Workshop:2012/05/12
Workshop (to be) held on 2012/05/12 at 11:00 in morse-house
Previous workshop: 28 April 2012 11:00:00
Next workshop: 17 May 2012 18:00:00
Morse & Colin's impromptu hacking session
Install 'pear' on auth2
apt-get install php-pear
pear install Archive_Tar
Disable dhcp!
When re-installing auth2, ensure DNS is configured properly in /etc/resolv.conf:
nameserver 10.13.0.254
nameserver 10.13.0.252
nameserver 152.78.68.1
nameserver 152.78.70.1
domain sown.org.uk
search ecs.soton.ac.uk sown.org.uk
Note that "domain" and "search" are mutually exclusive in resolv.conf: the resolver keeps whichever appears last, so with the file as above only the "search" list (which already includes sown.org.uk) takes effect.
When re-installing auth2, install quagga and configure it:
apt-get install quagga
Edit /etc/quagga/daemons (this is the file that selects which daemons start on Debian; /etc/quagga/debian.conf only holds the vtysh/daemon command-line options) so that only zebra, ripd and ripngd are enabled:
zebra=yes
bgpd=no
ospfd=no
ospf6d=no
ripd=yes
ripngd=yes
isisd=no
Edit /etc/quagga/ripd.conf:
hostname auth2.sown.org.uk
! zebra password
password sown
! zebra-enable password
enable password sown
log file /var/log/quagga/ripd.log
!
key chain sown
 key 1
  ! rip password
  key-string sown
!
interface eth1
 ip rip authentication mode md5 auth-length old-ripd
 ip rip authentication key-chain sown
!
router rip
 version 2
 network eth1
 distribute-list sown in eth1
 distribute-list sown out eth1
 route 152.78.189.90/32
!
access-list sown permit 152.78.189.0/24
access-list sown permit 10.12.0.0/15
access-list sown deny any
access-list vtylist permit 127.0.0.1/32
access-list vtylist deny any
!
line vty
 access-class vtylist
Edit /etc/quagga/ripngd.conf (the original notes had the log file as /var/log/quagga/ripd.conf, which is a typo; ripngd should log to its own file):
hostname sown-auth2.sown.org.uk
! zebra password
password sown
! zebra-enable password
enable password sown
log file /var/log/quagga/ripngd.log
!
router ripng
 network eth1
 distribute-list sown in eth1
 distribute-list sown out eth1
!
access-list vtylist permit 127.0.0.1/32
access-list vtylist deny any
!
ipv6 access-list sown permit 2001:630:d0:f104::/64
ipv6 access-list sown permit 2001:630:d0:f700::/55
ipv6 access-list sown permit fec0::/16
ipv6 access-list sown deny any
!
line vty
 access-class vtylist
!
Edit /etc/quagga/zebra.conf:
hostname auth2.sown.org.uk
! zebra password
password sown
! zebra-enable password
enable password sown
log file /var/log/quagga/zebra.log
!
interface eth0
 ipv6 nd suppress-ra
!
interface eth1
 ipv6 nd suppress-ra
!
interface eth2
 ipv6 nd suppress-ra
!
interface eth3
 ipv6 nd suppress-ra
!
interface eth4
 ipv6 nd suppress-ra
!
interface eth5
 ipv6 nd suppress-ra
!
interface lo
!
ip route 152.78.189.90/32 10.13.0.239
!
access-list vtylist permit 127.0.0.1/32
access-list vtylist deny any
!
ip forwarding
ipv6 forwarding
!
!
line vty
 access-class vtylist
Enable SSL
sudo a2enmod ssl
Update /etc/apache2/sites-enabled/000-default to add an SSL virtual host on port 443 alongside the existing port-80 one. One correction to the notes as originally written: SSLCACertificatePath is only accepted at server or virtual-host level, so it has been moved out of the <Location /package/> block (Apache refuses to start with it inside a Location); SSLVerifyClient may stay there.
<VirtualHost *:80>
    ServerAdmin support@sown.org.uk
    DocumentRoot /srv/www/default
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /srv/www/default>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin support@sown.org.uk
    DocumentRoot "/srv/www/default"
    SSLEngine on
    # StdEnvVars is required to pass SSL values on to php
    # ExportCertData is required to give php the _whole_ certificate
    SSLOptions +StrictRequire +StdEnvVars +ExportCertData
    <Directory />
        SSLRequireSSL
    </Directory>
    # Directory of trusted client CAs; must contain <hash>.N symlinks
    # (see the CA hash step below), and is only valid at vhost level.
    SSLCACertificatePath /etc/apache2/ssl/
    <Location /package/>
        SSLVerifyClient require
    </Location>
    # As configured in 2012. SSLv3 is no longer considered safe; a current
    # deployment would use "-all +TLSv1.2" or newer.
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLProxyEngine off
    <IfModule mime.c>
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl
    </IfModule>
</VirtualHost>
Create the directory this refers to:
mkdir /etc/apache2/ssl
[GeneratingSSLKeys|Generate an SSL Certificate]
Dump the new certificate/key in /etc/apache2/ssl and set permissions:
chmod 0400 /etc/apache2/ssl/server.*
Ensure the SSL certificate is signed by some CA, and that this CA is trusted by the node. Copy the CA certificate into the node's /etc/ssl/certs directory and create the hash symlink that OpenSSL's directory lookup expects (the same <hash>.N layout SSLCACertificatePath needs in /etc/apache2/ssl/ on the server). Get the subject hash (-hash is the older spelling of -subject_hash):
openssl x509 -noout -hash -in cacert.pem
7b764664
On the node, in /etc/ssl/certs (c_rehash, or "openssl rehash" on newer releases, creates these links for every certificate in a directory; the suffix .0 is incremented if two CAs share a hash):
ln -s sown.pem 7b764664.0