR}/website.log
                #CustomLog ${APACHE_LOG_DIR}/phpmyadmin_access.log combined
                SSLEngine on
                SSLCertificateFile "/path/to/ssl/website.crt"
                SSLCertificateKeyFile "/path/to/ssl/website.key"
                SSLCertificateChainFile "/path/to/ssl/website-ca.crt"
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
                </Directory>
                Protocols h2 h2c http/1.1
        </VirtualHost>
Restart Apache.
apachectl -t
/etc/init.d/apache2 restart

5. Set up a free Let's Encrypt SSL certificate.

Please note that these SSL certificates are valid for 3 months only, after which they must be renewed.
1. Install the certbot package if it is not installed.

apt-get install certbot
2. If a web server is already running on port 443 with SSL, the application needs to be stopped first.
3. Generate the certificates using the command below.
sudo certbot certonly --standalone -d domain-name.com

4. Add the configuration entry to the configuration file. Below are the SSL configuration settings for the Tomcat web server.

nano $CATALINA_BASE/conf/server.xml

<SSLHostConfig hostName="domain-name.com">
    <Certificate certificateFile="/etc/letsencrypt/live/domain-name.com/cert.pem"
                 certificateKeyFile="/etc/letsencrypt/live/domain-name.com/privkey.pem"
                 certificateChainFile="/etc/letsencrypt/live/domain-name.com/chain.pem" />
</SSLHostConfig>

Monday, 3 July 2023

Block specific web access calls using nginx

Task:

Block specific web calls (e.g. /webservice?token=test123) and allow other calls using nginx.

Solution:

1. Make the changes in the nginx configuration file below.

nano /etc/nginx/conf/80.conf

upstream backend {
    ip_hash;
    server 172.31.25.94;
}
server {
    listen      80;
    listen      [::]:80;
    ## Block the test123 call; other /webservice calls go to the backend
    location /webservice {
        if ($arg_token = "test123") {
            return 403;
        }
        proxy_pass  http://backend;
    }
    ## All other calls
    location / {
        proxy_pass  http://backend;
        proxy_set_header        Host              $http_host;
        proxy_set_header        X-Forwarded-By    $server_addr:$server_port;
        proxy_set_header        X-Forwarded-For   $remote_addr;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Real-IP         $remote_addr;
    }
}

The same change needs to be made in the ssl.conf file as well, otherwise the call is still reachable over HTTPS.

2. Verify the nginx configuration.

nginx -t

3. Reload the nginx service.

systemctl reload nginx
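To confirm the rule is actually applied on every server block (the HTTP one above and ssl.conf), here is an added example that is not part of the original post: a Python model of the location/if rule run over constructed access-log lines, reporting requests that should have been blocked but were logged with a status other than 403. It assumes nginx's default "combined" log format and the same "test123" token as the configuration.

```python
"""Added example, not from the original post: model the nginx rule
('location /webservice' + 'if ($arg_token = "test123") { return 403; }')
and audit constructed access-log lines for requests it should have blocked.
Assumes nginx's default 'combined' log format; all log lines are made up."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

BLOCKED_TOKEN = "test123"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

def arg(query: str, name: str) -> Optional[str]:
    """Mimic nginx's $arg_<name>: the first argument whose name matches
    (nginx compares the name case-insensitively); the value is returned as-is."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == name.lower():
            return value
    return None

def is_blocked(target: str) -> bool:
    """True when the rule answers 403: the prefix location /webservice matched
    and the token compares equal (nginx's '=' is a plain string comparison)."""
    parts = urlsplit(target)
    return parts.path.startswith("/webservice") and arg(parts.query, "token") == BLOCKED_TOKEN

def audit(log_lines: List[str]) -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Split the requests the rule should block into (blocked, leaked): blocked were
    logged as 403, leaked got any other status, i.e. some server block lacks the rule."""
    blocked, leaked = [], []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_blocked(m["target"]):
            continue
        hit = (m["ip"], m["target"], m["status"])
        (blocked if m["status"] == "403" else leaked).append(hit)
    return blocked, leaked

SAMPLE_LOG = [  # constructed lines in nginx 'combined' format
    '203.0.113.5 - - [03/Jul/2023:10:00:01 +0530] "GET /webservice?token=test123 HTTP/1.1" 403 162 "-" "curl/7.81.0"',
    '203.0.113.5 - - [03/Jul/2023:10:00:02 +0530] "GET /webservice?token=abc HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '198.51.100.9 - - [03/Jul/2023:10:00:03 +0530] "GET /webservice?user=1&token=test123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Jul/2023:10:00:04 +0530] "GET /other?token=test123 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked, leaked = audit(SAMPLE_LOG)
    print(f"blocked: {len(blocked)}, leaked (rule missing on that listener?): {leaked}")
```

Point audit() at the real access log after the reload: any entry in the leaked list means a listener (typically the ssl.conf server block) is still passing the call through.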

Thursday, 9 March 2023

Nagios NRPE client install on ubuntu 22.04

Install the NRPE agent from the default Ubuntu repos.

apt install nagios-nrpe-server

Configuration changes:

nano /etc/nagios/nrpe.cfg

command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 60 -c 50 -u GB -p /

allowed_hosts=127.0.0.1,$nagios_server_ip

Restart the services:
/etc/init.d/xinetd restart
/etc/init.d/nagios-nrpe-server restart

Nagios server configuration:

nano /nagios/server/directory/server.cfg
 
define host{
        use                     linux-server
        host_name               hostname
        alias                   hostname
        address                 IP
        max_check_attempts      2
        check_period            24x7
        notification_interval   30
        notification_period     24x7
}
define service{
        use                     generic-service
        host_name               hostname
        service_description     Disk Usage
        check_command           check_nrpe!check_disk!-a '-w 60 -c 50 -u GB -p /'
}
Wednesday, 25 January 2023

Convert MBR to GPT in AWS

First check the partition type of the existing disk.

parted -l

To convert MBR to GPT, create one new partition with gdisk; writing the new table converts the entire disk from msdos to gpt.

gdisk /dev/nvme0n1

■ n (i.e. new partition)
■ Enter (i.e. Partition number: 2-128, default 2)
■ Enter (i.e. First sector: default = 34)
■ Enter (i.e. Last sector: default = 2047)
■ ef02 (i.e. Type of partition: BIOS boot partition)
■ w (i.e. Write the new partition table)
■ Y (i.e. Complete the process)

Reload the partition table:

partprobe /dev/nvme0n1

Re-install the GRUB boot loader using the new partition scheme:

grub-install /dev/nvme0n1

Increasing the EBS volume (grow the partition first, then the filesystem):

growpart /dev/nvme0n1 1
resize2fs /dev/nvme0n1p1

Now re-check that the partition table was created properly.

parted -l



CISCO AnyConnect VPN Client in Ubuntu

OpenConnect is a client for Cisco's AnyConnect VPN. It is free software, released under the GNU LGPL v2.1. Getting connected to an AnyConnect VPN is easy with OpenConnect and the TUN/TAP kernel module that is built into the Linux kernel.

1. First run the command below to activate the TUN module:

sudo /sbin/modprobe tun

2. Install OpenConnect:

sudo apt-get install openconnect

3. To connect to the VPN, run:

sudo openconnect yourvpn.example.com

It prompts you for a username and password; once these are authenticated, the VPN connection is established.

MIG - NVIDIA

The new Multi-Instance GPU (MIG) feature allows GPUs (starting with NVIDIA Ampere architecture) to be securely partitioned into up to seven ...