apache https://tech.feedyourhead.at/

<span class="field field--name-title field--type-string field--label-hidden">Apache's "File-Extension-Feature"</span> <a href="https://tech.feedyourhead.at/content/apaches-file-extension-feature">https://tech.feedyourhead.at/content/apaches-file-extension-feature</a>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p>Many years ago, someone mentioned at a congress that Apache has an interesting feature: if Apache does not recognise a file extension, it simply skips it and evaluates the next one. If someone saves a file called "<em>evil.php.ab</em>", Apache does not know what to do with the extension ".<em>ab</em>", so it ignores it, treats the file as "<em>evil.php</em>" and executes it. I wondered how long it would take until a related bug turned up, and I was not surprised when I read about <a href="http://hyp3rlinx.altervista.org/advisories/PEAR-HTTP_UPLOAD-ARBITRARY-FILE-UPLOAD.txt">this nasty bug</a>.</p>
</div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span about="/users/hoti" typeof="schema:Person" property="schema:name">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Feb 01 2017</span>
<div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/tags/apache" hreflang="en">apache</a></div> </div> </div>
<p>Wed, 01 Feb 2017 16:45:11 +0000 Hoti 227 at https://tech.feedyourhead.at</p>

<span class="field field--name-title field--type-string field--label-hidden">Let's Encrypt</span> <a href="https://tech.feedyourhead.at/content/lets-encrypt">https://tech.feedyourhead.at/content/lets-encrypt</a>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p><img alt="Letsencrypt" data-entity-type="file" data-entity-uuid="ab8fc64a-a62f-4e17-8d48-729a45365e04" src="/sites/default/files/inline-images/letsencrypt.jpg" /></p>
<p><a href="https://letsencrypt.org">Let's Encrypt</a> has been in the media quite often lately. It is a very easy-to-use tool that provides certificates for free, and those certificates are trusted by most common browsers. I never understood why certificates are so expensive, which is why I tried out letsencrypt (and I like it!).</p>
<p>In this article I replace all <a href="https://www.cacert.org/">CAcert certificates</a> on a <a href="https://kolab.org/">Kolab server</a>, which means installing the Let's Encrypt certificate in apache2, cyrus-imapd and postfix.</p>
<h3>Installing letsencrypt</h3>
<p>I just used git to obtain the letsencrypt script:</p>
<pre> <code>git clone https://github.com/letsencrypt/letsencrypt</code></pre>
<p>Whenever letsencrypt-auto is started it checks its dependencies and installs any that are missing using the package manager of the Linux distribution. So it is wise to open the help page first:</p>
<pre> <code>root@kolab:~/letsencrypt# ./letsencrypt-auto --help
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help

  letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain &amp; install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication &amp; installation
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)</code></pre>
<h3>Different Modes</h3>
<p>Letsencrypt can either just create and download a certificate (certonly), or it can create the certificate and install it into a service (at the moment only nginx and apache seem to be supported for this). There is a <a href="http://letsencrypt.readthedocs.org/en/latest/using.html#plugins">list in the letsencrypt documentation</a> showing which option only creates the certificate and which option also installs it.</p>
<h3>How to authenticate the host</h3>
<p>Every certification authority has to validate that you really own the domain for which you want a certificate. Sometimes you have to set an entry in your DNS zone, or you get an e-mail to one of the mail addresses of that zone. Letsencrypt is a script executed on the target host. It calls home over HTTPS, but then the Let's Encrypt server has to call back to your host to validate that it is really yours. If you don't have a webserver on your host, letsencrypt can start a temporary <strong>standalone</strong> webserver for you and perform the authentication automatically. I already have a webserver installed, so I can use my Apache installation: letsencrypt has an option called <strong>webroot</strong>. If you use this option for authentication, you have to provide the path to your webroot, and letsencrypt creates a temporary hidden directory (.well-known) inside it. Be aware that letsencrypt only uses HTTP for validation, so if your server only listens on port 443 it won't work. Another option for authentication is <strong>manual</strong>, where you do the authentication by hand (I never tried that).</p>
<h3>So let's encrypt</h3>
<pre> <code>./letsencrypt-auto certonly --rsa-key-size 4096 --webroot -w /var/www/html/ -d kolab.example.com</code></pre>
<p>This command creates a certificate for kolab.example.com, using the webroot /var/www/html for authentication. The certificate is stored in /etc/letsencrypt/live/kolab.example.com:</p>
<pre> <code>root@kolab:~/letsencrypt# ls -l /etc/letsencrypt/live/kolab.example.com/
total 0
lrwxrwxrwx 1 root root 42 Jan 28 15:34 cert.pem -&gt; ../../archive/kolab.example.com/cert1.pem
lrwxrwxrwx 1 root root 43 Jan 28 15:34 chain.pem -&gt; ../../archive/kolab.example.com/chain1.pem
lrwxrwxrwx 1 root root 47 Jan 28 15:34 fullchain.pem -&gt; ../../archive/kolab.example.com/fullchain1.pem
lrwxrwxrwx 1 root root 45 Jan 28 15:34 privkey.pem -&gt; ../../archive/kolab.example.com/privkey1.pem</code></pre>
<h3>Configuring the services</h3>
<h4>Apache2 ( &gt;= 2.4.8 )</h4>
<pre> <code>SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem</code></pre>
<h4>Apache2 ( &lt; 2.4.8 )</h4>
<pre> <code>SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/kolab.example.com/chain.pem</code></pre>
<h4>Nginx</h4>
<pre> <code>ssl_certificate /etc/letsencrypt/live/kolab.example.com/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/kolab.example.com/privkey.pem</code></pre>
<h4>Postfix</h4>
<pre> <code>smtpd_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem
smtp_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem</code></pre>
<h4>Cyrus Imapd</h4>
<pre> <code>tls_server_cert: /etc/letsencrypt/live/kolab.example.com/cert.pem
tls_server_key: /etc/letsencrypt/live/kolab.example.com/privkey.pem
tls_server_ca_file: /etc/letsencrypt/live/kolab.example.com/chain.pem</code></pre>
<p>DEBIAN USERS: This won't work out of the box. Cyrus needs the group permissions of the certificate files and directories set correctly, like this:</p>
<pre> <code>403119 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/archive
403129 4 -rw-r--r-- 1 root ssl-cert 3272 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/privkey1.pem
403130 4 -rw-r--r-- 1 root ssl-cert 1675 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/chain1.pem
403128 4 -rw-r--r-- 1 root ssl-cert 2151 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/cert1.pem
403131 4 -rw-r--r-- 1 root ssl-cert 3826 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/fullchain1.pem
403120 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/live</code></pre>
<h3>Renewal</h3>
<p><a href="http://letsencrypt.readthedocs.org/en/latest/using.html#renewal">Letsencrypt says on its page</a>:</p>
<blockquote> <p>Let's Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.</p> </blockquote>
<p>Let's create a renewal script (/opt/letsrenew.sh):</p>
<pre> <code>#!/bin/bash
/opt/letsencrypt/letsencrypt-auto certonly --config /opt/letsencrypt/cli.ini --webroot -w /var/www/html/ -d kolab.example.com
service apache2 restart
service postfix restart
service cyrus-imapd restart</code></pre>
<p>So we can just create a cronjob (at 00:00 on the 1st of Jan, Mar, May, Jul, Sep and Nov):</p>
<pre> <code>0 0 1 */2 * /opt/letsrenew.sh &gt; /dev/null</code></pre>
<p>Our /opt/letsencrypt/cli.ini looks like this:</p>
<pre> <code>agree-tos
renew-by-default = True</code></pre>
</div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span about="/users/hoti" typeof="schema:Person" property="schema:name">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jan 30 2016</span>
<div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><a href="/tags/kolab" hreflang="en">Kolab</a></div> <div class="field__item"><a href="/tags/mail" hreflang="en">Mail</a></div> <div class="field__item"><a href="/tags/apache" hreflang="en">apache</a></div> <div class="field__item"><a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div>
<section class="field field--name-comment field--type-comment field--label-above comment-wrapper">
<h2 class="title">Comments</h2>
<article data-comment-user-id="0" id="comment-43" about="/comment/43" typeof="schema:Comment" class="comment js-comment by-anonymous">
<footer class="comment__meta"> <p class="comment__submitted"><span rel="schema:author">Submitted by <span typeof="schema:Person" property="schema:name">DoktorBen (not verified)</span> on May 26 2016</span></p> </footer>
<div class="content">
<h3 property="schema:name"><a href="/comment/43#comment-43" class="permalink" rel="bookmark" hreflang="en">not working</a></h3>
<div property="schema:text" class="clearfix text-formatted field field--name-comment-body field--type-text-long field--label-hidden field__item"><p>Hello,</p> <p>I followed your steps but cyrus can't access the certs:<br /> May 26 10:20:37 post imaps[13762]: unable to get certificate from '/etc/letsencrypt/live/post.example.com/cert.pem'<br /> May 26 10:20:37 post imaps[13762]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?<br /> May 26 10:20:37 post imaps[13762]: error initializing TLS</p> </div>
</div>
</article>
<div class="indented">
<article data-comment-user-id="1" id="comment-56" about="/comment/56" typeof="schema:Comment" class="comment js-comment by-node-author">
<footer class="comment__meta"> <p class="comment__submitted"><span rel="schema:author">Submitted by <span about="/users/hoti" typeof="schema:Person" property="schema:name">Hoti</span> on Jun 09 2016</span></p> <p class="parent">In reply to <a href="/comment/43#comment-43" class="permalink" rel="bookmark" hreflang="en">not working</a> by <span typeof="schema:Person" property="schema:name">DoktorBen (not verified)</span></p> </footer>
<div class="content">
<h3 property="schema:name"><a href="/comment/56#comment-56" class="permalink" rel="bookmark" hreflang="en">I had a similar problem, and…</a></h3>
<div property="schema:text" class="clearfix text-formatted field field--name-comment-body field--type-text-long field--label-hidden field__item">I had a similar problem, and it turned out that the permissions of the keys/directories were wrong. Make sure that cyrus is able to read the files.</div>
</div>
</article>
</div>
</section>
<p>Sat, 30 Jan 2016 10:04:41 +0000 Hoti 153 at https://tech.feedyourhead.at</p>

<span class="field field--name-title field--type-string field--label-hidden">Apache2: Upgrading from 2.2 to 2.4</span> <a href="https://tech.feedyourhead.at/content/apache2-upgrading-22-24">https://tech.feedyourhead.at/content/apache2-upgrading-22-24</a>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p><img alt="" src="http://tech.feedyourhead.at/sites/tech.feedyourhead.at/files/pictures/apache.png" /></p>
<p>If you upgrade your Debian webservers to the new Debian release "Jessie", you might experience some issues with the configuration syntax of Apache 2.4.</p>
<p>Here are some examples of the old and the new way to express the same access control:</p>
<h3>2.2 configuration:</h3>
<pre> <code>Order deny,allow
Deny from all</code></pre>
<h3>2.4 configuration:</h3>
<pre> <code>Require all denied</code></pre>
<h3>2.2 configuration:</h3>
<pre> <code>Order allow,deny
Allow from all</code></pre>
<h3>2.4 configuration:</h3>
<pre> <code>Require all granted</code></pre>
<h3>2.2 configuration:</h3>
<pre> <code>Order Deny,Allow
Deny from all
Allow from example.org</code></pre>
<h3>2.4 configuration:</h3>
<pre> <code>Require host example.org</code></pre>
<p>I really recommend having a look at <a href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache's upgrade page</a> to get an overview of the changes.</p>
</div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span about="/users/hoti" typeof="schema:Person" property="schema:name">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 03 2015</span>
<div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/tags/apache" hreflang="en">apache</a></div> <div class="field__item"><a href="/tags/debian" hreflang="en">Debian</a></div> <div class="field__item"><a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div>
<p>Sun, 03 May 2015 09:21:49 +0000 Hoti 82 at https://tech.feedyourhead.at</p>
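<p>An added example for the "File-Extension-Feature" post above (editor's code, not the author's): the two defensive checks the multi-extension behaviour calls for, a filename policy for uploads that rejects anything with more than one extension, and an audit that lists files already in a webroot whose name hides an executable extension before the last one, as in evil.php.ab. It assumes POSIX sh and a constructed webroot; the extension lists are this example's choice.</p>

```shell
#!/bin/sh
# Added example (not from the post). Apache's mod_mime looks at every
# dot-separated extension of a filename, so with the PHP handler bound via
# AddHandler a file named "evil.php.ab" still reaches PHP: the unknown
# trailing extension does not neutralise the ".php". (Binding the handler
# with <FilesMatch "\.php$"> instead of AddHandler closes the server side;
# the checks below cover the application side.)

# safe_upload_name NAME [ALLOWED]: succeed only if NAME has exactly one
# extension and that extension is in the ALLOWED list (default: images/docs).
safe_upload_name() {
  name=$1; allowed=${2:-"jpg jpeg png gif pdf txt"}
  base=${name##*/}                       # ignore any directory component
  case $base in
    ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; # empty, dotfile (.htaccess), odd chars
    *.*.*) return 1 ;;                   # more than one extension: evil.php.ab
    *.*) ;;                              # exactly one extension: check it below
    *) return 1 ;;                       # no extension at all
  esac
  ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z')
  for a in $allowed; do
    [ "$ext" = "$a" ] && return 0
  done
  return 1
}

# audit_webroot DIR: print every file below DIR whose name carries a
# server-side-executable extension somewhere before the final one
# (evil.php.ab, x.phtml.png), i.e. what a multi-extension upload looks like.
audit_webroot() {
  find "$1" -type f -name '*.*.*' | while read -r f; do
    rest=${f##*/}; rest=${rest%.*}         # basename minus its final extension
    while [ "$rest" != "${rest#*.}" ]; do  # while another extension remains
      case $(printf '%s' "${rest##*.}" | tr 'A-Z' 'a-z') in
        php|php[3457]|phtml|phar|cgi|pl|py) printf '%s\n' "$f"; break ;;
      esac
      rest=${rest%.*}
    done
  done
}
```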
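<p>An added example for the Let's Encrypt post above, not the post's own /opt/letsrenew.sh: it verifies the group permissions cyrus needs (the root:ssl-cert layout shown in the post, which the "not working" comment ran into) and only restarts the services when fullchain.pem actually changed. ROOT and GROUP are parameters so the check can be tried against a scratch directory; the renewal part runs only when the script is invoked with the argument renew.</p>

```shell
#!/bin/sh
# Added example (not the post's /opt/letsrenew.sh): renewal helper for the
# Let's Encrypt + Kolab setup above. ROOT and GROUP are parameters so the
# permission check can be exercised on a scratch directory.

# check_group_access ROOT GROUP
# Succeeds when everything below ROOT is owned by GROUP, every directory is
# group-readable and traversable (r-x) and every file group-readable (r--),
# which is the root:ssl-cert layout the post's listing shows and what
# cyrus-imapd on Debian needs to load cert.pem, chain.pem and privkey.pem.
# (Group read is all cyrus needs; privkey.pem does not have to be world-readable.)
check_group_access() {
  root=$1; grp=$2; rc=0
  for p in $(find "$root"); do
    line=$(ls -ld "$p")
    g=$(printf '%s\n' "$line" | awk '{print $4}')
    gbits=$(printf '%s\n' "$line" | cut -c5-7)   # the group's rwx triplet
    if [ "$g" != "$grp" ]; then
      echo "wrong group on $p: $g (want $grp)"; rc=1
    fi
    if [ -d "$p" ]; then
      case $gbits in r?[xs]) ;; *) echo "group cannot traverse $p ($gbits)"; rc=1 ;; esac
    else
      case $gbits in r??) ;; *) echo "group cannot read $p ($gbits)"; rc=1 ;; esac
    fi
  done
  return $rc
}

# file_sum FILE: cheap fingerprint of a file (cksum is POSIX, no openssl needed).
file_sum() { cksum "$1" | cut -d' ' -f1; }

# cert_changed BEFORE_SUM FILE: true when FILE no longer matches BEFORE_SUM.
# renew-by-default makes certonly run on every cron invocation; comparing
# fullchain.pem before and after avoids restarting the mail stack when the
# CA returned nothing new.
cert_changed() { [ "$(file_sum "$2")" != "$1" ]; }

# Renewal driver: the post's commands, but with the permission check before
# cyrus reads the files and a restart only when the certificate changed.
# Deliberately runs only when invoked as "letsrenew.sh renew".
if [ "${1:-}" = renew ]; then
  live=/etc/letsencrypt/live/kolab.example.com
  before=$(file_sum "$live/fullchain.pem")
  /opt/letsencrypt/letsencrypt-auto certonly --config /opt/letsencrypt/cli.ini \
      --webroot -w /var/www/html/ -d kolab.example.com
  check_group_access /etc/letsencrypt/live ssl-cert || exit 1
  check_group_access /etc/letsencrypt/archive ssl-cert || exit 1
  if cert_changed "$before" "$live/fullchain.pem"; then
    service apache2 restart; service postfix restart; service cyrus-imapd restart
  fi
fi
```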
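<p>An added helper for the 2.2-to-2.4 post above, editor's code rather than the author's: it mechanically converts the 2.2 Order/Allow/Deny idioms of one scope into 2.4 Require directives and, going beyond the three pairs shown, also maps addresses and CIDR ranges to Require ip and an "allow everyone except ..." list to a RequireAll block. It assumes POSIX sh and awk; feed it the 2.2 lines on stdin.</p>

```shell
#!/bin/sh
# Added example (not from the post): convert the Apache 2.2 Order/Allow/Deny
# idioms of one <Directory>/<Location> scope into 2.4 Require directives.
# Beyond the three pairs shown in the post it also emits "Require ip" for
# addresses and CIDR ranges and a <RequireAll> block for "allow everyone
# except ..." lists. Reads the 2.2 lines on stdin, prints the 2.4 lines.
convert_access() {
  awk '
  function kind(v) { return (v ~ /^[0-9.]+(\/[0-9]+)?$/ || v ~ /:/) ? "ip" : "host" }
  function allows(ind,  i) { for (i = 1; i <= na; i++) print ind "Require " kind(allow[i]) " " allow[i] }
  function denies(ind,  i) { for (i = 1; i <= nd; i++) print ind "Require not " kind(deny[i]) " " deny[i] }
  function granted_minus_denied() {
    print "<RequireAll>"; print "  Require all granted"; denies("  "); print "</RequireAll>"
  }
  {
    l = tolower($0); sub(/^[ \t]+/, "", l)
    if (l ~ /^order[ \t]/) { order = l; sub(/^order[ \t]+/, "", order); gsub(/[ \t]/, "", order) }
    else if (l ~ /^allow[ \t]+from[ \t]/) { for (i = 3; i <= NF; i++) { if (tolower($i) == "all") allow_all = 1; else allow[++na] = $i } }
    else if (l ~ /^deny[ \t]+from[ \t]/)  { for (i = 3; i <= NF; i++) { if (tolower($i) == "all") deny_all = 1;  else deny[++nd] = $i } }
  }
  END {
    if (order == "deny,allow") {            # 2.2: denied unless explicitly allowed
      if (!deny_all) { if (nd) granted_minus_denied(); else print "Require all granted" }
      else if (na) { allows("") }
      else print "Require all denied"
    } else if (order == "allow,deny") {     # 2.2: allowed only if allowed and not denied
      if (!nd) { if (allow_all) print "Require all granted"; else if (na) allows(""); else print "Require all denied" }
      else if (allow_all) { granted_minus_denied() }
      else if (!na) { print "Require all denied" }
      else { print "<RequireAll>"; print "  <RequireAny>"; allows("    "); print "  </RequireAny>"; denies("  "); print "</RequireAll>" }
    } else print "# no Order directive found: nothing to convert"
  }'
}
```

The three 2.2 blocks from the post yield exactly the 2.4 lines the post gives; a leftover 2.2 block that is not converted is ignored by Apache 2.4 unless mod_access_compat is loaded, so running this over every scope before the upgrade is a cheap way to avoid an unintended "allow all".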