Browse Source

Merge pull request #2036 from silke/docs

Docs
tags/3.4.3
Tobias Diekershoff 5 years ago
parent
commit
4126f9ab51
1 changed files with 73 additions and 135 deletions
  1. +73
    -135
      doc/SSL.md

+ 73
- 135
doc/SSL.md View File

@@ -3,166 +3,104 @@ Using SSL with Friendica

* [Home](help)

If you are running your own Friendica site, you may want to use SSL (https) to encrypt communication between yourself and your server (communication between servers is encrypted anyway).
Disclaimer
---
**This document has been updated in November 2015.
SSL encryption is relevant for security.
This means that recommended settings change fast.
Keep your setup up to date and do not rely on this document being updated as fast as technologies change!**

To do that on a domain of your own, you have to obtain a certificate from a trusted organization (so-called self-signed certificates that are popular among geeks don’t work very well with Friendica, because they can cause disturbances in other people's browsers).
Intro
---
If you are running your own Friendica site, you may want to use SSL (https) to encrypt communication between servers and between yourself and your server.

If you are reading this document before actually installing Friendica, you might want to consider a very simple option: Go for a shared hosting account without your own domain name. That way, your address will be something like yourname.yourprovidersname.com, which isn't very fancy compared to yourname.com. But it will still be your very own site, and you will usually be able to hitch a lift on your provider's SSL certificate. That means that you won't need to configure SSL at all - it will simply work out of the box when people type https instead of http.
There are basically two sorts of SSL certificates: Self-signed certificates and certificates signed by a certificate authority (CA).
Technically, both provide the same valid encryption.
There is a problem with self-signed certificates though:
They are neither installed in browsers nor on other servers.
That is why they provoke warnings about "mistrusted certificates".
This is confusing and disturbing.

If that isn't your idea of doing things, read on...
For this reason, we recommend to get a certificate signed by a CA.
Normally, you have to pay for them - and they are valid for a limited period of time (e.g. a year or two).

**Shared hosts**
There are ways to get a trusted certificate for free.

If you are using a shared host on a domain of your own, your provider may well offer to obtain and install the certificate for you. You will then only need to apply and pay for it – and everything will be set up. If that is the case for you, the rest of this document need not concern you at all. Just make sure the certificate is for the address that Friendica uses: e.g. myownfriendica.com or friendica.myserver.com.
Chose your domain name
---

The above ought to be the most common scenario for Friendica sites, making the rest of this article superfluous for most people.
Your SSL certificate will be valid for a domain or even only for a subdomain.
Make your final decision about your domain resp. subdomain *before* ordering the certificate.
Once you have it, changing the domain name means getting a new certificate.

**Obtaining a certificate yourself**
Shared hosts
---

Alternatively, a few shared hosting providers may ask you to obtain and upload the certificate yourself.
If your Friendica instance is running on a shared hosting platform, you should first check with your hosting provider.
They have instructions for you on how to do it there.
You can always order a paid certificate with your provider.
They will either install it for you or provide an easy way to upload the certificate and the key via a web interface.

The next section describes the process of acquiring a certificate from StartSSL. The good thing about StartSSL is that you can get an entry-level, but perfectly sufficient certificate for free. That’s not the case with most other certificate issuers - so we will be concentrating on StartSSL in this document If you want to use a certificate from a different source, you will have to follow the instructions given by that organization. We can't cover every possibility here.

Installing your certificate - once you have obtained it - depends on your provider’s way of doing things. But for shared hosts, there will usually be an easy web tool for this.
It might be worth asking if your provider would install a certificate you provide yourself, to save money.
If so, read on.

Note: Your certificate is usually restricted to one subdomain. When you apply for the certificate, make sure it’s for the domain and subdomain Friendica uses: e.g. myownfriendica.com or friendica.myserver.com.
Getting a free StartSSL certificate
---
StartSSL is a certificate authority that issues certificates for free.
They are valid for a year and are sufficient for our purposes.

**Getting a free StartSSL certificate**
### Step 1: Create a client certificate

StartSSL’s website attempts to guide you through the process of obtaining a free certificate, but some people end up frustrated. We really recommend working your way through the steps on the site very slowly and carefully. Don't take things for granted - read every word before proceeding and don't close the browser window until everything is working. That said, there are three main stumbling blocks that can confuse users:
When you initially sign up with StartSSL, you receive a certificate that is installed in your browser.
You need it for the login on startssl.com, also when coming back to the site later.
It has nothing to do with the SSL certificate for your server.

When you initially sign up with StartSSL, the first certificate you receive is simply installed in your browser (though you should also store it somewhere safe, so that you can reinstall it in any other browser at a later date, for instance when you need to renew something). This authentication certificate is only used for logging on to the StartSSL website – it has nothing to do with the certificate you will need for your server. As a first-timer with StartSSL, start here: https://www.startssl.com/?app=12 and choose the Express Lane option to get that browser authentication certificate. Then seamlessly continue to the process of acquiring the desired certificate for your server (the one you actually came for). You can change the website’s language if that makes things easier for you.
### Step 2: Validate your email address and your domain

When you are first prompted for a domain to certify, you need to enter your top-level domain – not the subdomain Friendica uses. In the next step, you will be able to specify that subdomain. So if you have friendica.yourname.com on your server, you first enter yourname.com – and specify the subdomain friendica later.
To continue you have to prove that you own the email address you specified and the domain that you want a certificate for.
Specify your email address, request a validation link via email from the "validations wizard".
Same procedure for the domain validation.

Don’t quit too fast when you have received your personal web server certificate at the end of the procedure. Depending on your server software, you will also require one or two generic files for use with this free StartSSL certificate. These are sub.class1.server.ca.pem and ca.pem. If you have already overlooked this step, you can download those files here: http://www.startssl.com/?app=21 But once again, the very best way of doing things is not to quit the StartSSL site until you are completely done and your https certificate is up and working.
### Step 3: Request the certificate

**Virtual private and dedicated servers (using StartSSL free)**
Go to the "certificates wizard".
Choose the target web server.
When you are first prompted for a domain to certify, you need to enter your main domain, e.g. example.com.
In the next step, you will be able to specify a subdomain for Friendica, if needed.
Example: If you have friendica.example.com, you first enter example.com, then specify the subdomain friendica later.

The rest of this document is slightly more complicated, but it’s only for people running Friendica on a virtual private or dedicated server. Everyone else can stop reading at this point.
If you know how to generate an openssl key and a certificate signing request (csr) yourself, do so.
Paste the csr into your browser to get it signed by StartSSL.

Follow the instructions here ( http://www.startssl.com/?app=20 ) to configure the web server you are using (e.g. Apache) for your certificate.
If you do not know how to generate a key and a csr, accept StartSSL's offer to generate it for you.
This means: StartSSL has the key to your encryption but it is better than no certificate at all.
Download your certificate from the website.
(Or in the second case: Download your certificate and your key.)

To illustrate the necessary changes, we will now assume you are running Apache. In essence, you can simply create a second httpd.conf entry for Friendica.
To install your certificate on a server, you need one or two extra files: sub.class1.server.ca.pem and ca.pem, delivered by startssl.com
Go to the "Tool box" section and download "Class 1 Intermediate Server CA" and "StartCom Root CA (PEM encoded)".

To do this, you copy the existing one and change the end of the first line to read :443> instead of :80>, then add the following lines to that entry, as also shown in StartSSL’s instructions:
If you want to send your certificate to your hosting provider, they need the certificate, the key and probably at least the intermediate server CA.
To be sure, send those three and the ca.pem file.
**You should send them to your provider via an encrypted channel!**

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
If you run your own server, upload the files and check out the Mozilla wiki link below.

SSLCertificateFile /usr/local/apache/conf/ssl.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
SSLCACertificateFile /usr/local/apache/conf/ca.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Let's encrypt
---

(Note that the directory /usr/local/apache/conf/ may not exist on your machine. For Debian, for instance, the directory might be /etc/apache2/ - in which you can create an ssl subdirectory if it doesn’t already exist. Then you have /etc/apache2/ssl/… instead of /usr/local/apache/conf/…)
If you run your own server and you control your name server, the "Let's encrypt" initiative might become an interesting alternative.
Their offer is not ready, yet.
Check out [their website](https://letsencrypt.org/) for status updates.

You thus end up with two entries for your Friendica site - one for simple http and one for https.
Web server settings
---

Note to those who want to force SSL: Don't redirect to SSL in your Apache settings. Friendica's own admin panel has a special setting for SSL policy. Please use this facility instead.
Visit the [Mozilla's wiki](https://wiki.mozilla.org/Security/Server_Side_TLS) for instructions on how to configure a secure webserver.
They provide recommendations for [different web servers](https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations).

**Mixing certificates on Apache – StartSSL and others (self-signed)**
Test you server SSL settings
---

Many people using a virtual private or dedicated server will be running more than Friendica on it. They will probably want to use SSL for other sites they run on the server, too. To achieve this, they may wish to employ more than one certificate with a single IP – for instance, a trusted one for Friendica and a self-signed certificate for personal stuff (possibly a wildcard certificate covering arbitrary subdomains).

For this to work, Apache offers a NameVirtualHost directive. You can see how to use it in httpd.conf in the following pattern. Note that wildcards (*) in httpd.conf break the NameVirtualHost method – you can’t use them in this new configuration. In other words, no more *80> or *443>. And you really must specify the IP, too, even if you only have one. Also note that you will soon be needing two additional NameVirtualHost lines at the top of the file to cater for IPv6.

NameVirtualHost 12.123.456.1:443
NameVirtualHost 12.123.456.1:80

<VirtualHost www.anywhere.net:80>
DocumentRoot /var/www/anywhere
Servername www.anywhere.net
</VirtualHost>

<VirtualHost www.anywhere.net:443>
DocumentRoot /var/www/anywhere
Servername www.anywhere.net
SSLEngine On
<pointers to a an eligible cert>
<more ssl stuff >
<other stuff>
</VirtualHost>

<VirtualHost www.somewhere-else.net:80>
DocumentRoot /var/www/somewhere-else
Servername www.somewhere-else.net
</VirtualHost>

<VirtualHost www.somewhere-else:443>
DocumentRoot /var/www/somewhere-else
Servername www.somewhere-else.net
SSLEngine On
<pointers to another eligible cert>
<more ssl stuff >
<other stuff>
</VirtualHost>

Of course, you may optionally be using other places like the sites-available directory to configure Apache, in which case only some of this information need be in httpd.conf or ports.conf - specifically, the NameVirtualHost lines must be there. But if you're savvy about alternatives like that, you will probably be able to figure out the details yourself.

Just restart Apache when you're done, whichever way you decide to do it.

**StartSSL on Nginx**

First, update to the latest Friendica code. Then follow the above instructions to get your free certificate. But instead of following the Apache installation instructions, do this:

Upload your certificate. It doesn't matter where to, as long as Nginx can find it. Some people use /home/randomlettersandnumbers to keep it in out of paranoia, but you can put it anywhere, so we'll call it /foo/bar.

You can remove the password if you like. This is probably bad practice, but if you don't, you'll have to enter the password every time you restart nginx. To remove it:

openssl rsa -in ssl.key-pass -out ssl.key

Now, grab the helper certificate:

wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Now you need to merge the files:

cat ssl.crt sub.class1.server.ca.pem > ssl.crt

In some configurations there is a bug, and this doesn't quite work properly. You may now need to edit ssl.crt, so:

nano /foo/bar/ssl.crt

You'll see two certificates in the same file. Halfway down, you may see:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

This is bad. You need to see:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

You can enter the carriage return manually if the bug is present on your system. Note there is a single carriage return for -----BEGIN CERTIFICATE----- to start on a new line. There is no empty line.

Now you need to tell Nginx about the certs.

In /etc/nginx/sites-available/foo.com.conf you need something like:

server {
listen 80;
listen 443 ssl;

listen [::]:80;

listen [::]:443 ipv6only=on ssl;

ssl_certificate /foo/bar/ssl.crt;

ssl_certificate_key /foo/bar/ssl.key;

...

Now, restart nginx:

/etc/init.d/nginx restart

And that's it.

For multiple domains, we have it easier than Apache users: Just repeat the above for each certificate, and keep it in it's own {server...} section.
When you are done, visit the test site [SSL Labs](https://www.ssllabs.com/ssltest/) to have them check if you succeeded.

Loading…
Cancel
Save