Linux Programmer | RHCE | RHCSA

Search This Blog

Wednesday, 13 September 2023

SSL setup in webservers

 

1.  Setup SSL in tomcat with using Certificate, Chain certificate and Private key.

for example,

1. website.crt ( main certificate file )

2. website-ca.crt ( chain certificate )

3. website.key ( private Key )

Open server.xml which is located in tomcat base directory.

nano $CATALINA_BASE/Tomcat/conf/server.xml

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
                compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json" 
                compression="force" compressionMinSize="1024" useSendfile="false" noCompressionUserAgents="gozilla, traviata"   
                URIEncoding="UTF-8" useBodyEncodingForURI="true"
                connectionTimeout="20000"
                enableLookups="false" 
                maxThreads="1500" SSLEnabled="true" 
                defaultSSLHostConfigName="Primary-Domain-name" maxParameterCount="-1">

                <SSLHostConfig hostName="Domain-name" protocols="TLSv1.2">
                              <Certificate certificateFile="PATH-To-SSL-Directory/website.crt"
                                        certificateKeyFile="PATH-To-SSL-Directory/website.key"
certificateChainFile="PATH-To-SSL-Directory/website-ca.crt" />
</SSLHostConfig> </Connector>

Restart Tomcat service.

2. Generate private key from Certificate and Chain certificate.

Generate CSR:
keytool -keysize 2048 -genkey -alias website -keyalg RSA -keystore website.keystore
keytool -certreq -keyalg RSA -alias website -file website.csr -keystore website.keystore
[Keep the password used at the time of generating CSR.]

Generate Certificates using Generated CSR from respected domain provider.
keytool -import -alias root -keystore website.keystore -trustcacerts -file website.crt
keytool -import -alias intermed -keystore website.keystore -trustcacerts -file website-ca.crt
keytool -import -alias website -keystore website.keystore -trustcacerts -file website.crt
keytool -importkeystore -srckeystore website.keystore -destkeystore website.keystore -deststoretype pkcs12
openssl pkcs12 -in website.keystore -out website.pem

Now add configuration into server.xml,

nano $CATALINA_BASE/Tomcat/conf/server.xml

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
                compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json" 
                compression="force" compressionMinSize="1024" useSendfile="false" noCompressionUserAgents="gozilla, traviata"   
                URIEncoding="UTF-8" useBodyEncodingForURI="true"
                connectionTimeout="20000"
                enableLookups="false" 
                maxThreads="1500" SSLEnabled="true" 
                defaultSSLHostConfigName="Primary-Domain-name" maxParameterCount="-1">

                 <SSLHostConfig hostName="Domain-name">
                         <Certificate certificateFile="PATH-TO-SSL/website.pem" certificateKeyPassword="certificate-password"
                                      certificateChainFile="PATH-TO-SSL/website-ca.crt" />
                </SSLHostConfig>

</Connector> 

3. Setup Above SSL certificates on Nginx webserver.

below are the files which is available which we have generated earlier.[ in 2nd solution ]
1. website.csr
2. website.crt
3. website-ca.crt
4. website.pem

a. convert generated .pem file into key file using below command.

openssl rsa -text -in website.pem

Copy the generated context into one file named website.key. example of key file is given below.

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAgVa6C3+/p3AfEn1ZW8KgnxAegMgjv/AllpBEeC0lB2gAkecS
xvraI+PyyzjI7maEktIPw4k2TXafsl/OYZXbPOXpSVaeIZyKCW80RsApDvJysJq/
V0g6WQKBgQCzJMUlOXFUrPKelDfhS4/7YNYmm2+ztcj/X7SXMvaA7vY424KHc9br
MzqnExB01Ge1VDB5xKrEeWtcp30mQ8E9KQfVEIlJO4dsCDVL32+beY57kWbIivlC
mf3YvqeBdnRRSjanxn5bsHqu91GLP4jQIuBNKkz8dRYwBSVcZnb1SA==
-----END RSA PRIVATE KEY-----

b. create combine certificate file by combining CRT and Chain certificate file.
cat website.crt > website-combine.crt
cat website-ca.crt > website-combine.crt

c. open SSL configuration file of nginx.

/etc/nginx/conf.d/ssl.conf

server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name domainname.in;
    ssl_certificate /$PATH-TO-SSL/website.crt;
    ssl_certificate_key /$PATH-TO-SSL/website.key;;
    # SSL Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 4h;
    ssl_session_tickets off;
   # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /$PATH-TO-SSL/website-combine.crt;
        location / {
                proxy_pass              https://tomssl/;
                proxy_set_header        Host               $host;
                proxy_set_header        X-Real-IP          $remote_addr;
                proxy_set_header        X-Forwarded-For    $remote_addr;
                proxy_set_header        X-Forwarded-Host   $host:443;
                proxy_set_header        X-Forwarded-Server $host;
                proxy_set_header        X-Forwarded-Port   443;
                proxy_set_header        X-Forwarded-Proto  $scheme;
                allow all;
        }
        error_page 500 502 503 504 /server-busy.html;
        location = /server-busy.html {
                root /usr/share/nginx/html;
                internal;
        }
}
d. Restart Nginx.
nginx -t
systemctl restart nginx

4. Setup SSL in apache webserver.

Open SSL configuration file of apache. and add below configuration.

/etc/apache2/sites-available/default-ssl.conf
        <VirtualHost *:443>
                <Directory /path/to/website/dir>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
                    Require all granted
                </Directory>
                ServerAdmin purval@test.com
                ServerName impurval.blogspot.com
                ServerAlias www.impurval.blogspot.com
                DocumentRoot /path/to/website/dir
                ErrorLog ${APACHE_LOG_DIR}/website.log
                #CustomLog ${APACHE_LOG_DIR}/phpmyadmin_access.log combined
                SSLEngine on
                SSLCertificateFile "/path/to/ssl/website.crt"
                SSLCertificateKeyFile "/path/to/ssl/website.key"
                SSLCertificateChainFile "path/to/ssl/website-ca.crt"
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
                </Directory>
                Protocols h2 h2c http/1.1
        </VirtualHost>
Restart apache.
apachectl -t
/etc/init.d/apache2 restart

5. Setup free Lets encrypt SSL.

Please note that this SSL certificates are available fro 3 months only then we have to renew it.
1. Install certbot package if not installed.

apt-get install certbot
2. If webserver is already running on port 443 with SSL then need to stop application first.
3. Generate certificates using below command.
sudo certbot certonly --standalone -d domain-name.com

4. Add the configuration entry into configuration file. below is the configuration settings of SSL for tomcat webserver.

nano $CATALINA_BASE/config/server.xml

<SSLHostConfig hostName="domain-name.com">

                 <Certificate certificateFile="/etc/letsencrypt/live/domain-name.com/cert.pem"

                    certificateKeyFile="/etc/letsencrypt/live/domain-name.com/privkey.pem"

                    certificateChainFile="/etc/letsencrypt/live/domain-name.com/chain.pem" />

</SSLHostConfig>

Monday, 3 July 2023

Block specifc web access call using nginx

 Task:

Block specific web calls (e.g. /webservice?token=test123) and allow other calls using nginx.

Solution:

1. make changes in below nginx configuration file.

nano /etc/nginx/conf/80.conf

upstream backend {
    ip_hash;
    server 172.31.25.94;
}
server {
    listen 80;
    listen      [::]:80;
        ## Block  test123 call        
        location /webservice {
            if ($arg_token = "test123") {
                return 403;
            }
            proxy_pass  http://backend;
        }
        ## Block  test123 call        
        location / {
                proxy_pass  http://backend;
                proxy_set_header        Host              $http_host;
                proxy_set_header        X-Forwarded-By    $server_addr:$server_port;
                proxy_set_header        X-Forwarded-For   $remote_addr;
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_set_header        X-Real-IP         $remote_addr;
        }
}

Same thing need to do this in ssl.conf file as well.

2. verify nginx  configuration.

nginx -t

3. reload nginx service.

systemctl reload nginx

Thursday, 9 March 2023

Nagios NRPE client install on ubuntu 22.04

 Install NRPE agent from default ubuntu Repos.
 
apt install nagios-nrpe-server
 
Configuration changes:
 
nano /etc/nagios/nrpe.cfg
 
 
command[check_disk]=/usr/lib/nagios/plugins/check_disk  -w 60 -c 50 -u GB -p /
 
allowed_hosts=127.0.0.1,$nagios_server_ip
 
 
Restart service:
/etc/init.d/xinetd restart
/etc/init.d/nagios-nrpe-server restart
 
 
Nagios server configurations:
 
nano /nagios/server/directory/server.cfg
 
define host{
use                             linux-server
host_name                       hostname
alias                           hostname
address                         IP
max_check_attempts              2
check_period                    24x7
notification_interval           30
notification_period             24x7
}
define service{
        use                     generic-service
        host_name               hostname
        service_description     Disk Usage
        check_command           check_nrpe!check_disk!-a '-w 60 -c 50 -u GB -p /'
}

 
 
 
 

Wednesday, 25 January 2023

Convert MBR to GPT in AWS

 First check partition type of existing disk.

 parted -l




 

To convert MBR to GPT, create one partition with gpt and that will convert entire disk from msdos to gpt.

gdisk /dev/nvme0n1

■ n (i.e. new partition)
■ Enter (i.e Partition number : 2-128, default 2)
■ Enter (i.e. First sector : default = 34)
■ Enter (i.e. Last sector : default = 2047)
■ ef02 (i.e. Type of partition: BIOS boot partition)
■ w (i.e. Write the new partition table)
■ Y (i.e. Complete process)


Reload the partition table 


partprobe /dev/nvme0n1  

Re-install the GRUB boot loader using the new partition scheme 


grub-install /dev/nvme0n1
 

Increasing EBS volume 


growpart /dev/nvme0n1 1
resize2fs /dev/nvme0n1p1

Now Re-check the partition table created properly or not.

parted -l



CISCO AnyConnect VPN Client in Ubuntu

OpenConnect is a client for Cisco’s AnyConnect VPN. It is free software, and is released under the GNU LGPL v2.1 . Getting connected to an AnyConnect VPN is easy with OpenConnect and the TUN/TAP kernel module that is built into the Linux kernel.
 
1. First run command below to active th TUN module:
 
sudo /sbin/modprobe tun
 
2. Install OpenConnect:
 
sudo apt-get install openconnect
 
3. Connect to VPN, run:
 
sudo openconnect yourvpn.example.com
 
It prompts you to type in username and password. Once these are authenticated, the VPN connection is established.

SSH not working with password after upgrade ubuntu 22.04 or above

In recent upgrade of ubuntu 22.04 and above we are not able to login server with SSH password. but when we try to login with key then it all...