Archive for the 'Web Server' Category

How to setup Git http authentication using LDAP in Apache

In an earlier article, I described setting up a git server with gitolite, gitweb, ssh and http auth using a passwd file. As an extension of that article, here I describe how to do the authentication against LDAP, so that authentication becomes more seamless and you avoid the manual work of managing access when you already have LDAP for authenticating users.

Before changing the config, confirm that the ldap and authnz_ldap modules are loaded in Apache. You can check that with the httpd -M command; the following should appear in its output:

$ httpd -M 
..
 ldap_module (shared)
 authnz_ldap_module (shared)
..

Quickly setup git server with gitolite, gitweb, ssh and http auth

As per the official definition, Git is a free & open source, distributed version control system designed to handle everything from small to very large projects with speed and efficiency. I am describing here the steps I followed to set up a Git server along with Gitolite, Gitweb, ssh and http auth on an RHEL5 machine. I did the installation using RPMs (the lazy man’s method), which I got from here: http://pkgs.repoforge.org/git/

Step 1: Download the required RPMs or install using source

Here are the RPMs I downloaded from the source mentioned above (of course, download the latest versions of these RPMs when you do the installation):

Dynamically manage Apache virtualhosts in Linux

This is the second part of an article describing how to dynamically manage Apache virtual hosts. You can read the first article here.

In the earlier article I described using a PHP script to dynamically create/remove virtualhost entries in the Apache (httpd) config file and then reload it using cron.

Here I describe how to manage DNS so that newly created virtualhosts are recognized dynamically. Again, this might not be the best or most efficient way to implement this, but it is what worked for me. After creating virtualhosts in Apache, you need to update DNS so that the new virtualhosts start working. To update DNS dynamically, your DNS provider must offer some way (such as an API) to manipulate its records. Only a few providers offer this facility. For this experiment, I selected DNSMadeEasy, which provides APIs to add/remove/update records on the fly using scripts.

PHP script to dynamically create/remove apache virtual hosts/ subdomains

My friend ran into a situation where his team wanted to dynamically create/remove virtual hosts or subdomains using PHP. This can be achieved in several ways. You can use a control panel, which obviously consumes resources, or develop your own script to do it. There is a security aspect attached to the script approach, because the script needs to update a file that is read by Apache, and to apply the settings you need to reload Apache. Here I describe how my friend achieved their goal; again, this might not be the best way to do it and may be comparatively insecure or inefficient, but it is what worked for them on an Ubuntu host.

Disable weak ssl ciphers in lighttpd in Linux

To tighten security, or again to pass a PCI test, you can disable weak SSL ciphers. Let’s do it on a host running the lighttpd web server on CentOS Linux.

Normally, the scanner reports this issue with a message like this:

Synopsis: The remote service supports the use of medium strength SSL ciphers.

Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C/I:N/A:N)

Let’s disable these weak ciphers now:

Update the config file to add or modify the following lines. After adding/editing, the lines should look like this:

$ vi /etc/lighttpd/lighttpd.conf
ssl.use-sslv2 = "disable"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

Make sure you also put these lines inside any conditional blocks/vhosts (for example the $SERVER["socket"] block that serves SSL): these are global options, and if they are set only at the top level and not repeated inside the vhost blocks, they will not take effect there.
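As an added check that is not part of the original article, the following Python script audits a lighttpd.conf for the two settings above, both at the global level and inside every conditional block that carries any ssl.* option, so a socket/vhost block that serves SSL but silently lacks the hardening lines gets reported. The sample configuration, the rule for which blocks to audit, and the pemfile path are my own assumptions; the RC4 warning is a later finding than the article (RFC 7465 prohibits RC4 in TLS) and is included so the check stays useful today.

```python
import re

# Cipher-list exclusions the article's hardened line carries; each must appear as its own token.
REQUIRED_EXCLUSIONS = ("!SSLv2", "!aNULL", "!eNULL", "!3DES")

# Matches lighttpd conditional block openers such as:  $SERVER["socket"] == ":443" {
_BLOCK_OPEN = re.compile(r'^\s*(\$\w+\["[^"]+"\]\s*[=!~]+\s*"[^"]*")\s*\{')
# Matches single-line quoted ssl.* assignments such as:  ssl.cipher-list = "..."
_SETTING = re.compile(r'^\s*(ssl\.[\w-]+)\s*=\s*"([^"]*)"')


def parse_ssl_settings(conf_text):
    """Return {scope: {option: value}} for every ssl.* option in the config.

    Scope "global" holds top-level options; each conditional block is keyed by
    its condition text. Only single-line quoted assignments are parsed, which
    covers the settings this check cares about.
    """
    scopes = {"global": {}}
    stack = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        opener = _BLOCK_OPEN.match(line)
        if opener:
            stack.append(opener.group(1))
            scopes.setdefault(opener.group(1), {})
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            continue
        setting = _SETTING.match(line)
        if setting:
            scope = stack[-1] if stack else "global"
            scopes[scope][setting.group(1)] = setting.group(2)
    return scopes


def audit_scope(settings):
    """List the problems with one scope's ssl.* settings (empty list = clean)."""
    problems = []
    if settings.get("ssl.use-sslv2", "").lower() != "disable":
        problems.append('ssl.use-sslv2 not set to "disable"')
    cipher_list = settings.get("ssl.cipher-list")
    if cipher_list is None:
        problems.append("ssl.cipher-list missing")
        return problems
    tokens = cipher_list.split()
    for exclusion in REQUIRED_EXCLUSIONS:
        if exclusion not in tokens:
            problems.append(f"ssl.cipher-list does not exclude {exclusion[1:]}")
    # Later finding than the article: RC4 is prohibited for TLS by RFC 7465.
    if any("RC4" in t and not t.startswith("!") for t in tokens):
        problems.append("ssl.cipher-list still enables RC4 (prohibited by RFC 7465)")
    return problems


def audit_config(conf_text):
    """Audit the global scope plus every block that carries any ssl.* option.

    The article's point is that the hardening lines must be repeated inside the
    vhost/socket blocks; a block that sets ssl.engine or ssl.pemfile but not the
    cipher settings is therefore reported (assumed rule, my choice).
    """
    report = {}
    for scope, settings in parse_ssl_settings(conf_text).items():
        if scope != "global" and not settings:
            continue
        report[scope] = audit_scope(settings)
    return report


# Constructed sample config (not from the article): the hardened lines are
# present globally but missing from the socket block that actually serves SSL.
SAMPLE_CONF = '''
server.modules = ( "mod_access" )
ssl.use-sslv2 = "disable"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # placeholder path
    $HTTP["host"] == "example.com" {
        server.document-root = "/var/www/example"
    }
}
'''

if __name__ == "__main__":
    for scope, problems in audit_config(SAMPLE_CONF).items():
        print(f"{scope}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the real file with `audit_config(open("/etc/lighttpd/lighttpd.conf").read())`; the socket block in the sample comes back with both settings missing, which is exactly the situation the last paragraph warns about.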