APACHE + OPENSSL CERTIFICATES + PHP + MYSQL + HTACCESS-PROTECTED WEB DIRECTORY, WITH SQUID AS REVERSE PROXY (WITHOUT SSL AND WITH SSL) SETUP
vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=reverseproxy.node01
:wq!
vi /etc/hosts
### LOCAL SERVER NAME RESOLUTION ###
127.0.0.1 localhost.localdomain localhost
192.168.254.154 reverseproxy.node01 reverseproxy
### DOMAINS SETTING ###
192.168.254.154 www.homedomain.com
192.168.254.154 www.sindh.com
192.168.254.154 www.islam.edu
192.168.254.154 www.abc.com
192.168.254.154 www.zeeshan.com
192.168.254.154 www.rhce.com
:wq!
yum install httpd php mysql mysql-server mod_ssl mod_auth_mysql mysql-devel \
    php-devel php-common php-gd php-mcrypt php-mhash php-xml php-xmlrpc php-domxml \
    php-mbstring php-mysql php-ncurses php-pear
yum install openssl openssl-devel mod_python python python-devel
yum -y groupinstall "Development Tools"
yum install wget mlocate links
mkdir download
cd download/
wget http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.5.tar.gz
service httpd start && chkconfig --level 35 httpd on
service mysqld start && chkconfig --level 35 mysqld on
/usr/bin/mysql_secure_installation
Set root password? [Y/n] y
New password: redhat
Re-enter new password: redhat
Password updated successfully!
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
Verify that httpd and mysqld are listening.
netstat -antp
service iptables stop
chkconfig --level 35 iptables off
Create the document roots.
cd /var/www/
mkdir site1 site2 site3 site4 site5 site6
Create an index page for site1.
vi site1/index.html
<html>
<body>
<center>SITE1.HOMEDOMAIN.COM -of- 192.168.254.152 Default Apache Server</center>
</body>
</html>
:wq!
Create an index page for site2.
vi site2/index.html
<html>
<body>
<center>SITE2.SINDH.COM -of- 192.168.254.152 Default Apache Server</center>
</body>
</html>
:wq!
Create an index page for site3.
vi site3/index.html
<html>
<body>
<center>SITE3.ISLAM.EDU -of- 192.168.254.152 Default Apache Server</center>
</body>
</html>
:wq!
Create an index page for site4.
vi site4/index.html
<html>
<body>
<center>SITE4.ABC.COM WELCOME, ABC DOMAIN IS WORKING. THIS IS MY FIRST PAGE</center>
</body>
</html>
:wq!
Create an index page for site5.
vi site5/index.html
<html>
<body>
<center>SITE5.ZEESHAN.COM IS WORKING. THIS IS MY PERSONAL WEB SITE, PLEASE DON'T TRY TO HACK IT</center>
Regards,
Powered By Zeeshan Bhatti
SYSTEM ADMINISTRATOR
Arpatech PVT LTD.
</body>
</html>
:wq!
Create an index page for site6.
vi site6/index.html
<html>
<body>
<center>WELCOME, THE RED HAT CERTIFIED ENGINEER SITE IS COMING SOON!!!</center>
<center><b>Regards,
Powered By Zeeshan Bhatti
SYSTEM ADMINISTRATOR
Arpatech PVT LTD.
</b></center>
</body>
</html>
:wq!
To verify that PHP works, create a test page:
vi /var/www/html/test.php
<?php phpinfo(); ?>
:wq!
Open a browser and go to http://192.168.254.154/test.php
If the phpinfo() page appears, PHP and MySQL are running fine.
Now we configure Apache.
vi /etc/httpd/conf/httpd.conf
# Apache does not accept a comment after a directive on the same line, so the
# notes below sit on their own lines.
# Line 136: change the default port 80 to 81 (Squid will take port 80).
Listen 81
# Line 44: stop advertising the OS and Apache version in the Server header.
ServerTokens Prod
# Default is On: do not append the server version to error pages.
ServerSignature Off
:wq!
/etc/init.d/httpd restart
Now we configure the Apache virtual hosts for the three plain-HTTP sites.
vi /etc/httpd/conf.d/vhost80.conf
####VIRTUAL HOSTS#####
# Apache now listens on 81 (Listen 81 in httpd.conf); Squid will answer on 80
# and forward to 81, so the name-based vhosts must be bound to :81.
NameVirtualHost 192.168.254.154:81
<VirtualHost 192.168.254.154:81>
DocumentRoot /var/www/site1
ServerName www.homedomain.com
ErrorLog logs/homedomain.com-error_log
CustomLog logs/homedomain.com-access_log common
SSLEngine off
</VirtualHost>
<VirtualHost 192.168.254.154:81>
DocumentRoot /var/www/site2
ServerName www.sindh.com
ErrorLog logs/sindh.com-error_log
CustomLog logs/sindh.com-access_log common
SSLEngine off
</VirtualHost>
<VirtualHost 192.168.254.154:81>
DocumentRoot /var/www/site3
ServerName www.islam.edu
ErrorLog logs/islam.edu-error_log
CustomLog logs/islam.edu-access_log common
SSLEngine off
</VirtualHost>
[root@localhost www]# tail -f /var/log/httpd/homedomain.com-access_log
192.168.254.1 - - [07/Jun/2013:01:01:58 +0500] "GET /favicon.ico HTTP/1.1" 404 209
192.168.254.1 - - [07/Jun/2013:01:01:58 +0500] "GET /favicon.ico HTTP/1.1" 404 209
[root@localhost www]# tail -f /var/log/httpd/sindh.com-access_log
192.168.254.1 - - [07/Jun/2013:01:04:12 +0500] "GET /favicon.ico HTTP/1.1" 404 209
192.168.254.1 - - [07/Jun/2013:01:04:13 +0500] "GET /favicon.ico HTTP/1.1" 404 209
[root@localhost www]# tail -f /var/log/httpd/islam.edu-access_log
192.168.254.1 - - [07/Jun/2013:01:04:26 +0500] "GET /favicon.ico HTTP/1.1" 404 209
192.168.254.1 - - [07/Jun/2013:01:04:27 +0500] "GET /favicon.ico HTTP/1.1" 404 209
Great, the logs for all three sites show they are up and running.
We should configure ssl.conf for the SSL vhost sites.
cd /etc/httpd/conf.d/
vi ssl.conf
# Change the default "Listen 443" to 220; Squid will own 443 and forward here.
Listen 220
# Comment out (or delete) the whole default <VirtualHost _default_:443> ... </VirtualHost>
# block, then append the virtual hosts for your domains at the end of the file.
###SSL CERTIFICATE BASED WEB SITES ###
###WWW.ABC.COM###
NameVirtualHost 192.168.254.154:220
<VirtualHost 192.168.254.154:220>
DocumentRoot /var/www/site4
ServerName www.abc.com
ErrorLog logs/abc.com-ssl_error_log
TransferLog logs/abc.com-ssl_access_log
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/abc.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/abc.com.key
</VirtualHost>
####WWW.ZEESHAN.COM VHOST###
<VirtualHost 192.168.254.154:220>
DocumentRoot /var/www/site5
ServerName www.zeeshan.com
ErrorLog logs/zeeshan.com_ssl-error_log
CustomLog logs/zeeshan.com_ssl-access_log common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/zeeshan.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/zeeshan.com.key
</VirtualHost>
####WWW.RHCE.COM VHOST###
<VirtualHost 192.168.254.154:220>
DocumentRoot /var/www/site6
ServerName www.rhce.com
ErrorLog logs/rhce.com_ssl-error_log
CustomLog logs/rhce.com_ssl-access_log common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/rhce.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/rhce.com.key
</VirtualHost>
:wq!
Now we generate certificates.
cd /etc/pki/tls/certs/
make abc.com.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > abc.com.key
Generating RSA private key, 2048 bit long modulus
.+++
.+++
e is 65537 (0x10001)
Enter pass phrase: redhat                 # choose a passphrase
Verifying - Enter pass phrase: redhat     # same passphrase again
Now strip the passphrase from the key, otherwise httpd prompts for it at every start:
openssl rsa -in abc.com.key -out abc.com.key
Enter pass phrase for abc.com.key: redhat
writing RSA key
make abc.com.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key abc.com.key -out abc.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:SINDH
Locality Name (eg, city) [Default City]:KARACHI
Organization Name (eg, company) [Default Company Ltd]:ABC PVT LTD.
Organizational Unit Name (eg, section) []:IT DEPARTMENT
Common Name (eg, your name or your server’s hostname) []:www.abc.com
Email Address []:[email protected]
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:
Now sign the CSR with its own key to produce a self-signed certificate valid for 3650 days:
openssl x509 -in abc.com.csr -out abc.com.crt -req -signkey abc.com.key -days 3650
Signature ok
subject=/C=PK/ST=SINDH/L=KARACHI/O=ABC PVT LTD./OU=IT DEPARTMENT/CN=www.abc.com/emailAddress=\x09\[email protected]
Getting Private key
chmod 400 abc.com.*
Now we generate the zeeshan.com certificate.
make zeeshan.com.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > zeeshan.com.key
Generating RSA private key, 2048 bit long modulus
…+++
…………………+++
e is 65537 (0x10001)
Enter pass phrase: redhat                 # choose a passphrase
Verifying - Enter pass phrase: redhat     # same passphrase again
Strip the passphrase again so httpd can start unattended:
openssl rsa -in zeeshan.com.key -out zeeshan.com.key
Enter pass phrase for zeeshan.com.key: redhat
writing RSA key
make zeeshan.com.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key zeeshan.com.key -out zeeshan.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:SINDH
Locality Name (eg, city) [Default City]:KARACHI
Organization Name (eg, company) [Default Company Ltd]:ZEESHAN PVT LTD.
Organizational Unit Name (eg, section) []:IP OPERATIONS
Common Name (eg, your name or your server’s hostname) []:www.zeeshan.com
Email Address []:[email protected]
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:REDHAT
openssl x509 -in zeeshan.com.csr -out zeeshan.com.crt -req -signkey zeeshan.com.key -days 3650
Signature ok
subject=/C=PK/ST=SINDH/L=KARACHI/O=ZEESHAN PVT LTD./OU=IP OPERATIONS/CN=www.zeeshan.com/[email protected]
Getting Private key
chmod 400 zeeshan.com.*
Now we generate the rhce.com certificate.
make rhce.com.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > rhce.com.key
Generating RSA private key, 2048 bit long modulus
….+++
……+++
e is 65537 (0x10001)
Enter pass phrase: redhat                 # choose a passphrase
Verifying - Enter pass phrase: redhat     # same passphrase again
Strip the passphrase again so httpd can start unattended:
openssl rsa -in rhce.com.key -out rhce.com.key
Enter pass phrase for rhce.com.key: redhat
writing RSA key
make rhce.com.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key rhce.com.key -out rhce.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:SINDH
Locality Name (eg, city) [Default City]:KARACHI
Organization Name (eg, company) [Default Company Ltd]:RHCE PVT LTD PROMETRIC CENTER.
Organizational Unit Name (eg, section) []:IT DEPARTMENT
Common Name (eg, your name or your server’s hostname) []:www.rhce.com
Email Address []:[email protected]
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:
openssl x509 -in rhce.com.csr -out rhce.com.crt -req -signkey rhce.com.key -days 3650
Signature ok
subject=/C=PK/ST=SINDH/L=KARACHI/O=RHCE PVT LTD PROMETRIC CENTER./OU=IT DEPARTMENT/CN=www.rhce.com/[email protected]
Getting Private key
chmod 400 rhce.com.*
Great, all certificates were generated successfully!
Finally we can restart the Apache web service.
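The key, CSR and self-signed certificate steps above as one non-interactive shell function, plus the checks to run before pointing SSLCertificateFile/SSLCertificateKeyFile (or a Squid https_port) at the files: that the certificate really belongs to the key, that its CN equals the vhost ServerName, and that it is not about to expire. This is an added example, not code from the original tutorial; it assumes openssl is on PATH, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: the key -> CSR -> self-signed cert
# steps as one function, plus the checks to run before wiring the files into
# Apache or Squid. Assumes openssl on PATH. The key is written without a
# passphrase straight away; the tutorial sets one and strips it with "openssl rsa".

# make_selfsigned DIR NAME SUBJECT -> DIR/NAME.key, DIR/NAME.csr, DIR/NAME.crt
make_selfsigned() {
    dir=$1; name=$2; subj=$3
    ( umask 077                      # same effect as the Makefile's "umask 77"
      openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null &&
      openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" -subj "$subj" 2>/dev/null &&
      openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
              -out "$dir/$name.crt" -days 3650 2>/dev/null )
}

# cert_key_match CRT KEY -> "match" when the cert carries this key's public half
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo match; else echo MISMATCH; fi
}

# cert_cn CRT -> the Common Name; it must equal the vhost's ServerName
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_valid_for_days CRT N -> "yes" unless the cert expires within N days
cert_valid_for_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# Demo: rebuild abc.com with the tutorial's subject in a scratch directory.
tmp=$(mktemp -d)
make_selfsigned "$tmp" abc.com \
    "/C=PK/ST=SINDH/L=KARACHI/O=ABC PVT LTD./OU=IT DEPARTMENT/CN=www.abc.com"
echo "key/cert: $(cert_key_match "$tmp/abc.com.crt" "$tmp/abc.com.key")"   # match
echo "CN: $(cert_cn "$tmp/abc.com.crt")"                                   # www.abc.com
echo "valid for 30 days: $(cert_valid_for_days "$tmp/abc.com.crt" 30)"    # yes
rm -rf "$tmp"
```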
/etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Open a web browser and go to https://www.abc.com
tail -f /var/log/httpd/abc.com-ssl_access_log
192.168.254.1 - - [07/Jun/2013:18:24:40 +0500] "GET / HTTP/1.1" 200 114
192.168.254.1 - - [07/Jun/2013:18:24:41 +0500] "GET /favicon.ico HTTP/1.1" 404 209
Great, www.abc.com is running fine and the log shows the request.
Open a web browser and go to https://www.zeeshan.com
tail -f /var/log/httpd/zeeshan.com_ssl-access_log
192.168.254.1 - - [07/Jun/2013:18:24:50 +0500] "GET / HTTP/1.1" 200 211
192.168.254.1 - - [07/Jun/2013:18:24:52 +0500] "GET /favicon.ico HTTP/1.1" 404 209
Great, www.zeeshan.com is running fine and the log shows the request.
Open a web browser and go to https://www.rhce.com/
tail -f /var/log/httpd/rhce.com_ssl-access_log
192.168.254.1 - - [07/Jun/2013:18:31:54 +0500] "GET / HTTP/1.1" 200 209
192.168.254.1 - - [07/Jun/2013:18:31:55 +0500] "GET /favicon.ico HTTP/1.1" 404 209
Great, www.rhce.com is running fine and the log shows the request.
Now we configure an .htaccess-based password-protected web directory in Apache.
cd /var/www/site2/
mkdir lock
htpasswd -c .htpasswd redhat
New password: bhatti
Re-type new password: bhatti
Adding password for user redhat
vi /etc/httpd/conf/httpd.conf
# Insert these lines at the end of the file.
<Directory /var/www/site2/lock>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
:wq!
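AllowOverride AuthConfig only permits a .htaccess file inside lock/; until that file exists nothing asks for the password. Added example (not from the original page): a shell function that writes the .htaccess, and a check that the protection is actually wired up and that the password file is kept outside the document root. Function names, scratch paths and the placeholder password-file line are this example's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: create the .htaccess that
# "AllowOverride AuthConfig" permits for the lock/ directory, then verify the
# protection is really in place. Function names and scratch paths are this
# example's own; the password-file line below is a constructed placeholder.

# protect_dir DIR PASSFILE -> writes DIR/.htaccess requiring a user from PASSFILE
protect_dir() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $2
Require valid-user
EOF
}

# check_protected DIR DOCROOT -> "ok" or the first reason the directory is open
check_protected() {
    ht=$1/.htaccess
    [ -f "$ht" ] || { echo "no .htaccess in $1"; return 0; }
    for d in "AuthType Basic" "AuthUserFile " "Require valid-user"; do
        grep -q "^$d" "$ht" || { echo "missing $d"; return 0; }
    done
    pf=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$ht")
    [ -f "$pf" ] || { echo "password file $pf not found"; return 0; }
    # A password file under the document root is one misconfiguration away
    # from being served as content (the stock httpd.conf only saves it by
    # denying every file named .ht*), so insist that it lives elsewhere.
    case $pf in
        "$2"/*) echo "password file $pf is inside document root $2"; return 0 ;;
    esac
    echo ok
}

# Demo in a scratch tree mirroring the tutorial layout (site2/lock).
top=$(mktemp -d)
mkdir -p "$top/www/site2/lock" "$top/etc"
echo 'redhat:$apr1$placeholder$constructedhashXXXXXXXX' > "$top/etc/site2.htpasswd"
chmod 640 "$top/etc/site2.htpasswd"
protect_dir "$top/www/site2/lock" "$top/etc/site2.htpasswd"
echo "lock/: $(check_protected "$top/www/site2/lock" "$top/www/site2")"   # ok
rm -rf "$top"
```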
Now we start the Squid source package installation.
cd /root/download/
tar -xzvf squid-3.3.5.tar.gz
mv squid-3.3.5.tar.gz /tmp/
cd squid-3.3.5/
mkdir /opt/squid
./configure --prefix=/opt/squid --enable-shared=yes --enable-static=no --enable-carp \
  --enable-storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp \
  --disable-delay-pools --disable-esi --enable-icap-client --enable-useragent-log \
  --enable-referer-log --disable-wccp --enable-wccpv2 --disable-kill-parent-hack \
  --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --disable-htcp \
  --disable-forw-via-db --enable-follow-x-forwarded-for --enable-cache-digests \
  --disable-poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups \
  --enable-default-hostsfile=/etc/hosts --with-default-user=squid --with-large-files \
  --enable-mit=/usr --with-logdir=/var/log/squid --enable-http-violations \
  --enable-zph-qos --with-filedescriptors=65536 --enable-gnuregex --enable-async-io=64 \
  --with-aufs-threads=64 --with-pthreads --with-aio --enable-default-err-languages=English \
  --enable-err-languages=English --disable-hostname-checks --enable-underscores \
  --enable-ssl && make && make install && echo "SQUID SUCCESS" || echo "SQUID FAILED"
If configure, make and make install finish without errors, the build succeeded.
cd /opt/squid/etc/
vi squid.conf
# Insert the accel lines below directly under the existing "http_port 3128".
http_port 3128
http_port 80 accel defaultsite=www.homedomain.com vhost
http_port 80 accel defaultsite=www.sindh.com vhost
http_port 80 accel defaultsite=www.islam.edu vhost
https_port 443 accel cert=/etc/pki/tls/certs/abc.com.crt key=/etc/pki/tls/certs/abc.com.key defaultsite=www.abc.com vhost
https_port 443 accel cert=/etc/pki/tls/certs/zeeshan.com.crt key=/etc/pki/tls/certs/zeeshan.com.key defaultsite=www.zeeshan.com vhost
https_port 443 accel cert=/etc/pki/tls/certs/rhce.com.crt key=/etc/pki/tls/certs/rhce.com.key defaultsite=www.rhce.com vhost
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /opt/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /opt/squid/var/cache/squid
# Insert the lines below at the end of the file. Exception: the two
# "http_access allow" rules must sit above the stock "http_access deny all",
# because Squid stops at the first matching http_access line.
#######################################################################
######SQUID SERVER AS REVERSE PROXY FOR APACHE WEB SERVER ON PORT 81###
#######################################################################
cache_peer 192.168.254.154 parent 81 0 no-query originserver login=PASS name=saturn
#####################################################################
###SQUID SERVER AS REVERSE PROXY FOR APACHE WEB SERVER ON PORT 220###
#####################################################################
cache_peer 192.168.254.154 parent 220 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=zeeshan
####################################################
### ACLs FOR APACHE WEB SERVER VHOSTS ON PORT 81###
####################################################
acl saturn_users dstdomain www.homedomain.com
acl saturn_users dstdomain www.sindh.com
acl saturn_users dstdomain www.islam.edu
#####################################################
### ACLs FOR APACHE WEB SERVER VHOSTS ON PORT 220###
#####################################################
acl zee dstdomain www.abc.com
acl zee dstdomain www.zeeshan.com
acl zee dstdomain www.rhce.com
#################################
### HTTP ACCESS ALLOW FOR ACLS###
#################################
http_access allow saturn_users
http_access allow zee
#############################
###CACHE PEER ALLOW RULES####
#############################
cache_peer_access saturn allow saturn_users
cache_peer_access zeeshan allow zee
###########################
###CACHE PEER DENY RULES###
###########################
cache_peer_access saturn deny all
cache_peer_access zeeshan deny all
visible_hostname reverseproxy.node01
:wq!
cd /opt/squid
chown -R squid:squid var/
./sbin/squid -z        # create the cache directories
./sbin/squid           # start the daemon
ps aux | grep squid
root 1692 0.0 0.7 15264 3936 ? Ss 22:12 0:00 ./squid
squid 1694 3.4 3.3 45344 17352 ? S 22:12 0:00 (squid-1)
squid 1695 0.0 0.1 3632 976 ? S 22:12 0:00 (logfile-daemon) /var/log/squid/access.log
squid 1696 0.0 0.1 3480 888 ? S 22:12 0:00 (unlinkd)
root 1698 0.0 0.1 4356 748 pts/0 S+ 22:12 0:00 grep squid
Great, Squid started; the log and the process list show it running normally.
/sbin/service httpd restart
Stopping httpd: [FAILED] OHHHHHHHHHHHHHHHH
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:220
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:220
no listening sockets available, shutting down
Unable to open logs
Resolution of this Error
vi /etc/selinux/config
SELINUX=disabled
:wq!
setenforce 0
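Setting SELINUX=disabled removes the whole confinement layer to fix one denied bind; the SELinux-aware fix is to label the non-standard Apache ports as http_port_t with semanage. As an added shell example (not part of the original page), the functions below read `semanage port -l` output, handle port ranges, and print only the semanage commands still needed. SAMPLE is constructed output in RHEL 6 style, in which 81 is already allowed and 220 is not, matching the error above that names only port 220; on a real host pipe `semanage port -l` into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the tutorial: keep SELinux enforcing and label the
# non-standard Apache ports instead of setting SELINUX=disabled.
# SAMPLE is constructed "semanage port -l" output; on a real host use:
#   semanage port -l | needed_labels http_port_t tcp "81 220"

SAMPLE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
squid_port_t                   tcp      3128, 3401, 4827'

# port_labeled TYPE PROTO PORT  (semanage output on stdin)
# -> "yes" if PORT is covered by TYPE/PROTO, counting single ports and ranges.
port_labeled() {
    awk -v t="$1" -v p="$2" -v port="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (split(v, r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (v + 0 == port + 0) found = 1
            }
        }
        END { print found ? "yes" : "no" }'
}

# needed_labels TYPE PROTO "PORT ..."  (semanage output on stdin)
# -> one "semanage port -a ..." command per port that is not yet labeled.
needed_labels() {
    list=$(cat)
    for port in $3; do
        if [ "$(printf '%s\n' "$list" | port_labeled "$1" "$2" "$port")" = no ]; then
            echo "semanage port -a -t $1 -p $2 $port"
        fi
    done
}

# Demo with the constructed sample: only port 220 still needs a label.
printf '%s\n' "$SAMPLE" | needed_labels http_port_t tcp "81 220"
```

Once the missing port is labelled, restart httpd; it can then bind port 220 with SELinux left enforcing.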
netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1304/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1166/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1407/master
tcp 0 52 192.168.254.154:22 192.168.254.1:34160 ESTABLISHED 1477/sshd
tcp 0 0 :::80 :::* LISTEN 1694/(squid-1)
tcp 0 0 :::81 :::* LISTEN 1661/httpd
tcp 0 0 :::22 :::* LISTEN 1166/sshd
tcp 0 0 :::3128 :::* LISTEN 1694/(squid-1)
tcp 0 0 :::443 :::* LISTEN 1694/(squid-1)
tcp 0 0 :::220 :::* LISTEN 1661/httpd
tail -f /var/log/squid/access.log
1370625428.239 135 192.168.254.1 TCP_MISS/304 289 GET http://www.homedomain.com/ - FIRSTUP_PARENT/192.168.254.154 -
1370625428.417 2 192.168.254.1 TCP_MISS/404 614 GET http://www.homedomain.com/favicon.ico - FIRSTUP_PARENT/192.168.254.154 text/html
Great, www.homedomain.com is served through Squid; FIRSTUP_PARENT/192.168.254.154 shows the request was forwarded to the Apache origin.
tail -f /var/log/httpd/homedomain.com-access_log
192.168.254.154 - - [07/Jun/2013:22:17:08 +0500] "GET /squid-internal-periodic/store_digest HTTP/1.1" 404 315
192.168.254.154 - - [07/Jun/2013:22:17:08 +0500] "GET / HTTP/1.1" 304 -
192.168.254.154 - - [07/Jun/2013:22:17:08 +0500] "GET /favicon.ico HTTP/1.1" 404 293
On the Apache side the same requests now arrive from Squid's address (192.168.254.154) rather than from the client.
tail -f /var/log/squid/access.log
1370625559.985 98 192.168.254.1 TCP_MISS/200 522 GET https://www.abc.com/ - FIRSTUP_PARENT/192.168.254.154 text/html
1370625560.145 30 192.168.254.1 TCP_MISS/404 608 GET https://www.abc.com/favicon.ico - FIRSTUP_PARENT/192.168.254.154 text/html
Great, https://www.abc.com is running fine through Squid as well!
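In accelerator mode Squid should only ever fetch from its origin peer (FIRSTUP_PARENT/192.168.254.154) and only for the six configured hosts; a DIRECT fetch, or a URL for some other host in access.log, means an http_access rule admitted a forward-proxy request. As an added check that is not part of the tutorial, the audit below runs over Squid's native log format; SAMPLE_LOG is constructed from the two excerpts above plus two entries the audit should flag.

```shell
#!/bin/sh
# Added check, not part of the tutorial. Flags access.log entries that an
# accelerator for the six vhosts should never produce: a fetch that went
# DIRECT instead of to the Apache origin peer, or a URL for a foreign host.
# SAMPLE_LOG is constructed: the tutorial's entries plus two suspicious ones.

SITES="www.homedomain.com www.sindh.com www.islam.edu www.abc.com www.zeeshan.com www.rhce.com"

SAMPLE_LOG='1370625428.239    135 192.168.254.1 TCP_MISS/304 289 GET http://www.homedomain.com/ - FIRSTUP_PARENT/192.168.254.154 -
1370625559.985     98 192.168.254.1 TCP_MISS/200 522 GET https://www.abc.com/ - FIRSTUP_PARENT/192.168.254.154 text/html
1370625600.100    410 192.168.254.1 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1370625601.300      1 192.168.254.1 TCP_MEM_HIT/200 3000 GET http://mail.example.com/ - HIER_NONE/- text/html'

# audit_squid_log FILE -> "REASON CLIENT URL PEER" for each suspicious entry
audit_squid_log() {
    awk -v sites="$SITES" '
        BEGIN { n = split(sites, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        NF >= 9 {
            # native format: time elapsed client code/status bytes method url ident peer type
            client = $3; url = $7; peer = $9
            host = url
            sub(/^[a-z]+:\/\//, "", host); sub(/\/.*/, "", host); sub(/:.*/, "", host)
            reason = ""
            if (index(peer, "DIRECT/") > 0) reason = "DIRECT_FETCH"   # bypassed the origin peer
            else if (!(host in ok))         reason = "FOREIGN_HOST"   # not one of our vhosts
            if (reason != "") print reason, client, url, peer
        }' "$1"
}

# audit_count FILE -> number of flagged entries (0 is the healthy result)
audit_count() { audit_squid_log "$1" | wc -l | tr -d ' '; }

# Demo on the constructed sample.
f=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$f"
audit_squid_log "$f"
echo "flagged: $(audit_count "$f")"    # 2
rm -f "$f"
```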