ssl – Pupli

Apache reverse proxy configuration for socket.io

July 13, 2019July 13, 2019 - by mhdr - Leave a Comment

sudo a2enmod proxy_http
sudo a2enmod proxy_fcgi
sudo a2enmod proxy_wstunnel

# VirtualHost ms.example.net
<VirtualHost *:80>
  ServerName ms.example.net
  ProxyRequests Off
  ProxyPreserveHost On
  RemoteIPHeader X-Forwarded-For
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/socket.io          [NC]
  RewriteCond %{QUERY_STRING} transport=websocket [NC]
  RewriteRule /(.*) ws://localhost:14102/$1        [P,L]

  ProxyPass /socket.io http://localhost:14102/socket.io
  ProxyPassReverse /socket.io http://localhost:14102/socket.io
</VirtualHost>

<VirtualHost *:443>
  ServerName ms.example.net
  ProxyRequests Off
  ProxyPreserveHost On
  RemoteIPHeader X-Forwarded-For
  RewriteEngine on
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
  
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/socket.io          [NC]
  RewriteCond %{QUERY_STRING} transport=websocket [NC]
  RewriteRule /(.*) ws://localhost:14102/$1        [P,L]
  ProxyPass /socket.io http://localhost:14102/socket.io
  ProxyPassReverse /socket.io http://localhost:14102/socket.io
  
</VirtualHost>

Use a secure URL for your initial connection, i.e. instead of “http://” use “https://”. If the WebSocket transport is chosen, then Socket.IO should automatically use “wss://” (SSL) for the WebSocket connection too.

var socket = io.connect('https://localhost', {secure: true});

References
http://xpo6.com/socket-io-via-apache-reverse-proxy/
https://stackoverflow.com/questions/36472920/apache-proxy-configuration-for-socket-io-project-not-in-root
https://gist.github.com/iacchus/954e0787d6893c5ab8e1
https://stackoverflow.com/questions/6599470/node-js-socket-io-with-ssl

Obtaining Let’s Encrypt Certificate valid for sub domains

July 12, 2019 - by mhdr - Leave a Comment

sudo certbot --apache -d example.com -d www.example.com

References
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

Secure Apache with Let’s Encrypt on Ubuntu 18.04

July 9, 2019July 9, 2019 - by mhdr - Leave a Comment

Installing Certbot

sudo add-apt-repository ppa:certbot/certbot

sudo apt install python-certbot-apache

Set Up the SSL Certificate

Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.

Obtaining an SSL Certificate

sudo certbot --apache -d example.com -d www.example.com

This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.

Verifying Certbot Auto-Renewal

sudo certbot renew --dry-run

References
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

NodeJS HTTPS server using http_server

July 6, 2019July 6, 2019 - by mhdr - Leave a Comment

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

http-server -S -C cert.pem -o

Use 127.0.0.1 as value for “Common name”

References
https://stackoverflow.com/questions/35127383/npm-http-server-with-ssl

How to Install and Secure the Mosquitto MQTT Messaging Broker on Ubuntu 16.04

November 11, 2017 - by mhdr - Leave a Comment

Installing Mosquitto

sudo add-apt-repository ppa:mosquitto-dev/mosquitto-ppa
sudo apt-get update
sudo apt-get install mosquitto mosquitto-clients

Installing Certbot for Let’s Encrypt Certificates

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Running Certbot

sudo ufw allow 80
sudo ufw allow 443

sudo certbot certonly --standalone

Enter your domain : mqtt.example.com

Setting up Certbot Automatic Renewals

sudo crontab -e

. . .
15 3 * * * certbot renew --noninteractive --post-hook "systemctl restart mosquitto"

Configuring MQTT Passwords

sudo mosquitto_passwd -c /etc/mosquitto/passwd sammy

sudo nano /etc/mosquitto/conf.d/default.conf

allow_anonymous false
password_file /etc/mosquitto/passwd

sudo systemctl restart mosquitto

Configuring MQTT SSL

sudo nano /etc/mosquitto/conf.d/default.conf

. . .
listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

sudo systemctl restart mosquitto

sudo ufw allow 8883

References
https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-16-04

Redirect Request to SSL on Apache

September 30, 2017July 6, 2019 - by mhdr - Leave a Comment

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   Redirect /secure https://mysite.example.com/secure
</VirtualHost>

<VirtualHost _default_:443>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...
</VirtualHost>

When redirecting everything you don’t even need a DocumentRoot:

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.example.com
   Redirect / https://secure.example.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName secure.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...
</VirtualHost>

Note: Once the configuration is working as intended, a permanent redirection can be considered. This avoids caching issues by most browsers while testing. The directive would then become:

Redirect permanent / https://secure.example.com/

—————

<Directory /topsecret>
  SSLRequireSSL
</Directory>

References
https://wiki.apache.org/httpd/RedirectSSL
https://serverfault.com/questions/429634/restrict-apache-to-only-allow-access-using-ssl-for-some-directories
https://www.tecmint.com/redirect-http-to-https-on-apache/

Configure Let’s Encrypt for Apache on Ubuntu

February 8, 2017October 17, 2017 - by mhdr - Leave a Comment

sudo apt-get install python-letsencrypt-apache

letsencrypt --apache

nano /etc/apache2/apache2.conf

<VirtualHost *:443>
	SSLEngine on
	SSLCertificateKeyFile /etc/letsencrypt/live/dl.mhdr.ir/privkey.pem
	SSLCertificateFile /etc/letsencrypt/live/dl.mhdr.ir/cert.pem
	SSLCertificateChainFile /etc/letsencrypt/live/dl.mhdr.ir/chain.pem
    DocumentRoot "/var/www/html/dl"
    ServerName dl.mhdr.ir
</VirtualHost>

service apache2 restart

PPA

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

note : only the last VitualHost will be detected by letsencrypt
References
https://certbot.eff.org/#ubuntuxenial-apache
https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
https://letsencrypt.org/