
Secure A Website


The following is a short tutorial on how to add security to an existing website. It is by no means a definitive guide and will simply get you started on the road to secure logins and secure transfer of information. It uses a self-signed SSL certificate, so it should be used for personal, not production, websites. If you would like a secured production website you will have to get a certificate from a reputable source, for example VeriSign.


First, open a terminal, and switch to the root user.

Next, we need to create a private key. This is done with the 'openssl' command line tool. Type/copy the following into your command line, changing the file name 'mywebsite.key' to something appropriate:

openssl genrsa -out mywebsite.key 2048

Now, we create the self-signed certificate (which carries the public key) from the private key. Again, type/copy the following into the command line. The -key parameter should be the file you just created, and the file name 'mywebsite.pem' should again be changed to something appropriate:

openssl req -new -x509 -key mywebsite.key -out mywebsite.pem -days 2048

After you press enter you will get the following:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Victoria
Organization Name (eg, company) [Internet Widgits Pty Ltd]:2S Technology
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, YOUR name) []:mywebsite.com    <- If this were an email server, this must be the server's domain name to avoid certificate errors from Outlook.
Email Address []:myemail@example.com

Answer the questions any way you'd like. The important one is the 'Common Name', a good answer would be your domain name, like '2stech.ca'.


Ensure that the two files are owned by root and have the correct permissions, then move them into the ssl private and public directories:

chmod 600 *.key
chmod 644 *.pem
mv mywebsite.key /etc/ssl/private/
mv mywebsite.pem /etc/ssl/certs/
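The key generation, certificate creation and permission steps above can be scripted and, more usefully, checked before the files are installed. The script below is an added example, not part of the original tutorial: it assumes only that the 'openssl' command line tool is on PATH, uses placeholder file names, and replaces the interactive DN prompts with the -subj option. Besides producing the two files it verifies what the tutorial asks you to "ensure": that the private key is mode 600, that the certificate's public key really was derived from that private key, that the Common Name is what you intended, and that the certificate is not about to expire.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Requires the openssl CLI.
# All paths and the DN values are placeholders chosen for this example.

# make_selfsigned DIR NAME CN DAYS
# Creates DIR/NAME.key (private key) and DIR/NAME.pem (self-signed cert).
make_selfsigned() {
    dir=$1; name=$2; cn=$3; days=$4
    # umask 077 makes the key 0600 at creation time, so it is never
    # world-readable even for an instant before the chmod below.
    (umask 077 && openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    # -x509 produces a self-signed certificate rather than a signing request;
    # -subj supplies the Distinguished Name non-interactively.
    openssl req -new -x509 -key "$dir/$name.key" -out "$dir/$name.pem" \
        -days "$days" \
        -subj "/C=CA/ST=British Columbia/L=Victoria/O=Example Org/CN=$cn" \
        2>/dev/null
    chmod 600 "$dir/$name.key"   # private key: owner read/write only
    chmod 644 "$dir/$name.pem"   # certificate is public, world-readable is fine
}

# key_matches_cert KEY PEM
# Succeeds only if the public key embedded in PEM is the one derived from KEY.
# Installing a mismatched pair is a common cause of Apache refusing to start.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn PEM
# Prints the Common Name from the certificate subject. Handles both the
# "CN = x" (OpenSSL 1.1+) and "/CN=x" (OpenSSL 1.0) subject formats.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

# cert_valid_for PEM SECONDS
# Succeeds if the certificate will still be valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# key_mode FILE
# Prints the octal permission bits (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: generate into a scratch directory and run every check; a failing
# check stops here rather than after the files are moved into /etc/ssl.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    work=$(mktemp -d)
    make_selfsigned "$work" mywebsite mywebsite.com 2048
    [ "$(key_mode "$work/mywebsite.key")" = "600" ] || { echo "bad key mode"; exit 1; }
    key_matches_cert "$work/mywebsite.key" "$work/mywebsite.pem" || { echo "key/cert mismatch"; exit 1; }
    [ "$(cert_cn "$work/mywebsite.pem")" = "mywebsite.com" ] || { echo "unexpected CN"; exit 1; }
    cert_valid_for "$work/mywebsite.pem" 86400 || { echo "certificate expires within a day"; exit 1; }
    echo "ok: $work/mywebsite.key and $work/mywebsite.pem are ready to move into /etc/ssl"
fi
```

Run it with RUN_EXAMPLE=1 to see the checks pass; the same three verification functions are worth running again after the mv into /etc/ssl, since the Apache configuration later in this tutorial points at those final paths.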


The following is the basic config for the website. It should be placed in /etc/apache/sites-available and can be named anything, for example 'ssl.mywebsite.com'. The location and name of the site should be changed to match your own website.

<VirtualHost *:443>
   ServerAdmin webmaster@mywebsite.com
   DocumentRoot "/var/www/mywebsite"
   ServerName mywebsite.com
   ServerAlias www.mywebsite.com
   # Directory block for the document root (path assumed to match DocumentRoot)
   <Directory "/var/www/mywebsite">
      allow from all
      Options +Indexes
   </Directory>
   # MEDIUM admits older, weaker ciphers; HIGH alone is stricter if your clients support it
   SSLCipherSuite HIGH:MEDIUM
   SSLEngine on
   SSLCertificateFile /etc/ssl/certs/mywebsite.pem
   SSLCertificateKeyFile /etc/ssl/private/mywebsite.key
</VirtualHost>

Now create a link from sites-available to sites-enabled:

ln -s /etc/apache/sites-available/ssl.mywebsite.com /etc/apache/sites-enabled/025-ssl.mywebsite.com

Restart apache to update the sites.


In order to have a request to your site on port 80 (http) be redirected to port 443 (https), add the following to the '.htaccess' file in your website's document root directory. SSLRequireSSL refuses plain-http requests with a 403, and the ErrorDocument line turns that 403 into a redirect to the https URL:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "mywebsite.com"
ErrorDocument 403 https://mywebsite.com