lab7 (pdf)
School: Northern Kentucky University
Course: 436
Subject: Information Systems
Date: Apr 3, 2024
Pages: 4
CIT 436 Lab 7
Due Monday, February 26 by 8 am (emailed to foxr@nku.edu)

In this lab, you implement HTTPS, HTTP/2 and authentication in your Apache server. You also take a brief look at controlling HTTP response headers. Boot your VM, open three terminal windows, su to root in all three, and open your web browser. (1) cd to /usr/local/apache2/bin and start Apache, (2) cd to /usr/local/apache2/conf and load httpd.conf into vi, (3) cd to /usr/local/apache2.

1. In order for Apache to perform user authentication we need a password file, and for Apache to use HTTPS we need an X.509 certificate. In this step, we create these files.

a. (3) Create a subdirectory called passwords and cd into it. Four programs in bin that create and manipulate password files are htdbm, htdigest, htpasswd and dbmmanage. The dbm programs store passwords in a DBM (hashed) database, which is more efficient for large files; the other two use flat-file storage. htdigest stores passwords in binary (unreadable). We will use the easiest of these four programs, htpasswd. (1) Create our initial passwords file along with an initial account (system) with ./htpasswd -c ../passwords/passwords1 system. When prompted, use cit436 for the password. Use the same command without -c, replacing system with student, to create a second entry; use cit436 for the password. (3) Type cat passwords1. In spite of the passwords being the same, they are not stored the same. Why not?

b. (1) Type ./htpasswd -v ../passwords/passwords1 student. Enter the password when prompted. What output did you get? View htpasswd's man page. What is the default algorithm used to encrypt the passwords?

c. (1) Type ./htpasswd -p ../passwords/passwords1 zappaf. What warning are you given? For the password, use music. (3) Type cat passwords1. How does zappaf's entry differ from the other users'? What does option -p do?

d. We will use openssl to generate an X.509 certificate and the public and private keys. (3) Make sure it is installed (which openssl; if not, type dnf -y install openssl). Type openssl -help. There are three parts to the help listing: standard openssl commands, message digest commands and available ciphers (scroll up to see the listings of commands). To generate a private key using RSA we use genrsa. Type man openssl-genrsa to view this specific command's man page. This is a very complex instruction. We will first generate a simple key. Type q to exit man and then openssl genrsa 512. The key is displayed in the window. 512 is the smallest key allowed with RSA. How many lines worth of characters is our key? The key is encoded using Base64 (see section 4.5 of the textbook to read about Base64 encoding). Base64 uses upper and lower case letters, digits and two punctuation marks. What are the two available punctuation marks? (= is not one; it is used for padding.) Create a private key of length 2048 using openssl but save the file to ourkey.key. What command did you enter?

e. (3) Use the private key to generate a public key with openssl rsa -in ourkey.key -pubout -out ourkey.pub. View ourkey.pub. What text appears at the top and bottom? How do the two keys' sizes and permissions differ (use ls -l)?

f. (3) Now create an X.509 certificate using the private key with the instruction openssl req -new -key ourkey.key -out ourcert.csr. You will be asked for information about your "organization"; use cit436 for organization name, IT for organizational unit name, cit436server for common name, your email address, cit436 for the challenge password, and leave the optional company name blank. The csr file created is not the certificate but a certificate request. When creating the actual certificate, we add an expiration date of 365 days. Type openssl x509 -req -days 365 -in ourcert.csr -signkey ourkey.key -out ourcert.crt. This is our certificate file, but it is encoded. View the certificate and you will find it is all encoded in Base64 and not comprehensible. To view it in a readable way, type openssl x509 -noout -text -in ourcert.crt | less. The non-key portions are shown in normal text; answer the following. What are the values found under Issuer? What are the validity dates (both Not Before and Not After)? These are followed by Subject (which repeats the Issuer data), followed by the public key. What encryption algorithm was used for the public key? What bit size is it? What exponent was used? This is followed by the signature value. Our certificate's signature is invalid because it hasn't been signed by a certificate authority. As we will not be using our certificate for a legitimate website, we won't bother getting it signed (usually signing costs money, although there are certificate authorities that will sign a certificate for free for a trial period). Exit less (q).
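The whole of step 1 as a single script, added here as an example and not part of the lab handout. It assumes openssl is on PATH, stands in for htpasswd with openssl passwd -apr1 (which writes the same $apr1$ hash format htpasswd uses by default), supplies the "organization" answers through -subj instead of the prompts, and uses a scratch directory in place of /usr/local/apache2/passwords.

```shell
#!/bin/sh
# Added example, not part of the lab handout: step 1 redone non-interactively
# in a scratch directory so the results can be inspected and compared.
# Assumes openssl is on PATH. htpasswd is stood in for by `openssl passwd -apr1`,
# which writes the same $apr1$ (Apache MD5) hash format htpasswd uses by default.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; exit 0; }

WORK="${WORK:-$(mktemp -d)}"   # stands in for /usr/local/apache2/passwords

# Append a user:hash line. Each call draws a fresh random salt, which is why
# system and student get different entries for the same password cit436.
add_user() {                   # add_user FILE USER PASSWORD
    printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" >> "$1"
}

# Equivalent of htpasswd -p: the password is stored as plain text, which is
# what the lab's zappaf entry looks like; compare it with the hashed entries.
add_user_plain() {             # add_user_plain FILE USER PASSWORD
    printf '%s:%s\n' "$2" "$3" >> "$1"
}

hash_of() { grep "^$2:" "$1" | cut -d: -f2; }   # hash_of FILE USER

# 2048-bit RSA private key, derived public key, CSR with the lab's
# "organization" values given via -subj instead of the prompts, then a
# 365-day self-signed certificate (the signer is our own private key).
make_cert() {                  # make_cert DIR
    openssl genrsa -out "$1/ourkey.key" 2048 2>/dev/null
    openssl rsa -in "$1/ourkey.key" -pubout -out "$1/ourkey.pub" 2>/dev/null
    openssl req -new -key "$1/ourkey.key" -out "$1/ourcert.csr" \
        -subj "/O=cit436/OU=IT/CN=cit436server" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/ourcert.csr" -signkey "$1/ourkey.key" \
        -out "$1/ourcert.crt" 2>/dev/null
}

# Fields the lab asks about, pulled from the readable (-text) dump.
cert_issuer() { openssl x509 -noout -issuer -in "$1/ourcert.crt"; }
cert_bits()   { openssl x509 -noout -text -in "$1/ourcert.crt" | grep -o '[0-9]* bit' | head -n 1; }

add_user       "$WORK/passwords1" system  cit436
add_user       "$WORK/passwords1" student cit436
add_user_plain "$WORK/passwords1" zappaf  music
make_cert "$WORK"
cat "$WORK/passwords1"          # two $apr1$ hashes that differ, one plain-text entry
cert_issuer "$WORK"             # same O/OU/CN as the Subject: self-signed
ls -l "$WORK/ourkey.key" "$WORK/ourkey.pub"
```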
2. We now implement authentication.

a. (3) cd to htdocs and create two subdirectories called sub1 and sub2 (for subscribers). The contents of sub1 will be accessible by users who successfully authenticate using passwords1, and sub2 will be accessible only to the system user and only from your VM. In sub1 add the file file7.html and in sub2 add the file file8.html, with both files storing <html><body>file#.html</body></html> where # is 7 or 8. (2) Create two <Directory> containers, one each for sub1 and sub2. Both will look nearly identical with the following directives, except use 1 and 2 for # in the two containers.

AuthType Basic
AuthName "Access to sub#"
AuthUserFile /usr/local/apache2/passwords/passwords1

For sub1, add Require valid-user at the bottom of the container, and for sub2 add Require user system and Require ip ipaddress on separate lines (using your VM's IP address). Save your conf file and (1) restart Apache. In your browser, enter the URL ipaddress/sub1/file7.html. When asked to log in, use student and cit436. When asked to save your password information, select Don't Save. Now attempt to access ipaddress/sub2/file8.html using your user account. What happens? Notice how you were not asked to authenticate. With two Require directives, Apache assumes that if either is true then access is permitted (that is, the two directives act like a logical OR). Since you qualify by being on the IP address listed, you did not need to log in as system. (2) In sub2's <Directory> container, place the two Require directives inside a container of <RequireAll>…</RequireAll>, save your conf file, restart Apache and refresh your browser. How did this attempt differ from above? Log in as student. Why weren't you able to log in? Select Cancel. What message did you get? Refresh the page and log in using system instead (password cit436); don't save the password. Retry sub1/file7.html, logging in as zappaf (password is music). Select Cancel. Why did zappaf's attempt fail when you used a legal password?
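An added example, not from the lab handout, of the sub2 container in both the RequireAll form used here and the RequireAny form used in part b, together with a small shell model of how Apache combines the two Require directives so the access decision can be checked for each user and client address. 192.0.2.10 stands in for the VM's IP address and 192.0.2.99 for the "outer" computer; both are constructed values.

```shell
#!/bin/sh
# Added example, not part of the lab handout: the sub2 <Directory> container in
# its RequireAll and RequireAny forms, plus a model of how Apache combines the
# two Require directives. 192.0.2.10 stands in for the VM's IP address and
# 192.0.2.99 for the "outer" computer (both constructed values).
set -eu

VM_IP="192.0.2.10"

# Emit the sub2 container for the requested mode: "all" wraps the two Require
# directives in <RequireAll>, "any" in <RequireAny> (the lab's two variants).
sub2_container() {             # sub2_container all|any
    tag="RequireAll"; [ "$1" = "any" ] && tag="RequireAny"
    cat <<EOF
<Directory "/usr/local/apache2/htdocs/sub2">
    AuthType Basic
    AuthName "Access to sub2"
    AuthUserFile /usr/local/apache2/passwords/passwords1
    <$tag>
        Require user system
        Require ip $VM_IP
    </$tag>
</Directory>
EOF
}

# Model of the decision for sub2: USER is the account that authenticated
# ("" when the client sent no credentials), IP is the client address.
# RequireAll needs both conditions, RequireAny needs either. Prints
# "allowed" or "denied" so the outcome can be compared with the browser tests.
sub2_access() {                # sub2_access all|any USER IP
    user_ok=false; [ "$2" = "system" ] && user_ok=true
    ip_ok=false;   [ "$3" = "$VM_IP" ] && ip_ok=true
    if [ "$1" = "all" ]; then
        if $user_ok && $ip_ok; then echo allowed; else echo denied; fi
    else
        if $user_ok || $ip_ok; then echo allowed; else echo denied; fi
    fi
}

sub2_container all
# From the VM, any account (or none) passes the ip rule under RequireAny,
# but only system from the VM passes RequireAll.
for mode in all any; do
    for who in "" student system; do
        echo "$mode user='$who' from VM:    $(sub2_access "$mode" "$who" "$VM_IP")"
        echo "$mode user='$who' from outer: $(sub2_access "$mode" "$who" 192.0.2.99)"
    done
done
```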
b. In your "outer" computer's web browser, use ipaddress/sub2/file8.html where ipaddress is your VM's IP address. What happens? You didn't even get the opportunity to authenticate. (2) Change the RequireAll container's header and footer to RequireAny, save your conf file, (1) restart Apache, refresh your browser in your "outer" computer, and log in using student/cit436. What happens this time? Retry using system/cit436. Explain who is allowed to access file7.html. Explain who is allowed to access file8.html when RequireAll is in use. Explain who is allowed to access file8.html when RequireAny is in use.

3. We use HTTPS when we want our website to employ encryption. This not only requires the X.509 certificate that we created earlier but also a module called mod_ssl, which we need to install. (3) cd to /usr/local/apache2/modules and type the following.

dnf download mod_ssl
rpm -i --nodeps mod_ssl-2.4.57-3.el9.x86_64.rpm
mv /usr/lib64/httpd/modules/mod_ssl.so .

The certificate not only provides the public key to the user but also informs the browser that the site is legitimate (not a spoofed site). With our X.509 certificate, let's now set your server up to handle HTTPS. Surprisingly, this only involves a few directives.

a. (2) Add the directive LoadModule ssl_module modules/mod_ssl.so after the last LoadModule directive. Add the following at the bottom of the file (the second to last directive should be on one line with no space between / and ourkey.key).

<VirtualHost ipaddress:443>
SSLEngine on
SSLCertificateFile /usr/local/apache2/passwords/ourcert.crt
SSLCertificateKeyFile /usr/local/apache2/passwords/ourkey.key
</VirtualHost>

HTTPS may use but does not require authentication, so we won't need to add authentication directives. Save your conf file, (1) restart Apache, and access ipaddress in your browser. Now try https://ipaddress. What happens? Leave this as is for now.

b. In your "outer" computer, access https://ipaddress. What happens? Recall that your firewall had to be opened for 80/HTTP. We similarly need to open HTTPS over port 443, and we need to tell our server to listen on port 443. (3) Type the following three commands: firewall-cmd --zone=public --add-service=https, firewall-cmd --zone=public --add-port=443/tcp and firewall-cmd --runtime-to-permanent. (2) Find the directive Listen 80 and add beneath it Listen ipaddress:443. Notice we specify both the IP address and port, whereas in the first Listen directive we were allowed to omit the IP address. Save your conf file, (1) restart Apache, and refresh your "outer" computer's browser. What happens this time? You can close this tab in your "outer" computer.

c. The reason you are given the security warning in both browsers is that the certificate your browser received is self-signed. In your VM's browser, select Advanced… and scroll down to read more about the security issue. What error code is listed? Click on the error code link and it shows the full error at the bottom of the page. What does it say about your certificate? Click on Accept the Risk and Continue. What happens now?
d. Select the Menu button (3 lines) and scroll down to Settings. From the Settings tab, select the padlock icon (Security) and scroll down to the section Certificates. Select View Certificates… and then the Servers tab. You should have an entry for your server (likely the only one listed). What is listed under Server? What other heading is listed in the table? Select the certificate and click on Delete… (you may need to scroll down to find this button) and OK. Close the window and the Settings tab. From the menu select History > Clear recent history… and OK to clear everything. Refresh your browser page. Select Go Back. What happens?

4. Another protocol is HTTP/2. As with mod_ssl, we need to install mod_http2. (3) If you are not still in Apache's modules directory, cd there. Type dnf download mod_http2 followed by rpm -i --nodeps mod_http2-1.15.19-4.el9.x86_64.rpm and mv /usr/lib64/httpd/modules/mod_http2.so . to move it to this directory. (2) Beneath the LoadModule entry you added in 3a, add the directive LoadModule http2_module modules/mod_http2.so to your conf file, save it and (1) restart Apache. (3) Type curl -v --http2 http://ipaddress -o index.html. This retrieves index.html using HTTP/2. Step through the output and you will see two HTTP/2 headers, Upgrade and HTTP2-Settings, along with an HTTP/2-specific Connection header. What specifically do these three headers have as values? The HTTP2-Settings value looks like garbage but is actually a base64 encoding of the payload settings (see figure 4.19 on page 157). Repeat the curl command but use https instead of http. You won't find these three HTTP/2 headers, but near the top of the output is a message of offering http2. What is offering it and what else does it offer? What does this abbreviation stand for? (Look it up on the Internet.) Near the bottom of the output, it says curl failed. For what reason? Repeat the command adding -k after -v. It succeeds this time. What does the option -k do?

5. We wrap up with the topic of controlling HTTP response headers, which we can modify by changing values, adding new headers and deleting headers, although some headers are required and we cannot delete those. Some headers are used for cache control (how long a returned document can be cached), which we look at when we explore Squid and proxy servers.

a. (3) Type echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc ipaddress 80. Look at the headers returned. (2) Make sure the LoadModule for mod_headers is uncommented. At the bottom of the conf file, add the directive Header set City "Highland Heights, KY", save your conf file, (1) restart Apache and (3) redo the echo command. Where was this header added (which line) in the response?

b. set either adds a header or changes an existing one. (2) Add the directive Header set Accept-Ranges "words", save your conf file, (1) restart Apache and (3) reissue the echo command. Compare the Accept-Ranges value before this change and after. (2) Change this to Header unset Accept-Ranges, save the conf file, (1) restart Apache and (3) redo the echo command. How does this response differ? unset is used to remove headers; try changing the above directive to instead unset Date, (2) save the conf file, (1) restart Apache and (3) redo the echo command. What happens? Date is one of the headers that must appear; others are Content-Length and Content-Type. Try this with ETag and Server. Which can you remove with this approach? See page 347 of the textbook for more on the Header directive. We revisit headers in lab 12 (for cache control).