Protect Folder With Htpasswd In Apache
Below
is
showing what the end result will look like and what this article will
help you achieve.
Step
1 – Create the folder and set the permissions on it
If
the folder you want secured doesn’t exist, go ahead and create it. Then
set the correct permissions and owner for the folder. I am using
www-data as our folder owner as this is the owner that apache website
runs as.
1.
cd
/var/www/html
2.
mkdir
secured_folder
3.
chmod
744
secured_folder
4.
chown
www-data.www-data
secured_folder
5.
cd
secured_folder
Step
2 – Create your .htaccess file
Change
to
the ‘secured_folder’ and create an .htaccess file inside their with the
contents below. This will add the username and password security to the
folder.
1.
AuthUserFile /var/www/.htpasswd
2.
AuthGroupFile /dev/null
3.
AuthName "My
protected
files"
4.
AuthType Basic
5.
<Limit GET>
6.
require valid-user
7.
</Limit>
** the path to the .htpasswd is what you put there. You can multiple with
different names for each folder that you want to secure.
Step
3 – Create the username and password for .htpasswd file
Now
change
to the folder you want your .htpasswd is to be stored in. We specified
/var/www/.htpasswd as you can see the above for ‘AuthUserFile’. Then use
the htpasswd function in your command line to create the username and
password for the folder you want to secure. It is recommended that you
leave this file outside of the actual website folder.
1.
cd
/var/www/
2.
htpasswd
-c .htpasswd
username1
You
will
be asked to enter a password for ‘username1′.
**
Replace .htpasswd with what you created above. Can be folder specific.
Step
4 – Adding more users to .htpasswd file (optional)
If
you would like to add multiple users to the same .htpasswd file then
don’t add the ‘-c’ option.
1.
cd
/var/www
2.
htpasswd
.htpasswd
username2
3.
you will be asked to enter a password for 'username2'
4.
htpasswd
.htpasswd
username3
5.
you will be asked to enter a password for 'username3'
Now
when
you go to visit your page, it will prompt you to enter a username and
password before you can access the page.
** Replace
.htpasswd with what you created above. Can be folder specific.
Disable Apache Cache
https://ubiq.co/tech-blog/disable-apache-cache/
#Initialize mod_rewrite
RewriteEngine On
<FilesMatch "\.(html|htm|js|css)$">
FileETag None
<IfModule mod_headers.c>
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store,
must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 12 Jan 1980 05:00:00 GMT"
</IfModule>
</FilesMatch>
Link to folder share in Apache
This should be in your website conf
Alias
/library
/media/library
<Directory
/media/library/>
Options Indexes FollowSymLinks
AllowOverride
None
Order Deny,Allow
AuthName "Rich's
Personal Library"
AuthType Basic
AuthUserFile /var/www/lemmermann.tech/.library_htpasswd_file
Require valid-user
</Directory>
This should be similar in /etc/fstab
//192.168.1.77/WebDoc /media/library cifs
username=<user>,password=<pass>,defaults 0 0
renamed from eth0:
#
$ sudo nano /etc/default/grub
Look for “GRUB_CMDLINE_LINUX”
and add the following "net.ifnames=0
biosdevname=0"
From:
GRUB_CMDLINE_LINUX=""
To:
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
Then Write the Changes:
$ sudo grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-4.4.0-15-generic
Found initrd image: /boot/initrd.img-4.4.0-15-generic
Found memtest86+ image: /memtest86+.elf
Found memtest86+ image: /memtest86+.bin
done
https://www.itzgeek.com/how-tos/mini-howtos/change-default-network-name-ens33-to-old-eth0-on-ubuntu-16-04.html
SSL Cert in Apache
This is what the config file should look like. Essentially, you want to match up the appropriate files to the certificates that you're using.
<VirtualHost *:443>
ServerAdmin elearn@crouse.org
DocumentRoot /var/www/elearn
ServerName elearning.crouse.org
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/public.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
</VirtualHost>
SSL CSR with OpenSSL and Response
First, create a file for config of any SANs (Subject Alt Names) you need
ie: san.cnf
[
req ]
default_bits
= 2048
distinguished_name
= req_distinguished_name
req_extensions
= req_ext
[
req_distinguished_name ]
countryName
= Country Name (2 letter code)
stateOrProvinceName
= State or Province Name (full name)
localityName
= Locality Name (eg, city)
organizationName
= Organization Name (eg, company)
commonName
= Common Name (e.g. server FQDN or YOUR name)
[
req_ext ]
subjectAltName
= @alt_names
[alt_names]
DNS.1
= bestflare.com
DNS.2
= usefulread.com
DNS.3
= chandank.com
Create the CSR and Private Key now
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
Verify SAN
openssl req -noout -text -in sslcert.csr | grep DNS
[root@Chandan test]# openssl req -noout -text -in sslcert.csr | grep DNS
DNS:bestflare.com, DNS:usefulread.com, DNS:chandank.com
[root@Chandan test]#
Create p12 file from CA Response
openssl pkcs12 -export -in <CAreply> -inkey private.key
-certfile <intermediates.cert.pem> -name "www.lemmermann.tech"
-out www.lemmermann.tech.p12
https://support.code42.com/Administrator/6/Configuring/Use_OpenSSL_to_install_a_keystore
https://geekflare.com/san-ssl-certificate/
Create pfx file from CA Response
openssl pkcs12 -export -in www_crouse_org.crt -inkey www_crouse_org.key -name "www.crouse.org" -out www.crouse.org.pfx
-certfile <intermediates.cert.pem> How to work with certs in Apache
Updated 2020-02-15 with newer instructions that make more sense
# WinSCP the wildcard cert (at time of writing), 2018-19-Wildcard.pfx, to the ~/
# WinSCP the intermediate cert to ~/
# You will need the password for the root combo pfx
# Copy the intermediate to its home (If applicable)
sudo cp
~/intermediate.crt
/etc/apache2/ssl/intermediate.crt
# Export public key
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [public.key]
# Copy the public key to its home
sudo cp
~/public.key /etc/apache2/ssl/public.key
# Extract the Private cert from the pfx
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [private-encrypted.key]
# Copy the private key to its home
sudo cp
~/private-encrypted.key /etc/apache2/ssl/private-encrypted.key
# This will remove the key so that Apache2 can start without having to sign in to paste in the key
sudo openssl rsa
-in ~/private-encrypted.key -out
/etc/apache2/ssl/private.key
# Restart Apache2
sudo
/etc/init.d/apache2
restart
https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/
https://stackoverflow.com/questions/15413646/converting-pfx-to-pem-using-openssl
https://serverfault.com/questions/160768/stop-apache-from-asking-for-ssl-password-each-restart
PEM with RSA Private key (ie NetScaler)
Example with this: snet.crouse.org_password.pfx
openssl pkcs12 -in snet.crouse.org_password.pfx -out snet.crouse.org_2020.pem -nodes
openssl rsa -outform der -in snet.crouse.org_2020.pem -out snet.crouse.org_2020_rsa_private.key
penssl x509 -outform der -in snet.crouse.org_2020.pem -out snet.crouse.org_2020_private.cer
https://discussions.citrix.com/topic/397777-netscaler-ver-121-cannot-import-ssl-pfx-error-no-certificates-present-in-the-certificate-bundle-file-rapidssl-digicert-entrust/
How to get .pem file from .key and .crt files?
openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem
https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files
Remove password from a PFX file
openssl pkcs12 -in pfx.pfx -nodes | openssl pkcs12 -export -keypbe NONE -certpbe NONE -out output.pfx
https://security.stackexchange.com/questions/195080/how-to-convert-my-cert-chain-to-pfx-without-a-password
Get all Trusted Root Certs ,trusted
# Use rootups on Windows to download all Trusted Root Authorities
# Select all and export with a key
# SCP to Linux box
# Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it)
sudo openssl pkcs12
-in AllRoots.pfx
-out
/usr/local/share/ca-certificates/allroots.crt -cacerts
# into /usr/local/share/ca-certificates and name it with a .crt file extension.
sudo update-ca-certificates.
Validate cert chain of website
openssl s_client -showcerts -connect www.domain.com:443
PFX to PEM, quickly
openssl pkcs12 -in d:\Temp\cert.pfx -out d:\Temp\cert.pem -nodes
The -nodes removes the password from the created PEM file. If you
wish to maintain the password encryption omit the -nodes however this
may make it difficult to use the PEM file on your device. You will be
prompted to type the password for the pfx file.
https://www.itprotoday.com/windows-78/converting-certificate-files-pfx-format-pem
DER to CRT/PEM (to base64), quickly
As you have the
openssl tag on your question, you should use:
openssl x509 -inform der -in infile.cer -out outfile.cer
In the reverse direction:
openssl x509 -outform der -in infile.cer -out outfile.cer
.
Apache ReWrite to SSL
$ sudo a2enmod rewrite
Put this in your *:80 section of your config
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Grab all subject alt name from a cert
openssl s_client -connect server.org:443 | openssl x509 -noout -text | grep DNS
Example with "google.com":
# Get all certs in a chain
openssl s_client -showcerts -verify 5 -connect $1:443 < /dev/null |
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
for cert in *.pem; do
newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
echo "${newname}";
# mv "${cert}" "${newname}"
done
List Cert details
echo quit | openssl s_client -showcerts -servername $1 -connect $1:443 > cacert.pem
Let's Encrypt Generate a manual certificate
LetsEncrypt Certificate Request
sudo certbot run -a manual -i apache -d cal.lemmermann.tech