Difference between revisions of "Git, Apache and HTTPS with a free certificate"
Line 58: | Line 58: | ||
==Self signed Certificate== | ==Self signed Certificate== | ||
===How Certificates work=== | ===How Certificates work=== | ||
Here are some videos on how certificates and SSL (TLS) work: | |||
{{#ev:youtube|JCvPnwpWVUQ||center}} | |||
{{#ev:youtube|iQsKdtjwtYI||center}} | |||
{{#ev:youtube|earzZpX-PiY||center}} | |||
Additional info: | |||
* https://en.wikipedia.org/wiki/X.509 | * [https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/ What is the SSL Certificate Chain? - DNSimple Help], explains how the certificate chain works. | ||
* [https://www.symantec.com/connect/blogs/types-ssl-certificates-choose-right-one Types of SSL certificates – choose the right one | Symantec Connect], explains the different certificate types that can be used. | |||
* [https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them], explains different file types for certificates. | |||
* [https://en.wikipedia.org/wiki/X.509 X.509 - Wikipedia], X.509 public key certificate standard. | |||
===How to=== | ===How to=== |
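Review bot: the three video embeds added under "How Certificates work" ({{#ev:youtube|JCvPnwpWVUQ||center}} and the two after it) carry no title or description, unlike the "Additional info" links added just below them, each of which says what it explains. Suggest adding a one-line caption per video so a reader can tell what each one covers and can still find it if the embed does not render.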
Revision as of 19:58, 22 June 2017
Prerequisites
- Ubuntu CLI understanding
- Git knowledge
- Ubuntu, this was tested using Ubuntu 16
- Apache 2
Git using Apache
This is a basic setup to allow Git on a server to be accessible via HTTP (no HTTPS yet, read further).
- Install Apache
sudo apt-get install apache2 apache2-utils
- Enable necessary modules
sudo a2enmod cgi alias env
- (Optional) Add user(s) to the htpasswd file. This step can be skipped if the setup will only serve repositories anonymously (pull/fetch). It is required if you want to push, or if you want to require a user/password combination even to obtain a repository (see next step).
# Create file and add a user
# -c = create file
# The file is stored in /git/, the git repository for this specific setup
htpasswd -c /git/.htpasswd [user name]
# This will ask for a password
# Add a user to the file
htpasswd /git/.htpasswd [user name]
- To allow a Git repository to be obtained over HTTP, add the following to apache2.conf
# Path to the Git directory (inside the OS)
SetEnv GIT_PROJECT_ROOT /git
# Allows all projects to be served
# If commented out, each repository served via Apache must contain a file named git-daemon-export-ok
SetEnv GIT_HTTP_EXPORT_ALL
# Defines the URL path where git is located, as seen via http
# First param is the URL path, second is the OS path to git-http-backend; don't forget the last slash
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
# Access configuration
<Files "git-http-backend">
    # Enable Basic HTTP Authentication
    AuthType Basic
    AuthName "Git Access"
    AuthUserFile /git/.htpasswd
    # The following line allows a repository to be obtained (pull/fetch) without a user/pass combo
    # Comment it out if user/pass are needed to obtain info as well
    Require expr !(%{QUERY_STRING} -strmatch '*service=git-receive-pack*' || %{REQUEST_URI} =~ m#/git-receive-pack$#)
    Require valid-user
    # END Enable Basic HTTP Authentication
</Files>
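To see which requests the Require expr line above lets through without credentials, the following added example (not part of the original page) re-implements its two tests in shell and applies them to the four request shapes of a fetch and a push. The repository name demo.git and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): mirrors the page's
#   Require expr !(%{QUERY_STRING} -strmatch '*service=git-receive-pack*'
#                  || %{REQUEST_URI} =~ m#/git-receive-pack$#)
# to show which Git smart-HTTP requests pass without credentials.

# access_for QUERY_STRING REQUEST_URI
# Prints "anonymous" if the expression grants access on its own,
# "auth-required" if the request falls through to "Require valid-user".
access_for() {
    query=$1
    uri=$2
    # First half of the expression: glob match on the query string.
    case $query in
        *service=git-receive-pack*) echo "auth-required"; return ;;
    esac
    # Second half: request path ends in /git-receive-pack.
    case $uri in
        */git-receive-pack) echo "auth-required"; return ;;
    esac
    echo "anonymous"
}

# Constructed sample requests for a hypothetical repository "demo.git".
# Fields: label | query string | request path
classify_samples() {
    while IFS='|' read -r label query uri; do
        printf '%-24s %s\n' "$label" "$(access_for "$query" "$uri")"
    done <<'EOF'
fetch: ref discovery|service=git-upload-pack|/git/demo.git/info/refs
fetch: pack transfer||/git/demo.git/git-upload-pack
push: ref discovery|service=git-receive-pack|/git/demo.git/info/refs
push: pack transfer||/git/demo.git/git-receive-pack
EOF
}

classify_samples
```

With the Require expr line commented out, as the configuration comment suggests for private repositories, only Require valid-user remains and all four requests need a user/pass combo.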
Additional info:
- Git - Smart HTTP
- Git - git-http-backend Documentation
- For more info on htpasswd, read the docs.
Self signed Certificate
How Certificates work
Here are some videos on how certificates and SSL (TLS) work:
Additional info:
- What is the SSL Certificate Chain? - DNSimple Help, explains how the certificate chain works.
- Types of SSL certificates – choose the right one | Symantec Connect, explains the different certificate types that can be used.
- DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them, explains different file types for certificates.
- X.509 - Wikipedia, X.509 public key certificate standard.
How to
How to create a Root Certificate authority and child certificates:
- (Very good) https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
- (nice) https://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
- (video from above) https://www.youtube.com/watch?v=zwnEmLx2LRs
- https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
Other sites:
- (Basic steps, not too clear) https://devcenter.heroku.com/articles/ssl-certificate-self
- (Good but not everything useful) https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
- https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
Adding the certificate to Apache
- https://www.youtube.com/watch?v=YR6-6XUC3sY
- https://www.youtube.com/watch?v=m06TttS2ZAM
- https://www.maketecheasier.com/apache-server-ssl-support/
- https://www.digicert.com/ssl-certificate-installation-apache.htm
Ensuring the right protocol:
- https://askubuntu.com/questions/643037/how-to-enable-tls-1-2-in-apache
- https://tecadmin.net/enable-tls-in-modssl-and-apache/
- https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache
Other links:
Configuring Git to use the self signed certificate
- https://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate
- https://stackoverflow.com/questions/23807313/adding-self-signed-ssl-certificate-without-disabling-authority-signed-ones
More sites:
Client based authentication using certificates in Apache
Used links:
- http://wiki.cacert.org/ApacheServerClientCertificateAuthentication
- https://stackoverflow.com/a/24543642/1071459
- http://stuff-things.net/2015/09/28/configuring-apache-for-ssl-client-certificate-authentication/
Other links:
- http://pages.cs.wisc.edu/~zmiller/ca-howto/
- https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcacertificatefile