Authentication in Apache

I wanted to restrict access to a directory on my web server. It’s quite easy: add an Authentication directive in the site’s configuration file (in /etc/apache2/sites-available/; preferred) or in a .htaccess file in the directory itself.

Create the user and password:

<pre class="src src-sh">htpasswd -c /path/to/my/specified/password/file user.name ## place the file somewhere that is not accessible on the web, maybe where htdocs is located.
## -c creates the password file; leave it out when adding more users, or the existing file is overwritten
## enter password
</pre>

In the site’s configuration file, add a directory directive and add in Authentication. It should look something like:

<pre class="src src-sh">AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /path/to/my/specified/password/file
Require user user.name
</pre>

For many people, I can use groups.

Pretty easy. Note that the user will be able to access that directory from the browser until the browser is closed.

SSL in Apache

I recently tested setting up SSL for my web server. I will outline how I set this up using a self-signed certificate. Some useful references are this, this, this, and this.

I assume Apache is up and running and OpenSSL is installed.

Set up SSL certificates:

<pre class="src src-sh">sudo a2enmod ssl

cd /etc/apache2
sudo openssl genrsa -des3 -out server.key 1024 ## leave out -des3 so I don’t have to enter passphrase every time
sudo openssl req -new -key server.key -out server.csr
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/
</pre>
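Added example, not part of the original post: a shell check for a key and certificate like the server.key and server.crt produced above. It reports a key below a minimum size (the command above generates 1024 bits), a certificate that does not belong to the key, a key file readable beyond its owner, and a certificate close to expiry. The function names, the 2048-bit floor and the 30-day window are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks for an RSA key/certificate pair (needs the openssl CLI).

# key_bits KEY -> modulus size in bits; empty if the key is unreadable/encrypted
key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# pair_matches KEY CRT -> exit 0 when the certificate carries this key's modulus
pair_matches() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_pair KEY CRT [MIN_BITS] -> one finding per line; exit 1 if any
check_pair() {
    min=${3:-2048}   # assumed floor for this example
    rc=0
    bits=$(key_bits "$1")
    if [ -z "$bits" ]; then
        echo "cannot read key $1"
        return 1
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "key is $bits bits, below $min"; rc=1
    fi
    if ! pair_matches "$1" "$2"; then
        echo "certificate does not match key"; rc=1
    fi
    mode=$(stat -c %a "$1" 2>/dev/null)   # GNU stat; skipped where unavailable
    case "$mode" in
        ''|*00) ;;
        *) echo "key file mode $mode is readable beyond its owner"; rc=1 ;;
    esac
    # -checkend N fails when the certificate expires within N seconds (30 days)
    if ! openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "certificate expires within 30 days"; rc=1
    fi
    return $rc
}

# Usage: sh check_pair.sh /etc/ssl/private/server.key /etc/ssl/certs/server.crt
if [ $# -ge 2 ]; then check_pair "$@"; fi
```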

Now, place the following in the site configuration file (in /etc/sites-enabled/) before ==:

<pre class="src src-sh">SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</pre>

For example, I changed my /etc/apache2/sites-available/www.mydomain.com from

<pre class="src src-sh"># Basic setup
ServerAdmin my.email@my.domain.com
ServerName www.mydomain.com
DocumentRoot /home/user/www.mydomain.com/htdocs/

# HTML documents, with indexing.
Options +Includes

# CGI Handling
ScriptAlias /cgi-bin/ /home/user/www.mydomain.com/cgi-bin/
Options +ExecCGI

# Logfiles
ErrorLog /home/user/www.mydomain.com/logs/error.log
CustomLog /home/user/www.mydomain.com/logs/access.log combined
</pre>

to

<pre class="src src-sh">## following 2 for ssl
NameVirtualHost *:443
NameVirtualHost *:80

# Basic setup
ServerAdmin my.email@my.domain.com
ServerName www.mydomain.com
DocumentRoot /home/user/www.mydomain.com/htdocs/

# HTML documents, with indexing.
Options +Includes

# CGI Handling
ScriptAlias /cgi-bin/ /home/user/www.mydomain.com/cgi-bin/
Options +ExecCGI

# Logfiles
ErrorLog /home/user/www.mydomain.com/logs/error.log
CustomLog /home/user/www.mydomain.com/logs/access.log combined

# Basic setup
ServerAdmin my.email@my.domain.com
ServerName www.mydomain.com
DocumentRoot /home/user/www.mydomain.com/htdocs/

# HTML documents, with indexing.
Options +Includes

# CGI Handling
ScriptAlias /cgi-bin/ /home/user/www.mydomain.com/cgi-bin/
Options +ExecCGI

# Logfiles
ErrorLog /home/user/www.mydomain.com/logs/error.log
CustomLog /home/user/www.mydomain.com/logs/access.log combined

# Authentication
ScriptAlias /cgi-bin/ /home/user/www.mydomain.com/cgi-bin/
Options +ExecCGI

# Logfiles
ErrorLog /home/user/www.mydomain.com/logs/error.log
CustomLog /home/user/www.mydomain.com/logs/access.log combined

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</pre>

Now I can use either http or https when accessing my site.
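Added example, not from the original post: a shell audit that reads a site configuration one VirtualHost at a time and reports two things relevant to the setup above, namely Basic authentication on a host without SSLEngine on (the password then crosses the network only base64-encoded) and an AuthUserFile placed inside DocumentRoot. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache site config, one <VirtualHost> at a time.

# audit_site_conf CONF -> one finding per line; exit 1 if any finding
# (CONF may be "-" to read the configuration from stdin)
audit_site_conf() {
    awk '
        function clean(s) { gsub(/["<>]/, "", s); return s }
        function report(   i) {
            if (auth && !ssl) {
                print vhost ": AuthType Basic without SSLEngine on"; bad = 1
            }
            for (i = 0; i < n; i++)
                if (root != "" && index(pw[i], root "/") == 1) {
                    print vhost ": password file " pw[i] " is inside DocumentRoot " root
                    bad = 1
                }
            auth = 0; ssl = 0; n = 0; root = ""
        }
        BEGIN { vhost = "(global)"; n = 0; bad = 0 }
        $1 ~ /^#/ { next }                      # comment line
        { d = tolower($1) }
        d == "<virtualhost"   { vhost = clean($2) }
        d == "documentroot"   { root = clean($2); sub(/\/$/, "", root) }
        d == "authtype"       { if (tolower($2) == "basic") auth = 1 }
        d == "sslengine"      { if (tolower($2) == "on") ssl = 1 }
        d == "authuserfile"   { pw[n++] = clean($2) }
        d == "</virtualhost>" { report(); vhost = "(global)" }
        END { report(); exit bad }
    ' "$1"
}

# Constructed sample: the same site served on port 80 and on port 443.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot /home/user/www.mydomain.com/htdocs/
    AuthType Basic
    AuthUserFile /home/user/www.mydomain.com/htdocs/.htpasswd
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /home/user/www.mydomain.com/htdocs/
    SSLEngine on
    AuthType Basic
    AuthUserFile /home/user/www.mydomain.com/passwords
</VirtualHost>
EOF
}

# With a file argument audit that file, otherwise audit the constructed sample.
if [ $# -ge 1 ]; then audit_site_conf "$1"; else sample_conf | audit_site_conf - || true; fi
```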

I run multiple sites on the same server. I wanted to use SSL on one or all of these sites, but that is not possible without having a static IP for each site. The reason is the HTTP header is encrypted, so Apache doesn’t know which site to take you to. See this and this for explanations.

Server Applications

I would like to compile a list of server applications that are available out there that I might use some day (or am using now). My preferences for software are GPL-based, lightweight, easy to set up, easy to administer, easy to use, and widely-used (to get support). Most of these were found based on my experiences on the web or from searching.

For my web server, I have Ubuntu as the OS with Apache, MySQL, and PHP (i.e., LAMP).

  1. UPDATE 1/8/2011 Web server: Apache is standard and most popular. nginx is supposedly a lot faster and more stable, especially for static content; it is also easy to configure. lighttpd and Mongoose are other alternatives. Here is a list and comparison.
  2. UPDATE 1/8/2011 Database: MySQL and PostgreSQL are popular open source programs. A list here.
  3. Content publishing/management system (CMS), e.g., blogs: WordPress, Joomla and Drupal (requires more knowledge of html and css). I use WordPress as my blogging platform. Most content websites I visit are using one of these platforms. Comparisons here. UPDATE 1/19/2011 For something simpler, consider PyBlosxom, or some solution that involves emacs and org-mode.
  4. Forum: phpBB. Comparisons here.
  5. Wiki: MediaWiki, MoinMoin, dokuwiki, mojomojo. Comparisons here.
  6. Audio and video streaming: GNUMP3d, MPEG4IP, Ampache, Subsonic. I currently use Ampache, but might test out GNUMP3d some day. Note you can also use VLC to stream. A list here.
  7. Images/pictures/photos: Gallery and phpGraphy. A comparison here and my testing of a few different applications here.
  8. Customer relationship management (CRM): vtiger, openCRX. A short list is here and a list of lists is here.
  9. Mailing list: Mailman is king; Majordomo. A short list can be found here.
  10. Single sign-on (SSO), Central Authentication Service (CAS): If the above services are related, consider integrating OpenID using a plugin (?). Some open source options are OpenAM, CoSign, jasig.
  11. Data collection, surveys, forms: LimeSurvey, phpESP, RedCAP (not open source; institutions only), Form Tools, and orbeon. This list of open source healthcare software might help.
  12. UPDATE 12/20/2010 Software Configuration Management (SCM) or Revision Control Software: of course, git or maybe Subversion. A comparison here.
  13. UPDATE 12/20/2010 Issue-tracking systems (bug tracking, help desk, service desk, tickets): Trac (interface with svn by default; can add git through a plugin) and Bugzilla for source code (bugs), and OTRS, osTicket, Request Tracker or eticketsupport for help desk. A comparison here; another here; Stack Overflow post.
  14. UPDATE 12/20/2010 Collaborative Software Development (Forge): FusionForge (descendant of the open source GForge). A list can be found here.
  15. UPDATE 12/20/2010 School-related: SchoolTool, Open Admin and Open School for administration (School Management Software). Check out Edubuntu and skolelinux as OS’s for students. Moodle is a Course Management Software (CMS) or Learning Management Software. Many more (different categories) can be found on SchoolForge. Loads of useful links and information regarding Linux and Education at this post.
  16. UPDATE 1/1/2011 Mail Server: See this and this. Looks like I would need Postfix (MTA) + many others, e.g., see this.
  17. UPDATE 1/8/2011 Enterprise Resource Planning (ERP) = CRM + HRMS, of which PeopleSoft is an example: Compiere and OpenERP; a list here and here.
  18. UPDATE 1/8/2011 Job portal/board: jobberBase; a list here.
  19. UPDATE 1/19/2011 Blog aggregators: Planet Venus, used by Planet Emacsen, or some WordPress plugins, used by R Bloggers (I think).
  20. UPDATE 8/29/2011 Question and Answer site like Stack Overflow and the Stack Exchange suite: OSQA and shapado; list here.

UPDATE 1/1/2011 See this list for applications of different types.

home server + port forwarding

so i started running my own servers, one at school and one at home to test things such as a webserver. at school, no problem. got them to give me a hostname and to open certain ports (22 and 80).

at home, since i’m on a home network which has one public ip to my router, i have to use port forwarding for the outside world to connect to my home server. i had a lot of trouble with this as i couldn’t access my home server from inside, blaming that the problem was from my westell 9100em router, the one that came with verizon fios. i tried to bridge another router (as my main router) since i thought the router was the problem. however, the instructions were too damn complicated and the actiontec instructions did not match my westell. to fix it i even managed to switch from coax connection from the ONT box to ethernet and ran my own cable, and using my own router (trendnet). however, after setting up port forwarding, things still did not work.

long story short, i got it to work learning 2 things:

  1. u can’t connect to your public ip from inside the network. u have to connect to the public ip from outside the network. to test this, i ssh to my server at school and ssh back home.
  2. even though u set ur router to forward the port, ur computer may still be blocking outside connections. this was the case for mac os x. u have to set it to accept all incoming connections or to allow certain services/port; turning those servers on were not enough. in mac os x, u go to system preferences > security > firewall.

for servers in your home network, you should set them up to have a static ip, preferably outside the dhcp range. for ex, dhcp should give 100-255, and use 2-99 for static. i forward 22 -> 22 (ssh) and 80 -> 80 (http) for one of my server. to get my laptop going, i set something like 80000 -> 22 and 90000 -> 80. that way i can access both computers.

this took a lot of trial and error and learning. i have to say i took like 3 attempts, each with about 3 days of work to figure out. very inefficient i must say, but now i got things working so i can channel my energy to things that are more important to me, although these aren’t done in vain…i will make use of these servers for the things i’m about to do for school.

another note. i set the router to update a dyndns, and i forward my domain to this dyndns name. this way even if my ip refreshes i can still update it.

i like my cheap trendnet router so far. since the actiontec was not at fault, i could have gone back to coax. however, i ran a cat6 cable…this should be good. even if i get fios tv, i think i can go from my router (or any router i choose) to the actiontec and still have things working. i like the fios to be ethernet based so i am free to choose any routers i want, like my cheap wireless n trendnet router.