SSH (Secure Shell) is a fundamental tool for securely connecting to remote servers. While traditional password authentication works, it can be vulnerable to brute-force attacks. SSH keys offer a more robust and convenient solution for secure access.
This blog post will guide you through the world of SSH keys, explaining their types, generation process, and how to manage them for secure remote connections and how to configure SSH key authentication.
Understanding SSH Keys: An Analogy Imagine your home has two locks:
Combination Lock (Password): Anyone can access your home if they guess the correct combination.
High-Security Lock (SSH Key): Only someone with a specific physical key (your private key) can unlock the door.
Similarly, SSH keys work in pairs:
Private Key: A securely stored key on your local machine. You never share this.
Public Key: A unique identifier you share with the server you want to access. The server verifies the public key against your private key when you attempt to connect. This verification ensures only authorized users with the matching private key can access the server.
Types of SSH Keys There are many types of SSH keys, we are discussing the two main ones:
RSA (Rivest–Shamir–Adleman): The traditional and widely supported option. It offers a good balance of security and performance. Ed25519 (Edwards-curve Digital Signature Algorithm): A newer, faster, and potentially more secure option gaining popularity.
RSA vs. Ed25519 Keys:
Security: Both are considered secure, but Ed25519 might offer slightly better theoretical resistance against certain attacks.
Performance: Ed25519 is generally faster for both key generation and signing/verification compared to RSA. This can be beneficial for slower connections or resource-constrained devices.
Key Size: RSA keys are typically 2048 or 4096 bits, while Ed25519 keys are 256 bits. Despite the smaller size, Ed25519 offers comparable security due to the underlying mathematical concepts.
Compatibility: RSA is widely supported by all SSH servers. Ed25519 is gaining popularity but might not be universally supported on older servers.
Choosing Between RSA and Ed25519:
For most users, Ed25519 is a great choice due to its speed and security. However, if compatibility with older servers is a critical concern, RSA remains a reliable option.
Generating SSH Keys with ssh-keygen Here’s how to generate your SSH key pair using the ssh-keygen command:
Open your terminal.
Run the following command, replacing with your desired name for the key pair:
-b 4096: Specifies the key size (4096 bits is recommended for strong security).
-C “<your_email@example.com”>: Adds a comment to your key (optional).
You’ll be prompted to enter a secure passphrase for your private key. Choose a strong passphrase and remember it well (it’s not mandatory, but highly recommended for added security).
The command will generate two files:
<key_name>>.pub: The public key file (you’ll add this to the server). <key_name>>: The private key file (keep this secure on your local machine).
Important Note: Never share your private key with anyone!
Adding Your Public Key to the Server’s authorized_keys File
Access the remote server you want to connect to (through a different method if you haven’t set up key-based authentication yet).
Locate the ~/.ssh/authorized_keys file on the server (the ~ represents your home directory). You might need to create the .ssh directory if it doesn’t exist.
Open the authorized_keys file with a text editor.
Paste the contents of your public key file (.pub) into the authorized_keys file on the server.
Save the authorized_keys file on the server.
Permissions:
Ensure the authorized_keys file has permissions set to 600 (read and write access only for the owner).
Connecting with SSH Keys Once you’ve added your public key to the server, you can connect using your private key:
ssh <username>@<server_address>
You’ll be prompted for your private key passphrase (if you set one) during the connection. That’s it! You’re now securely connected to the server without needing a password.
Benefits of SSH Keys:
Enhanced Security: More secure than password authentication, making brute-force attacks ineffective.
Convenience: No need to remember complex passwords for multiple servers.
Faster Logins: SSH key-based authentication is often faster than password authentication.
By implementing SSH keys, you can significantly improve the security and convenience of your remote server connections. Remember to choose strong passwords and keep your private key secure for optimal protection.
nopCommerce is an open-source e-commerce platform that allows users to create and manage their online stores. It is built on the ASP.NET Core framework and supports multiple database systems, including MySQL, Microsoft SQL Server, and PostgreSQL as it’s backend. The platform is highly customizable and offers a wide range of features, including product management, order processing, shipping, payment integration, and customer management. nopCommerce is a popular choice for businesses of all sizes because of its flexibility, scalability, and user-friendly interface. In this tutorial, we will guide you through the process of installing nopCommerce on Ubuntu Linux with Nginx reverse proxy and SSL.
Register Microsoft key and feed To register the Microsoft key and feed, launch the terminal and execute these commands:
1. Download the packages-microsoft-prod.deb file by running the command:
To determine the appropriate version of the .NET runtime to install, you should refer to the documentation provided by nopCommerce, which takes into account both the version of nopCommerce you are using and the Ubuntu OS version. Refer to the link below:
3. Verify the installed .Net Core runtimes by running the command:
dotnet --list-runtimes
4. Install the libgdiplus library:
sudo apt-get install libgdiplus
libgdiplus is an open-source implementation of the GDI+ API that provides access to graphic-related functions in nopCommerce and is required for running nopCommerce on Linux.
Install MySql Server Latest nopCommerce support latest MySQL and MariaDB versions. We will install the latest MariaDB 10.6.
1. To install mariadb-server for nopCommerce, execute the following command in the terminal:
sudo apt-get install mariadb-server
2. After installing MariaDB Server, you need to set the root password. Execute the following command in the terminal to set the root password:
sudo /usr/bin/mysql_secure_installation
This will start a prompt to guide you through the process of securing your MySQL installation and setting the root password.
3. Create a database and User. We will use these details while installing nopCommerce. Replace the names of the database and the database user accordingly.
mysql -u root -p
create database nopCommerceDB;
grant all on nopCommerceDB.* to nopCommerceuser@localhost identified by 'P@ssW0rD';
Please replace the database name, username and password accordingly.
4. Reload privilege tables and exit the database.
flush privileges;
quit;
Install nginx
1. To install Nginx, run the following command:
sudo apt-get install nginx
2. After installing Nginx, start the service by running:
sudo systemctl start nginx
3. You can verify the status of the service using the following command:
sudo systemctl status nginx
4. Nginx Reverse proxy configuration To configure Nginx as a reverse proxy for your nopCommerce application, you’ll need to modify the default Nginx configuration file located at /etc/nginx/sites-available/nopcommerce.linuxwebhostingsupport.in. Open the file in a text editor and replace its contents with the following:
You need to replace nopcommerce.linuxwebhostingsupport.in with your domain name 5. Enable the virtual host configuration file: Enable the server block by creating a symbolic link in the /etc/nginx/sites-enabled directory: sudo ln -s /etc/nginx/sites-available/nopcommerce.linuxwebhostingsupport.in /etc/nginx/sites-enabled/
6. Reload Nginx for the changes to take effect:
sudo systemctl reload Nginx
Install NopCommerce
In this example, we’ll use /var/www/nopCommerce for storing the files.
1. Create a directory:
sudo mkdir /var/www/nopCommerce
2. Navigate to the directory where you want to store the nopCommerce files, Download and unpack nopCommerce:
1. Create a file named nopCommerce.service in the /etc/systemd/system directory with the following content:
[Unit]
Description=Example nopCommerce app running on Xubuntu
[Service]
WorkingDirectory=/var/www/nopCommerce
ExecStart=/usr/bin/dotnet /var/www/nopCommerce/Nop.Web.dll
Restart=always
# Restart service after 10 seconds if the dotnet service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=nopCommerce-example
User=www-data
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
[Install]
WantedBy=multi-user.target
2. Start the nopCommerce service by running:
sudo systemctl start nopCommerce.service
3. To check the status of the nopCommerce service, use the following command:
sudo systemctl status nopCommerce.service
Also, check if the service is running on port 5000
sudo lsof -i:5000
4. After that, restart the nginx server:
sudo systemctl restart nginx
Now that the prerequisites are installed and configured, you can proceed to install and set up your nopCommerce store.
Install nopCommerce After completing the previous steps, you can access the website through the following URL: http://nopcommerce.linuxwebhostingsupport.in. Upon visiting the site for the first time, you will be automatically redirected to the installation page as shown below:
Provide the following information in the Store Information panel:
Admin user email: This is the email address of the first administrator for the website.
Admin user password: You must create a password for the administrator account.
Confirm password: Confirm the admin user password.
Country: Choose your country from the dropdown list. By selecting a country, you can configure your store with preinstalled language packs, preconfigured settings, shipping details, VAT settings, currencies, measures, and more.
Create sample data: Check this box if you want sample products to be created. It is recommended so that you can start working with your website before adding your own products. You can always delete or unpublish these items later.
In the Database Information panel, you will need to provide the following details:
Database: Select either Microsoft SQL Server, MySQL, or PostgreSQL. Since, we are installing nopCommerce on Linux and MariaDB, choose the MySQL.
Create database if it doesn’t exist: We recommend creating your database and database user ahead of time to ensure a successful installation. Simply create a database instance and add the database user to it. The installation process will create all the tables, stored procedures, and more. Uncheck this option since we can use the database and database user we created earlier.
Enter raw connection string (advanced): Select this option if you prefer to enter a Connection string instead of filling the connection fields. For now, leave this unchecked
Server name: This is the IP, URL, or server name of your database. Use “localhost”.
Database name: This is the name of the database used by nopCommerce. Use the database we created earlier.
Use integrated Windows authentication: Leave it unchecked
SQL Username: Enter your database user name we created earlier.
SQL Password: Use your database user password we used earlier.
Specify custom collation: Leave this advanced setting empty.
Click on the Install button to initiate the installation process. Once the installation is complete, the home page of your new site will be displayed. Access your site from the following URL: http://nopcommerce.linuxwebhostingsupport.in.
Note: You can reset a nopCommerce website to its default settings by deleting the appsettings.json file located in the App_Data folder.
Adding and Securing the nopCommerce We will be using Let’s Encrypt to add free and secure SSL certificate. Let’s Encrypt is a free, automated, and open certificate authority that allows you to obtain SSL/TLS certificates for your website. Certbot is a command-line tool that automates the process of obtaining and renewing these certificates, making it easier to secure your website with HTTPS.
Here are the steps to install SSL with Certbot Nginx plugins:
1.Install Certbot: First, make sure you have Certbot installed on your server. You can do this by running the following command:
2. Obtain SSL Certificate: Next, you need to obtain an SSL certificate for your domain. You can do this by running the following command: sudo certbot –nginx -d yourdomain.com
Replace yourdomain.com with your own domain name. This command will automatically configure Nginx to use SSL, obtain a Let’s Encrypt SSL certificate and set an automatic redirect from http to https.
3.Verify SSL Certificate: Once the certificate is installed, you can verify it by visiting your website using the https protocol. If the SSL certificate is valid, you should see a padlock icon in your browser’s address bar.
4. Automatic Renewal: Certbot SSL certificates are valid for 90 days. To automatically renew your SSL certificate before it expires, you can set up a cron job to run the following command:
sudo certbot renew --quiet
This will check if your SSL certificate is due for renewal and automatically renew it if necessary.
5. nopCommerce also recommend turning “UseProxy setting to true in the appsettings.json file located in the App_Data folder if we are using SSL. So change this value too.
nopCommerce is a popular open-source e-commerce platform that offers users a flexible and scalable solution for creating and managing online stores. In this tutorial, we provided a step-by-step guide for installing and configuring nopCommerce on Ubuntu Linux with Nginx reverse proxy and SSL. We covered the installation of Microsoft key and feed, .NET Core Runtime, MySQL server, and Nginx reverse proxy. We also discussed how to configure Nginx as a reverse proxy for the nopCommerce application. By following this tutorial, you can set up a secure and reliable nopCommerce e-commerce store on Ubuntu Linux.
In today’s world of online business and communication, security is more important than ever. One essential aspect of website security is SSL (Secure Sockets Layer), a protocol that encrypts data sent between a web server and a user’s web browser. By using SSL, website owners can protect their users’ personal information from being intercepted or stolen by hackers.
In this tutorial, we’ll walk you through the steps to install and secure your website with SSL on Ubuntu 22.04 using Apache2. By the end of this guide, you’ll have a secure, encrypted connection between your web server and your users’ browsers, helping to ensure their safety and privacy.
Section 1: Installing Apache2 on Ubuntu 22.04
Apache2 is a popular open-source web server software that plays a crucial role in hosting websites on the internet. In this section, we will walk through the process of installing Apache2 on Ubuntu 22.04.
Step 1: Update the Package List Before installing any new software, it’s always a good idea to update the package list to ensure you are installing the latest version of the software. To update the package list, open the terminal on Ubuntu 22.04 and run the following command:
sudo apt update
Step 2: Install Apache2 Once the package list is updated, you can proceed with installing Apache2 by running the following command:
sudo apt install apache2
This command will download and install Apache2 along with all its dependencies. During the installation process, you will be prompted to confirm the installation by typing y and pressing Enter.
Step 3: Verify Apache2 Installation To test if Apache2 is working correctly, open a web browser and enter your server’s IP address or domain name in the address bar. You should see the default Apache2 web page.
I hope that helps! Let me know if you have any questions or suggestions for the blog post. If Apache2 is installed correctly, you should see a page that says “Apache2 Ubuntu Default Page”.
Congratulations, you have successfully installed Apache2 on Ubuntu 22.04! In the next section, we will proceed with securing the web server by enabling SSL.
If you encounter any issues like Connection timeout or Unable to reach the website during the verification process, one possible cause could be that the Ubuntu firewall is blocking Apache2 traffic.
To check if Apache2 is currently enabled in the firewall, you can use the following command:
sudo ufw status
If the output shows that the firewall is active and Apache2 is not listed as an allowed service, you can add it by running the following command:
sudo ufw allow 'Apache Full'
This will allow both HTTP (port 80) and HTTPS (port 443) traffic to pass through the firewall, ensuring that your website is accessible to visitors.
Section 2: Installing SSL Certificate on Ubuntu 22.04 with Apache2
There are different types of SSL certificates, including domain validated, organization validated, and extended validation certificates. Each type has different features and provides varying levels of trust and security.
To install an SSL certificate on Ubuntu 22.04 with Apache2, you’ll need to follow these steps:
Obtain an SSL certificate: You can purchase an SSL certificate from a certificate authority (CA) or obtain a free SSL certificate from Let’s Encrypt. If you already have an SSL certificate, make sure it is valid and up-to-date.
Configure Apache2 to use the SSL certificate: Apache2 needs to be configured to use the SSL certificate for secure communication. This involves creating a virtual host for the SSL-enabled website, specifying the SSL certificate and key files, and enabling SSL encryption.
You can read more about different SSL certificate types, the process to create a Certificate signing request(CSR), etc in the below blog post:
This will open a text editor. Add the following code to the file:
<html><head><title>Hello, world!</title></head><body><h1>Hello, world!</h1><p>Welcome to my website!</p></body></html>
5. Reload Apache for the changes to take effect:
sudo systemctl reload apache2
Section 3: Testing SSL on Ubuntu 22.04 with Apache2
Test your SSL configuration by visiting your domain in a web browser and verifying that the SSL certificate is valid and the website loads correctly over HTTPS. The browser should display a padlock icon and the connection should be secure
You can also use the online tools like https://www.sslshopper.com/ssl-checker.html to check the configuration further. It can show if there any issues with certificate chain or trust.
Section 4. Troubleshooting SSL on Ubuntu 22.04 with Apache2
1. Certificate errors: If you encounter a certificate error, such as a warning that the certificate is not trusted or has expired, check the certificate’s validity and ensure it’s installed correctly. You can check the certificate’s details using your web browser, and make sure it matches the domain name and other relevant details.
2. Mixed content warnings: If you see mixed content warnings, which indicate that some parts of the site are not secure, check for any resources that are still being loaded over HTTP instead of HTTPS. This can include images, scripts, and other files.
3. SSL handshake errors: If you see an SSL handshake error, this usually means there’s an issue with the SSL configuration. Check your Apache configuration files and make sure the SSL directives are properly set up. You can also check for any issues with the SSL certificate, such as an invalid or mismatched domain name.
4. Server configuration errors: If the SSL certificate is working properly, but the site is still not loading over HTTPS, check your server configuration files to make sure the VirtualHost configuration is correct. Make sure the correct SSL certificate and key files are specified and that the SSL directives are set up correctly.
5. Browser-specific issues: If you’re only experiencing SSL issues in a specific web browser, make sure the browser is up to date and try clearing the cache and cookies. You can also try disabling any browser extensions that may be interfering with the SSL connection.
Remember, troubleshooting SSL issues can be complex and may require some technical expertise. If you’re not comfortable with these steps or need additional help, it’s always a good idea to consult with a professional. You can contact me at admin @ linuxwebhostingsupport.in
Section 5: Best Practices for SSL Configuration on Ubuntu 22.04 with Apache2
Here are some tips and best practices for configuring SSL on Ubuntu 22.04 with Apache2:
1. Keep SSL certificates up to date: Make sure to renew your SSL certificates before they expire. This can be done through the certificate authority where you purchased the certificate. Keeping your SSL certificates up to date will ensure that your website visitors are not presented with security warnings or errors.
2. Configure Apache2 for HTTPS-only access: Configure your web server to only serve HTTPS traffic. This can be done by redirecting all HTTP traffic to HTTPS. To do this, add the following lines to your Apache virtual host configuration or. htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
3. Use secure ciphers and protocols: Use secure ciphers and protocols to protect the confidentiality and integrity of your website traffic. Disable weak ciphers and protocols such as SSLv2 and SSLv3. Use TLSv1.2 or higher, and prefer the use of forward secrecy. You can configure this in your Apache virtual host configuration file by adding the following lines:
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
You can find more detailed instruction on making your SSL configuration strong and best practices in the below post:
By following these best practices, you can ensure that your SSL configuration is secure and up to date.
Section 6. Summary
In this tutorial, we discussed how to install and configure SSL certificates on Ubuntu 22.04 with Apache2. We covered the different types of SSL certificates, the steps for obtaining and installing an SSL certificate, and how to configure Apache2 to use the SSL certificate. We also discussed how to create virtual hosts for both SSL and non-SSL sites and how to troubleshoot SSL issues.
It’s important to emphasize the importance of SSL for website security and user trust. SSL encryption helps protect sensitive information, such as passwords and credit card numbers, from being intercepted by attackers. Additionally, having a valid SSL certificate gives users confidence that they are interacting with a legitimate website and not an imposter.
To follow best practices for SSL configuration, it’s recommended to keep SSL certificates up to date, configure Apache2 for HTTPS-only access, and use secure ciphers and protocols. By following these best practices, website owners can help ensure the security and trustworthiness of their website.
phpMyAdmin is installed with CentOS Web Panel. By default, it is not protected and there is only MySQL user authentication. This can put your server vulnerable. So it is recommended to add additional layer protection.
phpMyAdmin is available through the following url in a CWP based server.
http:/hostname/phpmyadmin http:/hostname:2030/pma
CWP panel runs its core services through its own version of Nginx. So normal htaccess based password protection will not work.
Create the Password File
You can do this by using the OpenSSL utilities that may already be available on your server. Alternatively, you can use the purpose-made htpasswd utility included in the apache2-utils package(Debian/ubuntu) or httpd-tools(Redhat/Centos).
Using OpenSSL Utilities
We will create a hidden file called .pma_pass /usr/local/cwpsrv/var/services/ folder. You can use any username. I am using dbadmin here as an example
sudo sh -c "echo -n 'dbadmin:' >> /usr/local/cwpsrv/var/services/.pma_pass"
Next, add an encrypted password entry for the username by typing:
sudo sh -c "openssl passwd -apr1 >> /usr/local/cwpsrv/var/services/.pma_pass"
Using Apache Utilities
This tool is already installed and available on all CWP servers.
We will need to configure Nginx to read this file before serving our protected content. CWP Service Nginx configuration file: /usr/local/cwpsrv/conf/cwp_services.conf
Open the above file add the following to the location block of phpMyAdmin.
To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt
Apache: Multiple SSL websites on a single IP address
Update: This is a new update from a cPanel Tech “There is nothing to enable. As long as you are using cPanel & WHM version 11.38 on CentOS, RHEL, or CloudLinux version 6 or newer, SNI works out of the box”.
One of the frustrating limitations in supporting secure websites has been the inability to share IP addresses among SSL websites. When website administrators and IT personnel are restricted to use a single SSL Certificate per socket (combination of IP Address and socket) it can cost a lot of money. Well we can actually share IP addresses for multiple secure websites. Solving this limitation required an extension to the Transport Layer Security (TLS) protocol that includes the addition of what hostname a client is connecting to when a handshake is initiated with a web server. The name of the extension is Server Name Indication (SNI). SNI is supported in Apache v2.2.12 , and OpenSSL v0.9.8j or later.
With SNI, you can have many virtual hosts sharing the same IP address and port, and each one can have its own unique certificate
Prerequisites to use SNI
Use OpenSSL 0.9.8f or later Build OpenSSL with the TLS Extensions option enabled (option enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default). Apache must have been built with that OpenSSL (./configure –with-ssl=/path/to/your/openssl). In that case, mod_ssl will automatically detect the availability of the TLS extensions and support SNI. Apache must use that OpenSSL at run-time, which might require setting LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in bin/envvars. (You’ll get unresolved symbol errors at Apache startup if Apache was built with SNI but isn’t finding the right openssl libraries at run-time.)
Setting up SNI with Apache
The configuration is pretty simple and straight forward, though I recommend making a backup of your existing httpd.conf file before proceeding.
# Ensure that Apache listens on port 443
Listen 443
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
# Because this virtual host is defined first, it will
# be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
# SNI.
DocumentRoot /www/example2
ServerName www.linuxwebhostingsupport.in
# Other directives here
SSLEngine On
SSLCertificateFile /path/to/linuxwebhostingsupport.in.crt
SSLCertificateKeyFile /path/to/linuxwebhostingsupport.in.key
SSLCertificateChainFile /path/to/CA.crt
DocumentRoot /www/example2
ServerName www.abdulwahabmp.co.in
# Other directives here
SSLEngine On
SSLCertificateFile /path/to/abdulwahabmp.co.in.crt
SSLCertificateKeyFile /path/to/abdulwahabmp.co.in.key
SSLCertificateChainFile /path/to/CA.crt
That it!!!. Just restart APache service. Now go and check your Websites using https. That should be working.
Plesk support SNI from 10.2.x version onwards.
SNI will work on following Operating systems out of box
OpenSuSE Linux 11.3 or later. Ubuntu Linux 10.4 or later. Debian Linux 6.0 or later. RedHat Linux 6.0 or later. CentOS Linux 60.0 or later
Supported Desktop Browsers Internet Explorer 7 and later Firefox 2 and later Opera 8 with TLS 1.1 enabled Google Chrome: Supported on Windows XP on Chrome 6 and later Supported on Vista and later by default OS X 10.5.7 in Chrome Version 5.0.342.0 and later Chromium 11.0.696.28 and later Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later). Note: No versions of Internet Explorer on Windows XP support SNI