How to Set Up HTTPS (SSL Certificates) to Secure the PhpMyAdmin Login


To introduce this tip, let's sniff the HTTP traffic between a client machine and the Debian 8 server where, in our last article (Change and Secure the Default PhpMyAdmin Login URL), we made the innocent mistake of logging in with the database user's credentials.

As we mentioned in the previous tip, don't try this yet if you don't want to expose your credentials. To start sniffing the traffic, we typed the following command and pressed Enter:

# tcpdump port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

It won't take long to notice that the username and password were sent over the wire in plain text, as you can see in the trimmed tcpdump output in the image below.

Please note that we have hidden part of the root password with a blue mark over it:

To avoid this, let's secure the login page with a certificate. To do so, install the mod_ssl package on CentOS-based distributions:

# yum install mod_ssl

Although we will use Debian/Ubuntu paths and names, the same procedure is valid for CentOS and RHEL if you replace the commands and paths below with their CentOS equivalents.

Create a directory to store the key and the certificate:

# mkdir /etc/apache2/ssl    [On Debian/Ubuntu based systems]
# mkdir /etc/httpd/ssl      [On CentOS based systems]

Create the key and the certificate:

----------- On Debian/Ubuntu based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

----------- On CentOS based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
........................+++
.....................................................+++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint
Organizational Unit Name (eg, section) []:TecMint
Common Name (eg, your name or your server's hostname) []:TecMint
Email Address []:[email 

Next, verify the key and the certificate.

# cd /etc/apache2/ssl/   [On Debian/Ubuntu based systems]
# cd /etc/httpd/ssl/     [On CentOS based systems]
# ls -l

total 8
-rw-r--r--. 1 root root 1424 Sep  7 15:19 apache.crt
-rw-r--r--. 1 root root 1704 Sep  7 15:19 apache.key
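Before wiring the files into Apache it is worth confirming that the certificate really was issued for that private key, that it has not already expired, and that the key is not world-readable (the `ls -l` listing above shows apache.key as mode 0644). The following shell function is an added example, not part of the original article; it assumes only that `openssl` is in PATH and takes the key and certificate paths as arguments (the Debian/Ubuntu paths are shown in the usage comment; use /etc/httpd/ssl on CentOS).

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a self-signed
# key/certificate pair before Apache is configured to use it.
# Assumes: openssl in PATH; KEY and CERT are PEM files passed as arguments.

# check_ssl_material KEY CERT
# Returns 0 when the certificate's public key matches the private key and the
# certificate is still valid; also restricts the key to root-only access.
check_ssl_material() {
    key="$1"
    crt="$2"

    [ -r "$key" ] || { echo "missing key: $key" >&2; return 1; }
    [ -r "$crt" ] || { echo "missing certificate: $crt" >&2; return 1; }

    # Both commands emit the public key as SubjectPublicKeyInfo PEM, so a plain
    # string comparison tells us whether the certificate belongs to this key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot parse private key: $key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate: $crt" >&2; return 1; }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "key and certificate do NOT match" >&2
        return 2
    fi

    # -checkend 0 succeeds only while the certificate is still within its
    # validity period (the article's certificate is valid for 365 days).
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired" >&2
        return 3
    fi

    # Only root (which starts Apache and reads the key) needs access to it.
    chmod 600 "$key"
    echo "OK: $crt matches $key; $(openssl x509 -in "$crt" -noout -enddate)"
    return 0
}

# Usage with the article's Debian/Ubuntu paths:
# check_ssl_material /etc/apache2/ssl/apache.key /etc/apache2/ssl/apache.crt
```

A non-zero exit code distinguishes the failure modes (1: unreadable or unparsable file, 2: key/certificate mismatch, 3: expired certificate), so the function can gate a deployment script.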

On Debian/Ubuntu, make sure Apache listens on port 443 for the default site (/etc/apache2/sites-available/000-default.conf) and add the following 3 SSL-related lines inside the VirtualHost declaration:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

On CentOS-based distributions, tell Apache to listen on port 443 as well: look for the Listen directive inside /etc/httpd/conf/httpd.conf and add the following lines (the CentOS counterparts of the ones above) below it.

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
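To show how the three directives fit into a complete virtual host, here is an added example configuration for Debian/Ubuntu; it is not the article's own file. It assumes the key and certificate paths created above, the default DocumentRoot /var/www/html, and a placeholder hostname pma.example.com. Beyond the article's three lines it also redirects plain HTTP to HTTPS so the login form is never served over port 80, disables the legacy protocol versions, and sets an HSTS header (which requires `a2enmod headers`). On Debian, `a2enmod ssl` activates the `Listen 443` block in /etc/apache2/ports.conf; on CentOS use the /etc/httpd/ssl paths instead.

```apache
# Added example (not the article's own configuration).
# Assumed hostname: pma.example.com; paths as created in the article.

<VirtualHost *:80>
    ServerName pma.example.com
    # Never serve the login page over plain HTTP: send everything to HTTPS.
    Redirect permanent / https://pma.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName pma.example.com
    DocumentRoot /var/www/html

    # The three directives from the article.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    # Leave only TLS 1.2 and newer enabled.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Tell browsers to keep using HTTPS for this host (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=15768000"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Run `apache2ctl configtest` (or `apachectl configtest` on CentOS) after saving; it reports unreadable key or certificate files before a restart takes the site down.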

Save the changes and load Apache's SSL module on Debian/Ubuntu (on CentOS it was loaded automatically when you installed mod_ssl earlier):

# a2enmod ssl

To force phpMyAdmin to use SSL, make sure the following line is present in /etc/phpmyadmin/config.inc.php or /etc/phpMyAdmin/config.inc.php:

$cfg['ForceSSL'] = true;

and restart the web server:

# systemctl restart apache2   [On Debian/Ubuntu based systems]
# systemctl restart httpd     [On CentOS based systems]

Then launch your web browser and enter https:///my (learn how to change the PhpMyAdmin login URL) as shown below.

Important: note that the browser only reports the connection as not secure because we are using a self-signed certificate. Click Advanced and confirm the security exception:

After confirming the security exception, and before logging in, let's start sniffing both HTTP and HTTPS traffic:

# tcpdump port http or port https -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

Then log in with the same credentials as before. This time the sniffer captures nothing but gibberish:

That's it for now. In the next article we will show you how to restrict access to PhpMyAdmin with a username/password; until then, stay tuned to Tecmint.