Archive for the ‘Lighttpd’ Category

Generating self-signed SSL certificate using OpenSSL

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by-default in Unix platform as an RPM or package file (RedHat, Solaris, etc).
The guide bellow explains how to generate a key store for digital certificates, generate private and self-signed SSL certificate for web servers, and export/convert the key store to PFX file (for importing to Windows platform).
The guide bellow was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin) however the same syntax should work the same on Windows platform.

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files (pre-compiled):
http://www.openssl.org/source/

  1. Install OpenSSL.
  2. Run the command bellow to generate a new key store called “server.key
    openssl genrsa -des3 -out /tmp/server.key 1024
  3. Run the commands bellow to request a new SSL certificate:
    openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

    openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

  4. Run the command bellow to backup the key store file that has a password:
    cp /tmp/server.key /tmp/server.key.bak
  5. Run the command bellow to generate a new key store without a password:
    openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
  6. Run the command bellow only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
    cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
  7. Run the command bellow only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform)
    openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

Appendix:

  • server.key – Key store file
  • server.crt – Server SSL public key file
  • no.pwd.server.key – Key store file (without a password)
  • no.pwd.server.pem – Key store file + server SSL public key file (without a password)
  • server.pfx – Private key + public key, exportable for Windows platform (i.e IIS server)

How to implement SSL on Lighttpd 1.4.26

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

SSL implementation phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /etc/lighttpd/ssl
    chmod 600 /etc/lighttpd/ssl
  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
    Note: Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/lighttpd.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
  7. Copy the file “server.crt” using SCP into /etc/lighttpd/ssl/
  8. Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
    cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pemNote: The command above should be written as one line.
  9. Remove the original server.crt file:
    rm -f /etc/lighttpd/ssl/server.crt
  10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  11. Copy the file “ca-bundle.crt” using SCP into /etc/lighttpd/ssl
  12. Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings:
    $SERVER["socket"] == "Server_FQDN:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
    server.name = "Server_FQDN"
    server.document-root = "/www"
    server.errorlog = "/var/log/lighttpd/serror.log"
    accesslog.filename = "/var/log/lighttpd/saccess.log"
    ssl.use-sslv2 = "disable"
    ssl.cipher-list ="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
    }
  13. Restart the Lighttpd service.

Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd lighttpd
    useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd
  3. Mount RHEL 5.4 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Lighttpd environment, install the following RPM:
    rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-49.x86_64.rpm
    rpm -ivh glibc-devel-2.5-49.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm
  5. Download Lighttpd 1.4.26 from:
    http://www.lighttpd.net/download/
  6. Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
  7. Move to /tmp
    cd /tmp
  8. Extract the lighttpd-1.4.26.tar.gz file:
    tar -zxvf lighttpd-1.4.26.tar.gz
  9. Download into the folder /tmp/lighttpd-1.4.26/src, the file bellow: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
  10. Move to the Lighttpd source folder:
    cd /tmp/lighttpd-1.4.26
  11. Run the commands bellow to compile the Lighttpd environment:
    ./configure --with-openssl --without-bzip2

    make

    make install

  12. Create the following folders:
    mkdir -p /etc/lighttpd
    mkdir -p /var/log/lighttpd
    mkdir -p /var/cache/lighttpd/compress
  13. Copy the lighttpd.conf file:
    cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
  14. Updating Ownership and Permissions on Lighttpd folders:
    chown lighttpd:lighttpd /var/log/lighttpd
    chown lighttpd:root /etc/lighttpd/lighttpd.conf
    chown lighttpd:lighttpd /var/cache/lighttpd/compress
    chmod o-r /etc/lighttpd/lighttpd.conf
    chmod -R o-r /var/log/lighttpd
  15. Create folder for the web content:
    mkdir -p /www
  16. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  17. Edit using VI the file /etc/lighttpd/lighttpd.conf and change the following strings:
    From:
    server.document-root = "/srv/www/htdocs/"To:
    server.document-root = "/www"

    From:
    #server.bind = "127.0.0.1"To:
    server.bind = "Server_FQDN"

    From:
    # server.tag = "lighttpd"To:
    server.tag = "Secure Web Server"

    From:
    #server.username = "wwwrun"To:
    server.username = "lighttpd"

    From:
    #server.groupname = "wwwrun"To:
    server.groupname = "lighttpd"

    From:
    #dir-listing.activate = "enable"To:
    dir-listing.activate = "disable"

  18. Create using VI, a file called /etc/sysconfig/lighttpd with the following content:
    LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
  19. To manually start Lighttpd use the command:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  20. To start Lighttpd service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  21. Remove the Lighttpd source files:
    rm -rf /tmp/lighttpd-1.4.26
    rm -f /tmp/lighttpd-1.4.26.tar.gz
  22. Uninstall the following RPM:
    rpm -e gcc-4.1.2-48.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-49
    rpm -e glibc-headers-2.5-49
    rpm -e kernel-headers-2.6.18-194.el5