Blog

Recent Posts with Uncategorized tag

Installing and Configuring Postfix on AWS Amazon Linux AMI

Postfix is a Mail-Transfer-Agent (MTA). MTAs are programs which send and receive email. Postfix is free, open-source and quite popular because of it's ease in setup. (one day I might figure out Sendmail, the other major open source Linux MTA, but not today.) Below I will cover downloading, installing and configuring Postfix using userdb on a server which utilizes virtual hosts. This is a nice clean setup if you host email addresses from multiple domains on a single server. Also, please note, this setup uses userdb as the database server to deal with users, pwds, etc. Many servers use mySQL instead of userdb. If you don't intend on having too many different addresses( a few hundred), userdb is easier and lighter weight alternative to mySQL.

Requirements:

Desktop Clients:

  • PuTTY (setup help)
  • WinSCP (setup help)

Linux Packages:

  • Postfix
These will be downloaded and installed during the installation process.

Installation of Postfix

  1. Login to your AWS Instance as the root user (type: "sudo su") using SSH and SCP protocols (PuTTY for SSH and WinSCP for SCP).
  2. Install Postfix using YUM (comes preloaded on the AMI)
    yum install postfix
  3. Remove Sendmail
    yum remove sendmail

Configuration of Postfix

I'm expecting you to use WinSCP when ever you are opening a file.
  1. Open the file "/etc/postfix/main.cf". This is the primary configuration file for Postfix. The configuration files use C style commenting (# at the beginning of a line to comment out the entire line.)
  2. Change the following settings
    Variable Value Variable
  3. yum install postfix

Troubleshooting

Installing and Configuring Courier on AWS Amazon Linux AMI with Postfix

Installing and Configuring Apache2 on AWS Amazon Linux AMI

Installing and Configuring openDKIM on AWS Amazon Linux AMI with Postfix

Installing and Configuring openDKIM on AWS Amazon Linux AMI with Postfix      

Installing and Configuring Bind9 on AWS Amazon Linux AMI

Installing and Configuring Bind9 on AWS Amazon Linux AMI

Installing and Configuring Spamassassin on AWS Amazon Linux AMI running Postfix

Installing and Configuring Spamassassin on AWS Amazon Linux AMI running Postfix

Adding PHP Extensions / Modules (PECL and PEAR)

There a couple of different methods for adding an extension to php. http://forums.cerberusweb.com/showthread.php?t=25

Connecting to AWS Instance via SSH on a Blackberry

Anyone who has ever managed servers understands that problems only occur when you are not at your computer. Having SSH access to your server on your smartphone can allow you to solve / patch problems to get boss or client off your back long enough to get to a computer and correctly fix the issue. These instructions will go through how to install and setup the free BlackBerry SSH client called MidpSSH.

Installing MidpSSH on your BlackBerry

These instructions assume you have already setup an AWS instance and have setup a SSH Client for the instance. If you haven't setup an AWS Instance, you can find help at "" If have not yet setup an SSH Client (like PuTTY) for the instance, please follow the instructions at .
  1. Open your AWS Console (go to and login)
  2. Go to "EC2" under "Compute and Networking"
  3. Click on "Instances" under the "Instances" section of the Navigation pane. This will display all of the instances you currently have running. Clicking on
  4. http://www.midpssh.org/wiki/public-key

Configuration for AWS Instance access

These instructions assume you have already setup an AWS instance. If you haven't setup an AWS Instance, you can find help at ""
  1. Open your AWS Console (go to and login)
  2. Go to "EC2" under "Compute and Networking"
  3. Click on "Instances" under the "Instances" section of the Navigation pane. This will display all of the instances you currently have running. Clicking on the name of the instance will show the details of that instance below. Select the instance you want to configure PuTTY for then find the "Key Pair Name" and "Security Groups" values under the "Description" tab. You will need to edit the security group in order to allow PuTTY to access your instance then confirm the security key with the key pair name.
  4. Find the value for "Public DNS" under the "Description" tab then highlight it (shift+ left click while selecting the text) and press CTRL+C to copy the text. You will need this value when setting up PuTTY and I find copy & pasting a whole lot easier than retyping something.
  5. Click on "Security Groups" under the "Networking & Security" section of the Navigation pane. This will show your security groups for this region. Click on the instance's security group to see the details of that group.
  6. Click on the "Inbound" tab to edit the firewall associated with this security group.
  7. SSH clients use port 22 for access, so you will need to verify that TCP port 22 (SSH) is listed on the table to the right. If it is not listed, or there is no table, select "SSH" under for "Create a new rule" then add your computer's ip address to the source line followed by "/32". AWS security groups use CIDR notation for IP address ranges. Simply, "/32" limits the range to a single IP address. Click "Add Rule" then click "Apply Rule Changes"
  8. Click on "Key Pairs" under the "Networking & Security" section of the Navigation pane. The "Fingerprint" for the "Key Pair Name" will be needed later to confirm your connection to the AWS Instance. "root" user, type:
    $ sudo su
* BlackBerry is a registered trademark of Research In Motion

Installing mod_ftp for Apache on AWS Linux

FTP is the standard File Transfer Protocol. By default, the Amazon Linux installation has ftp capabilities for each Linux user and setting it up should be one of the first things you do. () Allowing a Linux user ftp access to the entire server can be problematic through. All Linux users can see and read global read-only files. So if you are hosting multiple websites on the same server, anyone with file access to one of the sites, will generally have access to the other sites, as well as the more general server files. This can create security issues, especially if you are hosting the sites for multiple third-parties or intend on using third-party web developers. There are two general solutions to this problem: chroot jail the Linux users or mod_ftp. Mod_ftp is more practical in this situation because it is easier to setup for multiple websites and a little more challenging to screw-up and create security holes. Any FTP system you use on an AWS instance will require you to edit your instance's security group to allow for access to port 21, 990 and/or 1024-1048.

Installing Apache's mod_ftp

These instructions assume you have already setup an and have an SSH client (like ) available.
  1. Log in to your instance via the SSH client. Transfer to the root user.
  2. Install the Apache eXtenSion tool (APXS - via the httpd-devel yum package)
  3. Use SVN to get the latest release of mod_ftp files
  4. Move to the mod_ftp directory
  5. Run the mod_ftp configuration script (configure.apxs)
  6. Build the module using "make"
  7. Install the module using "make install"
  8. DO NOT RESTART Apache until you have configured mod_ftp. The default settings are not as constrained as you may wish and restarting httpd could temporarily open your the web directory to the public
Summary of command line inputs
  • $ sudo su
  • $ yum install httpd-devel
  • .....
  • Do you want to install httpd (Y/N): Y
  • $ svn checkout http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/ mod_ftp
  • $ cd mod_ftp
  • $ ./configure.apxs
  • $ make
  • $ make install

Configuring mod_ftp

Configuring mod_ftp is easiest done with a visual text editor, like included in WinSCP rather than through the command line and vi. You will need to restart the httpd daemon after changing the configuration files in order for the settings to take effect.
Examples settings
Apache system user webserv
System group webcln
Domain 1 example.com
Domain 1 subdomain sub.example.com
Password file name passwords
All of the Apache configuration files use the standard C-type commenting, so any line starting with a "#" is commented out and not used in configuring apache2 or any of the modules.

Single Domain Configuration

If you are using a single domain (ie not using virtual hosts) you can make the modifications directly in the ftpd.conf file.
  1. Open the file "/etc/httpd/conf/extra/ftpd.conf".
  2. Make sure "Listen 21 ftp" and "AcceptFilter ftp none" is uncommented. "Listen 21" should be commented out. The "AcceptFilter" directive should only be used on Apache 2.2 and higher versions.
  3. Change "_default_" in "<VirtualHost _default_:21>" to the actual server name. Make sure this line is uncommented as well as the "</VirtualHost>" line near the end of the file
  4. Above the "<VirtualHost" line, add "NameVirtualHost example.com:21" where example.com is the actual server name.
  5. Make sure "FTP On" is uncommented.
  6. Uncomment and set "ServerAdmin" to the server admin's email address.
  7. Uncomment and set "DocumentRoot" to the directory you want to use to store the FTP files. This directory should be the same as is used in the next step.
  8. Uncomment the line '<Directory "/var/www/ftpdocs">' and change the directory to the FTP directory you want to use. You can leave it as "/var/www/ftpdocs" if that is the directory you intend on using for all the FTP file.
  9. Uncomment all of the lines fromĀ  "<Directory .." to the next "</Directory>" (4 lines) then change the location of the AuthUserFile to the actual location of the file you intend on using to store user authentication information (the usernames and passwords)
  10. Change "AuthType Basic" to "AuthType Digest"
  11. Close and save the file.
  12. Log in via SSH and restart httpd to have the new settings take effect.

Virtual Domains Configuration

  1. Open the file "/etc/httpd/conf.d/vhosts.conf" or your particular virtual host configuration file.
  2. Copy one of the examples configurations below into the file and exchange the example values for your server's values. You should leave a copy of the 'default' server at the top of the vhosts file.
    Meaning of each parameter
    • NameVirtualHost - Indicated that the particular IP:PORT combination is a virtual host. Need this to instigate the VirtualHost tags later. The value should be structured as IP:PORT. The wildcard "*" can be used to identify any IP address. Port 21 is used for ftp connections while port 990 is used for ftps (secure) connections.
    • Listen - Forces Apache to listen to requests st the destinated port. For a FTP server, there are 2 key ports you would listen on: 21 for FTP requests and 990 for FTPS requests.
    • AcceptFilter - Checks to see if a module is installed and usable. Anything within the tags will be
    • IfModule - Checks to see if a module is installed and usable. Anything within the tags will be processed only if the module indicated in the open tag is installed and usable.
    • VirtualHost - This tag identifies a particular virtual host. The contents of the tag must contain the parameters ServerName, and DocumentRoot in order to work. The IP:PORT combination listed in the opening tag must be initiated using the NameVirtualHost parameter.
    • ServerName - The name of the webserver, which is normally the web address, in quotes. Apache will be asked for the ServerName by the user's browser. Note: I use the value "default:80" as a catchall for incorrect inquiries to the server. If a user queries your server, on port 80, for ServerName which doesn't exist, the first VirtualHost will be returned as a default. A DNS error can create this situation, but a user can intentionally create this situation. This is possible by directly accessing the server IP address then spoofing the HTTP header with a different web address. You can actually test your own settings this way.
    • ServerAdmin - This is the email address of the admin for the particular server, in quotes. This is not essential, but should be included to control the distribution of spam.
    • DocumentRoot - This is the directory apache will look for the appropriate web files.
    • ErrorLog - This is the error log file to be used for errors occuring with this virtual host.
    • SSLEngine - This runs the Apache mod_ssl engine which allows for secure connection and encryption of the information set to the user. You have to use this if you want to use the https protocol.
    • SSLVerifyClient - This forces the client to provide the certificate confirmation before receiving any information. This is impractical for most situations, except when using a company intranet. The client must already have the correct certificate in order to authenticate with the server. Please note that WinSCP GUI is currently (version 5.1) not smart enough to deal with a server which requires SSL but refuses to provide the client with the initial certificate. I hope to find a client which has such capabilities.
    • SSLCertificateFile - The location of the ssl certificate file.
    • SSLCertificateKeyFile - The location of the ssl certificate key file.
    • FTP - This directive turns on/off the FTP server. By default it is off, but you could use it to force particular servers to work under the http protocols.
    • FTPImplicitSSL - Indicates the user must connect using SSL. This should only really be set to on if you are using port 990, since most clients will not initialize the SSL handshake correctly on port 21 when prompted immediately upon connecting to the port.
    • FTPOptions - These are the odd options which by including them here set them as TRUE.
    • FTPPASVrange - The range of ports to use for passive FTP connections.
    • FTPBannerMessage - A simple message to indicate the user correctly logged into the FTP server.
    • AuthType - The type of authentication used. "Basic" is the simple username:password type.
    • AuthName - The name of the authentication request. You can put anything you want here and it will be dumped to the user prompt when they are expected to provide their username and password.
    • AuthUserFile - The file where the users and passwords are stored. The user:passwords should be created using htpasswd and are specific to the Apache server. These users should have nothing to do with the Linux users.
    • Require - Tells the server how to deal with the authentication results.
  3. Create the directories for each virtual account. The example uses the home directory of "/var/www/vhosts" for all of the virtual hosts. Within this directory there is a directory for each domain and within each of those is a directory for the http files (httpdocs), the https files (httpsdocs) and the server files (var). You also need to create a blank "index.html" file in the http and https directories and an error log in the logs directory.
    • /var/www/vhosts/example.com/httpdocs/
    • /var/www/vhosts/example.com/httpsdocs/
    • /var/www/vhosts/example.com/var/logs/
    • /var/www/vhosts/example.com/var/certificates/
  4. Log in to your instance via the SSH client (PuTTY). Transfer to the root user ("sudo su").
  5. Verify the installation occurred correctly by starting the httpd service ("service httpd start").
  6. Log in to your domain hosting account and change the DNS records to point to the correct IP address.
Example vhost.conf FTP server configuration - unsecure
  • <IfModule mode_ftp.c>
    • Listen 21
    • NameVirtualHost *:21
    • <VirtualHost *:21>
      • ServerName "example.com:21"
      • ServerAdmin "webmaster@example.com"
      • FTP On
      • DocumentRoot "/var/www/ftphosts/example.com/"
      • ErrorLog "/var/www/ftphosts/logs/example.com_error_log"
      • <Directory "/var/www/ftphosts/example.com/">
        • AuthType Basic
        • AuthName "Example.com FTP Server"
        • AuthUserFile "/var/www/ftphosts/access/example.com.pwds"
        • Require valid-user
      • </Directory>
    • </VirtualHost>
  • </IfModule>
Example vhost.conf FTPS server configuration - secure with passive mode
Using the passive mode for accessing the ftp server is preferable from a bandwidth, connections and resources perspective, however it requires multiple ports for communication. In this example I use ports 1024 to 1048. These ports will need be opened in the AWS security group to get the server working correctly.
  • <IfModule mode_ftp.c>
    • <IfModule mode_ssl.c>
      • Listen 990 ftps
      • AceeptFilter ftps none
      • NameVirtualHost *:990
      • <VirtualHost *:990>
        • ServerName "example.com:990"
        • ServerAdmin "webmaster@example.com"
        • FTP On
        • FTPImplicitSSL On
        • FTPPASVrange 1024 1048
        • SSLEngine On
        • SSLVerifyClient none
        • SSLCertificateFile "/var/www/certificates/example.com.crt"
        • SSLCertificateKeyFile "/var/www/certificates/example.com.key"
        • DocumentRoot "/var/www/ftphosts/example.com/"
        • ErrorLog "/var/www/ftphosts/logs/example.com_error_log"
        • <Directory "/var/www/ftphosts/example.com/">
          • AuthType Basic
          • AuthName "Example.com FTP Server"
          • AuthUserFile "/var/www/ftphosts/access/example.com.pwds"
          • Require valid-user
        • </Directory>
      • </VirtualHost>
    • </IfModule>
  • </IfModule>

Special Notes and Troubleshooting

  1. If you run PHP via mod_php, you will need to turn off the PHP engine for the ftp host if you want the user to be able to view the php code.
  2. Verify the necessary ports are open in the AWS security group.

Authentication within Apache

Apache2 can be setup to use a system independent authentication method. Simply, this allows a web user to authenticate themselves with Apache and be completely independent of the Linux users. The web user therefore can log-in and access non-public sections of your web-server. From a security standpoint, it is generally a good thing to separate the web users and Linux users. There are still some security considerations, because an Apache authenticated user could theoretically access anything on the server accessible by the user profile which Apache is using. Note, this type of authentication is different than SSL authentication. SSL authentication is for encrypting data verse Apache authentication which limits access to parts of the server. Also, Apache authentication should be only used when you want to control parts of a server, like limiting a develop subdomain to only the developers, and not to limit small segments of information to different user groups. Typically the latter problem is used through a script based log-in system, like PHP and sessions.

Authentication Modules

  • Authentication Types
    • mod_auth_basic (*included w/ Apache2 install)
    • mod_auth_digest (*included w/ Apache2 install)
  • Authentication Providers:
    • mod_authn_alias (*included w/ Apache2 install)
    • mod_authn_anon (*included w/ Apache2 install)
    • mod_authn_dbd (*included w/ Apache2 install)
    • mod_authn_dbm (*included w/ Apache2 install)
    • mod_authn_file (*included w/ Apache2 install)
    • mod_authn_default (*included w/ Apache2 install)
    • mod_authn_ldap
    • mod_authn_socache
  • Authorization
    • mod_authz_ldap (*included w/ Apache2 install)
    • mod_authz_dbd
    • mod_authz_default (*included w/ Apache2 install)
    • mod_authz_dbm (*included w/ Apache2 install)
    • mod_auth_groupfile (*included w/ Apache2 install)
    • mod_authz_host (*included w/ Apache2 install)
    • mod_authz_owner (*included w/ Apache2 install)
    • mod_authz_user (*included w/ Apache2 install)
* These are the modules included with the basic installation of Apache2 from the AWS repository.

Authentication Directives

AuthType

  • Basic (mod_auth_basic)Basic authentication is where the web browser collects then sends the raw username and password to the server. HTTPS protocols are applied first, which will encrypt the transmitted data at least. mod_auth_basic Specific Directives:
    • AuthBasicProvider (default: file) What is used to store the usernames and passwords. By default a file with lines of username:password is used, but changing this to "dbm" allows you to use a database file instead.
  • Digest (mod_auth_digest)Digest authentication uses MD5 hashing to first encrypt the collected password before send it and the username to the web server. This is considerably more secure than Basic authentication, but realistically can still be cracked. mod_auth_digest Specific Directives:
    • AuthDigestProvider (default: file) What is used to store the usernames and passwords. By default a file with lines of username:password is used, but changing this to "dbm" allows you to use a database file instead.

AuthName

Sets the authentication "realm" for the server. Generally this is just a prompt to help the user understand which username & password combination they need to enter. It also specifies a group of similarly authenticated areas (ie. realms). When a user logs into a realm called "Restricted", then goes to another area on the server with a realm name "Restricted", the user's browser will automatically try to log the user in with the username and password accepted in the first "Restricted" realm. So make sure you use names that are unique enough for the access control you want. I typically include the domain name in the AuthName string, so there is no cross-domain access issues.

AuthUserFile

The file which contains the username and password pairs.

Require

How to deal with the authorization process. The simplest route is "valid-user".

Authentication Examples

The following are the set of directives you would place in either the Apache conf files (for the appropriate host/ virtual host) or in an .htaccess file.

Creating a Simple Hash File

  • $ htpasswd -cbm USERNAME PASSWORD

Simple File-Based Log-in

  • AuthType Basic
  • AuthName "Some login"
  • AuthUserFile "/path/to/file/filename"
  • Require valid-user

Encrypted File-Based Log-in

  • AuthType Digest
  • AuthName "Some login"
  • AuthUserFile "/path/to/file/filename"
  • Require valid-user

Why are web development companies so inflexible?

  1. Engineer Mindset
  2. Lack of experience
  3. Lack of curiosity
  4. Lack of business acumen

Choosing a CMS for your website

  • What is the purpose of the website?
  • Do you need users to log-in to the site?
  • What technical skill level do you have?
  • How much do you want to customize the look and feel of the software?
  • What "other" features do you want available to your company's employees through your website?

Compressing all HTML pages with Apache2 on AWS

2013-01-29 04:28:08

The Apache2 web server has two mods which can be used to compress data sent to the client (ie browser); mod_deflate and mod_gzip. The gzip mod is more versatile but more challenging to setup. For simple compression of HTML, CSS and JavaScript files, the deflate mod works just file. Compression is particularly important on Amazon Web Services (AWS) because:

  • HTML is very redundant and bulky
  • Smaller files are sent to the client faster
  • AWS charges you based upon OUTPUT bandwidth; smaller files = less bandwidth usage per file

Simple activation of mod_deflate

These instructions assume you have already setup an AWS instance and have an SSH client (like PuTTY) available and a SCP client (like WinSCP) to use when editing the configuration files.

  1. Log in to your instance via the SCP client then open the apache2 virtual hosts configuration file ("/etc/httpd/conf.d/vhosts.conf" for the default setup mentioned in other instructions here).
  2. Add the "AddOutputFilterByType DEFLATE text/html text/plain text/xml" Filter to each virtual host (virtual hosts are the groupings starting with "<VirtualHost "). You should inclose the filter in a conditional module statement ("") to make sure your web server keeps running even if you happen to remove the deflate module.
  3. Save the virtual hosts configuration file.
  4. Open the SSH client and transfer to the root user ("sudo su")
  5. Restart the apache2 service ("service httpd restart").

The changes to the virtual hosts configuration file

  • <VirtualHost *:80>
  • ....
  • <IfModule mop_deflate.c>
  • AddOutputFilterByType DEFLATE text/html text/plain text/xml
  • </IFModule>
  • ...
  • </VirtualHost>

Summary of command line inputs

  • $ sudo su
  • $ service httpd restart

Setting up Apache2 with SSL data transfer using OpenSSL

Apache2 can be setup to support Secure-Socket Layer (SSL) protocols to provide security when transfering data between the client (ie browser) and the apache2 server. SSL is the sta can be setup to use a system independent authentication method. Simply, this allows a web user to authenticate themselves with Apache and be completely independent of the Linux users. The web user therefore can log-in and access non-public sections of your web-server. From a security standpoint, it is generally a good thing to separate the web users and Linux users. There are still some security considerations, because an Apache authenticated user could theoretically access anything on the server accessible by the user profile which Apache is using. Note, this type of authentication is different than SSL authentication. SSL authentication is for encrypting data verse Apache authentication which limits access to parts of the server. Also, Apache authentication should be only used when you want to control parts of a server, like limiting a develop subdomain to only the developers, and not to limit small segments of information to different user groups. Typically the latter problem is used through a script based log-in system, like PHP and sessions.

Authentication Modules

  • Authentication Types
    • mod_auth_basic (*included w/ Apache2 install)
    • mod_auth_digest (*included w/ Apache2 install)
  • Authentication Providers:
    • mod_authn_alias (*included w/ Apache2 install)
    • mod_authn_anon (*included w/ Apache2 install)
    • mod_authn_dbd (*included w/ Apache2 install)
    • mod_authn_dbm (*included w/ Apache2 install)
    • mod_authn_file (*included w/ Apache2 install)
    • mod_authn_default (*included w/ Apache2 install)
    • mod_authn_ldap
    • mod_authn_socache
  • Authorization
    • mod_authz_ldap (*included w/ Apache2 install)
    • mod_authz_dbd
    • mod_authz_default (*included w/ Apache2 install)
    • mod_authz_dbm (*included w/ Apache2 install)
    • mod_auth_groupfile (*included w/ Apache2 install)
    • mod_authz_host (*included w/ Apache2 install)
    • mod_authz_owner (*included w/ Apache2 install)
    • mod_authz_user (*included w/ Apache2 install)
* These are the modules included with the basic installation of Apache2 from the AWS repository.

Authentication Directives

AuthType

  • Basic (mod_auth_basic)Basic authentication is where the web browser collects then sends the raw username and password to the server. HTTPS protocols are applied first, which will encrypt the transmitted data at least. mod_auth_basic Specific Directives:
    • AuthBasicProvider (default: file) What is used to store the usernames and passwords. By default a file with lines of username:password is used, but changing this to "dbm" allows you to use a database file instead.
  • Digest (mod_auth_digest)Digest authentication uses MD5 hashing to first encrypt the collected password before send it and the username to the web server. This is considerably more secure than Basic authentication, but realistically can still be cracked. mod_auth_digest Specific Directives:
    • AuthDigestProvider (default: file) What is used to store the usernames and passwords. By default a file with lines of username:password is used, but changing this to "dbm" allows you to use a database file instead.

AuthName

Sets the authentication "realm" for the server. Generally this is just a prompt to help the user understand which username & password combination they need to enter. It also specifies a group of similarly authenticated areas (ie. realms). When a user logs into a realm called "Restricted", then goes to another area on the server with a realm name "Restricted", the user's browser will automatically try to log the user in with the username and password accepted in the first "Restricted" realm. So make sure you use names that are unique enough for the access control you want. I typically include the domain name in the AuthName string, so there is no cross-domain access issues.

AuthUserFile

The file which contains the username and password pairs.

Require

How to deal with the authorization process. The simplest route is "valid-user".

Authentication Examples

The following are the set of directives you would place in either the Apache conf files (for the appropriate host/ virtual host) or in an .htaccess file.

Creating a Simple Hash File

  • $ htpasswd -cbm USERNAME PASSWORD

Simple File-Based Log-in

  • AuthType Basic
  • AuthName "Some login"
  • AuthUserFile "/path/to/file/filename"
  • Require valid-user

Encrypted File-Based Log-in

  • AuthType Digest
  • AuthName "Some login"
  • AuthUserFile "/path/to/file/filename"
  • Require valid-user

Adding a new secure SSH Linux User on Amazon Web Services

A fedora version of Linux is the default operating system on Amazon Web Services (AWS). Previously I went through how to set up your first EC2 instance, which utilized an unique public key to log in to your instance via SSH. There is going to come a time when you will want to allow access to an instance by multiple users, or multiple devices for that matter). Creating additional users, and an associated public keys for each user, is a reasonably secure method to allow limited access via SSH. Note: the instructions here have no bearing on the Linux user permissions. Unless you explicitly set the permissions for the particular user or user group, you should assume each SSH user will have root access to the instance and could intentionally or accidentally cause real problems to your server. You should set the Linux security permissions appropriately.

Installing Apache2

These instructions assume you have already setup an and have an SSH client (like ) available.
  1. Log in to your instance via the SSH client. Transfer to the root user.
  2. Use YUM to install httpd (the apache2 web server application)
  3. Press "Y" when it asks if you want to install Apache
  4. Verify the installation occurred correctly by starting the httpd service
Summary of command line inputs
  • $ sudo su
  • $ yum install httpd
  • .....
  • Do you want to install httpd (Y/N): Y
  • $ service httpd start

Configuring Apache2

Configuring Apache2 is easiest done with a visual text editor, like included in WinSCP rather than through the command line and vi. You will need to restart the httpd daemon after changing the configuration files in order for the settings to take effect.
Examples settings
Apache system user webserv
System group webcln
Domain 1 example.com
Domain 1 subdomain sub.example.com

Basic Configuration

These settings will need to be changed whether you use a single domain or virtual domains.
  1. Open the file "/etc/httpd/conf/httpd.conf". Httpd uses the standard C-type commenting, so any line starting with a "#" is commented out and not used in configuring apache2
  2. Make sure "Listen 80" is uncommented.
  3. Change "User" to the desired linux user that you want apache to run as. The example user is "webserv"
  4. Change "Group" to the desired linux user that you want apache to run as. The example group is "webcln"
  5. Set the "ServerAdmin" to the server admin's email address.
  6. Add any other index files to "DirectoryIndex" list. Apache will search for the files in order they are listed. Separate multiple file names with spaces.
  7. Finish the configuration via the Single Domain Configuration OR the Virtual Domains Configuration. I recommend using the Virtual Domains Configuration model, because it easily allows for adding subdomains or redirecting other domains.

Single Domain Configuration

  1. Open the file "/etc/httpd/conf/httpd.conf" A single domain is setup fully within the core configuration file.
  2. Uncomment and make the appropriate changes to the following directives.
  3. Log in to your instance via the SSH client. Transfer to the root user ("sudo su").
  4. Verify the installation occurred correctly by starting the httpd service.
  5. Log in to your domain hosting account and change the DNS records to point to the correct IP address.
  • ServerAdmin webmaster@example.com
  • ServerName www.example.com:80
  • ServerAlias www.example.com
  • UseCononicalName off
  • DocumentRoot "/var/www/html"
  • ErrorLog /var/logs/error_log

Virtual Domains Configuration

  1. Open the directory "/etc/httpd/conf.d/" and create a new file called "vhosts.conf"
  2. Copy the below configurations and exchange the example values for your server's values. You should leave a copy of the 'default' server at the top of the vhosts file. The first listing of either port (80 for http and 443 for https) will be used when a request does not match any other server name or server alias.
    Meaning of each parameter
    • NameVirtualHost - Indicated that the particular IP:PORT combination is a virtual host. Need this to instigate the VirtualHost tags later. The value should be structured as IP:PORT. The wildcard "*" can be used to identify any IP address. Port 80 is used for http connections while port 443 is used for https (secure) connections.
    • IfModule - Checks to see if a module is installed and usable. Anything within the tags will be processed only if the module indicated in the open tag is installed and usable.
    • VirtualHost - This tag identifies a particular virtual host. The contents of the tag must contain the parameters ServerName, and DocumentRoot in order to work. The IP:PORT combination listed in the opening tag must be initiated using the NameVirtualHost parameter.
    • ServerName - The name of the webserver, which is normally the web address, in quotes. Apache will be asked for the ServerName by the user's browser. Note: I use the value "default:80" as a catchall for incorrect inquiries to the server. If a user queries your server, on port 80, for ServerName which doesn't exist, the first VirtualHost will be returned as a default. A DNS error can create this situation, but a user can intentionally create this situation. This is possible by directly accessing the server IP address then spoofing the HTTP header with a different web address. You can actually test your own settings this way.
    • UseCononicalName - This is a name allocation directive for self-referential URLs. Setting it to 'on' forces Apache to use the hostname and port specified by ServerName where setting it to "off" allows it to first try the hostname and port supplied by the user then use the server values. Setting it to "off" can be a slight security issue, but will generally allow for faster processing of complex situations, especially those involving intranets.
    • ServerAdmin - This is the email address of the admin for the particular server, in quotes. This is not essential, but should be included to control the distribution of spam.
    • DocumentRoot - This is the directory apache will look for the appropriate web files.
    • ErrorLog - This is the error log file to be used for errors occuring with this virtual host.
    • SSLEngine - This runs the Apache mod_ssl engine which allows for secure connection and encryption of the information set to the user. You have to use this if you want to use the https protocol.
    • SSLVerifyClient - This forces the client to provide the certificate confirmation before receiving any information. This is impractical for most situations, except when using a company intranet. The client must already have the correct certificate in order to authenticate with the server.
    • SSLCertificateFile - The location of the ssl certificate file.
    • SSLCertificateKeyFile - The location of the ssl certificate key file..
  3. Create the directories for each virtual account. The example uses the home directory of "/var/www/vhosts" for all of the virtual hosts. Within this directory there is a directory for each domain and within each of those is a directory for the http files (httpdocs), the https files (httpsdocs) and the server files (var). You also need to create a blank "index.html" file in the http and https directories and an error log in the logs directory.
    • /var/www/vhosts/example.com/httpdocs/
    • /var/www/vhosts/example.com/httpsdocs/
    • /var/www/vhosts/example.com/var/logs/
    • /var/www/vhosts/example.com/var/certificates/
  4. Log in to your instance via the SSH client (PuTTY). Transfer to the root user ("sudo su").
  5. Verify the installation occurred correctly by starting the httpd service ("service httpd start").
  6. Log in to your domain hosting account and change the DNS records to point to the correct IP address.
Example vhost.conf file
  • NameVirtualHost *:80
  • <IfModule mode_ssl.c>
    • NameVirtualHost *:443
  • </IfModule mode_ssl.c>
  • <VirtualHost *:80
    • ServerName "default:80"
    • UseCononicalName off
    • ServerAdmin "webmaster@example.com"
    • DocumentRoot "/var/www/vhosts/default/httpdocs"
    • ErrorLog "/var/www/vhosts/default/var/logs/error_log"
    • <IfModule mode_ssl.c>
      • SSLEngine off
    • </IfModule mode_ssl.c>
  • </VirtualHost>
  • <IfModule mode_ssl.c>
    • <VirtualHost *:443
      • ServerName "default:443"
      • UseCononicalName off
      • ServerAdmin "webmaster@example.com"
      • DocumentRoot "/var/www/vhosts/default/httpsdocs"
      • ErrorLog "/var/www/vhosts/default/var/logs/error_log"
      • SSLEngine on
      • SSLVerifyClient none
      • SSLCertificateFile/var/www/vhosts/default/var/certificates/default.crt
      • SSLCertificateKeyFile /var/www/vhosts/default/var/certificates/default.key
    • </VirtualHost>
  • </IfModule mode_ssl.c>

Lack of Content

2013-06-13 05:54:04

I must apologize for the lack of content recently. We have recently been revamping our software into a platform-as-a-service model. Later this summer we will be moving all this content to our website (). In the mean time new we have brought on board a couple interns to help edit and organize the backlog of content and get it posted. Over the last two years we have been developing a custom Content Management System for small businesses, particular service firms who work on a project basis. About a month before the proposed launch, the business model was changed to operate more like a platform-as-a-service than just a software offering. For the last two months we have been working on automating the application and platform management so web design companies can easily signup and use our platform with their clients.