Friday 24 November 2017

Upgrading to https, part 1

The web is moving from http to https. The difference is that when you access the web via http, the server sends the page requested to your browser. When you access via https, the server encrypts the page, sends it to your browser, the browser decrypts it and you get to see it. Remember, there isn't a direct connection between the server and the browser, the info is forwarded via several other servers. And anyone on those other servers can see your info.

In the case of credit card info, that's a no-no. But in the case of most pages, it doesn't matter much. Except when it does - do you really want some third party monitoring your tweets? So https is becoming the default.

And the latest Chrome browser version, warns the user if the site they're accessing is using http and therefore not as secure as it could be. So now, there's an additional incentive to change to https. And that's what I'm aiming to do.

I use the apache web server because so do the majority of other web servers, plus I've been using it for 20 years. But before I could use https from my server, I had to upgrade it. Here's the plan:

1. Upgrade the server
2. Get certificates for each virtually hosted site that is hosted
3. Switch to https.

So first, to upgrade the server.

First, I needed to get the latest version of apache and any software that it depends on. To do that, I did a google search to download the tar.gz files, then untar them into the directories under a temp directory. And then:

openssl   ./config                                     make;make test;make install
apr        ./configure                                make;make test;make install
expat     ./configure                                make;make test;make install
apr-util  ./configure --with-apr=/usr/local/apr      make;make test;make install
yum install pcre-devel
pcre      ./configure                                make;make test;make install

Then apache. First, a carefully crafted configure. In particular, I enable ssl and rewrite. You'll see why rewrite later on - that's how I'll transparently convert http accesses into https.

./configure --prefix=/usr/local/apache2.4.29 --enable-ssl --with-ssl=/usr/local/ssl \
--enable-module=most --enable-rewrite --enable-alias --disable-status \
--disable-asis --disable-autoindex --disable-imap --with-pcre=/bin/pcre-config \
--disable-negotiation --disable-actions --disable-userdir \
--with-apr=/usr/local/apr --enable-ssl-staticlib-deps

And when that is done, "make" followed by "make install". That put the new version of apache into /usr/local/apache2.4.29. 

So then I edited httpd.conf to set it up the way my existing apache was, and copied over the include files for the virtual hosts.

Then I brought down the existing apache server with "systemctl stop httpd.service" (which takes a surprisingly long time, I think it's waiting for existing accesses to complete or something), and brought up the new server with "/usr/local/apache2.4.29/bin/apachectl start"

And then I accessed it from an outside server, and checked that it worked. Which it did! Hurrah.

Now to get the certificates.

No comments:

Post a Comment