Setting up Apache HTTP Server with SSL support on Ubuntu/Debian


I need to set up a server to host our subversion in a secured fashion and to make it available on the Web. Therefore, I first install the Apache HTTP Server (httpd) and configure it to allow for SSL connections only.

If there are mistakes in this post, please comment. I’m eager to improve it and learn.

It took me quite some time to find some proper documentation on how to configure Apache2 on Ubuntu/Debian. I came across that interesting page on the Apache Web site that pointed me to a README file: /usr/share/doc/apache2/README.Debian.gz that contains information on how to configure Apache2 on Debian.

Step 1: Install the Apache2 package

There is an Apache httpd package readily available for aptitude under the name apache2. To install it, run the following command from the terminal.

$ sudo apt-get install apache2

To test that the package was properly installed, open the following address in your browser: http://yourhostname. If the installation was successful, the browser shall display the following:

It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

Step 2: Configure httpd to support SSL

The module mod_ssl (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html) provides SSL/TLS support to httpd. It is available in the httpd installation as a part of the apache2-common package.

On Ubuntu/Debian, use the following commands to enable SSL

$ sudo a2ensite default-ssl

That yields

Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload

$ sudo a2enmod ssl

That yields

Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart

As written, let’s restart Apache2 to apply the changes with the following command:

$ sudo service apache2 restart

That command yields the following outcome:

* Restarting web server apache2 … waiting

and restart httpd:

$ sudo /etc/init.d/apache2 restart

Which yields again:

* Restarting web server apache2 … waiting

To test that the module was properly installed, open the following address in your browser: https://yourhostname. The first time you access the page, the browser will warn you that the certificate of the site is not trusted. You can proceed and you will get to the same page as before:

It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

Step 3: Generate a self-signed certificate

To use a self-signed certificate, the package ssl-cert must be installed, which it was on my install.

I wanted to configure my own self-signed certificate for the server and to store it in /etc/apache2/ssl. To do so, run the following command from the terminal:

$ sudo mkdir /etc/apache2/ssl
$ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.crt

The command prompts you to enter the hostname to use in the certificate. Once done, you can now see that there is a new file in the /etc/apache2/ssl directory:

drwxr-xr-x 2 root root 4096 2011-12-16 14:40 ./
drwxr-xr-x 8 root root 4096 2011-12-16 14:12 ../
lrwxrwxrwx 1 root root 10 2011-12-16 14:40 a9630d61 -> apache.crt
-rw------- 1 root root 2685 2011-12-16 14:40 apache.crt

That last command will have generated an apache.crt file that contains both the certificate and the key. Let’s now separate that file into two files:

  • apache.pem to store the certificate
  • apache.key to store the key

I will simply copy the original apache.crt file twice, one with each name and edit each file.

$ cd /etc/apache2/ssl
$ sudo cp apache.crt apache.pem
$ sudo cp apache.crt apache.key

The apache.pem file must contain everything from the beginning line to the ending line of the certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The apache.key file must contain everything from the beginning line to the ending line of the key

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
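
The manual split described above can also be scripted, which avoids leaving a stray copy of the key inside apache.pem. This is an added example, not part of the original post; split_pem and check_pair are hypothetical helper names, and check_pair assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: split the combined file written by make-ssl-cert into
# apache.pem (certificate) and apache.key (private key) without hand editing.
# split_pem and check_pair are hypothetical helper names.

split_pem() {
    combined=$1   # e.g. /etc/apache2/ssl/apache.crt
    outdir=$2     # e.g. /etc/apache2/ssl
    [ -r "$combined" ] || { echo "cannot read $combined" >&2; return 1; }

    # Create new files owner-only from the start, so the key is never
    # readable by other users, not even briefly.
    old_umask=$(umask)
    umask 077

    # Keep only the lines from the BEGIN marker to the END marker.
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }' \
        "$combined" > "$outdir/apache.pem"

    # Accept "PRIVATE KEY" (as above) and the older "RSA PRIVATE KEY".
    awk '/^-----BEGIN (RSA )?PRIVATE KEY-----$/ { p = 1 }
         p { print }
         /^-----END (RSA )?PRIVATE KEY-----$/ { p = 0 }' \
        "$combined" > "$outdir/apache.key"

    umask "$old_umask"
    # umask does not affect files that already existed, so set the mode too.
    chmod 600 "$outdir/apache.key"

    # Fail loudly if either block was missing from the input.
    if [ ! -s "$outdir/apache.pem" ] || [ ! -s "$outdir/apache.key" ]; then
        echo "certificate or key block not found in $combined" >&2
        return 1
    fi
}

# Confirm the key belongs to the certificate by comparing public keys.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage, as root:
#   split_pem /etc/apache2/ssl/apache.crt /etc/apache2/ssl &&
#   check_pair /etc/apache2/ssl/apache.pem /etc/apache2/ssl/apache.key
```

Once both files are in place and verified, the combined apache.crt is no longer needed by the configuration in the next step.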

Step 4: Configure httpd to use the certificate

Now, I have to configure httpd to use my new certificate. To do so, I edit the configuration with nano

$ sudo nano /etc/apache2/sites-enabled/default-ssl

We have to update the following two lines

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

with the following two lines

SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

The private key shall only be readable by root:

$ sudo chmod 600 /etc/apache2/ssl/apache.key

Let’s now restart Apache2

$ sudo /etc/init.d/apache2 restart

Step 5: Disable the HTTP port

On Ubuntu/Debian, the enabled ports are defined in /etc/apache2/ports.conf. As I want to disable the HTTP listener, I simply disable that port in that file by commenting out the following two lines:

#NameVirtualHost *:80
#Listen 80

Final test

To check that everything works fine, let’s try to access the page at http://localhost with curl

$ curl http://localhost
curl: (7) couldn’t connect to host

Let’s now try to access the page at https://localhost with curl -k. The -k option tells curl to skip certificate verification, which allows the connection even though the self-signed certificate cannot be verified.

$ curl -k https://localhost
<h1>It works!</h1>
This is the default web page for this server.

The web server software is running but no content has been added, yet.


That’s it.

Finding out the IP address of my Linux


The ifconfig command provides the network interface parameters of the system.

This is an example of the outcome:

$ ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:6d:41:8d
inet addr:129.181.228.101 Bcast:129.181.231.255 Mask:255.255.252.0
inet6 addr: fe80::a00:27ff:fe6d:418d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22801 errors:0 dropped:0 overruns:0 frame:0
TX packets:2066 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5235502 (5.2 MB) TX bytes:214719 (214.7 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

If I want to just know my IP address, I can simply run the following command from the terminal:

$ ifconfig | grep 'inet addr'
          inet addr:129.181.228.101  Bcast:129.181.231.255  Mask:255.255.252.0
          inet addr:127.0.0.1  Mask:255.0.0.0

If I just want to know my IPv6 address, I can run the following command from the terminal:

$ ifconfig | grep 'inet6 addr'
          inet6 addr: fe80::a00:27ff:fe6d:418d/64 Scope:Link
          inet6 addr: ::1/128 Scope:Host

Installing Oracle SQL Developer on Ubuntu


Update: As I switched to Linux Mint, I ran into a permission problem. To have it working, follow the procedure available at http://community.linuxmint.com/tutorial/view/938, which provides additional steps.


On my current project, we use Oracle database. The best free tool I have found so far to work with the database as a Java developer is Oracle SQL Developer.

Oracle does not provide a package for Debian-based distros. I tried to run the tool from the generic archive but it failed to run because it seems to be aiming at another environment with respect to the Swing look and feel that it failed to load. After some googling, I found that there is a package (sqldeveloper-package) to make a package out of the archive to make it installable as such.

Here is how to use it.

Download Oracle SQL Developer

As the download requires that one have an Oracle account, I download it from the browser at the following address: http://www.oracle.com/technetwork/developer-tools/sql-developer/sqldev-ea-download-486950.html

Install Java

See my post Install Sun JDK 6 on Ubuntu 11.10

Install the sqldeveloper-package and its dependencies

$ sudo apt-get install sqldeveloper-package debhelper

Install dos2unix

$ sudo apt-get install tofrodos

It is necessary to create the following symlinks for the tool to work:

$ sudo ln -s fromdos dos2unix
$ sudo ln -s todos unix2dos

Make the deb package

It seems that the -b switch can be used to indicate where to generate the .deb but it does not seem to work (Or I did not spend enough time trying to get it to work). The tool will generate the .deb in the working directory.

$ cd ~/Downloads
$ make-sqldeveloper-package ~/Downloads/sqldeveloper-3.1.06.44-no-jre.zip

Install the package

$ sudo dpkg -i sqldeveloper_3.1.06.44+0.2.3-1_all.deb

The tool is now available in Applications->Programming->Sql Developer

Install Sun JDK 6 on Ubuntu 11.10


Update 2011-12-20: Following up on comments on the post, I added a section on how to configure the Java Browser Plugin in manual installation.

Update 2011-11-25: I added the information regarding the configuration of the JDK as in my previous post Configuring Java on Kubuntu 10.10.


Since Ubuntu 11.10, there is no longer an official package for the Sun/Oracle JDK. The package sun-java6-jdk is no longer officially available.

Method 1: Install a package provided by a PPA

There is a PPA (Personal Package Archives) made available by Roberto Ferramosca. To add this PPA, run the following command from the command line:

    $ sudo add-apt-repository ppa:ferramroberto/java
    $ sudo apt-get update

You can now install the JDK with the following command:

    $ sudo apt-get install sun-java6-jdk

If you’d like to install the JRE or the Java Plugin along with the JDK, use the following:

    $ sudo apt-get install sun-java6-jdk sun-java6-jre sun-java6-plugin sun-java6-fonts

You must now set the Sun JDK as the default. You can see how to achieve this in a previous post Configuring Java on Kubuntu 10.10.

The benefit of this method is that the JDK will be updated when a newer version of the package is made available.

Method 2: Installing the JDK manually

This method consists of downloading the adequate JDK from the Oracle Web site. The file is a bin file, e.g. jdk-6u29-linux-x64.bin

The first step is to create a temporary folder where we’ll download the file.

    $ mkdir -p ~/tmp/jdk-6u29
    $ cd ~/tmp/jdk-6u29

Once downloaded, make the file executable and run it.

    $ chmod +x jdk-6u29-linux-x64.bin
    $ ./jdk-6u29-linux-x64.bin

Now copy the file to the preferred target location, e.g. ~/dev/jdk

    $ mkdir -p ~/dev/jdk
    $ cd ..
    $ mv jdk-6u29 ~/dev/jdk/

Let’s now create a symbolic link so that we can easily update with newer versions in the future.

    $ cd ~/dev/jdk
    $ ln -s jdk-6u29 jdk-6

The next step is to add to the ~/.bashrc the path to our JDK binary files.

    # Use the symbolic link ($HOME rather than ~, which is not expanded inside double quotes)
    export JAVA_HOME="$HOME/dev/jdk/jdk-6"
    export PATH=$PATH:$JAVA_HOME/bin

That’s it.

The benefit of this method is that one can install any version of the JDK (6 or 7). The downside is that one must manually upgrade the JDK.

Manually configuring the browser plugin

To configure the plugin, you need the JRE that comes with the JDK. If you installed the JDK in $JAVA_HOME, the JRE is located in $JAVA_HOME/jre.

Based on some documentation that I found on Oracle Web Site, the solution is simply to create symlinks to the plugin. The plugin can be found in

  • $JAVA_HOME/jre/lib/amd64/libnpjp2.so for 64bit machines
  • $JAVA_HOME/jre/lib/i386/libnpjp2.so for 32bit machines

You can go to http://javatester.org/version.html to check that the plugin works fine.

Configuring the plugin for Firefox

Create a symlink to the plugin

$ sudo ln -s $JAVA_HOME/jre/lib/amd64/libnpjp2.so /usr/lib/firefox-addons/plugins/libnpjp2.so

This shall do the trick.

Configuring the plugin for Chromium

Create a symlink to the plugin

$ sudo ln -s $JAVA_HOME/jre/lib/amd64/libnpjp2.so /usr/lib/chromium-browser/plugins/libnpjp2.so

With Chromium, it is necessary to enable plugins. You can just launch it from the command line once to enable the plugins with the following command

$ chromium-browser --enable-plugins %U

If you now navigate to chrome://plugins/, you shall see something like:

Java – Version: 1.6.0.30
The next generation Java plug-in for Mozilla browsers.
Disable

Activating a default Maven profile defined in settings.xml with other profiles in the pom.xml


In Apache Maven, there are different places to configure profiles:

  • The project pom.xml
  • The user’s settings.xml
  • The installation’s settings.xml

I wanted every developer to be able to customise the build properties independently of the pom.xml. It is a very bad practice to have everyone modifying the pom.xml locally. One would also argue that it is a very bad practice to have developers customise build properties. That’s a debate for another time 🙂

The profiles that we have are:

  • Development (default)
  • Jenkins (continuous integration)
  • Test
  • Acceptance
  • Production

The profiles define the target environment for the build.

At first, I tried to define a profile as activeByDefault in the settings.xml file while setting the other profiles in the pom.xml not active by default. That did not work at all because in this case the profile defined in the settings.xml is active at any time and overrides other profiles.

The solution that I found was to use a property to activate a profile. The profile defined in the settings.xml is the Development profile. It would be activated by the absence of such a property. Indeed, it would be boring to have to specify a property for most of the builds.

The settings.xml looks like this:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
	  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
			      http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <profiles>
    <profile>
      <id>Development</id>
      <activation>
	<property>
	  <name>!env</name><!-- The exclamation mark indicates that the property shall be absent -->
	</property>
      </activation>
      <properties>
	<target.environment>Development</target.environment>
	...
      </properties>
    </profile>
  </profiles>
</settings>

When using the Maven command mvn help:active-profiles, it yields:

The following profiles are active:

 - Development (source: settings.xml)

The development profile is active if the property env is not set using the Maven command line parameter -Denv=xxx.

All the other profiles are defined in the pom.xml:

...
  <profiles>
    <profile>
      <id>Jenkins</id>
      <activation>
	<property>
	  <name>env</name>
	  <value>Jenkins</value> <!-- This is the value for that property that will activate the profile -->
	</property>
      </activation>
      <properties>
	<target.environment>ContinuousIntegration</target.environment>
	...
      </properties>
    </profile>
    <profile>
      <id>Test</id>
      <activation>
	<property>
	  <name>env</name>
	  <value>Test</value>
	</property>
      </activation>
      <properties>
	<target.environment>Test</target.environment>
	...
      </properties>
    </profile>
    <profile>
      <id>Acceptance</id>
      <activation>
	<property>
	  <name>env</name>
	  <value>Acceptance</value>
	</property>
      </activation>
      <properties>
	<target.environment>Acceptance</target.environment>
	...
      </properties>
    </profile>
    <profile>
      <id>Production</id>
      <activation>
	<property>
	  <name>env</name>
	  <value>Production</value>
	</property>
      </activation>
      <properties>
	<target.environment>Production</target.environment>
	...
      </properties>
    </profile>
...

To activate any profile from the pom.xml instead of the Development profile, we just have to pass the env property to the command line. For example:

$ mvn -Denv=Test help:active-profiles

The command above yields the following result:

The following profiles are active:

 - Test (source: pom)

Considerations on configuring my GitHub account on a new Ubuntu install


I changed laptops and I needed to reconfigure my GitHub account.

At first, I wanted to reuse the SSH key that I used on my other computer, which works fine. Afterwards, I changed my mind as it is actually less hassle to generate a new key and to add it to my GitHub account. Once the new laptop was configured, I could remove the former key.

In any case, I first needed to install an SSH client in order to follow the setup guide from GitHub. I installed OpenSSH with the following command:

$ sudo apt-get install openssh-client

Then I could follow the procedure to generate a new key pair and configure my account.

If I had wanted to reuse my existing key and passphrase, I could have copied the following two files from my current computer to the ~/.ssh folder of the target computer.

  • ~/.ssh/id_rsa
  • ~/.ssh/id_rsa.pub

Using resource bundle keys containing dots in a facelet


In order to put some order into our resource bundle with JSF, I wanted to use dots to structure the keys to make them more meaningful. I wanted to use a structure like ScreenName.title=value

We used to use the keys this way

<h:outputText value="#{bundle.title}" />

When I tried to use

<h:outputText value="#{bundle.screen.title}" />

I got an error because JSF interpreted bundle.screen.title as an expression and title was not a method of the String class. To be able to use the dots, I had to change the way to get values from the bundle as follows:

<h:outputText value="#{bundle['screen.title']}" />

Ignoring Eclipse and Maven files and Folders with Git


The file .gitignore tells Git which files to ignore at commit time. The ignore file itself shall be added and committed to the repository.

Add the following lines to .gitignore in order to ignore Eclipse project files and folders:

.classpath
.project
.settings/

Add the following line to ignore Maven target folder:

target

Removing the overlay scrollbar in Ubuntu 11.04


The overlay scrollbar in Ubuntu 11.04 that is not always visible and not very usable either really bugs me. Here is how to get rid of it, the hard way:

$ sudo apt-get remove overlay-scrollbar liboverlay-scrollbar-0.1-0

Bash-Fu: Replacing text in multiple files with one Perl command


When I posted Bash-Fu: Replacing text in multiple files in one line, I knew that there would be a simpler way to achieve that. Thanks to my former colleague Ben, here is an even simpler way that uses a perl command.

$ perl -p -i -e 's/0\.6-SNAPSHOT/0.7-SNAPSHOT/g' `find ./ -name pom.xml`

This command replaces the occurrences of 0.6-SNAPSHOT with 0.7-SNAPSHOT in all the pom.xml files in the current directory and sub-directories. The dot in the search pattern is escaped so that it matches only a literal dot. It is the usage of the find command that provides the list of files to process to the perl command.

Pay attention to the ` characters that surround the find command. These are not quotes but backticks (grave accents).
