web server | David DeMartini actual

Stratux has a rich community of forums, and a lot of information about debugging Strtux, but so far good hacking information is really hard to find. One of the things of most interest to me was “What is severing up this webpage?”

Every search was a dead end, so I went back to my *NIX system administration roots and thought.. “Well, if someone wont admit what’s serving up the stream.. I’ll find out for myself.

Who’s Your Server? — gen_gdl90

A couple of quick commands told me which PID was hanging onto Port 80 and from there which process was associated with the PID:



root@raspberrypi:~# fuser 80/tcp

80/tcp:               3110

root@raspberrypi:~# ps aux | grep 3110

root      3110 51.9  2.9 973132 27600 ?        Ssl  15:19  47:03 /usr/bin/gen_gdl90

root      6606  0.0  0.2   4276  1904 pts/0    S+   16:50   0:00 grep 3110

What files does it have open?

Once I had an idea of who’m I was looking for, running lsof with the port number gave me 60 entries… and bingo.. there was the nugget of gold I was looking for:



root@raspberrypi:~# lsof -p 3110

COMMAND    PID USER   FD      TYPE     DEVICE  SIZE/OFF   NODE NAME

gen_gdl90 3110 root  cwd       DIR      179,2      4096      2 /

[...]

gen_gdl90 3110 root   35u     IPv6    1849628       0t0    TCP StratuxWiFi.io:http->10.100.0.188:49157 (ESTABLISHED)

gen_gdl90 3110 root   36u     IPv6     210216       0t0    TCP StratuxWiFi.io:http->10.100.0.188:64155 (ESTABLISHED)

gen_gdl90 3110 root   37u     IPv6    1859641       0t0    TCP StratuxWiFi.io:http->10.100.0.188:49165 (ESTABLISHED)

gen_gdl90 3110 root   38u     IPv6    1759876       0t0    TCP StratuxWiFi.io:http->10.100.0.188:65420 (ESTABLISHED)

gen_gdl90 3110 root   41u     IPv6    1778784       0t0    TCP StratuxWiFi.io:http->10.100.0.188:65442 (CLOSE_WAIT)

gen_gdl90 3110 root   48r      REG      179,2    146998  51146 /var/www/maui/js/angular.min.js

The Web Path

Once onto the trail of the web path, I see that this is an Angular based application (ugh.. I really despise Angular.. I just do.), and all based on some JS stuffs. I get it. for an app like this the two-way data binding of Angular is probably the right too; but I still do not (no do I have to) like it.



root@raspberrypi:~# cd /var/www/maui/

root@raspberrypi:/var/www/maui# ls -l

total 12

drwxr-xr-x 2 root root 4096 Mar 15  2016 css

drwxr-xr-x 2 root root 4096 Mar 15  2016 fonts

drwxr-xr-x 2 root root 4096 Mar 15  2016 js

root@raspberrypi:/var/www/maui#

What I was hoping to find was the location of the that status page.. but.. I believe that what I’m looking for now is the .JS file that manages that label. Initially this looked like a dead end…



root@raspberrypi:/var/www/maui# egrep -r Distance *

root@raspberrypi:/var/www/maui#

Realiazing this was some templating sub-directory, and the root was likely at /var/www, I ran another search that found the location of the desired string, and likely the location of the parts I’m looking for:



root@raspberrypi:~# cd ..

root@raspberrypi:/var/www# egrep -lnr 'Distance' *



  plates/js/traffic.js

  plates/traffic-help.html

  plates/traffic.html

Justification

Are you a developer that commonly uses SSL / HTTPS communications on your websites? Do you have multiple development environments hosted on the same domain (such as separate client demo/eval/testing VirtualHosts?), then a wildcarded SSL cert might be for you.

Generating one is very simple process. You will need to have the OpenSSL libraries installed on your computer. All but the worst of Operating systems is likely to have this already installed. If not, you can always go here and get a package: [OpenSSL.org]

Enough reasoning and rationalization, time to get down to business.

Overview

First you must have a private key generated and installed. Second that key is then used to generate a simultaneous signing request and cert signing operation.

Once you have your files created, reference them in the Webserver of your choice (such as nginX or Apach2, if you are using IIS… my heart aches for your plight), using the documentation for that webserver. I’m not going to go into there here, because I’m just taking the time to share this simple process fore generating the CERT.

Step 1 – Generate your private key

If you do not have a private key generated, I’m going to show you have to do it. If you have one that you want to use already, and you know where it is, move onto the next step.

Open a termnal window and execute the following openssl command to generate a private key. For my own installations I never use a key shorter than 2048. Most of the time, I use one that is quite a bit longer. That said, 2048 should provide a sufficiently long key for any practical SSL purposes. Yes, SSL has security issues and a motivated hacker can likely piggy-back it, regardless of your key size… but for the sake of argument and getting through this post, we’ll pretend the Interwebs are a safe place.

Move to the location where you will store your private key (this is a typical location, you can use whatever you want):
cd /etc/ssl/private

Run the command to generate the key:
openssl genrsa 2048 > my.super-awesome.hostname.key

Generating RSA private key, 2048 bit long modulus ......................................+++ .........+++ e is 65537 (0x10001)

So, now we have a key:
ls -l -rw-r--r-- 1 root wheel 1679 Jan 9 09:41 my.super-awesome.hostname.key

Step 2 – Generate your CERT

This is the fun part, and the 2nd of the super easy steps. To complete this you’ll want to know up front, some important pieces of data, such as the hostname for your site (I’m going to use super-awesome.net for this example). You want to have the address you want to use handy, including the country. Also want to have an e-mail address that will be published in the SSL cert to contact you, and a department and company name if so inclined. Below the actual command and responses will be in bold:

openssl req -new -x509 -nodes -sha1 -days 3650 -key my.super-awesome.hostname.key > my.super-awesome.hostname.cert
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: US State or Province Name (full name) [Some-State]: Kellyfornia Locality Name (eg, city) []: Sac-of-Tomatoes Organization Name (eg, company) [Internet Widgits Pty Ltd]: Crazy Assembly House Organizational Unit Name (eg, section) []: Committee on wasting tax payer money Common Name (eg, YOUR name) []: *.super-awesome.net Email Address []: admin@super-awesome.net

Verify that you have the file:
ls -l -rw-r--r-- 1 root wheel 1927 Jan 9 09:50 my.super-awesome.hostname.cert

That’s all there is to it! You’re done. Now you have a Self-Signed SSL wildcard sert for super-awesome.net. This would allow you to secure (and I always use the word secure with a certain degree of sarcasm) any sub-domain / hostname under super-awesome.net. Examples of what it would handle:

https://www.super-awesome.net https://qa-server.super-awesome.net https://some-client.super-awesome.net https://another-client.super-awesome.net https://ya-client.super-awesome.net

Now, it’s important to note that this DOES NOT secure anything beyond that first level.. here are a couple more examples:

https://www.super-awesome.net -- OK https://qa-server.super-awesome.net -- OK https://some.client.super-awesome.net -- FAILS https://another-client.super-awesome.net -- OK https://test.ya-client.super-awesome.net -- FAILS

Extra Credit – viewing the contents of your CERT

It’s all well and good to generate the cert, but what if you want to verify it’s properly setup? What if you find a cert on your system and you want to know what it covers, when it expires, whom might own it, etc. Well, that’s possible too. Running a simple command we’ll examine the SSL Cert just created. The important info is in the ‘Issuer’ and ‘Subject’ blocks.

openssl x509 -noout -text -in my.super-awesome.hostname.cert Certificate: Data: Version: 3 (0x2) Serial Number: c4:3d:66:b4:e3:cc:61:86 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Kellyfornia, L=Sac-of-Tomatoes, O=Crazy Assembly House, OU=Committe on wasting tax payer money, CN=*.super-awesome.net/emailAddress=admin@super-awesome.net Validity Not Before: Jan 9 17:50:56 2012 GMT Not After : Jan 6 17:50:56 2022 GMT Subject: C=US, ST=Kellyfornia, L=Sac-of-Tomatoes, O=Crazy Assembly House, OU=Committe on wasting tax payer money, CN=*.super-awesome.net/emailAddress=admin@super-awesome.net Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] /* removed the modulus to keep the post short */ Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 9D:72:0C:A0:E6:EB:77:2C:77:EF:E8:9E:B7:BC:9F:53:81:1A:40:9D X509v3 Authority Key Identifier: keyid:9D:72:0C:A0:E6:EB:77:2C:77:EF:E8:9E:B7:BC:9F:53:81:1A:40:9D DirName:/C=US/ST=Kellyfornia/L=Sac-of-Tomatoes/O=Crazy Assembly House/OU=Committe on wasting tax payer money/CN=*.super-awesome.net/emailAddress=admin@super-awesome.net serial:C4:3D:66:B4:E3:CC:61:86 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption [...] /* removed the signature to keep the post short */ Looking at the Subject breaks downs as follows:
Subject: C=US, ST=Kellyfornia, L=Sac-of-Tomatoes, O=Crazy Assembly House, OU=Committe on wasting tax payer money, CN=*.super-awesome.net/emailAddress=admin@super-awesome.net C=US - Country code 'US' ST=Kellyfornia - State or Provence. Sac-of-Tomatoes - City/Location O=Crazy Assembly House - Company or Organization name OU=Committe on wasting tax payer money Organizational Unit (department, etc.) CN=*.super-awesome.net - Canonical Name (hostname / domain) that the CERT services. In this case it's a wildcard, signfied by the '*'

That's all there is to it. Now, secure those website communications!

David DeMartini actual

Tag Archives: web server

Stratux Webserver – what’s behind the scenes?