Securing AllMon on VKLink nodes

By default the AllMon installation with VKNode is not encrypted.  What does this mean?  If your AllMon page is publicly accessible, you are sending your admin username and password over the internet in plain text, in the open, readable by anyone on the path between your browser and the node.  That’s bad.  Really bad.

This post will detail the steps required to secure your install so that all communication between your node and browser is encrypted.

Generate your SSL certificates

Let’s Encrypt is changing the world.  They offer free certificates with an amazing API that lets you easily automate the process of generation and renewal.

I use the acme.sh script to generate my keys.  Have a look at their documentation for how to generate keys in your scenario.  Because I don’t use port 80 or 443, I use the DNS challenge (a TXT record under the domain) rather than the HTTP challenge.

To start, install acme.sh.  (This pipes a script from the internet straight into your shell, which is how the project documents it; if that makes you uneasy, download it, read it, then run it.)

curl https://get.acme.sh | sh

Now generate a certificate.  Your DNS provider, and therefore the --dns hook, will no doubt be different.  Check the documentation.

.acme.sh/acme.sh --issue --dns dns_dreamhost -d domainname.com

Your certificates will be created in ~/.acme.sh/domainname.com/, in particular:

  • .acme.sh/domainname.com/domainname.com.key (the private key)
  • .acme.sh/domainname.com/domainname.com.cer (your certificate on its own)
  • .acme.sh/domainname.com/fullchain.cer (your certificate followed by the Let’s Encrypt intermediate; acme.sh writes this file too, and it is the one to hand to the web server)

Installing the certificates

We now need to concatenate the key and certificate chain into a single .pem file and install it in the config folder of lighttpd (the http server the install uses).  Use fullchain.cer rather than the bare domainname.com.cer: with only the leaf certificate lighttpd never sends the intermediate, and many clients then fail to validate the chain.  Note that plain `sudo cat a b > /etc/lighttpd/x.pem` does not work, because the redirection is opened by your unprivileged shell, not by sudo, so run the whole command as root.  The resulting file contains your private key, so make it readable by root only (mode 600).

sudo sh -c 'cat .acme.sh/domainname.com/domainname.com.key .acme.sh/domainname.com/fullchain.cer > /etc/lighttpd/domainname.com.pem'

At this point you should create a script to install the certificate, and add it as a daily cron job.  acme.sh installs its own daily cron entry that renews the certificate when it is close to expiry, so your script only has to copy the renewed files into place and restart lighttpd.  If you’d like an example, I have my script saved to GitHub.

Update lighttpd config

Add the following lines to the bottom of your /etc/lighttpd/lighttpd.conf.  On lighttpd 1.4.46 and later TLS lives in a separate module, so server.modules also needs "mod_openssl"; older versions have it built in.  If your lighttpd is old enough that it only reads the first certificate in ssl.pemfile, give it the intermediate separately via ssl.ca-file pointing at a root-readable copy of acme.sh’s ca.cer.  And once https works, stop serving AllMon on plain port 80 (or redirect it to https), otherwise one typed http:// URL sends the password in the clear anyway.

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/domainname.com.pem"
}

Restart lighttpd

sudo /etc/init.d/lighttpd restart
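Putting the install and restart steps above into something you can run unattended from cron, as an added example rather than the script from the post’s GitHub: it rebuilds the pem from acme.sh’s output, refuses a certificate whose public key does not match the private key, writes the pem atomically with mode 600, and only restarts lighttpd after its config test passes.  The domain, the acme.sh layout and the /etc/lighttpd path are the post’s; the ACME_HOME variable, the `run` argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own GitHub script: rebuild the lighttpd pem
# from what acme.sh issued and restart lighttpd, safely enough for cron.
set -eu

# Concatenate private key + full chain into the single pem lighttpd expects.
# Written to a temp file first and moved into place, so a failed run never
# leaves a truncated pem being served; mode 600 because it holds the key.
install_pem() {
    key="$1"; chain="$2"; dest="$3"
    if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
        echo "install_pem: missing or empty input ($key, $chain)" >&2
        return 1
    fi
    old_umask="$(umask)"
    umask 077                                   # temp file is never world-readable
    scratch="$(mktemp "${dest}.XXXXXX")"
    cat "$key" "$chain" > "$scratch"
    chmod 600 "$scratch"
    mv -f "$scratch" "$dest"
    umask "$old_umask"
}

# Refuse to install a cert whose public key does not match the private key
# (e.g. files left over from two different acme.sh runs). Needs openssl.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    cert_pub="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Test the config first, so a bad pem cannot take the server down on restart.
restart_lighttpd() {
    lighttpd -t -f /etc/lighttpd/lighttpd.conf >/dev/null
    /etc/init.d/lighttpd restart
}

# Entry point for cron: `sh renew-pem.sh run`, daily, as root. ACME_HOME must
# be the .acme.sh directory of the user who ran acme.sh (assumed layout).
# Only does work when acme.sh has written a newer chain than the pem in use.
if [ "${1:-}" = "run" ]; then
    acme_dir="${ACME_HOME:-$HOME/.acme.sh}/domainname.com"
    key="$acme_dir/domainname.com.key"
    chain="$acme_dir/fullchain.cer"
    pem="/etc/lighttpd/domainname.com.pem"
    if [ ! -e "$pem" ] || [ "$chain" -nt "$pem" ]; then
        key_matches_cert "$key" "$chain"
        install_pem "$key" "$chain" "$pem"
        restart_lighttpd
    fi
fi
```

A cron line such as `0 3 * * * ACME_HOME=/home/youruser/.acme.sh sh /root/renew-pem.sh run` (an assumed path) runs it nightly; because acme.sh only rewrites fullchain.cer when it actually renews, the script is a no-op on every other day and lighttpd is not restarted needlessly.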

Update AllMon files

While you can now connect to AllMon over https, the browser won’t show it as secure, because several of the files are hard-coded to load over http and the page is then flagged (or partly blocked) as mixed content.  We’ll need to change them.

Downloading remote files

For some inexplicable reason, the background image, logo and style-sheets are hosted on vklink.com.au.  As that server doesn’t support https (tut tut), we’ll need to download them locally.

cd /var/www
sudo mkdir css
sudo mkdir images
cd css
sudo wget http://vklink.com.au/css/allmon.css
cd ../images
sudo wget http://vklink.com.au/manual/images/vklinklogo.png
sudo wget http://vklink.com.au/images/bg.png

Change AllMon source files

We need to update the source files to point at the local copies, and switch whatever still has to be fetched remotely to https.

#change for files that are now local
sudo sed -i -e 's/http:\/\/vklink\.com\.au\///g' /var/www/header.php
sudo sed -i -e 's/http:\/\/vklink\.com\.au/../g' /var/www/css/allmon.css

#change http to https for remote files; anchor on "://" so existing https:// links don't become "httpss://" and http-equiv is left alone
sudo sed -i -e 's#http://#https://#g' /var/www/header.php
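The same rewrite as a function you can run over any of the AllMon files, with a check that nothing plain-http is left, as an added example that is not code from the post or from AllMon.  The naive `s/http/https/g` form is kept alongside only to show the failure mode it has: "http" is a prefix of "https", so links that are already secure come out as "httpss://" and http-equiv becomes https-equiv.  The vklink.com.au host and the local css/ and images/ paths are the post’s; the sample header fragment and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not AllMon's code: rewrite hard-coded URLs so the page loads
# over https without mixed content. Sample input is constructed for the demo.
set -eu

# The one-liner that bites: 'http' also matches inside 'https' and 'http-equiv'.
naive_upgrade() { sed -e 's/http/https/g' "$1"; }

# Safe form: first point files that are now served locally at relative paths,
# then upgrade only scheme prefixes. Anchoring on '://' cannot match https://.
rewrite_to_https() {
    sed -e 's#http://vklink\.com\.au/##g' \
        -e 's#http://#https://#g' "$1"
}

# In-place variant that does not rely on GNU sed -i and keeps the file's
# owner and mode (it overwrites the contents rather than replacing the inode).
rewrite_in_place() {
    scratch="$(mktemp)"
    rewrite_to_https "$1" > "$scratch"
    cat "$scratch" > "$1"
    rm -f "$scratch"
}

# Number of plain-http URLs left; the browser only shows the padlock at zero.
count_http_urls() { grep -o 'http://' "$1" | wc -l | tr -d ' '; }
```

Run `count_http_urls` over header.php (and any other file that embeds URLs) after the rewrite; anything still reported is a resource you either download locally, as done for the css and images above, or switch to an https source.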
