installing proper SSL on apache

You are looking for A-Z instructions. What i am doing here is to show you how to install a godaddy or starfield certificate on a website served by apache on a debian system. If you want the instructions to issue the certificate yourself (self signed certificate), i have covered that in another post. Here i will also explain what each step does, so that you can adapt it to the system of your choice.

Note that you need a dedicated IP address for every website / certificate.
I have apache already installed on debian squeeze and running a website with no SSL

1- Before we begin, you may want to execute

apt-get update

2- Install openSSL, on debian this is done with

apt-get install openssl ssl-cert

3- Create a directory for the keys

mkdir /etc/apache2/sslkeys

4- Creating a PRIVATE key (Give to no one)

Before executing this command:
You will be asked to choose a password and enter it twice. Please keep this password on a paper close to you, since we will need it to decrypt this key in the following steps; the password is important during this process and no longer important after that.

openssl genrsa -des3 -out /etc/apache2/sslkeys/server.key 2048

5- Create a signing request to give to godaddy or starfieldtech
Before executing this command, remember that of the questions you will face, the only one that is TECHNICALLY IMPORTANT is the common name: it has to be the host name the certificate is for (the www name, unless it is a subdomain other than www that you want to use). All other fields you should answer as you would like them to appear to people, but the certificate will not work with an incorrect common name.

openssl req -new -key /etc/apache2/sslkeys/server.key -out /etc/apache2/sslkeys/server.csr

NOTE: we could have created a signing request and a private key in one go with

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

But we chose not to do that, because this tutorial aims to show you the exact steps and what each of them does.

6- Now we have a signing request; all we need to do is give it to the issuing authority so that they can give us back the signed certificate (our public key, signed by them).

UPDATE: Done with the “already present in a current certificate” problem after 4 days of talking to godaddy.

Now, i can generate my new certificate, but i waited for 4 days that i could have done without; i could have gotten it on the first day. The 72 hours written in the manual is probably the MAXIMUM after revoking a certificate, not after canceling it.

Problem: apache will not start without the pass phrase. This also means that rebooting the machine will leave it hanging while apache waits for a user to type the password, so we need to decrypt the private key.
Please note that this does not make your connection less secure, but in the event that someone gets hold of the key file (which you should protect, encrypted or not), they can defeat SSL security.

root@someserver:~#/etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting Apache/2.2.16 mod_ssl/2.2.16 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Anyway, now we should come back to how to remove the pass phrase from the private key

Assuming that your RSA key is stored in the file
To decrypt the file, so that apache does not require a password with every restart:
1- copy the key file:

cp /etc/apache2/sslkeys/server.key /etc/apache2/sslkeys/server.enc.key

Now, decrypt the key (read from the backup file) into the key file in our config

openssl rsa -in /etc/apache2/sslkeys/server.enc.key -out /etc/apache2/sslkeys/server.key

Now the encrypted key is in the server.enc.key just in case you need it, and the key used by apache is NOT encrypted and is in server.key file (That apache already uses)
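The steps above as a script, added here as an example that is not part of the original post: it repeats steps 4 and 5 and the pass phrase removal in a scratch directory and then checks what you would check before pointing apache at the files (the CSR carries the right common name, the backup key is still encrypted, the key apache loads is not, and key and CSR match). It needs openssl on the PATH; the host name, pass phrase and organisation are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: repeats steps 4 and 5 and the
# pass-phrase removal in a scratch directory, then checks the results the way
# you would before pointing Apache at them. Needs openssl on PATH. The host
# name, pass phrase and organisation below are constructed for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CN="www.example.com"            # constructed: must equal the site's host name
PASS="demo-passphrase"          # constructed: only needed until the key is decrypted

# Common Name recorded in a CSR (the one field that must be right).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
# True when a PEM key file is still pass-phrase protected.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}
# True when key $1 and CSR $2 carry the same public key (a mismatch means the
# certificate you get back will never work with this key).
same_pubkey() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Step 4: encrypted private key; the pass phrase is fed in instead of typed.
openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null
# Step 5: signing request; -subj answers the questions non-interactively.
openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
    -subj "/C=US/O=Example Org/CN=$CN" -out "$WORK/server.csr"
# Keep the encrypted copy, then write the pass-phrase-free key Apache will load.
cp "$WORK/server.key" "$WORK/server.enc.key"
openssl rsa -in "$WORK/server.enc.key" -passin "pass:$PASS" -out "$WORK/server.key" 2>/dev/null
chmod 600 "$WORK/server.key" "$WORK/server.enc.key"   # root-only, encrypted or not

echo "CSR common name: $(csr_cn "$WORK/server.csr")"
key_is_encrypted "$WORK/server.enc.key" && echo "server.enc.key: encrypted backup kept"
key_is_encrypted "$WORK/server.key" || echo "server.key: no pass phrase, apache can start unattended"
same_pubkey "$WORK/server.key" "$WORK/server.csr" && echo "key and CSR match"
```

The same three checks work on the real files under /etc/apache2/sslkeys once the signed certificate is back; swap the CSR for the certificate and `openssl req` for `openssl x509` in same_pubkey.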

PHP execution speed et al

There are many tools that precompile PHP to make it run faster. Up to now, my favorite is APC, which also serves as a very fast value cache (for persistence between requests), a value cache much faster than memcached (but, unlike memcached, not distributed).

For some time, i have been optimizing further by asking APC to never check whether the file was modified on disk, and whenever my software is modified i manually clear the APC cache so that the whole script is compiled all over again (I say compiled loosely speaking; in reality, it is simply turned into bytecode).

In any case, when you have a server with plenty of ram, it would be convenient if the PHP engine could read the file in bytecode form directly and skip the compile step for precompiled files; from the way the linux kernel works, those files would be cached from disk into ram anyway (when a file is read or written, linux keeps a cache of it in ram).

So, bcompiler should be a good extension to PHP that fits such criteria, and is probably going to be my new way of running my scripts.

Also, bcompiler hides my source code, but i am not interested in that to protect my intellectual property. Usually i am not very concerned about my intellectual property, because it takes a very good programmer to understand a program and take things from it, and if the person is such a programmer, well, he can also write his own, and with the help of google he can arrive at something like what i am doing. So, to make a long story short, i am interested in hiding my source code for application security reasons, or "security through obscurity" as Microsoft would put it.

Checking if SSD trim is working (discard)

Note that if your kernel is older than 2.6.33 you can run the check, but trim won’t be working!

In case you don’t want to update your kernel and you just want to trim your disk, try or fstrim; both are command line tools that you can run manually or put in a cron job. If you do want to update your kernel, here is how on debian squeeze.

So for example, if you are on debian 6 squeeze, you need to get a kernel from the backports: add the line “deb squeeze-backports main” to your /etc/apt/sources.list, then apt-get update, then apt-get -t squeeze-backports install linux-image-3.2.0-0.bpo.2-amd64 to get the new kernel. It will then work.

I assume you already have an ext4 file system with discard option in fstab as described on this website

Also note: many modern SSDs will not reclaim the TRIMmed space right away. So if, using the test below, you see zeros, discard (trim) is working 100%; if you don’t, it may or may not be working… but if you wait for a significant amount of time, then reboot, the zeros should appear in that exact location even if the disk does not reclaim instantly… happy trimming, now to the procedure.

Now, write a file to the ssd (random numbers)
dd if=/dev/urandom of=/hds/ssd300/myfile.bin bs=1M count=3

Find the location where the file begins
hdparm --fibmap /hds/ssd300/myfile.bin

Now, take note of the start address and use it in this command, replacing xxxxxx

hdparm --read-sector xxxxxx /dev/sdb
You should see random numbers

Delete the file
rm /hds/ssd300/myfile.bin
Sync with the command
sync

Wait for 2 minutes
then issue the same command to read again
hdparm --read-sector xxxxxx /dev/sdb
You should now see all zeros; if you do not, the disk has not been trimmed 🙂
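The same check as a script, added here as an example that is not part of the original post. first_lba() and sector_is_zero() parse the hdparm --fibmap and --read-sector output and are exercised on constructed sample output below; check_trim() runs the whole procedure (write, sync, delete, sync, wait, read back) and needs root, hdparm and a mounted ext4 SSD. /dev/sdb and the file path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the trim check above as a script.
# first_lba() and sector_is_zero() parse hdparm output and are tried here on
# constructed sample output; check_trim() runs the real procedure and needs
# root, hdparm and a mounted ext4 SSD. /dev/sdb and the file path are placeholders.
set -eu

# begin_LBA of the first extent in `hdparm --fibmap FILE` output.
first_lba() {
    awk '$1 ~ /^[0-9]+$/ && NF == 4 { print $2; exit }'
}

# Succeeds only when a `hdparm --read-sector` dump has hex rows and every
# word in them is 0000; header lines are skipped, a dump with no rows fails.
sector_is_zero() {
    awk '$1 ~ /^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]$/ {
             seen = 1; for (i = 1; i <= NF; i++) if ($i != "0000") bad = 1
         }
         END { exit (seen && !bad) ? 0 : 1 }'
}

# The post's procedure end to end.  usage: check_trim /dev/sdX /mount/testfile
check_trim() {
    dd if=/dev/urandom of="$2" bs=1M count=3 2>/dev/null && sync
    lba=$(hdparm --fibmap "$2" | first_lba)
    rm -f "$2" && sync && sleep 120
    if hdparm --read-sector "$lba" "$1" | sector_is_zero; then
        echo "LBA $lba reads as zeros: discard is working"
    else
        echo "LBA $lba still holds data: not trimmed (yet)"; return 1
    fi
}

# Constructed samples in the layout hdparm prints (one 16-word row per line).
SAMPLE_FIBMAP='/hds/ssd300/myfile.bin:
 filesystem blocksize 4096, begins at LBA 2048; assuming 512 byte sectors.
 byte_offset  begin_LBA    end_LBA    sectors
           0   34295808   34301951       6144'
SAMPLE_ZERO='/dev/sdb:
reading sector 34295808: succeeded
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000'
SAMPLE_DATA='/dev/sdb:
reading sector 34295808: succeeded
9f3a 0000 77c1 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000'

echo "sample file starts at LBA $(printf '%s\n' "$SAMPLE_FIBMAP" | first_lba)"
```

A "not trimmed (yet)" result is not a verdict on its own, for the reason given above: rerun check_trim after a longer wait and a reboot before concluding discard is broken.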

SSD trim command on linux

I am writing this because the stuff you need is not in one place elsewhere. This is what you really need to know, and i want to keep it very short; if you like, you can read more elsewhere, this one will only share what you really should know.

1- Do i need trim?
For reading, NO. So if you write once and read 102112913 times, you are good without trimming anything. Without trimming, disk writes are slow; reading is absolutely not affected by trim.

2- What is the difference between the ext4 discard option and running fstrim myself manually every once in a while, or even putting it in a cron job?
On ext4 with discard enabled, blocks are trimmed (erased) whenever they are no longer in use by the file system, meaning that when data is deleted from a block, the physical flash memory is erased right after the deletion, so your disk remains trimmed all the time. The overhead is not much, because the OS already knows which block it just freed, so it does no more math; it simply issues a second command to trim. When you run fstrim, fstrim reads the whole file system, and whenever it finds an empty spot, it trims it (hardware erase).

3- I forgot to enable discard. Do i just enable it and all is good, is that safe?
Yes, it is safe. Enable it, then manually run fstrim only once, or you can wait, and eventually all spots will be trimmed after they get written to and erased again.

Ext4 (the new linux file system) supports TRIM when you mount the disk with the discard option. You can use tools to trim ext2 or ext3, but it won’t be automatic or as efficient.

1- But i want ext2 because i don’t want journaling
ext2 is in fact ext3 without the journal. In ext4 you can remove the journal as well with no problems at all; there are no consequences, ext4 was designed to run with or without journaling.

2- How do i format the disk in ext4 and enable trim?
For instructions on creating ext4 partitions, see here. As for the mounting, the line should have an extra option called discard, and it should look something like this in your /etc/fstab

UUID=b7a491b1-a690-468f-882f-fbb4ac0a3b53       /hds/3tb            ext4     defaults,noatime,discard                0       1

You should be done, there is nothing more to do
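To find the ext4 entries in an fstab that were mounted without discard (the ones that will not trim by themselves), here is a small check, added as an example that is not part of the original post. The sample fstab is constructed; apart from the line taken from the post, the UUIDs and mount points are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: report ext4 entries in an fstab
# that are mounted without discard, i.e. the ones that will not trim by
# themselves. The sample fstab is constructed; apart from the line from the
# post, the UUIDs and mount points are placeholders.
set -eu

# Print "mountpoint options" for each ext4 entry whose option list lacks
# discard. Comment lines are skipped; fstab fields are: spec mountpoint type options ...
ext4_without_discard() {
    awk '$1 !~ /^#/ && NF >= 4 && $3 == "ext4" {
             n = split($4, opts, ","); found = 0
             for (i = 1; i <= n; i++) if (opts[i] == "discard") found = 1
             if (!found) print $2, $4
         }'
}

SAMPLE_FSTAB='# /etc/fstab (constructed sample)
UUID=b7a491b1-a690-468f-882f-fbb4ac0a3b53  /hds/3tb      ext4  defaults,noatime,discard  0  1
UUID=00000000-0000-0000-0000-000000000001  /hds/ssd300   ext4  defaults,noatime          0  2
UUID=00000000-0000-0000-0000-000000000002  /hds/olddisk  ext2  defaults                  0  2
proc                                       /proc         proc  defaults                  0  0'

# On a live system: ext4_without_discard < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | ext4_without_discard
```

Only the /hds/ssd300 line is reported: the ext2 entry is left alone because, as said above, discard only applies to ext4 mounts.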

3- I am stuck with ext2 and i don’t want to move, reformat and then move back again
Before that, do you know that you can convert the drive to ext4?

4- I don’t want to convert anything to anything, i just want to manually trim
That’s easy, use the command
fstrim /hds/myssddisk

and you are done. But mind you, on anything but ext4, this will trim the whole unused space, trimmed or not trimmed.