It must only be reachable from the inside.
Since we don't use WEP or anything else at the WiFi level, we use SSL so that passwords and other configuration data don't travel in the clear.
See the CVS.
Edit /var/www/conf/httpd.conf to enable SSI; while we're at it, set a valid mail address, and we don't need that many processes.

    (...)
    MinSpareServers 1
    MaxSpareServers 3
    (...)
    StartServers 1
    (...)
    ServerAdmin shtrom-mudrublic@ssji.net
    (...)
    DirectoryIndex index.html index.shtml
    (...)
    AddType text/html .shtml
    AddHandler server-parsed .shtml
Create a /var inside Apache's chroot, writable by the 'www' user; it will be useful later on for talking to the interface's back-end over UNIX sockets.

    $ sudo mkdir /var/www/var
    $ sudo chown www.daemon /var/www/var
Set the relevant parameters in httpd.conf:

    <VirtualHost _default_:443>
        # General setup for the virtual host
        DocumentRoot /var/www/admin
        ServerName mudrublic.narf.ssji.net
        ServerAdmin shtrom-mudrublic@ssji.net
        ErrorLog logs/error_log
        TransferLog logs/access_log
        ScriptAlias /cgi-bin/ "/var/www/admin/cgi-bin/"
        <Directory "/var/www/admin">
            Options +Includes
            Require valid-user
            AuthType Basic
            AuthName "Router administration interface"
            AuthUserFile /var/www/conf/adminpass
        </Directory>
        <Directory "/var/www/admin/cgi-bin">
            AllowOverride None
            Options None
            Order allow,deny
        </Directory>
Generate the password file (the last chmod is run from /var/www/conf, so the path is relative to it):

    $ cd /var/www/conf
    $ sudo htpasswd -c adminpass operator
    New password:
    Re-type new password:
    Adding password for user operator
    $ cat adminpass
    operator:ENCRYPTED_PASS
    $ sudo chmod o-r adminpass
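The point of putting Basic auth behind the :443 vhost is that the credentials are never sent in clear text, and the password file must stay outside the DocumentRoot. As an added example (not part of the original page or of the router's own tooling), this small audit checks those properties on a constructed fragment modelled on the block above; the `_under` helper and finding strings are ours.

```python
import re

# Constructed fragment modelled on the page's <VirtualHost _default_:443> block;
# it is not the router's real httpd.conf.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
DocumentRoot /var/www/admin
<Directory "/var/www/admin">
Options +Includes
Require valid-user
AuthType Basic
AuthUserFile /var/www/conf/adminpass
</Directory>
<Directory "/var/www/admin/cgi-bin">
Options None
</Directory>
</VirtualHost>
"""

def _under(path, root):
    """True if path is root itself or lies beneath it."""
    path, root = path.rstrip("/"), root.rstrip("/")
    return path == root or path.startswith(root + "/")

def audit_vhost(conf):
    """Return a list of findings for the first <VirtualHost> in conf."""
    findings = []
    vh = re.search(r'<VirtualHost\s+\S+?:(\d+)\s*>(.*?)</VirtualHost>', conf, re.S)
    port, body = int(vh.group(1)), vh.group(2)
    docroot = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', body, re.M).group(1)
    dirs = re.findall(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', body, re.S)
    # Apache merges <Directory> sections shortest path first, so a Require on
    # the DocumentRoot (or an ancestor) also covers cgi-bin and friends.
    protected = any(_under(docroot, p) and re.search(r'^\s*Require\s', b, re.M)
                    for p, b in dirs)
    if not protected:
        findings.append("DocumentRoot %s has no Require directive" % docroot)
    if protected and port != 443:
        findings.append("Basic auth on port %d: credentials travel in clear text" % port)
    for p, b in dirs:
        m = re.search(r'^\s*AuthUserFile\s+"?([^"\s]+)', b, re.M)
        if m and _under(m.group(1), docroot):
            findings.append("AuthUserFile %s lies inside DocumentRoot" % m.group(1))
        # Plain "Includes" permits SSI #exec; IncludesNOEXEC does not match \bIncludes\b.
        if re.search(r'^\s*Options\b.*\bIncludes\b', b, re.M):
            findings.append("%s: Options Includes permits SSI #exec; consider IncludesNOEXEC" % p)
    return findings
```

Running `audit_vhost(SAMPLE_CONF)` on the fragment above only reports the SSI #exec note; moving the vhost to port 80 or the AuthUserFile under /var/www/admin adds the corresponding findings.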
Further down in httpd.conf are the paths to the certificates:

    SSLCertificateFile /etc/ssl/server.crt
    (...)
    SSLCertificateKeyFile /etc/ssl/private/server.key
So we create the key (without a passphrase), the certificate request and the certificate:

    $ sudo openssl genrsa -out /etc/ssl/private/server.key 1024
    Generating RSA private key, 1024 bit long modulus
    .................................................................++++++
    ................................++++++
    e is 65537 (0x10001)
    $ sudo openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:fr
    State or Province Name (full name) []:
    Locality Name (eg, city) []:
    Organization Name (eg, company) []:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, fully qualified host name) []:mudrublic.narf.ssji.net
    Email Address []:shtrom-mudrublic@ssji.net

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    $ sudo openssl x509 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
    Signature ok
    subject=/C=fr/CN=mudrublic.narf.ssji.net/emailAddress=shtrom-mudrublic@ssji.net
    Getting Private key
In /etc/rc.conf:

    # use -u to disable chroot, see httpd(8)
    httpd_flags="-DSSL"    # for normal use: "" (or "-DSSL" after reading ssl(8))
/etc/mail/aliases
proxy.{pac,dat}