Difference between pages "Web-server-stack" and "Package:OpenSSL"

From Funtoo
(Difference between pages)
Jump to navigation Jump to search
 
 
Line 1: Line 1:
{{Ebuild
|Summary=Full-strength general purpose cryptography library (including SSL and TLS.)
|CatPkg=dev-libs/openssl
|Homepage=http://www.openssl.org
}}
{{PageNeedsUpdates}}
OpenSSL is a cryptography package used with {{Package|net-misc/openssh}}, web servers, and more.  ftps, https, smtps, imaps, etc use SSL/TLS.  SSL/TLS is used to prevent man in the middle attacks on plain text streams of data.  As this is a security package it is frequently cycled from testing, & bug repairs.
{{note|ssl is old, tls is new.  If you have the option to run tls, run tls rather than ssl}}


== Pre-install considerations ==
=== Installation ===
=== ssl ===
{{console|body=###i## emerge dev-libs/openssl}}
Ssl [http://en.wikipedia.org/wiki/Wildcard_certificate wild card certificates] can use the same certificate to cover several subdomain names.  As in https://wiki.funtoo.org https://www.funtoo.org https://forums.funtoo.org can all use the same certificate.  https://funtoo.org would not be covered under the wildcard, so [[User:Threesixes|Threesixes]] ([[User talk:Threesixes|talk]]) suggests using http://domain.tld as a http navigation splash page directory.  All that is required to setup a ca signed ssl certificate is an email on the server.  https://www.startssl.com offers free ssl ca certificates, though there are several other certificate [http://en.wikipedia.org/wiki/Certificate_authority#Providers providers].  Many web apps require you set your URL & will have problems if your URL is set to http://, rather than https://


=== sockets vs tcp stack ===
=== Usage ===
Sockets have less overhead but can not be shared across jails, or to other machinesTcp stack has more overhead but is far more flexible.
ssl uses several certificates with differing coverage, and use casesCertificates are obtained by 3rd party sites.  go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.


=== Email Servers ===
The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.
* {{Package|mail-mta/postfix}}  <-- suggested
* {{Package|mail-mta/ssmtp}}
* {{Package|mail-mta/exim}}
* {{Package|mail-mta/sendmail}}
* {{Package|mail-mta/nullmailer}}


=== FTP Servers ===
==== Self Signed Certificates ====
It is common practice to use FTP servers to host files for downloading.
Free:
Self signed certificates are free, self made, quick, easy to setup, and insecure.  They are great for lab experiments, and testing out new technologies that you're not familiar with.


* {{Package|net-ftp/vsftpd}} <-- suggested
==== Free Certificates ====
* {{Package|net-ftp/proftpd}}
Free:  (with restrictions)
* {{Package|net-ftp/pure-ftpd}}
You can get free certificates from places like StartSSL.com.  The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that.  However, for personal sites, you can't beat the cost.
* {{Package|net-ftp/qshare}}


== Webserver ==
==== Single Domain Certificates ====
Web servers come in several varieties.  The most common stack is known as LAMP which stands for linux apache mysql php.  [[User:Threesixes|Threesixes]] ([[User talk:Threesixes|talk]]) suggests setting up the web server stack by selecting the database first, then scripting language second, and web server 3rd.
Generally $10/yr:
Single domain certificates are probably the cheapest ssl certificate you will find on the web.  This certificate does not cover subdomains.


=== Databases ===
==== Unified Communications Certificate ====
* {{Package|dev-db/mysql}}
Generally $300/yr
This certificate is meant for small businesses.  This type of certificate will generally cover 20-30 domains, sites, or subdomains.


mariadb is a drop in replacement for mysql
==== Wildcard Certificates ====
* {{Package|dev-db/mariadb}} <-- suggested
Generally $300/yr
Wildcard certificates are expensive, however they cover every subdomain name you add.


percona is a drop in replacement for mysql
==== Other Misc Certs ====
* {{Package|dev-db/percona-server}}
*domain validated SSL Certificates
*organization validated SSL Certificates
*Extended Validation SSL Certificates


* {{Package|dev-db/postgresql-server}}
=== Using SSL With Nginx or Tengine ===
* {{Package|dev-db/sqlite}}
See this page:  [[HOWTO:WebServer_SSL]]


=== Languages ===
=== External Resources ===
* {{Package|dev-lang/php}} <-- suggested
https://wiki.archlinux.org/index.php/OpenSSL
* {{Package|dev-lang/perl}}
{{EbuildFooter}}
* {{Package|dev-lang/python}}
 
=== Web Servers ===
* {{Package|www-servers/apache}}
* {{Package|www-servers/cherokee}}
* {{Package|www-servers/nginx}} <-- suggested
* {{Package|www-servers/tengine}}
* {{Package|www-servers/lighttpd}}
 
 
=== SSL Termination, Reverse Proxies, & load balancing ===
Reverse proxies are useful, some cache static data, and shuck out cached pages rather than hitting the web server.  Some pass requests to backend nodes high availability clustering your website, some web servers have this functionality built in.
 
* {{Package|www-servers/nginx}}
* {{package|net-misc/stunnel}}
* {{package|www-servers/pound}} <-- suggested for ssl termination & load balancing
* {{Package|www-servers/varnish}} <-- suggested for caching to reduce power consumption & reduce the need of constantly rebuilding pages
* {{Package|net-proxy/squid}}
 
== Post install ==
There are several considerations to take into account with a web server install, such as setting up an email server, setting up a firewall, firewalling web applications, and dynamically firewalling attackers.
 
=== Firewalls ===
* {{Package|net-firewall/nftables}}
* {{Package|net-firewall/iptables}} <-- suggested
* {{Package|net-firewall/firewalld}}
* {{Package|net-firewall/ufw}}
 
=== Dynamic Firewalling ===
* {{Package|app-admin/sshguard}} <-- suggested
* {{Package|net-analyzer/fail2ban}}
 
=== Webapp Firewalls ===
 
Apache has an option for webapplication firewalling.  as far as [[User:Threesixes|Threesixes]] ([[User talk:Threesixes|talk]]) can tell this passes login errors & excessive site fuzzing to logs for fail2ban/sshguard to deal with.
https://github.com/nbs-system/naxsi is a web app firewall for nginx.
 
=== Benchmarking ===
It's a good idea to benchmark your system, server, & websites.  There are several tools to assist you in doing this.
 
* http://toolbar.netcraft.com/site_report?url=undefined#last_reboot
* http://gtmetrix.com/
* http://www.showslow.com/
* http://yslow.org/
* http://getfirebug.com/
* {{Package|app-admin/apache-tools}}
* {{Package|app-benchmarks/sysbench}}
* {{Package|app-benchmarks/phoronix-test-suite}}
* {{Package|app-benchmarks/iozone}}
* {{Package|app-benchmarks/piozone}}
* {{Package|app-benchmarks/siege}}
* {{Package|app-benchmarks/ramspeed}}
* {{Package|app-benchmarks/jmeter}}

Latest revision as of 05:58, July 9, 2015

OpenSSL

   Tip

We welcome improvements to this page. To edit this page, Create a Funtoo account. Then log in and then click here to edit this page. See our editing guidelines to becoming a wiki-editing pro.

OpenSSL is a cryptography package used with net-misc/openssh, web servers, and more. ftps, https, smtps, imaps, etc use SSL/TLS. SSL/TLS is used to prevent man in the middle attacks on plain text streams of data. As this is a security package it is frequently cycled from testing, & bug repairs.

   Note

ssl is old, tls is new. If you have the option to run tls, run tls rather than ssl

Installation

root # emerge dev-libs/openssl

Usage

ssl uses several certificates with differing coverage, and use cases. Certificates are obtained by 3rd party sites. go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.

The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.

Self Signed Certificates

Free: Self signed certificates are free, self made, quick, easy to setup, and insecure. They are great for lab experiments, and testing out new technologies that you're not familiar with.

Free Certificates

Free: (with restrictions) You can get free certificates from places like StartSSL.com. The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that. However, for personal sites, you can't beat the cost.

Single Domain Certificates

Generally $10/yr: Single domain certificates are probably the cheapest ssl certificate you will find on the web. This certificate does not cover subdomains.

Unified Communications Certificate

Generally $300/yr This certificate is meant for small businesses. This type of certificate will generally cover 20-30 domains, sites, or subdomains.

Wildcard Certificates

Generally $300/yr Wildcard certificates are expensive, however they cover every subdomain name you add.

Other Misc Certs

  • domain validated SSL Certificates
  • organization validated SSL Certificates
  • Extended Validation SSL Certificates

Using SSL With Nginx or Tengine

See this page: HOWTO:WebServer_SSL

External Resources

https://wiki.archlinux.org/index.php/OpenSSL


Retrieved from "https://www.funtoo.org/index.php?title=Web-server-stack&oldid=10769"