Ignore SSL certificate errors when using Curl
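curl -k https://expired.badssl.com
The -k (--insecure) option makes curl skip verification of the server certificate, so the connection is still encrypted but the peer is not authenticated.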
References
https://reqbin.com/req/c-ug1qqqwh/curl-ignore-certificate-checks
Daily Notes of a Programmer
sudo a2enmod proxy_http
sudo a2enmod proxy_fcgi
sudo a2enmod proxy_wstunnel
# VirtualHost ms.example.net
<VirtualHost *:80>
    ServerName ms.example.net
    ProxyRequests Off
    ProxyPreserveHost On
    RemoteIPHeader X-Forwarded-For
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/socket.io [NC]
    RewriteCond %{QUERY_STRING} transport=websocket [NC]
    RewriteRule /(.*) ws://localhost:14102/$1 [P,L]
    ProxyPass /socket.io http://localhost:14102/socket.io
    ProxyPassReverse /socket.io http://localhost:14102/socket.io
</VirtualHost>
<VirtualHost *:443>
    ServerName ms.example.net
    ProxyRequests Off
    ProxyPreserveHost On
    RemoteIPHeader X-Forwarded-For
    RewriteEngine on
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/socket.io [NC]
    RewriteCond %{QUERY_STRING} transport=websocket [NC]
    RewriteRule /(.*) ws://localhost:14102/$1 [P,L]
    ProxyPass /socket.io http://localhost:14102/socket.io
    ProxyPassReverse /socket.io http://localhost:14102/socket.io
</VirtualHost>
Use a secure URL for your initial connection, i.e. instead of “http://” use “https://”. If the WebSocket transport is chosen, then Socket.IO should automatically use “wss://” (SSL) for the WebSocket connection too.
var socket = io.connect('https://localhost', {secure: true});
References
http://xpo6.com/socket-io-via-apache-reverse-proxy/
https://stackoverflow.com/questions/36472920/apache-proxy-configuration-for-socket-io-project-not-in-root
https://gist.github.com/iacchus/954e0787d6893c5ab8e1
https://stackoverflow.com/questions/6599470/node-js-socket-io-with-ssl
sudo certbot --apache -d example.com -d www.example.com
Installing Certbot
sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-apache
Set Up the SSL Certificate
Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.
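A pre-flight check for the lookup described above, as an added example that is not part of the original notes or of Certbot: the hypothetical helper vhosts_for_domain lists every <VirtualHost> block whose ServerName equals the requested domain. It assumes only ServerName is compared, as the note describes, and it does not follow Include directives.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Certbot code).
# Usage: vhosts_for_domain example.com /etc/apache2/sites-enabled/*.conf
# Prints "file:line address" for each matching <VirtualHost>; returns 1 if none.
vhosts_for_domain() {
    domain=$1; shift
    awk -v want="$domain" '
        BEGIN { want = tolower(want); found = 0 }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }                          # skip comment lines
        tolower(line) ~ /^<virtualhost[ \t]/ {
            # remember where the block starts and which address it binds
            addr = line
            sub(/^<[^ \t]+[ \t]+/, "", addr)
            sub(/>.*$/, "", addr)
            start = FNR; invh = 1; next
        }
        tolower(line) ~ /^<\/virtualhost>/ { invh = 0; next }
        invh && tolower(line) ~ /^servername[ \t]/ {
            split(line, f, /[ \t]+/)
            name = tolower(f[2])
            sub(/^[a-z]+:\/\//, "", name)             # optional scheme
            sub(/:[0-9]+$/, "", name)                 # optional port
            if (name == want) {
                printf "%s:%d %s\n", FILENAME, start, addr
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}
```

An empty result before running certbot --apache means no block declares that name, so there is nothing for the plugin to match.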
Obtaining an SSL Certificate
sudo certbot --apache -d example.com -d www.example.com
This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.
Verifying Certbot Auto-Renewal
sudo certbot renew --dry-run
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
http-server -S -C cert.pem -o
Use 127.0.0.1 as value for “Common name”
References
https://stackoverflow.com/questions/35127383/npm-http-server-with-ssl
Installing Mosquitto
sudo add-apt-repository ppa:mosquitto-dev/mosquitto-ppa
sudo apt-get update
sudo apt-get install mosquitto mosquitto-clients
Installing Certbot for Let’s Encrypt Certificates
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
Running Certbot
sudo ufw allow 80
sudo ufw allow 443
sudo certbot certonly --standalone
Enter your domain : mqtt.example.com
Setting up Certbot Automatic Renewals
sudo crontab -e
. . .
15 3 * * * certbot renew --noninteractive --post-hook "systemctl restart mosquitto"
Configuring MQTT Passwords
sudo mosquitto_passwd -c /etc/mosquitto/passwd sammy
sudo nano /etc/mosquitto/conf.d/default.conf
allow_anonymous false
password_file /etc/mosquitto/passwd
sudo systemctl restart mosquitto
Configuring MQTT SSL
sudo nano /etc/mosquitto/conf.d/default.conf
. . .
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
sudo systemctl restart mosquitto
sudo ufw allow 8883
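A check for the listener layout above, as an added example that is not from the original notes or the Mosquitto project: the hypothetical helper mosquitto_plain_listeners reports any listener that has no certfile/keyfile and is not bound to a loopback address. It relies on Mosquitto applying certfile and keyfile to the most recently declared listener.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Mosquitto).
# Usage: mosquitto_plain_listeners /etc/mosquitto/conf.d/default.conf
# Prints one line per plaintext listener reachable from other hosts;
# returns 1 if any was found, 0 otherwise.
mosquitto_plain_listeners() {
    awk '
        # Report the listener collected so far if it is plaintext and not loopback.
        function report() {
            if (port == "") return
            if (cert && key) return
            if (bind == "localhost" || bind == "127.0.0.1" || bind == "::1") return
            printf "listener %s (%s): no certfile/keyfile\n", port, (bind == "" ? "all interfaces" : bind)
            bad = 1
        }
        /^[ \t]*#/ { next }                 # skip comment lines
        $1 == "listener" {
            report()                        # close the previous listener block
            port = $2; bind = $3; cert = 0; key = 0
            next
        }
        $1 == "certfile" { cert = 1 }       # TLS options belong to the
        $1 == "keyfile"  { key = 1 }        # most recent listener line
        END { report(); exit (bad ? 1 : 0) }
    ' "$@"
}
```

Run against the configuration above it prints nothing, because port 1883 is bound to localhost and port 8883 carries the Let's Encrypt certificate and key.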
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName mysite.example.com
    DocumentRoot /usr/local/apache2/htdocs
    Redirect /secure https://mysite.example.com/secure
</VirtualHost>
<VirtualHost _default_:443>
    ServerName mysite.example.com
    DocumentRoot /usr/local/apache2/htdocs
    SSLEngine On
    # etc...
</VirtualHost>
When redirecting everything you don’t even need a DocumentRoot:
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.example.com
    Redirect / https://secure.example.com/
</VirtualHost>
<VirtualHost _default_:443>
    ServerName secure.example.com
    DocumentRoot /usr/local/apache2/htdocs
    SSLEngine On
    # etc...
</VirtualHost>
Note: Once the configuration is working as intended, a permanent redirection can be considered. This avoids caching issues by most browsers while testing. The directive would then become:
Redirect permanent / https://secure.example.com/
—————
<Directory /topsecret>
    SSLRequireSSL
</Directory>
References
https://wiki.apache.org/httpd/RedirectSSL
https://serverfault.com/questions/429634/restrict-apache-to-only-allow-access-using-ssl-for-some-directories
https://www.tecmint.com/redirect-http-to-https-on-apache/
sudo apt-get install python-letsencrypt-apache
letsencrypt --apache
nano /etc/apache2/apache2.conf
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/dl.mhdr.ir/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/dl.mhdr.ir/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/dl.mhdr.ir/chain.pem
    DocumentRoot "/var/www/html/dl"
    ServerName dl.mhdr.ir
</VirtualHost>
service apache2 restart
PPA
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
Note: only the last VirtualHost will be detected by letsencrypt
References
https://certbot.eff.org/#ubuntuxenial-apache
https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
https://letsencrypt.org/