self-signed ssl-client-authentication

Hello guys,
welcome back on my blog so lets get start with the stuff.

SSL’s primary function on the Internet is to facilitate encryption and trust that allows a web browser to validate the authenticity of a web site. However, SSL works the other way around too – client SSL certificates can be used to authenticate a client to the web server. Think SSH public/private key pairs, if that is familiar to you. In this blog post I will outline the steps to create a certificate authority certificate, sign a server certificate and install it in Apache, and create a client cert in a format used by web browsers.

Generate a certificate authority (CA) cert

The first step is to generate a CA certificate. This CA certificate does not need to be generated on your web server – it can sit on whatever machine you will use to generate SSL certificates. Once created, the CA cert will act as the trusted authority for both your server and client certs. It is the equivalent of the Verisign or Comodos in the real world of SSL, however you wouldn’t want to use your CA cert for a major public website as its trust isn’t going to be built into browsers everywhere.

Generate your CA certificate using this command:

openssl req -newkey rsa:4096 -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.cer

Then keep them secret – keep them safe. If someone were to get a hold of these files they would be able to generate server and client certs that would be trusted by our web server as it will be configured below

Generate your Apache server SSL key and certificate.

Now that we have our CA cert, we can generate the SSL certificate that will be used by Apache.

1. Generate a server private key.

   openssl genrsa -out server.key 4096

2. Use the server private key to generate a certificate generation request.

   openssl req -new -key server.key -out server.req

3. Use the certificate generation request and the CA cert to generate the server cert.

   openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extensions server -days 1460 -outform PEM -out server.cer

4. Clean up – now that the cert has been created, we no longer need the request.

   rm server.req

Install the server certificate in Apache

My server is running Ubuntu 12.04.4 so all paths and commands referenced here are for that operating system.

1. Copy the CA cert to a permanent place. We’ll need to specify our CA cert in Apache since it is a self generated CA and not one that is included in operating systems everywhere.

   cp ca.cer /etc/ssl/certs/

2. Copy the server cert and private key to permanent place.

   cp server.cer /etc/ssl/certs/server.crt
   cp server.key /etc/ssl/private/server.key

3. Activate the SSL module in Apache.

   a2enmod ssl

4. Activate the SSL site in Apache and disable the HTTP site.

   a2ensite default-ssl
   a2dissite default

5. Edit /etc/apache2/sites-enabled/000-default-ssl (the config file for the SSL enabled site) and add:

   SSLCACertificateFile /etc/ssl/certs/ca.cer
   SSLCertificateFile    /etc/ssl/certs/server.crt
   SSLCertificateKeyFile /etc/ssl/private/server.key
   SSLVerifyClient require  #This is IMP line to make the thing work
   

6. Apply the config in Apache.

   service apache2 restart

   Generate a client SSL certificate

   1. Generate a private key for the SSL client.

      openssl genrsa -out client.key 4096

   2. Use the client’s private key to generate a cert request.

      openssl req -new -key client.key -out client.req

   3. Issue the client certificate using the cert request and the CA cert/key.

      openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer

   4. Convert the client certificate and private key to pkcs#12 format for use by browsers.

      openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

   5. Clean up – remove the client private key, client cert and client request files as the pkcs12 has everything needed.

      rm client.key client.cer client.req

   Looks like a pretty similar process to generating a server certificate, huh?
   Lastly, import the .p12 file into your browser. On Windows you can double click the file to import into the operating system’s keystore that will be used by IE and Chrome. For Firefox, open the Options -> Advanced -> Certificates -> View Certificates -> Your Certificates and import the certificate.
   Now, visit your website with the browser where you imported the client certificate. You’ll likely be prompted for which client certificate to use – select it. Then you’ll be authenticated and allowed in!

Right now if you visit your https site, you will get an SSL error similar to “SSL peer was unable to negotiate an acceptable set of security parameters.” That is good – it means your site won’t accept a connection unless your browser is using a trusted client cert. We’ll generate one now.

as you can see in the below screen you will be only able to access the containt if you have the client cert.I have make few part dark for privacy..Hope you will get it.. Thanks and enjoy...

Install HipHop Virtual Machine on Ubuntu 14.04

Hello Guys,
Yesterday during a conversation  with my old friend I come across a  about the HHVM server. so I started looking for it. and as an Linux Administrator I want to know how I can install this and configure this. So here is a procedure.
steps required to install HHVM on Ubuntu 14.04 

The article will also illustrate how HHVM can be used by creating:

1. A command line 'Hello World' script in PHP
2. A web based 'Hello World' script written in PHP and served by the HHVM server

Prerequisites

The only prerequisite for this tutorial is a VPS with Ubuntu 14.04 x64 installed. Note that HHVM doesn't support any 32 bit operating system and they have no plans to add support for 32 bit operating systems.

What is HHVM?

HipHop Virtual Machine (HHVM) is a virtual machine developed and open sourced by Facebook to process and execute programs and scripts written in PHP. Facebook developed HHVM because the regular Zend+Apache combination isn't as efficient to serve large applications built in PHP.

According to their website, HHVM has realized over a 9x increase in web request throughput and over a5x reduction in memory consumption for Facebook compared with the Zend PHP engine + APC (which is the current way of hosting a large majority of PHP applications).

Installing HHVM

Installing HHVM is quite straightforward and shouldn't take more than a few minutes. Executing the following 4 commands from the command line will have HHVM installed and ready:

sudo -i && wget -O - http://dl.hhvm.com/conf/hhvm.gpg.key | apt-key add -
echo deb http://dl.hhvm.com/ubuntu trusty main | tee /etc/apt/sources.list.d/hhvm.list
apt-get update
apt-get install hhvm

To confirm that HHVM has been installed, type the following command:

hhvm --help

Integrating your HHVM with existing infrastructure well HHVM  stop supporting the build in web-server so we need to integrate it with apache2 or with NGINX two most popular web servers.

Using HHVM in the FastCGI Mode

Starting with version 3.0, HHVM can no longer be used in the server mode. This section will help you configure HHVM in the FastCGI mode with the Apache and Nginx servers.

With Apache

Configuring HHVM to work in the FastCGI mode with Apache is extremely simple. All you need to do is execute the following following script:

/usr/share/hhvm/install_fastcgi.sh

Running this script configures Apache to start using HHVM to process the PHP code. It'll also restart the Apache server so you don't have to do anything else.

With Nginx

If you are using Nginx with PHP-FPM, you'll have to modify the configuration file to disable the use of PHP-FPM. This file is normally located at /etc/nginx/sites-available/default

Look for the following section and make sure it's all commented (by adding a # at the beginning of each line)

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
#       fastcgi_split_path_info ^(.+\.php)(/.+)$;
#       # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
#       # With php5-cgi alone:
#       fastcgi_pass 127.0.0.1:9000;
#       # With php5-fpm:
#       fastcgi_pass unix:/var/run/php5-fpm.sock;
#       fastcgi_index index.php;
#       include fastcgi_params;
#}

After doing this, execute the following script:

/usr/share/hhvm/install_fastcgi.sh

after execting the script we need to make a small change in file  /etc/apache2/mods-enabled/hhvm_proxy_fcgi.conf. replance the exesting line 

ProxyPassMatch ^/(.+\.(hh|php)(/.*)?)$ fcgi://127.0.0.1:9000/var/www/$1

with

ProxyPassMatch ^/(.+\.(hh|php)(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1e 

and we are done start the apache web server

Executing this script configures Nginx to start using HHVM to process the PHP code. It'll also restart the Nginx server so you don't have to do anything else.

Confirming that Apache/Nginx is Using HHVM

After you have configured your server to start using HHVM, it's always a good idea to confirm that the server (Apache or Nginx) is indeed using HHVM to process PHP.

You can do this by creating a test PHP file, let's say info.php and putting it in the public folder of your server (typically /var/www/html for Apache and /usr/share/nginx/html for Nginx). Now put the following content in this file:

<?php

echo  defined('HHVM_VERSION')?'Using HHVM':'Not using HHVM';

Now if everything is set up fine, when you access this file in the browser, you should see the following message:

Using HHVM

Important Note

HHVM has incorporated a lot of commonly used PHP extensions, making it easy to port a large number of applications without much fuss. However, if an application uses a PHP extension that hasn't been incorporated yet, choosing HHVM will break the application. The complete list of PHP extensions that have been ported over to HHVM can be found here