Posts Tagged apache

How to create an SSL certificate for Apache

Posted by on Tuesday, 7 April, 2009

OK, here's a script which takes you through the annoying part:

#!/bin/sh
# Generates a fresh RSA private key and a certificate signing request (CSR)
# for SERVER, ready to send to a certification authority.
set -e
SERVER=zeald.com
PRIVATE_KEY="$SERVER.private.key"
CERTIFICATE_FILE="$SERVER.crt"          # name to save the issued certificate under
SIGNING_REQUEST="$SERVER.signing.request"
VALID_DAYS=365

echo "Delete old private key"
rm -f "$PRIVATE_KEY"

echo "Create new private/public keys without passphrase for server"
# 1024-bit RSA was the norm when this was written; public CAs now reject
# anything under 2048 bits, so raise this before using the script.
openssl genrsa -out "$PRIVATE_KEY" 1024
chmod 600 "$PRIVATE_KEY"   # the key is unencrypted, so keep it readable by its owner only

echo "Create file for signing request"
rm -f "$SIGNING_REQUEST"
# -days only applies together with -x509 (self-signed certificates); for a CSR
# the CA decides the validity period, so VALID_DAYS has no effect here.
openssl req -new -days "$VALID_DAYS" -key "$PRIVATE_KEY" -out "$SIGNING_REQUEST"

echo "Filename for signing request is: $SIGNING_REQUEST"
echo "Send the content of the file to the certification authority."
echo "For example: Christian Heutger [c.heutger@psw.biz]"
echo "from http://www.ssl-certs.de"
cat "$SIGNING_REQUEST"
echo "You can check this request at"
echo "https://secure.comodo.net/utilities/decodeCSR.html"

Now run chmod +x create_signing_request.sh

then ./create_signing_request.sh
It will go through asking you for information about your company etc. You may need to do this several times to figure out what goes where. Then go to your SSL certificate provider and use the CSR to request the SSL certificate. It may take an hour or two, or even up to a couple of days, to get your SSL certificate.
Once you have it, you need to add a couple of lines similar to this into your Apache config:

SSLCertificateFile /etc/apache/ssl.crt/yourdomain.crt
SSLCertificateKeyFile /etc/apache/ssl.key/yourdomain.key

Last-Modified: 2008-06-10 13:57:40


PHP and Apache, some safer defaults

Posted by on Tuesday, 7 April, 2009

Okay, so every monkey and his dog can do PHP these days; hey, that's what it was written for.

So if I were looking to hack a server, one of the first things I would look for is the version of PHP running on it. This is found out very easily if you allow the version to be added to the server string. You can hide this with the config option
expose_php = Off

Here are a few quick, handy PHP config defaults:

; Who needs to download off remote sites, seriously?
allow_url_fopen = Off

; This can help stop a few SQL injection methods
; (note: magic_quotes_gpc was removed in PHP 5.4 and is not available on current releases)
magic_quotes_gpc = On

; By not allowing these few functions we can stop a fair bit of nasty stuff going on,
; not just from end users but by the users writing the code. You may wish to add
; mail() into this also.
disable_functions = proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru

; (note: safe_mode and the safe_mode_* directives below were removed in PHP 5.4)
safe_mode = On

; By default, Safe Mode does a UID compare check when opening files. If you want to
; relax this to a GID compare, then turn on safe_mode_gid. This stops users messing
; with others' stuff.
safe_mode_gid = Off

; This is handy if you want to be able to execute SOME binaries but not others from PHP
safe_mode_exec_dir = /some/safe/binary/folder
Okay, that covers most of the basics; now for the Apache end of PHP.
For each website that has a VirtualHost you should add lines similar to this:

php_admin_value open_basedir /var/www/debian.co.nz:/var/www/debian.co.nz/tmp
php_admin_value doc_root /var/www/debian.co.nz:/var/www/debian.co.nz/tmp

What this does is stop users from opening anything outside of their own directories (you really don't want them being able to open things in /etc and so on). php_admin_value, unlike php_value, cannot be overridden from .htaccess or ini_set(), which is why it is used here.
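A small audit script, added here as an example (it is not from the original post), that parses a php.ini and reports which of the settings above are missing or still at their insecure defaults. It only checks directives that still exist in current PHP, since safe_mode and magic_quotes_gpc were removed in PHP 5.4; the sample php.ini it runs against is constructed for the demo.

```python
# Hardening expectations taken from the post above. safe_mode and
# magic_quotes_gpc are left out: both were removed in PHP 5.4.
EXPECTED_OFF = ("expose_php", "allow_url_fopen")          # both default to On when unset
EXPECTED_DISABLED = {"proc_open", "popen", "exec", "system", "shell_exec", "passthru"}

def parse_php_ini(text):
    """Parse php.ini text into {key: value}; ';' starts a comment, later keys win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and whitespace
        if not line or line.startswith("["):       # blank line or [section] header
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def ini_bool(value):
    """Interpret a php.ini boolean the way PHP does (On/Off, 1/0, yes/no, true/false)."""
    v = value.strip().lower()
    if v in {"1", "on", "yes", "true"}:
        return True
    if v in {"0", "off", "no", "false", "none", ""}:
        return False
    raise ValueError("not a php.ini boolean: %r" % value)

def audit_php_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_php_ini(text)
    findings = []
    for key in EXPECTED_OFF:
        if ini_bool(s.get(key, "On")):             # absent means PHP's default, On
            findings.append("%s should be Off" % key)
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXPECTED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set; set it per VirtualHost with php_admin_value")
    return findings

# Constructed sample php.ini: the post's values, but with a short disable_functions list and no open_basedir.
SAMPLE_INI = """\
[PHP]
expose_php = Off
allow_url_fopen = Off   ; who needs to download off remote sites?
disable_functions = proc_open , popen, exec, system
"""

if __name__ == "__main__": print(audit_php_ini(SAMPLE_INI))
```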

Last-Modified: 2007-04-05 22:00:08