2. Configure Web Server with HTTPS
If the virtual machine is running, log in and shut it down:
ssh -p 8015 hjc@dynamicshjc.case.edu sudo shutdown -h now
Share the SSL certificate directory owned by the VirtualBox Machines (vbox) account on DynamicsHJC (~vbox/ssl-certificates) with the virtual machine as a shared folder. Shared folders are accessible on the virtual machine under the mount point /media/; an auto-mounted folder named ssl-certificates appears as /media/sf_ssl-certificates, which is the path the scripts and Apache configuration below expect. Mount it read-only so that nothing on the guest can alter the certificates or the private keys stored beside them. In VirtualBox, select Machine > Settings > Shared Folders, press the "+" button, and use the following settings:
- Folder Path: /Users/vbox/ssl-certificates
- Folder Name: ssl-certificates
- Check "Read-only"
- Check "Auto-mount"
Press "OK" twice to close the Settings windows.
Start the virtual machine and log in:
ssh -p 8015 hjc@dynamicshjc.case.edu
Check for and install system updates on the virtual machine:
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get autoremove
The Apache web server runs as user www-data in group www-data. Give that account ownership of and read/write access to the web directory, and set the setgid bit on every directory so that files created later under /var/www inherit the www-data group:
sudo chown -R www-data:www-data /var/www/
sudo chmod -R ug+rw /var/www/
sudo find /var/www -type d -exec chmod g+s {} \;
Note that this gives the web server process write access to everything it serves, so a compromised web application could modify the site's own files; keep that in mind when deciding what else lives under /var/www.
Download and install the check-ssl-cert-expiration script:
sudo wget -O /usr/local/sbin/check-ssl-cert-expiration https://neurowiki-docs.readthedocs.io/en/latest/_downloads/check-ssl-cert-expiration
sudo chmod +x /usr/local/sbin/check-ssl-cert-expiration
The script looks for the shared folder set up above and prints the expiration date of every certificate found there. Check that this is working and that the certificates are current:
sudo check-ssl-cert-expiration
If you are curious about the contents of check-ssl-cert-expiration, you can view it here:
check-ssl-cert-expiration
#!/bin/bash
# Place this script in /usr/local/sbin and make it executable (chmod +x).
#
# This script will print out the expiration dates for all SSL certificates
# located in CERTDIR or its subdirectories.

# Function for aborting with an error message
die () {
    echo >&2 "$@"
    exit 1
}

# Require that the user is root.
[ "$UID" -eq 0 ] || die "Aborted: superuser privileges needed (rerun with sudo)"

# The certificate files are expected to be found in CERTDIR with a specific
# naming scheme (<host>_case_edu_cert.cer, as referenced in smart-ssl.conf).
CERTDIR="/media/sf_ssl-certificates"
[ -d "$CERTDIR" ] || die "Aborted: $CERTDIR not found (is the shared folder mounted?)"

# Find and report expiration dates for certificates. The file name is handed
# to the inner shell as a positional argument ($1) instead of being spliced
# into the command string, so a name containing spaces or shell metacharacters
# cannot be interpreted as shell syntax.
find "$CERTDIR" -name "*_cert.cer" -print \
    -exec sh -c 'openssl x509 -noout -enddate -in "$1" | sed -e "s/\(.*\)=\(.*\)/    \2/"' _ {} \;

exit 0
Disable the default Apache site configurations, then download and enable a custom site configuration (smart-ssl.conf) that serves each hostname over HTTPS with its own certificate:
sudo a2dissite 000-default default-ssl
sudo wget -O /etc/apache2/sites-available/smart-ssl.conf https://neurowiki-docs.readthedocs.io/en/latest/_downloads/smart-ssl.conf
sudo a2enmod rewrite ssl
sudo a2ensite smart-ssl
sudo apache2ctl restart
The SSL certificate is selected automatically from the hostname the client asks for (the TLS Server Name Indication and the Host: header), which Apache compares against the ServerName of each virtual host; the port is not part of the comparison. If port forwarding is enabled and the virtual machine is accessed using https://dynamicshjc.case.edu:8014, the certificate for DynamicsHJC is served. If bridged networking is enabled and the virtual machine is accessed using https://neurowiki.case.edu, the certificate for NeuroWiki is served. Later, when the virtual machine is cloned and converted to NeuroWikiDev, its certificate will be selected automatically in the same way. A request whose hostname matches none of the ServerName entries (for example one made by IP address, or by a client that sends no SNI) is answered by the first *:443 virtual host in the file, dynamicshjc.case.edu, with that certificate; apache2ctl -S lists the configured virtual hosts and which one is the default.
If you are curious about the contents of smart-ssl.conf, you can view it here:
smart-ssl.conf
#
# GLOBAL SETTINGS
#

# Globally specify ServerName to satisfy requirement, will be replaced by
# matching virtual host's ServerName
ServerName localhost

# Except where aliases are used, all URLs are relative to DocumentRoot, e.g.,
# https://example.com/dir1/page.html points to /var/www/html/dir1/page.html
DocumentRoot /var/www/html

# Deny access to everything on the server unless overridden by other Directory
# directives, and allow access to the DocumentRoot
<Directory ~ "/">
    Options -Indexes
    Require all denied
</Directory>
<Directory ~ "/var/www/html">
    Require all granted
</Directory>

# Disallow access to .git directories and .gitignore files
RedirectMatch 404 /\.git

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
#   Translate the client X.509 into a Basic Authorisation. This means that
#   the standard Auth/DBMAuth methods can be used for access control. The
#   user name is the `one line' version of the client's X.509 certificate.
#   Note that no password is obtained from the user. Every entry in the user
#   file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
#   This exports two additional environment variables: SSL_CLIENT_CERT and
#   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#   server (always existing) and the client (only existing when client
#   authentication is used). This can be used to import the certificates
#   into CGI scripts.
# o StdEnvVars:
#   This exports the standard SSL/TLS related `SSL_*' environment variables.
#   Per default this exportation is switched off for performance reasons,
#   because the extraction step is an expensive operation and is usually
#   useless for serving static content. So one usually enables the
#   exportation for CGI and SSI requests only.
# o OptRenegotiate:
#   This enables optimized SSL connection renegotiation handling when SSL
#   directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

#
# VIRTUAL HOSTS
#
# ServerName specifies what hostname must appear in the request's Host: header
# to match a virtual host
#

# Matches any http://* and redirects to https://*
# Note: %{HTTP_HOST} is the Host: header supplied by the client, so the
# redirect target is whatever hostname (and port) the client asked for.
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
    # Matches only https://dynamicshjc.case.edu
    # As the first *:443 virtual host, this is also the default for requests
    # whose hostname matches no ServerName below (or that send no SNI).
    <VirtualHost *:443>
        ServerName dynamicshjc.case.edu
        SSLEngine on
        SSLCertificateFile /media/sf_ssl-certificates/dynamicshjc/dynamicshjc_case_edu_cert.cer
        SSLCertificateKeyFile /media/sf_ssl-certificates/dynamicshjc/dynamicshjc_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/dynamicshjc/dynamicshjc_case_edu_interm.cer
    </VirtualHost>

    # Matches only https://neurowiki.case.edu
    <VirtualHost *:443>
        ServerName neurowiki.case.edu
        SSLEngine on
        SSLCertificateFile /media/sf_ssl-certificates/neurowiki/neurowiki_case_edu_cert.cer
        SSLCertificateKeyFile /media/sf_ssl-certificates/neurowiki/neurowiki_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/neurowiki/neurowiki_case_edu_interm.cer
    </VirtualHost>

    # Matches only https://neurowikidev.case.edu
    <VirtualHost *:443>
        ServerName neurowikidev.case.edu
        SSLEngine on
        SSLCertificateFile /media/sf_ssl-certificates/neurowikidev/neurowikidev_case_edu_cert.cer
        SSLCertificateKeyFile /media/sf_ssl-certificates/neurowikidev/neurowikidev_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/neurowikidev/neurowikidev_case_edu_interm.cer
    </VirtualHost>

    # Matches only https://biol300.case.edu
    <VirtualHost *:443>
        ServerName biol300.case.edu
        SSLEngine on
        SSLCertificateFile /media/sf_ssl-certificates/biol300/biol300_case_edu_cert.cer
        SSLCertificateKeyFile /media/sf_ssl-certificates/biol300/biol300_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/biol300/biol300_case_edu_interm.cer
    </VirtualHost>

    # Matches only https://biol300dev.case.edu
    <VirtualHost *:443>
        ServerName biol300dev.case.edu
        SSLEngine on
        SSLCertificateFile /media/sf_ssl-certificates/biol300dev/biol300dev_case_edu_cert.cer
        SSLCertificateKeyFile /media/sf_ssl-certificates/biol300dev/biol300dev_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/biol300dev/biol300dev_case_edu_interm.cer
    </VirtualHost>

    # Matches only https://slugwiki.case.edu
    <VirtualHost *:443>
        ServerName slugwiki.case.edu
        SSLEngine on
        SSLCertificateFile /media/sf_ssl-certificates/slugwiki/slugwiki_case_edu_cert.cer
        SSLCertificateKeyFile /media/sf_ssl-certificates/slugwiki/slugwiki_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/slugwiki/slugwiki_case_edu_interm.cer
    </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
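As an added check (an example script written for this page, not one of the NeuroWiki scripts or downloads), the following confirms from the virtual machine which certificate each hostname actually receives and that it is fit for use. It opens a TLS connection to the local server with the Server Name Indication set to each hostname, the same signal Apache uses to pick a <VirtualHost *:443> in smart-ssl.conf, saves the leaf certificate the server presents, and checks with openssl that the certificate covers that hostname and is not about to expire. It goes beyond check-ssl-cert-expiration in two ways: it tests the certificate the server serves rather than the files in the shared folder, and it flags certificates expiring within a warning window instead of only printing dates. The hostnames in the usage line are those in smart-ssl.conf; the connect target 127.0.0.1:443, the 30-day warning window and the script name are assumptions.

```shell
#!/bin/bash
# check-vhost-certs: added example, not part of the NeuroWiki documentation.
# Usage: check-vhost-certs CONNECT HOST...
#   e.g. check-vhost-certs 127.0.0.1:443 dynamicshjc.case.edu neurowiki.case.edu
# For each HOST, connect to CONNECT with SNI=HOST (the name Apache matches
# against ServerName), save the leaf certificate the server presents, and
# check that it is valid for HOST and not expiring within WARN_DAYS.
set -u

# Assumed warning window: report certificates that expire within this many days.
WARN_DAYS="${WARN_DAYS:-30}"

# fetch_cert HOST CONNECT OUTFILE
# Writes the PEM leaf certificate served for SNI=HOST to OUTFILE; fails if no
# certificate could be obtained (connection refused, no TLS on that port, ...).
fetch_cert() {
    local host="$1" connect="$2" out="$3"
    openssl s_client -connect "$connect" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out" 2>/dev/null
}

# cert_enddate PEMFILE: the notAfter date, as check-ssl-cert-expiration prints it.
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" | sed -e 's/^notAfter=//'
}

# check_cert PEMFILE HOST DAYS
# Returns 0 if the certificate in PEMFILE is valid for HOST (subjectAltName,
# or the CN when no SAN is present) and does not expire within DAYS days.
# Works offline on any PEM file, e.g. a *_cert.cer from the shared folder.
check_cert() {
    local pem="$1" host="$2" days="$3"
    local secs=$((days * 86400))
    # x509 -checkhost prints "does match" / "does NOT match" but exits 0 either
    # way, so the verdict has to be read from its output.
    if ! openssl x509 -noout -in "$pem" -checkhost "$host" | grep -q "does match"; then
        echo "$host: served certificate is not valid for this hostname" >&2
        return 1
    fi
    # x509 -checkend exits 1 if the certificate expires within SECS seconds.
    if ! openssl x509 -noout -in "$pem" -checkend "$secs" >/dev/null; then
        echo "$host: certificate expires within $days days ($(cert_enddate "$pem"))" >&2
        return 1
    fi
    return 0
}

# check_vhosts CONNECT HOST...
# Checks every HOST against the server at CONNECT; returns the number of
# hostnames that failed (0 means every certificate matched and is current).
check_vhosts() {
    local connect="$1"; shift
    local failures=0 host tmp
    tmp="$(mktemp)"
    for host in "$@"; do
        if ! fetch_cert "$host" "$connect" "$tmp"; then
            echo "$host: no certificate received from $connect" >&2
            failures=$((failures + 1))
        elif check_cert "$tmp" "$host" "$WARN_DAYS"; then
            echo "$host: OK, expires $(cert_enddate "$tmp")"
        else
            failures=$((failures + 1))
        fi
    done
    rm -f "$tmp"
    return "$failures"
}

# Only contact a server when a target and hostnames are given on the command line.
if [ "$#" -gt 0 ]; then
    check_vhosts "$@"
fi
```

Run it on the virtual machine after the Apache restart, for example as check-vhost-certs 127.0.0.1:443 dynamicshjc.case.edu neurowiki.case.edu neurowikidev.case.edu biol300.case.edu biol300dev.case.edu slugwiki.case.edu; a hostname that reports the wrong certificate usually means its ServerName or certificate path in smart-ssl.conf is wrong, or that the request fell through to the default (first) virtual host.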
The web server should now be active. Open a web browser and navigate to
You should see a default page provided by Apache.
Delete that default page:
rm /var/www/html/index.html
Discourage bots, such as Google's web crawler, from visiting some parts of the site. Download and install robots.txt:
wget -O /var/www/html/robots.txt https://neurowiki-docs.readthedocs.io/en/latest/_downloads/robots.txt
Keep in mind that robots.txt is a request that well-behaved crawlers honour, not an access control: the paths it lists remain reachable, and the file itself is public, so it should not be used to hide anything.
If you are curious about the contents of robots.txt, you can view it here:
robots.txt
User-agent: *
Allow: /w/load.php?
Disallow: /w/
Disallow: /django
Disallow: /JSNeuroSim
Shut down the virtual machine:
sudo shutdown -h now
Using VirtualBox, take a snapshot of the current state of the virtual machine. Name it “Web server configured with HTTPS”.