Greetings, weary tech[no] traveler!
Welcome to Part 2 of Ubuntu 14 and Apache and MoinMoin! Oh my!
Suppose your wiki contains sensitive data and utilizes the user authentication features of MoinMoin. It would be a good idea to secure it from eavesdropping creeps using man-in-the-middle attacks, wouldn't it? We should configure our wiki's Apache config file to use HTTPS, along with SSL certificates, to encrypt all of the traffic to and from our wiki site. That way, anyone who's packet sniffing on your network (or the network your site is hosted from) won't be able to make any sense of what they are recording.
Once you have generated your SSL certificate and private key, move your SSL certificate to /etc/ssl/certs/ and your private key to /etc/ssl/private/:
sudo mv humboldtwiki_example_com_cert.cer /etc/ssl/certs
sudo mv myprivateSSLkey.key /etc/ssl/private
NOTE: NEVER give your private SSL key to anyone. If you give a private key to someone, that someone now has the key to your castle, rendering any encryption useless.
After you have moved your certificate and private key, enable Apache's SSL module:
sudo a2enmod ssl
Next, make sure the directory /etc/ssl/private has the following permissions:
drwx--x--- 2 root ssl-cert 4096 private/
And the contents have permissions and group settings like this:
-rw-r----- 1 root ssl-cert 1704 myprivateSSLkey.key
-rw-r----- 1 root ssl-cert 1704 ssl-cert-snakeoil.key
If the new private key has a different owner, group or permissions (a file moved with sudo mv keeps the owner it had before), change them to match the ones above like this:
sudo chown root:ssl-cert /etc/ssl/private/myprivateSSLkey.key
sudo chmod 640 /etc/ssl/private/myprivateSSLkey.key
As a matter of fact, all of the private keys in this directory should have the same owner, group and permissions described above.
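As an added check for the step above (an example script, not part of the original post): a POSIX shell function that audits a key directory the way the listings describe, 0710 root:ssl-cert for the directory itself and 0640 root:ssl-cert for every file in it. The owner and group are parameters so it can be tried on a scratch directory first; it relies on GNU stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Audit a private-key directory against the layout the tutorial expects:
# the directory drwx--x--- (0710) and every file in it -rw-r----- (0640),
# all owned by root with group ssl-cert. Uses GNU stat (Ubuntu coreutils).
# Usage: check_key_dir DIR [OWNER] [GROUP]
# Prints one line per finding; returns 0 when everything matches, 1 otherwise.
check_key_dir() {
    dir=$1
    want_owner=${2:-root}
    want_group=${3:-ssl-cert}
    rc=0

    # stat prints three space-free fields: octal mode, owner, group
    set -- $(stat -c '%a %U %G' "$dir")
    if [ "$1" != "710" ] || [ "$2" != "$want_owner" ] || [ "$3" != "$want_group" ]; then
        echo "DIR  $dir: mode=$1 owner=$2 group=$3 (want 710 $want_owner $want_group)"
        rc=1
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue     # skips the unexpanded glob of an empty dir
        set -- $(stat -c '%a %U %G' "$f")
        if [ "$1" != "640" ] || [ "$2" != "$want_owner" ] || [ "$3" != "$want_group" ]; then
            echo "FILE $f: mode=$1 owner=$2 group=$3 (want 640 $want_owner $want_group)"
            rc=1
        fi
    done
    return $rc
}

# When run as a script with a directory argument, audit that directory,
# e.g.: sudo sh audit_keys.sh /etc/ssl/private
if [ $# -gt 0 ]; then
    check_key_dir "$@"
fi
```

Run it as root against the real directory, since only root and members of ssl-cert can list /etc/ssl/private.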
Modify the Apache config file for your wiki site (in our case, humboldtwiki.conf) like this:
# create some wsgi daemons - use these parameters for a simple setup
WSGIDaemonProcess moin user=www-data group=www-data processes=5 threads=10 maximum-requests=1000 umask=0007 display-name=wsgi-moin
# use the daemons we defined above to process requests!
WSGIProcessGroup moin

<VirtualHost humboldtwiki.example.com:80>
    ServerName humboldtwiki.example.com
    ServerAdmin webmaster@example.com
    # the trailing slash matters: Redirect appends the requested path to this URL
    Redirect 301 / https://humboldtwiki.example.com/
    CustomLog /var/log/apache2/humboldtwiki-80-access.log combined
    ErrorLog /var/log/apache2/humboldtwiki-80-error.log
</VirtualHost>

<VirtualHost humboldtwiki.example.com:443>
    ServerName humboldtwiki.example.com
    ServerAdmin webmaster@example.com
    WSGIPassAuthorization On
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/humboldtwiki_example_com_cert.cer
    SSLCertificateKeyFile /etc/ssl/private/myprivateSSLkey.key
    DocumentRoot /usr/share/moin/humboldtwiki
    WSGIScriptAlias / /usr/share/moin/humboldtwiki/moin.wsgi
    # Apache 2.4 access control: deny everything, then grant the wiki directory
    <Directory />
        Options FollowSymLinks
        AllowOverride all
        Require all denied
    </Directory>
    <Directory /usr/share/moin/humboldtwiki>
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/log/apache2/humboldtwiki-error.log
    LogLevel warn
    CustomLog /var/log/apache2/humboldtwiki-access.log combined
</VirtualHost>
This Apache config forces all users to connect to the wiki site over HTTPS. Any time a user navigates to the URL http://humboldtwiki.example.com, their web browser is redirected to https://humboldtwiki.example.com.
Now, let's restart Apache so that our changes will take effect:
sudo service apache2 restart
There you have it! You've now protected your wiki site, and your users, from the classic man-in-the-middle attack.