
Oct 24, 2011

How to use and force SSL with CodeIgniter PHP Framework in Ubuntu running Apache 2

These instructions explain how to have CodeIgniter (or any other PHP framework) load certain pages over SSL.

Using this setup, visitors can browse http://www.yoursite.com/ over plain HTTP, while a controller such as http://www.yoursite.com/SSLFOLDER is automatically forced onto SSL.

SSLFOLDER will always load over SSL, whether or not https:// was used when calling the controller.


Here are the instructions I used under Ubuntu 10.04.

Step 1: Create Self-Signed SSL Certificate

I used the steps outlined here: 
https://help.ubuntu.com/8.04/serverguide/C/certificates-and-security.html

Summary

Go to the home directory by executing the following command:

cd ~

Generate the keys for the Certificate Signing Request (CSR) by running the following command:

openssl genrsa -des3 -out server.key 2048

Enter an 8+ character passphrase when prompted.

Create the Certificate Signing Request (CSR) using the following command:

openssl req -new -key server.key -out server.csr

OPTION 1: If you are actually going to be in production, then at this point you would submit the CSR to an online certificate authority (CA) for processing. Then you would continue using the CRT file received from the CA.

OPTION 2: For non-production environments, you can create the self-signed certificate using the following command:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Then copy the certificate and key to their corresponding folders:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Step 2: Edit Apache 2 configuration files (Ubuntu)

Edit /etc/apache2/sites-enabled/000-default

Insert the following outside of the <VirtualHost *:80></VirtualHost> tags; the top of the file works.

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        DocumentRoot /var/www
</VirtualHost>


Step 3: Enable the SSL module in Apache 2

Enable the SSL module in Apache 2 by running the following command (as root, like the other steps):

sudo a2enmod ssl


Step 4: Restart Apache 2 Web Server

Run this command from the command line:

sudo /etc/init.d/apache2 restart

Enter the passphrase you chose when generating the key in Step 1; Apache needs it to read server.key.


CodeIgniter Related Steps

I found a useful post on configuring CodeIgniter to always redirect protected pages to the SSL site.


I chose Option 1 and did the following:

Edit the file /system/application/config/config.php, and set the base_url to the non-ssl site as follows:

$config['base_url'] = "http://www.yoursite.com/";

Then edit /etc/apache2/sites-enabled/000-default and, under the <VirtualHost *:80> tag, enter the following for each folder you'd like to protect with SSL:

RedirectPermanent /sslfolder https://www.yoursite.com/sslfolder

NOTE: Omit the trailing slash after sslfolder. Redirect matches by URL prefix, so /sslfolder also catches /sslfolder/anything and the rest of the path is carried over to the https:// URL; with a trailing slash, a request for the bare /sslfolder would not match.


That's it, now restart Apache using Step 4 instructions and visit http://www.yoursite.com/sslfolder

You should see that sslfolder is now served over SSL.

If you see SSL errors stating an invalid certificate, it's because you're using a SELF-SIGNED certificate. This is fine for testing, but for production you'll need to get a CRT file by buying one from an online Certificate Authority.

HINT: Try GoDaddy and use one of their online coupons for a discount.




Jun 26, 2010

Change Ubuntu Server from DHCP to a Static IP Address


Ever need to quickly assign a static IP to your new Ubuntu server installation? Here's an article that explains how to do it.

If the Ubuntu Server installer has set your server to use DHCP, you will want to change it to a static IP address so that people can actually use it.

Changing this setting without a GUI will require some text editing, but that’s classic linux, right?

Let's open up the /etc/network/interfaces file. I'm going to use vi, but you can choose a different editor:

sudo vi /etc/network/interfaces

For the primary interface, which is usually eth0, you will see these lines:

auto eth0
iface eth0 inet dhcp

As you can see, it’s using DHCP right now. We are going to change dhcp to static, and then there are a number of options that should be added below it. Obviously you’d customize this to your network.

auto eth0
iface eth0 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1

Now we’ll need to add in the DNS settings by editing the resolv.conf file:

sudo vi /etc/resolv.conf

On the line 'nameserver xxx.xxx.xxx.xxx', replace the x's with the IP of your name server. (The name servers DHCP had been using are the ones already listed in this file.)

You also need to remove the DHCP client for this to stick (thanks to Peter for noticing). On some releases the package is called dhcp-client3 instead.

sudo apt-get remove dhcp-client

Now we’ll just need to restart the networking components:

sudo /etc/init.d/networking restart


Ping www.google.com. If you get a response, name resolution is working (unless, of course, google is in your hosts file).

Really pretty simple.
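Before restarting networking on a headless box, it is worth checking that the stanza you typed is internally consistent, because a wrong netmask, broadcast or gateway leaves the server unreachable until someone gets to the console. The script below is an added example, not part of the original article: it checks the five values against each other and also derives the network and broadcast lines from just the address and netmask, so you do not have to compute them by hand. It uses the article's own sample values and only POSIX sh arithmetic, so it runs anywhere.

```sh
#!/bin/sh
# Added example (not from the original article): sanity-check a static
# /etc/network/interfaces stanza and derive network/broadcast from the
# address and netmask. Sample values are the ones used in the article.

# Dotted-quad IPv4 -> integer, using only POSIX parameter expansion.
ip_to_int() {
    _rest=$1
    _o1=${_rest%%.*}; _rest=${_rest#*.}
    _o2=${_rest%%.*}; _rest=${_rest#*.}
    _o3=${_rest%%.*}; _o4=${_rest#*.}
    echo $(( ($_o1 << 24) | ($_o2 << 16) | ($_o3 << 8) | $_o4 ))
}

# Integer -> dotted-quad IPv4.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Host bits of a netmask (bitwise inverse, kept to 32 bits).
host_bits() {
    echo $(( ~$1 & 4294967295 ))
}

# Verify address/netmask/network/broadcast/gateway agree with each other.
# Prints each problem found; returns 0 only if the stanza is consistent.
check_static_config() {
    _a=$(ip_to_int "$1"); _m=$(ip_to_int "$2")
    _n=$(ip_to_int "$3"); _b=$(ip_to_int "$4"); _g=$(ip_to_int "$5")
    _inv=$(host_bits "$_m")
    _net=$(( $_a & $_m ))
    _bcast=$(( $_net | $_inv ))
    _rc=0
    # A valid netmask is a run of 1s followed by a run of 0s.
    if [ $(( $_inv & ($_inv + 1) )) -ne 0 ]; then
        echo "netmask $2 is not contiguous"; _rc=1
    fi
    if [ "$_net" -ne "$_n" ]; then
        echo "network should be $(int_to_ip "$_net"), not $3"; _rc=1
    fi
    if [ "$_bcast" -ne "$_b" ]; then
        echo "broadcast should be $(int_to_ip "$_bcast"), not $4"; _rc=1
    fi
    if [ $(( $_g & $_m )) -ne "$_net" ]; then
        echo "gateway $5 is not inside the subnet of $1/$2"; _rc=1
    fi
    if [ "$_a" -eq "$_net" ] || [ "$_a" -eq "$_bcast" ] || [ "$_a" -eq "$_g" ]; then
        echo "address $1 collides with the network, broadcast or gateway"; _rc=1
    fi
    return $_rc
}

# Emit a static stanza with network and broadcast derived, not hand-typed.
render_stanza() {   # interface address netmask gateway
    _a=$(ip_to_int "$2"); _m=$(ip_to_int "$3")
    _net=$(( $_a & $_m )); _bcast=$(( $_net | $(host_bits "$_m") ))
    printf 'auto %s\niface %s inet static\n' "$1" "$1"
    printf '        address %s\n        netmask %s\n' "$2" "$3"
    printf '        network %s\n        broadcast %s\n        gateway %s\n' \
        "$(int_to_ip "$_net")" "$(int_to_ip "$_bcast")" "$4"
}

# Run against the article's values.
if check_static_config 192.168.1.100 255.255.255.0 192.168.1.0 192.168.1.255 192.168.1.1; then
    echo "stanza is consistent:"
    render_stanza eth0 192.168.1.100 255.255.255.0 192.168.1.1
fi
```

Run it with your own values in place of the article's; if it prints nothing but the stanza, paste that stanza into /etc/network/interfaces. The gateway check is the one that most often catches a typo, since a gateway outside the subnet is silently accepted by the interface but never reachable.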

Source: http://www.howtogeek.com/howto/ubuntu/change-ubuntu-server-from-dhcp-to-a-static-ip-address/

Jun 16, 2010

How to shrink a large modellog.ldf file

Problem: My disk space is full on my server. My SQL Server modellog.ldf is over 8 GB each and growing exponentially. What should I do?


First, try to figure out what's using the log file:

-- run in the context of the model database
use [model]
-- size of the log files in GB (size is in 8 KB pages; status & 0x40 marks log files)
select (sum(size) * (8192/1024)) / 1024 from dbo.sysfiles WHERE (status & 0x40) <> 0
-- log size and percentage in use for every database
DBCC SQLPERF(LOGSPACE)
-- total size of all files (data and log) in GB, rounded up
select ceiling((sum(size) * (8192.0/1024.0)) / 1024.0) from dbo.sysfiles
-- space reserved and used inside the database
exec sp_spaceused
DBCC SQLPERF(LOGSPACE)



It is very unusual that the model database data or log files would grow at all.  The database is normally used only as a template for creating new databases.  Make sure you don't have any renegade applications using the database.


To simply shrink the file, do the following:

You may need to back up the transaction log before shrinking. Then back up the log again with the truncate-only option, i.e.

-- discards the inactive part of the log without backing it up
-- (removed in SQL Server 2008; there, switching to SIMPLE recovery below has the same effect)
-- either way the log backup chain is broken, so take a full backup afterwards
BACKUP LOG MODEL WITH TRUNCATE_ONLY

Then you can run the database shrink command:

-- stop the log from being retained for log backups
ALTER DATABASE model SET RECOVERY SIMPLE
GO
USE model
GO
-- shrink the log file (logical name 'modellog') down to 2 MB
DBCC SHRINKFILE('modellog', 2)
GO

Firewall ports needed for proper Zimbra email server operation

The following TCP ports need to be open in order for Zimbra to work properly:

    POP3 - port 110
    IMAP - port 143
    SMTP - port 25
    HTTP - port 80
    HTTPS - port 443
    Secure SMTP (SSMTP) - port 465
    Secure IMAP (IMAP4-SSL) - port 585
    IMAP4 over SSL (IMAPS) - port 993 - NECESSARY FOR iPHONE CONNECTIVITY
    Secure POP3 (SSL-POP) - port 995

Installing $12.99 GoDaddy SSL Certificate on Zimbra versions 5 and 6


This is the only way I managed to install a Standard $12.99 SSL Certificate onto Zimbra 6.0.6.

STEP 1: Generate CSR (SSL Certificate Signing Request) and get it signed by GoDaddy.

1) Log into Zimbra's Administration Console - Usually done by logging into https://yourhost.yourdomain.com:7071/zimbraAdmin/

2) On the left hand side, under Tools, click "Certificates"

3) Click on Install Certificate

4) Select your Server Name - hit next

5) Choose "Generate CSR for the commercial certificate authority" - hit next

6) Choose a 2048 bit size, and fill out the form using the following guide:


General CSR Creation Guidelines

Before you can order your SSL certificate, you must first generate a CSR (Certificate Signing Request) on your server. A CSR is an encoded body of text. Your CSR will contain encoded information specific to your company and domain name; this information is known as a Distinguished Name or DN.

In the DN for most servers are the following fields: Country, State (or Province), Locality (or City), Organization, Organizational Unit, and Common Name.

Please note:

The Country is a two-letter code; for the United States, it's 'US'. For countries outside of the United States, see GoDaddy's listing of SSL Certificate Country Codes.

State and Locality are full names, e.g. 'California', 'Los Angeles'.

The Organization Name is your full legal company or personal name, as legally registered in your locality.

The Organizational Unit is whichever branch of your company is ordering the certificate, such as accounting, marketing, etc.

The Common Name is the Fully Qualified Domain Name (FQDN) for which you are requesting the SSL certificate.

If you are generating a CSR for a Wildcard Certificate, your Common Name must start with *. (for example: *.domain.com). The wildcard character (*) will match any name that does not have a "dot" character in it.

Once your CSR is created, you will be able to simply copy and paste it into the online order form.

7) Hit next, and wait for the CSR to be generated.

8) Before hitting Finish, click on "Download CSR" to save the file to your computer.

9) Go to GoDaddy.com and start the SSL creation process using their wizard.

10) Once you're at the step where you're asked for the CSR file, open the previously downloaded file using a text editor and copy EVERYTHING, INCLUDING the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

11) Now paste the CSR into GoDaddy's form, making sure you choose 2048-bit in the GoDaddy wizard.

12) Finish the GoDaddy certificate creation process, making sure that the information you enter matches what you used to create the CSR.

13) Download the certificate from GoDaddy for Apache.



STEP 2: Installing the certificate in Zimbra

1) Log into Zimbra's Administration Console - Usually done by logging into https://yourhost.yourdomain.com:7071/zimbraAdmin/

2) On the left hand side, under Tools, click "Certificates"

3) Click on Install Certificate

4) Select your Server Name - hit next

5) Select "Install the commercially signed certificate" - hit next twice

6) Visit https://certs.godaddy.com/anonymous/repository.seam and download gd-class2-root.crt

7) Now attach the files as follows:

Certificate : here you attach the generated certificate, of the form host.yourdomain.com.crt
Root CA: here you attach the file you downloaded in step 6. gd-class2-root.crt
Intermediate CA: Here you attach the 'bundled' file that came with your certificate.

8) Hit Next, and then Finish.

9) Here you might receive an error, and things won't work.



STEP 3: Troubleshooting

1) Copy your gd-class2-root.crt to /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

Then follow the steps below:

  1. At this point, the CSR and the private key should have been created by Zimbra in the /opt/zimbra/ssl/zimbra/commercial directory, named commercial.csr and commercial.key.
  2. Make sure the permissions are set to 740 root:root (you can skip this step, I did)
  3. Make a new directory, e.g. /root/certs
  4. Place the signed cert and the bundle cert in /root/certs (these are the files you downloaded from GoDaddy)
  5. Verify that the cert and the key match via these commands (run as root):

    cd /root/certs

    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./ ./

  6. If the output looks good, you can deploy the certificate via this command:

    /opt/zimbra/bin/zmcertmgr deploycrt comm ./ ./

  7. The final step is to restart the Zimbra services for the change to take effect (see the end of this post)

If step 7 gives you errors such as "logger service cannot start" or "ldap service can't start", then you need to do the following.

The commercial certs were deployed fine, but you must also, as ROOT, run:

/opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt

Finally, restart your services by running:

1) su root
2) su zimbra
3) zmcontrol stop
4) zmcontrol start
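Two checks come up repeatedly on this page: the CodeIgniter post generates a key, CSR and self-signed certificate and then explains away the browser's "invalid certificate" warning, and the Zimbra post's step 5 verifies that the cert and the key match before deploying. The script below is an added example, not code from either post or from Zimbra: it builds the key and CSR with the same openssl tools, self-signs (the CodeIgniter post's OPTION 2), and then answers the two questions an operator wants settled before pointing Apache or Zimbra at the files: does this private key belong to this certificate (the same test zmcertmgr verifycrt performs, done by comparing the RSA modulus), and does the certificate verify against the intended trust anchor. It assumes openssl is on PATH, uses the post's hostname www.yoursite.com, and creates the key without a passphrase (-nodes) so it runs unattended, which is why it tightens the file permissions instead.

```sh
#!/bin/sh
# Added example, not from either post or from Zimbra. Assumes openssl is
# on PATH. The key is created with -nodes (no passphrase) so this runs
# unattended; the post's -des3 key instead prompts Apache at each restart.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
HOST=www.yoursite.com          # hostname used in the CodeIgniter post

# Key + CSR in one step; the DN fields follow the CSR guidelines in the
# Zimbra post. An unencrypted key must be protected by file permissions.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/C=US/ST=California/L=Los Angeles/O=Example Org/CN=$HOST" \
        >/dev/null 2>&1
    chmod 600 "$WORKDIR/server.key"
}

# OPTION 2 from the CodeIgniter post: self-sign the CSR for non-production use.
self_sign() {
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
        >/dev/null 2>&1
}

# A cert and key belong together only if they carry the same RSA modulus.
# Usage: key_matches_cert server.crt server.key
key_matches_cert() {
    _crt_mod=$(openssl x509 -noout -modulus -in "$1")
    _key_mod=$(openssl rsa -noout -modulus -in "$2")
    [ "$_crt_mod" = "$_key_mod" ]
}

# Does the cert chain up to the given trust anchor? A self-signed cert
# verifies only against itself, which is exactly why browsers warn about
# it (last section of the CodeIgniter post). For a commercial cert the
# anchor is the CA's root, with the intermediate bundle in between.
# Usage: cert_verifies_against server.crt anchor.crt
cert_verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Common Name of a certificate, to confirm it matches the site name.
cert_common_name() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *//p'
}

make_key_and_csr
self_sign
if key_matches_cert "$WORKDIR/server.crt" "$WORKDIR/server.key" \
   && cert_verifies_against "$WORKDIR/server.crt" "$WORKDIR/server.crt"; then
    echo "key and certificate match; CN=$(cert_common_name "$WORKDIR/server.crt")"
else
    echo "key/certificate mismatch or chain error" >&2
fi
```

To check a commercially signed cert the way the Zimbra post does, call key_matches_cert with commercial.crt and commercial.key, and cert_verifies_against with the CA's root file (gd-class2-root.crt in the post) as the anchor; a mismatch here is what produces the "things won't work" failure in STEP 2.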


Jan 16, 2010

Microsoft: Internet Explorer warning issued on January 14th, 2010

Internet Explorer 8 works fairly well, but Internet Explorer has never been safe to use. This new security warning by Microsoft should be an awakening for many of us in the business world who still rely on IE for our daily operations. Is it time to switch to Google Chrome or Firefox and give up the patching game that Microsoft has us playing day in and day out? If you're still using Internet Explorer, read the following alert issued by Microsoft on January 14th, 2010 and decide what you want to run on your business machines:


The following text comes from: http://www.microsoft.com/technet/security/advisory/979352.mspx – Please visit the site for all the details.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if the situation changes. On completion of this investigation, Microsoft will take appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Alternative browsers:

Download Google Chrome here: http://chrome.google.com

Download Mozilla Firefox here: http://www.getfirefox.com

Download Opera here: http://www.opera.com

How to install applications for use with Terminal Server?

Installing applications on a terminal server is done slightly differently than typical installation in order to ensure that all permissions are properly set and the application is usable by all terminal services users.

There are two modes in terminal server, Execute and Install. By default all users are logged on in Execute mode, which means they can run programs. When you want to install an application for use by everyone, the Administrator should switch to Install mode.

The best way to install software is to use the Add/Remove programs control panel applet as this will automatically set the mode to Install during the installation and then back to Execute at the end. Alternatively you can manually change your mode to install by typing

C:\> change user /install

To change back to execute use

C:\> change user /execute

And to check your current mode use

C:\> change user /query

In this example we will use Add/Remove to install Winzip on a terminal server.

  1. Start the Add/Remove programs control panel applet (Start - Settings - Control Panel - Add/Remove Programs)
  2. Select the 'Install/Uninstall' tab and click 'Install'
  3. You will be told to insert the setup media, click Next
  4. The installation wizard will look for setup.exe on the CD or disk and won't find it; select an alternative by clicking the 'Browse' button and choosing the winzip.exe file. Click Next
  5. You will now be given the option to change your mode so all users can use the application. Select 'All users begin with common application settings.' and click Next
  6. The install of the application will begin and you will notice your mode has been changed to Install if you typed 'change user /query'.
  7. Proceed to install the application as normal
  8. Once setup is complete click Next to the install dialog then Finish

All terminal server users will now have Winzip. An alternative would be to manually set the mode to install, install the software and set back to execute.