Note: this is really a how-to, w/o any in-depth explanation, just a note to myself.

Today, I needed to add SSL support to the UMapper.com application running on my Slackware localhost. We use CA-signed certificates on our server, but for the local box a self-signed one was quite enough (all I need is to be able to view the development version of the site via https). Here is what I did:

1. Create private key:

$ openssl genrsa -out localhost.key 1024

2. Generate CSR (Certificate Signing Request):

$ openssl req -new -key localhost.key -out localhost.csr

3. Generate certificate:

$ openssl x509 -req -days 365 -in localhost.csr \
        -signkey localhost.key -out localhost.crt

4. Make sure SSL is enabled in httpd.conf:

# Following two should be uncommented
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
Include /etc/httpd/extra/httpd-ssl.conf

5. Edit httpd-ssl.conf so that the virtual host uses the certificate you created:

# Locate and edit the certificate details. Make sure localhost.crt and
# localhost.key are present (you either created them there or copied them)
SSLCertificateFile "/etc/httpd/certs/localhost.crt"
SSLCertificateKeyFile "/etc/httpd/certs/localhost.key"

6. Restart apache:

$ apachectl restart

That’s it. Please note that the browser will still raise an exception (and that is a good thing, as otherwise certificates wouldn’t be that useful). All you need is to add your localhost as an exception – since we really trust that the details we provided during certificate creation are our own :)

P.S. If you are getting «[warn] _default_ VirtualHost overlap on port 443, the first has precedence», add NameVirtualHost *:443 to your httpd.conf


A couple of days ago I decided to give the lighttpd web server a try. I didn’t want to uninstall the already installed apache, I just wanted it to stop and not auto-start on system reboot. Stopping apache is trivial, and as it turned out, disabling it is even easier:

# aptitude install sysv-rc-conf
# sysv-rc-conf

From there just turn off the apache service and press ‘q’ to quit. I really liked this nice command line tool!


If you decide to deploy a web application using Subversion, make sure that the administrative .svn directories are not accessible over HTTP. This is done either with a .htaccess file or (preferable, but not always possible) by changing httpd.conf.

To protect the directories from external access, a .htaccess file with the following contents is placed in the root directory:

<IfModule mod_rewrite.c>
  # RewriteRule is ignored unless the rewrite engine is switched on
  RewriteEngine On
  RewriteRule ^(.*/)?\.svn/ - [F,L]
  ErrorDocument 403 "Access Forbidden"
</IfModule>

To protect all .svn directories (as well as CVS directories), the following directive is added to the Apache configuration file, httpd.conf:

<DirectoryMatch "^/.*/(\.svn|CVS)/">
  Order deny,allow
  Deny from all 
</DirectoryMatch>

Literally, this means that all paths containing .svn or CVS will spit out 403 – Forbidden.
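The difference between the two rules above, as an added example that is not part of the original post: a Python audit that walks a document root, lists every .svn or CVS directory, and reports which of the two patterns would deny access to it. The function names are hypothetical, and the code assumes the .htaccess file sits in the document root and that the DirectoryMatch pattern is tested against the full filesystem path (the `entries` file name is only a sample).

```python
import os
import re
import tempfile

# Patterns copied from the two Apache rules above.
HTACCESS_RULE = re.compile(r"^(.*/)?\.svn/")        # RewriteRule in .htaccess
DIRECTORY_MATCH = re.compile(r"^/.*/(\.svn|CVS)/")  # <DirectoryMatch> in httpd.conf
VCS_DIRS = {".svn", "CVS"}


def find_vcs_dirs(docroot):
    """Return docroot-relative paths of every .svn or CVS directory."""
    found = []
    for current, dirs, _files in os.walk(docroot):
        for name in dirs:
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(current, name), docroot)
                found.append(rel.replace(os.sep, "/"))
        # Do not descend into the metadata directories themselves.
        dirs[:] = [d for d in dirs if d not in VCS_DIRS]
    return sorted(found)


def audit(docroot):
    """Map each metadata directory to the rules that would deny access to it."""
    root = os.path.abspath(docroot).replace(os.sep, "/")
    report = {}
    for rel in find_vcs_dirs(docroot):
        report[rel] = {
            # Assumption: .htaccess lives in the document root, so mod_rewrite
            # sees the path relative to it, without a leading slash.
            "htaccess": bool(HTACCESS_RULE.search(rel + "/entries")),
            # Assumption: the regex is tested against the full filesystem path.
            "directorymatch": bool(DIRECTORY_MATCH.search(f"{root}/{rel}/entries")),
        }
    return report


if __name__ == "__main__":
    # Constructed sample tree, built in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        for d in (".svn", "app/.svn", "legacy/CVS", "app/img"):
            os.makedirs(os.path.join(tmp, d))
        for path, rules in audit(tmp).items():
            print(f"{path:12} htaccess={rules['htaccess']} "
                  f"directorymatch={rules['directorymatch']}")
```

A CVS directory is reported with htaccess=False: the .htaccess rule covers .svn only, so CVS metadata needs the DirectoryMatch block or a rule of its own.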

Good luck on the roads!
