Recently, I helped one of my clients who was using an Amazon Lightsail WordPress instance provided by Bitnami. Bitnami is advantageous in that it provides a fully working stack, so you don’t have to worry about configuring LAMP or environments. You can find more information about the Bitnami Lightsail stack here.
However, the client’s stack was using the latest PHP 8.x version, while the WordPress site he runs uses several plugins that need PHP 7.4. I advised the client to consider upgrading the website to support the latest PHP versions. However, since that would require a lot of work, and he wanted the site to be up and running, he decided to downgrade PHP.
The issue with downgrading or upgrading PHP on a Bitnami stack is that it’s not possible. Bitnami recommends launching a new server instance with the required PHP, MySQL, or Apache version and migrating the data over. So, I decided to do it manually.
Here are the server details:
Debian 11 Current installed PHP: 8.1.x
Upgrading or downgrading PHP versions on a Bitnami stack is essentially the same as on a normal Linux server. In short, you need to:
Ensure the PHP packages for the version you want are installed. Update any configuration for that PHP version. Update your web server configuration to point to the correct PHP version. Point PHP CLI to the correct PHP version. Restart your web server and php-fpm.
What we did was install the PHP version provided by the OS. Then, we updated php.ini to use the non-default MySQL socket location used by the Bitnami server. We created a php-fpm pool that runs as the “daemon” user. After that, we updated the Apache configuration to use the new PHP version.
1. Make sure packages for your target version of PHP are installed To make sure that the correct packages are available on your system for the PHP version you want, first make sure your system is up to date by running these commands:
sudo apt update sudo apt upgrade If it prompts you to do anything with config files, usually, you should just go with the default option and leave the current config as-is. Then, install the packages you need. For example, you can use the following command to install common PHP packages and modules: sudo apt install -y php7.4-cli php7.4-dev php7.4-pgsql php7.4-sqlite3 php7.4-gd php7.4-curl php7.4-memcached php7.4-imap php7.4-mysql php7.4-mbstring php7.4-xml php7.4-imagick php7.4-zip php7.4-bcmath php7.4-soap php7.4-intl php7.4-readline php7.4-common php7.4-pspell php7.4-tidy php7.4-xmlrpc php7.4-xsl php7.4-fpm
2. Make sure PHP configuration for your target version is updated Find the mysql socket path used by your Bitnami stack by running this command:
[Pdo_mysql] ; Default socket name for local MySQL connects. If empty, uses the built-in ; MySQL defaults. pdo_mysql.default_socket=
Replace with
[Pdo_mysql] ; Default socket name for local MySQL connects. If empty, uses the built-in ; MySQL defaults. pdo_mysql.default_socket= “/opt/bitnami/mariadb/tmp/mysql.sock”
Feel free to adjust the PHP FPM settings to match your server specifications or needs. Check out this informative article for more tips on optimizing PHP FPM performance. Just keep in mind that Bitnami configures their stack with the listen.owner and listen.group settings set to daemon.
This pool will listen on unix socket “/opt/bitnami/php/var/run/www2.sock”.
Test the installed version by running below command ~# php -v PHP 7.4.33 (cli) (built: Feb 22 2023 20:07:47) ( NTS ) Copyright (c) The PHP Group Zend Engine v3.4.0, Copyright (c) Zend Technologies with Zend OPcache v7.4.33, Copyright (c), by Zend Technologies
Introduction Redmine is a powerful and versatile project management tool that can help teams stay organized, collaborate effectively, and track progress towards their goals. Originally developed for the Ruby on Rails community, Redmine is now used by thousands of organizations worldwide, from small startups to large enterprises.
With Redmine, you can create projects and sub-projects, define tasks and issues, assign them to team members, set due dates and priorities, and track time spent on each task. You can also add comments and attachments to issues, create custom fields and workflows, and generate reports and graphs to visualize project status and progress.
It is open-source software written in Ruby on Rails and is available under the GNU General Public License.
Whether you’re a software development team, a marketing agency, a non-profit organization, or any other type of group that needs to manage projects and tasks, Redmine can be a valuable tool to help you stay on track, collaborate effectively, and achieve your goals. In this blog, we’ll explore some of the key features and use cases of Redmine, and provide tips and best practices for getting the most out of this powerful project management tool.
In this tutorial, we will go through the steps of installing Redmine on an Ubuntu 22.04 server and secure it Let’s Encrypt SSL.
Prerequisites:
Ubuntu 22.04 Server Root or sudo user access A domain name pointed to the server is required for accessing Redmine via a web browser.
Step 1: Update Ubuntu System The first step is to update the Ubuntu system to ensure that all the packages are up-to-date. You can do this by running the following command: sudo apt update Step 2: Install Dependencies Redmine requires several dependencies to be installed before it can be installed. To install them, run the following command:
Also, install Apache and Apache mod Passenger module sudo apt install -y apache2 libapache2-mod-passenger
Note: libapache2-mod-passenger is a module for the Apache web server that enables the deployment of Ruby on Rails web applications. It provides an easy way to configure and manage Ruby on Rails applications within an Apache web server environment.
Step 3: Create a Redmine User Create a dedicated Linux user for running Redmine: useradd -r -m -d /opt/redmine -s /usr/bin/bash redmine
Add the user to the www-data group to enable Apache to access Redmine files: usermod -aG redmine www-data
Step 4: Install and Secure MariaDB MariaDB is a popular open-source database management system and is used as the backend for Redmine. To install and secure MariaDB, run the following commands: sudo apt install -y mariadb-server
Since the configuration file is an yaml, you need to use proper Indentation.
Save and close the file.
Step 7: Install Bundler and Redmine Dependencies Install Bundler for managing gem dependencies and run the following commands:
sudo gem install bundler
Login as redmine user and execute below commands:
su - redmine
bundle config set --local without 'development test'
bundle install
bundle update
exit
Step 8: Configure File System Permissions Ensure that the following directories are available in the Redmine directory (/opt/redmine):
tmp and tmp/pdf public and public/plugin_assets log files
Create them if they don’t exist and ensure that they are owned by the user used to run Redmine:
for i in tmp tmp/pdf public/plugin_assets; do [ -d $i ] || mkdir -p $i; done
chown -R redmine:redmine files log tmp public/plugin_assets
chmod -R 755 /opt/redmine
Step 9: Configure Apache Create a new Apache virtual host file for Redmine: sudo nano /etc/apache2/sites-available/redmine.conf
Paste the following configuration into the file:
<VirtualHost *:80>
ServerName redmine.linuxwebhostingsupport.in
DocumentRoot /opt/redmine/public
ErrorLog ${APACHE_LOG_DIR}/redmine-error.log
CustomLog ${APACHE_LOG_DIR}/redmine-access.log combined
<Directory /opt/redmine/public>
Require all granted
Options -MultiViews
PassengerEnabled on
PassengerAppEnv production
PassengerRuby /usr/bin/ruby
</Directory>
</VirtualHost>
Save the file and exit the text editor. Replace redmine.linuxwebhostingsupport.in with your domain name.
Enable the Redmine site by running the following command:
sudo a2ensite redmine.conf
Restart Apache to apply the changes:
sudo systemctl restart apache2
Allow Apache through the Ubuntu UFW firewall:
sudo ufw allow 'Apache Full'
Install Certbot and the Apache plugin for Let’s Encrypt:
sudo apt install certbot python3-certbot-apache
Adding Lets Encrypt SSL certificate
You need to make sure your domain is properly pointed to the server IP, otherwise, Let’s encrypt will fail.
Obtain an SSL certificate for your domain by running the following command:
sudo certbot --apache
Follow the on-screen instructions to complete the process.
Restart Apache to apply the SSL configuration:
sudo systemctl restart apache2
Open your web browser and go to https://redmine.linuxwebhostingsupport.in/. You should see the Redmine home screen.
Login to the admin area using your Redmine admin username and password. If this is your first login, you will need to reset your admin password.
https://redmine.linuxwebhostingsupport.in/login
Congratulations! You have successfully installed and configured Redmine on your Ubuntu server. In the previous steps, we have covered the installation and configuration of Redmine, including setting up the database, configuring Apache, and securing Redmine with Let’s Encrypt SSL.
However, one critical aspect of Redmine that you might want to configure is email delivery for notifications. This feature is essential for keeping team members informed about project updates, new issues, and changes to existing issues. In this section, we will show you how to configure email delivery in Redmine.
Configuring SMTP for Email Delivery in Redmine
Redmine supports email delivery for notifications, which you can set up using the following steps:
Step 1 – Open Configuration File
First, you need to open the configuration.yml file in a text editor:
sudo nano /opt/redmine/config/configuration.yml
Step 2 – Configure Email Settings
Next, scroll down to the production section of the file, uncomment the following lines by removing the # symbol at the beginning of each line, and replace the values with your SMTP server’s settings:
# specific configuration options for production environment# that overrides the default ones
production:
email_delivery:
delivery_method: :smtp
smtp_settings:
address: "your.smtp.server.com"
port: 587
domain: "your.domain.com"
authentication: :login
user_name: "your_email@example.com"
password: "your_email_password"
enable_starttls_auto: true
# specific configuration options for development environment# that overrides the default ones
Replace the values for address, port, domain, user_name, and password with your SMTP server’s settings:
address: The address of your SMTP server. port: The port number to use for SMTP server (usually 587). domain: The domain name of your organization or server. user_name: The email address of the user account to use for sending emails. password: The password for the user account to use for sending emails. Save the configuration.yml file.
Since the configuration file is an yaml, you need to use proper Indentation.
Step 3 – Restart Apache
Finally, restart Apache to apply the changes:
sudo systemctl restart apache2 And that’s it! Redmine is now configured to deliver email notifications to your team members.
Conclusion
Redmine is a powerful project management tool that can help you manage your software development projects effectively. In this blog post, we have covered the installation and configuration of Redmine on Ubuntu, including setting up the database, configuring Apache, securing Redmine with Let’s Encrypt SSL, and configuring email delivery.
With these steps, you should now have a working Redmine installation that can help you track your projects, collaborate with your team, and stay on top of your development process. Good luck!
LAMP stack is a popular combination of open-source software that is used to run dynamic websites and web applications. The acronym LAMP stands for Linux (operating system), Apache (web server), MySQL (database management system), and PHP (scripting language).
Linux provides the foundation for the LAMP stack, serving as the operating system on which the other software components are installed. Apache is the web server that handles HTTP requests and serves web pages to users. MySQL is a powerful database management system that is used to store and manage website data. PHP is a popular scripting language used to create dynamic web content, such as interactive forms and web applications.
Together, these software components create a powerful platform for building and deploying web applications. The LAMP stack is highly customizable and widely used, making it an excellent choice for developers and system administrators alike.
Prerequisites
1. Ubuntu server: You will need an Ubuntu server to install the LAMP stack. You can use a Virtual/CLoud server or a physical server as per your requirement.
2. SSH access: You will need SSH access to your Ubuntu server to be able to install the LAMP stack. SSH (Secure Shell) is a secure network protocol that allows you to access and manage your server remotely.
3. Non-root user with sudo privileges: It is recommended that you use a non-root user with sudo privileges to install and configure the LAMP stack. This is because running as root can pose a security risk and may lead to unintended consequences if something goes wrong. You can also run the commands as root user.
4. Basic familiarity with Linux command line: A basic understanding of how to use the Linux command line interface (CLI) to run commands and navigate your Ubuntu server is recommended, not mandatory.
Installing a LAMP Stack on Ubuntu In this section, the process of installing a LAMP Stack on Ubuntu 22.04 LTS is outlined. These instructions can be applied to Ubuntu 20.04 LTS as well.
A LAMP stack is a popular combination of open-source software used to run dynamic websites or web applications. LAMP stands for Linux (operating system), Apache (web server), MySQL (database management system), and PHP (scripting language). In this guide, we will walk you through the steps involved in installing and configuring a LAMP stack on an Ubuntu server.
Step 1: Update Your Ubuntu Server Before we begin installing LAMP stack components, let’s update the server’s software packages by running the following command:
sudo apt update && sudo apt upgrade
Step 2: Install Apache Apache is the most widely used web server software. To install it, run the following command:
sudo apt install apache2
Once the installation is complete, you can check the status of Apache by running the following command:
sudo systemctl status apache2 This will display Apache’s status as either active or inactive.
Step 3: Install MySQL MySQL is a popular open-source database management system. To install it, run the following command:
sudo apt install mysql-server Once the installation is complete, you can check the status of MySQL by running the following command:
sudo systemctl status mysql This will display MySQL’s status as either active or inactive.
Step 4: Install PHP PHP is a popular server-side scripting language used to create dynamic web content. To install it, run the following command:
sudo apt install php libapache2-mod-php php-mysql
There are several additional PHP modules recommended for a CMS like WordPress. You can install them by running the command below: sudo apt-get install php-curl php-gd php-xml php-mbstring php-imagick php-zip php-xmlrpc After installing these modules, you will need to restart your Apache server for the changes to take effect. You can do this by running the following command:
sudo systemctl restart apache2
Setting up firewall rules to allow access to Apache web server
UFW is the default firewall with Ubuntu systems, providing a simple command-line interface to configure iptables, the software-based firewall used in most Linux distributions. UFW provides various application profiles that can be utilized to manage traffic to and from different services. To view a list of all the available UFW application profiles, you can run the command:
sudo ufw app list
Output Available applications: Apache Apache Full Apache Secure OpenSSH
These application profiles have different configurations for opening specific ports on the firewall. For instance:
Apache: Allows traffic on port 80, which is used for normal, unencrypted web traffic. Apache Full: Allows traffic on both port 80 and port 443, which is used for TLS/SSL encrypted traffic. Apache Secure: Allows traffic only on port 443 for TLS/SSL encrypted traffic.
To allow traffic on both port 80 and port 443(SSL), you can use the Apache Full profile by running the following command:
sudo ufw allow in "Apache Full"
You can verify that the change has been made by running the command: sudo ufw status
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Apache Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Apache Full(v6) ALLOW Anywhere (v6)
To test if the ports are open and Apache web server is accessible, you can try visiting your server’s public IP address in a web browser using the URL http://your_server_ip. If successful, you should see the default Apache web page.
If you can view this page, your web server is correctly installed and accessible through your firewall.
Configuring the MySQL Database server Upon installation of MySQL, it is immediately available for use. However, in order to utilize it for web applications such as WordPress and improve the security of said applications, it is imperative to generate a database user and database. To complete the configuration process for MySQL, please adhere to the following steps.
To configure MySQL and improve application security, follow these steps:
1. Log in to the MySQL shell as the root user:
sudo mysql -u root
2. Using the MySQL shell, you can create the wpdatabase database and generate a new user account for accessing the web application. Instead of using the placeholders “dbuser” and “password” in the CREATE USER query, you should provide a real username and password. Furthermore, you should grant complete permissions to the user. After each line, MySQL should respond with “Query OK.”
CREATE DATABASE wpdatabase ; CREATE USER 'dbuser' IDENTIFIED BY 'password'; GRANT ALL ON wpdatabase .* TO 'dbuser';
Exit the SQL shell: quit
3. Set a password for root’@’localhost:
sudo mysql ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password by 'password';
Exit the SQL shell: quit
Note: Replace “password” with a strong password. 4. Use the mysql_secure_installation tool to increase database security:
sudo mysql_secure_installation
When prompted to change the root password, leave it unchanged. Answer Y for the following questions:
Remove anonymous users? Disallow root login remotely? Remove test database and access to it? Reload privilege tables now?
To log in to the MySQL shell as root after this change, use “sudo mysql -u root” and type “quit” exit the SQL Shell.
It’s worth noting that when connecting as the root user, there’s no need to enter a password, despite having defined one during the mysql_secure_installation script. This is due to the default authentication method for the administrative MySQL user being unix_socket rather than password. Although it may appear to be a security issue, it actually strengthens the security of the database server by only allowing system users with sudo privileges to log in as the root MySQL user from the console or through an application with the same privileges. As a result, you won’t be able to use the administrative database root user to connect from your PHP application. However, setting a password for the root MySQL account acts as a precautionary measure in case the default authentication method is changed from unix_socket to password.
Creating a Virtual Host for your Website
In order to host multiple domains from a single server, Apache web server provides the capability to create virtual hosts. These virtual hosts are beneficial as they allow you to encapsulate configuration details for each domain. In this tutorial, we will walk you through setting up a domain named “example.com”. However, it is important to keep in mind that you should replace “example.com” with your own domain name.
By default, Ubuntu 22.04’s Apache web server has a single virtual host that is enabled and configured to serve documents from the /var/www/html directory. While this is a workable solution for a single site, it becomes cumbersome when hosting multiple sites. Therefore, instead of modifying /var/www/html, we will create a directory structure within the /var/www directory specifically for the example.com site. In doing so, we will leave /var/www/html in place as the default directory to be served if a client request does not match any other sites.
1. First, create a new directory for the “example.com” website files:
sudo mkdir /var/www/example.com
2. Assign the ownership of the directory to the web server user (www-data):
10. Finally, configure your DNS records to point the “example.com” domain to your server’s IP address. Once the DNS records are updated, you can access the website by visiting “http://example.com” in your web browser.
Testing the LAMP Stack Installation on Your Ubuntu Server To ensure that the LAMP stack configuration is fully functional, it’s necessary to conduct tests on Apache, PHP, and MySQL components. Verifying the Apache operational status and virtual host configuration was done earlier. Now, it’s important to test the interaction between the web server and PHP and MySQL components.
The easiest way to verify the configuration of the Ubuntu LAMP stack is by using a short test script. The PHP code does not need to be lengthy or complex; however, it must establish a connection to MySQL. The test script should be placed within the DirectoryRoot directory.
To validate the database, use PHP to invoke the mysqli_connect function. Use the username and password created in the “Configuring the MySQL Database server” section. If the attempt is successful, the mysqli_connect function returns a Connection object. The script should indicate whether the connection succeeded or failed and provide more information about any errors.
To verify the installation, follow these steps:
1. Create a new file called “phptest.php” in the /var/www/example.com directory.
<html><head><title>PHP MySQL Test</title></head><body><?php echo '<p>Welcome to the Site!</p>'; // When running this script on a local database, the servername must be 'localhost'. Use the name and password of the web user account created earlier. Do not use the root password. $servername = "localhost"; $username = "dbuser"; $password = "password"; // Create MySQL connection $conn = mysqli_connect($servername, $username, $password); // If the conn variable is empty, the connection has failed. The output for the failure case includes the error message if (!$conn) { die('<p>Connection failed: </p>' . mysqli_connect_error()); } echo '<p>Connected successfully</p>'; ?></body></html>
2. To test the script, open a web browser and type the domain name followed by “/phptest.php” in the address bar. For example, if your domain name is “example.com”, you would enter “example.com/phptest.php” in the address bar. Make sure to substitute the actual name of the domain for “example.com” in the example provided.
http://example.com/phptest.php
3. Upon successful execution of the script, the web page should display without any errors. The page should contain the text “Welcome to the Site!” and “Connected successfully.” However, if you encounter the “Connection Failed” error message, review the SQL error information to troubleshoot the issue.
Bonus: Install phpMyAdmin phpMyAdmin is a web-based application used to manage MySQL databases. To install it, run the following command:
sudo apt install phpmyadmin During the installation process, you will be prompted to choose the web server that should be automatically configured to run phpMyAdmin. Select Apache and press Enter.
You will also be prompted to enter a password for phpMyAdmin’s administrative account. Enter a secure password and press Enter.
Once the installation is complete, you can access phpMyAdmin by navigating to http://your_server_IP_address/phpmyadmin in your web browser.
Congratulations! You have successfully installed and configured a LAMP stack on your Ubuntu server.
Summary This guide walks through the process of setting up a LAMP Stack, a combination of the Linux operating system, Apache web server, MySQL RDBMS, and PHP programming language, to serve PHP websites and applications. The individual components are free and open source, designed to work together, and easy to install and use. Following the steps provided, you can install the LAMP Stack on Ubuntu 22.04 LTS using apt, configure the Apache web server, create a virtual host for the domain, and integrate the MySQL web server by creating a new account to represent the web user. Additional PHP packages are required for Apache, PHP, and the database to communicate. A short PHP test script can be used to test the new installation by connecting to the database.
phpMyAdmin is installed with CentOS Web Panel. By default, it is not protected and there is only MySQL user authentication. This can put your server vulnerable. So it is recommended to add additional layer protection.
phpMyAdmin is available through the following url in a CWP based server.
http:/hostname/phpmyadmin http:/hostname:2030/pma
CWP panel runs its core services through its own version of Nginx. So normal htaccess based password protection will not work.
Create the Password File
You can do this by using the OpenSSL utilities that may already be available on your server. Alternatively, you can use the purpose-made htpasswd utility included in the apache2-utils package(Debian/ubuntu) or httpd-tools(Redhat/Centos).
Using OpenSSL Utilities
We will create a hidden file called .pma_pass /usr/local/cwpsrv/var/services/ folder. You can use any username. I am using dbadmin here as an example
sudo sh -c "echo -n 'dbadmin:' >> /usr/local/cwpsrv/var/services/.pma_pass"
Next, add an encrypted password entry for the username by typing:
sudo sh -c "openssl passwd -apr1 >> /usr/local/cwpsrv/var/services/.pma_pass"
Using Apache Utilities
This tool is already installed and available on all CWP servers.
We will need to configure Nginx to read this file before serving our protected content. CWP Service Nginx configuration file: /usr/local/cwpsrv/conf/cwp_services.conf
Open the above file add the following to the location block of phpMyAdmin.
To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt
How To Install PHP 7 On A cPanel/WHM Server With EasyApache 3
Latest versions of cPanel come with EasyApache 4 which provides lots of new features like native support for multiple PHP versions, PHP 7 support, very fast, etc. So it is recommended to migrate to EasyApache 4. However, if you cannot migrate EasyApache 4 because of some reason (Example: Tomcat support), you will have to compile the PHP 7 manually from source.
To migrate to EasyApache for, just run the below command. cPanel will try to build a matching PHP setup using EasyApache 4.
/scripts/migrate_ea3_to_ea4 --run
If anything goes wrong during the upgrade process you can always go back with /scripts/migrate_ea3_to_ea4 –revert –run
Manually install PHP 7
Following steps are tested with cPanel 11.64.0.36 and CentOS 6.9 64 bit. The PHP handler should be suphp to get this working.
cd /usr/local/src/
wget http://php.net/distributions/php-7.0.22.tar.gz #Go to php.net site to find the latest version
tar xvf php-7.0.22.tar.gz
You may add any additional parameters required. You can run ./configure --help to see all available options first. Important: Do not forget to set the "--prefix=/usr/local/php70". Otherwise, your existing PHP installation will be lost.
make
make install
If everything is successful, the PHP binaries will be installed in "/usr/local/php70/bin/" directory.
Edit the /opt/suphp/etc/suphp.conf and add below code, at the end of the handlers list to enable PHP7 handler.
;Handler for php-scripts #... existing handlers are here ... put yours below them application/x-httpd-php7="php:/usr/local/php70/bin/php-cgi"
Now add our custom php config file to EasyApache list so that the changes will not be lost future EasyApache builds.
There are two options here. You can either go into WHM and edit the post_virtualhost_global.conf file from there or you just run: vi /usr/local/apache/conf/includes/post_virtualhost_global.conf. Add the line below in that file and you should be all done.
Include /usr/local/apache/conf/php70.conf
Now restart Apache
service httpd restart
Configure a website To Use This new PHP 7 Add following code to .htaccess file(/home/username/public_html/.htaccess) AddType application/x-httpd-php7 .php7 .php
Nagios provides complete URL monitoring of HTTP and HTTPS servers and protocols as well as full URL transaction monitoring.
Benefits
Implementing effective URL monitoring with Nagios offers the following benefits: * Increased server, services, and application availability * Fast detection of network outages and protocol failures * Monitor user experience when accessing URLs * Web server performance monitoring * Web transaction monitoring * URL monitoring
URL monitoring
By using the ‘check_http’ nagios command, we can monitor a specific url rather than checking the Apache service is up or not. This method is helpful to identify if the website is hacked and url is injected with malicious codes or there is some Apache or php errors and page is throwing an error instead. The normal Apache service check will return successful results in the above case. We can check for a specific keyword string on the webpage. If that string not present, an error will be returned.
Here is an real example
define service{
use urlmonitoring-service
host_name server.linuxwebhostingsupport.in
service_description url_check
check_command check_http!-H linuxwebhostingsupport.in -t 30 -R "Cpanel and WHM" -f follow
}
The above will check for the keyword “Cpanel and WHM” on the page “linuxwebhostingsupport.in”. If the keyword is missing or the page is not responding nagios will retun and error.
URL monitoring +SSL
You can refer to below example if the web page has SSL/TLS enabled.
Unified Communications (UC) Certificates (also called SAN Certificates) use Subject Alternative Names o secure multiple sites (e.g. fully qualified domain names) with one certificate. Four SANs are included in the base price of the UC Certificate, but you can purchase additional names at any time during the lifetime of the certificate.
The CSR generation process is little different for creating an UCC certificates. We will have to create a Openssl based configuration file and then create private key and CSR from it.
Step 1: Create a custom OpenSSL Conf file.
The following is an example conf file that can be used for creation of a SAN/UCC cert. Save it as multissl.conf
———– [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name req_extensions = req_ext # The extentions to add to the self signed cert
[ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Iowa localityName = Locality Name (eg, city) localityName_default = Iowa City organizationName = Organization Name (eg, company) organizationName_default = The University of Iowa organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Domain Control Validated commonName = Common Name (eg, YOUR SSL domain name) commonName_max = 64
The alt_names section (DNS.1, DNS.2, ….) are the list of all other domain names you wish to secure with this cert. Additional can be added such as DNS.4, etc. The following examples assume that you name the above config file file multissl.conf (if it is named differently you must adjust the filename in the below examples accordingly. Step 2: Generate the Private key and CSR with OpenSSL
* Replace “serverfqdn” with the fully qualified domain name of the server (ie: sample.server.uiowa.edu). Note: it may also be helpful to add a year to the filename.
You will then see output and be prompted for configuration as seen in the following example. Enter your details accordingly.
—————————————— $ openssl req -nodes -newkey rsa:2048 -keyout serverfqdn.key -out multidomain.csr -config multissl.conf Generating a 2048 bit RSA private key ………………………………….+++ …………………………………………………………+++ writing new private key to ‘serverfqdn.key’ —– You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —– Country Name (2 letter code) [US]:US State or Province Name (full name) [Iowa]:Iowa Locality Name (eg, city) [Iowa City]:Iowa City Organization Name (eg, company) [The University of Iowa]:My Company name Organizational Unit Name (eg, section) [Domain Control Validated]:IT SUPPORT Common Name (eg, YOUR SSL domain name) []:www.linuxwebhostingsupport.in ——————————————
Note: Replace www.linuxwebhostingsupport.in with the “primary” domain name you want secured with this certificate (likely, but not necessarily the hostname of the machine).
At this point you should have the new key file, and CSR. Save the key file in a secure place, it will be needed to apply the new certificate. The CSR can now be submitted to request the SSL Cert.
Let’s start with your digital certificate, which is at the core of HTTPS. The certificate enables clients to verify the identity of servers, through a chain of trust from your server’s certificate through intermediate certificates and up to a root certificate trusted by users’ browsers. Your server certificate should be 2048 bits in length. Using 4096 bit certificate is more secure however it require more computation times and hence slow compared to 2048 bit certs.
Basic HTTPS Setup
Here are basic SSL configurations, first for Apache:
In Nginx, the ssl_certificate parameter is confusing. It expects your certificate plus any necessary intermediate certificates, concatenated together.
Make sure all of these files are at least mode 0444, except your private key, which should be 0400.
Software versions
On the server side you should update your OpenSSL to 1.0.1c+ so you can support TLS 1.2, GCM, and ECDHE as soon as possible. Fortunately that’s already the case in Ubuntu 12.04 and later.
On the client side the browser vendors are starting to catch up. As of now, Chrome 30, Internet Explorer 11 on Windows 8, Safari 7 on OS X 10.9, and Firefox 26 all support TLS 1.2.
Cipher Suite Configuration
The recommended cipher suites for Apache are follows
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
The recommended cipher suite for backwards compatibility (IE6/WinXP):
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on
If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite above and let OpenSSL pick the ones it supports.
The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect forward secrecy.
Prioritization logic
ECDHE+AESGCM ciphers are selected first. These are TLS 1.2 ciphers and not widely supported at the moment. No known attack currently target these ciphers. PFS ciphersuites are preferred, with ECDHE first, then DHE. AES 128 is preferred to AES 256. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks. In the backward compatible ciphersuite, AES is preferred to 3DES. BEAST attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0. In the non-backward compatible ciphersuite, 3DES is not present. RC4 is removed entirely. 3DES is used for backward compatibility
Protocol Support: SSL or no SSL
To prevent downgrade attacks and poodle attack, we will also disable old SSL protocols
For Apache:
SSLProtocol all -SSLv2 -SSLv3
For Nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This disables all versions of SSL, enabling only TLS 1.0 and up. All versions of Chrome and Firefox support at least TLS 1.0.
Apache: Multiple SSL websites on a single IP address
Update: This is a new update from a cPanel Tech “There is nothing to enable. As long as you are using cPanel & WHM version 11.38 on CentOS, RHEL, or CloudLinux version 6 or newer, SNI works out of the box”.
One of the frustrating limitations in supporting secure websites has been the inability to share IP addresses among SSL websites. When website administrators and IT personnel are restricted to use a single SSL Certificate per socket (combination of IP Address and socket) it can cost a lot of money. Well we can actually share IP addresses for multiple secure websites. Solving this limitation required an extension to the Transport Layer Security (TLS) protocol that includes the addition of what hostname a client is connecting to when a handshake is initiated with a web server. The name of the extension is Server Name Indication (SNI). SNI is supported in Apache v2.2.12 , and OpenSSL v0.9.8j or later.
With SNI, you can have many virtual hosts sharing the same IP address and port, and each one can have its own unique certificate
Prerequisites to use SNI
Use OpenSSL 0.9.8f or later Build OpenSSL with the TLS Extensions option enabled (option enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default). Apache must have been built with that OpenSSL (./configure –with-ssl=/path/to/your/openssl). In that case, mod_ssl will automatically detect the availability of the TLS extensions and support SNI. Apache must use that OpenSSL at run-time, which might require setting LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in bin/envvars. (You’ll get unresolved symbol errors at Apache startup if Apache was built with SNI but isn’t finding the right openssl libraries at run-time.)
Setting up SNI with Apache
The configuration is pretty simple and straight forward, though I recommend making a backup of your existing httpd.conf file before proceeding.
# Ensure that Apache listens on port 443
Listen 443
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
# Because this virtual host is defined first, it will
# be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
# SNI.
DocumentRoot /www/example2
ServerName www.linuxwebhostingsupport.in
# Other directives here
SSLEngine On
SSLCertificateFile /path/to/linuxwebhostingsupport.in.crt
SSLCertificateKeyFile /path/to/linuxwebhostingsupport.in.key
SSLCertificateChainFile /path/to/CA.crt
DocumentRoot /www/example2
ServerName www.abdulwahabmp.co.in
# Other directives here
SSLEngine On
SSLCertificateFile /path/to/abdulwahabmp.co.in.crt
SSLCertificateKeyFile /path/to/abdulwahabmp.co.in.key
SSLCertificateChainFile /path/to/CA.crt
That it!!!. Just restart APache service. Now go and check your Websites using https. That should be working.
Plesk support SNI from 10.2.x version onwards.
SNI will work on following Operating systems out of box
OpenSuSE Linux 11.3 or later. Ubuntu Linux 10.4 or later. Debian Linux 6.0 or later. RedHat Linux 6.0 or later. CentOS Linux 60.0 or later
Supported Desktop Browsers Internet Explorer 7 and later Firefox 2 and later Opera 8 with TLS 1.1 enabled Google Chrome: Supported on Windows XP on Chrome 6 and later Supported on Vista and later by default OS X 10.5.7 in Chrome Version 5.0.342.0 and later Chromium 11.0.696.28 and later Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later). Note: No versions of Internet Explorer on Windows XP support SNI
