Lighttpd-powered WebDAVs server on Debian Squeeze

Here is a tiny article about how I used Lighttpd to serve content over WebDAV.

First, install the required packages:

$ aptitude install lighttpd-mod-webdav

As we want to provide a secure WebDAV access, we need to install OpenSSL:

$ aptitude install openssl

Then we create the file /etc/lighttpd/clear-creds.lst, which will contain the credentials required for authentication, in the following form:

user1:password1
user2:password2
user3:password3

Logins and passwords are stored here in the clear. This is stupid, but for this project I was looking to set up a quick and dirty server. For temporary tests this setup is OK, but I encourage you to switch to a better credential storage system.

Now I want to serve WebDAV content within a secure channel. A self-signed SSL certificate will be enough. Let’s generate one:

$ cd /etc/lighttpd/
$ openssl req -x509 -nodes -subj '/' -days 3650 -newkey rsa:2048 -keyout server.pem -out server.pem

We’ll configure Lighttpd by loading the default parameters of modules we use:

$ cd /etc/lighttpd/conf-enabled/
$ ln -s ../conf-available/05-auth.conf
$ ln -s ../conf-available/10-ssl.conf
$ ln -s ../conf-available/10-webdav.conf

Now I create a custom configuration file:

$ touch /etc/lighttpd/conf-available/99-custom.conf
$ cd /etc/lighttpd/conf-enabled/
$ ln -s ../conf-available/99-custom.conf

Here is the content of that 99-custom.conf configuration file:

# Hide server version
server.tag = "lighttpd"

# Force all requests to use HTTPS
# This also redirects all WebDAV requests to WebDAVs
$HTTP["scheme"] == "http" {
  $HTTP["host"] =~ "(.*)" {
    url.redirect = ( "^/(.*)" => "https://%1/$1" )
  }
}

# Valid credentials are required for any request
auth.backend = "plain"
auth.backend.plain.userfile = "/etc/lighttpd/clear-creds.lst"
auth.require = (
  "/" => (
    "method" => "digest",
    "realm" => "My WebDAV server",
    "require" => "valid-user"
  )
)

# Enable WebDAV in read and write mode
webdav.activate = "enable"
webdav.is-readonly = "disable"

# Customize directory listings a bit
dir-listing.set-footer = "<a href='http://example.com'>Company</a>'s document repository."

And do not forget to restart the server:

$ /etc/init.d/lighttpd restart

As you can see in the screenshot above, you can now:

  • Browse the file system in read/write mode with a WebDAV client via a webdavs://12.34.56.78/ URL;
  • Access content in read-only mode with a browser by a classic https://12.34.56.78/ URL.

Setup a lightweight IMAP server on MacOS X Leopard with Dovecot

Last week I needed a local IMAP server on MacOS X Leopard (10.5) for temporary testing. After struggling with courier-imap for hours, I finally settled on Dovecot. You’ll see below how easy it is to install and configure it.

We’re lucky, Dovecot is available in MacPorts, so we can install it easily:

port install dovecot

It’s time to configure it. We start with the default configuration template:

cp /opt/local/etc/dovecot/dovecot-example.conf /opt/local/etc/dovecot/dovecot.conf

Then we can edit the dovecot.conf configuration file as we wish. FYI, here are my modifications:

--- /opt/local/etc/dovecot/dovecot-example.conf	2010-04-23 14:29:52.000000000 +0200
+++ /opt/local/etc/dovecot/dovecot.conf	2010-04-23 14:51:06.000000000 +0200
@@ -21,7 +21,7 @@

 # Protocols we want to be serving: imap imaps pop3 pop3s
 # If you only want to use dovecot-auth, you can set this to "none".
-#protocols = imap imaps
+protocols = imap

 # A space separated list of IP or host addresses where to listen in for
 # connections. "*" listens in all IPv4 interfaces. "[::]" listens in all IPv6
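Review bot: the `protocols = imap` line drops `imaps` from the commented default, so this server only offers IMAP without SSL/TLS from the start. That is acceptable for a test box only if nothing but local clients can reach it; I would either keep `protocols = imap imaps` or also restrict the listen addresses described in the comment just below, since `*` listens on all IPv4 interfaces.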
@@ -45,7 +45,7 @@
 # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
-#disable_plaintext_auth = yes
+disable_plaintext_auth = no

 # Should all IMAP and POP3 processes be killed when Dovecot master process
 # shuts down. Setting this to "no" means that Dovecot can be upgraded without
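Review bot: `disable_plaintext_auth = no` lets remote clients send passwords in the clear, and per the comment right above it is not needed for a local test, because a connection from the same computer is already considered secure and plaintext authentication is allowed. I would leave the default `yes` in place unless a client on another machine must log in without SSL/TLS, and say so in a comment next to the setting.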
@@ -221,7 +221,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-#mail_location =
+mail_location = maildir:~/Maildir

 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.

Before starting Dovecot, we have to create a dummy SSL certificate:

mkdir -p /opt/local/etc/ssl/{certs,private}
openssl req -new -x509 -days 3650 -nodes -out /opt/local/etc/ssl/certs/dovecot.pem -keyout /opt/local/etc/ssl/private/dovecot.pem

And finally, we can launch the Dovecot server itself as root:

dovecot

That’s all!

You can now access your local IMAP server with any client. Here is an example with Thunderbird:

And if you have problems, the first reflex is to read Dovecot’s logs:

tail -F /var/log/mail.log

Web commands

  • Download a web page and all its requisites:
    wget -r -p -nc -nH --level=1 http://pypi.python.org/simple/python-ldap/
    
  • Create a PNG image of a rendered html page:
    kwebdesktop 1024 768 capture.png http://slashdot.org/
    
  • Search all files for malformed HTML entities (in this case non-breaking spaces that don’t end with a semicolon):
    grep -RIi --extended-regexp '&nbsp[^;]' ./
    
  • Here is a one-liner I use to ping some pages on the internet to force our corporate proxy to refresh its internal cache:
    for EGG in BeautifulSoup PIL Plone; do wget --server-response -O /dev/null http://pypi.python.org/simple/$EGG/; done
    
  • Create a minimal self-signed unencrypted SSL certificate without issuer information and a validity period of 10 years:
    openssl req -x509 -nodes -subj '/' -days 3650 -newkey rsa:2048 -keyout self-signed.pem -out self-signed.pem
    
  • Create a pair of SSL self-signed certificate and (unencrypted) private key (source):
    openssl genrsa -out private.key 2048
    openssl req -new -subj '/' -key private.key -out certreq.csr
    openssl x509 -req -days 3650 -in certreq.csr -signkey private.key -out self-signed.pem
    rm certreq.csr
    
  • View certificate details:
    openssl x509 -noout -text -in self-signed.pem
    

Google Apps’ video chat comes with secure Gmail sessions

The story was spread by all top tech blogs last week: Google’s Gmail now features a video chat. And it requires the installation of a dedicated plugin.

Alas, there is no such plugin for any other platform except “Windows XP and later” (according to the official website) and Macs (as read on the official blog). So it’s quite sad news for us Linux users. Indeed, I’m confident about a future seamless integration into the free software ecosystem, as Gmail’s video chat is based on a stack of open (or soon-to-be, according to the recent controversy) standards and protocols: XMPP/Jingle, h264/SVC & RTP.

Anyways, that’s not the main purpose of this post.

I just wanted to point out an update that was not reported by the news: as soon as it was officially made available to the public, the brand new video feature was released for Google Apps’ Gmail too.

Not only that, Google also backported to Apps’ Gmail the much awaited HTTPS option that allows you to force secure encryption of your sessions:

These two updates are quite interesting to note. As long as I remember (and I might be wrong), Google Apps components were always out-of-sync with their legacy equivalent. So this may be a sign of change in a really good direction for Google Apps users! :)