Please NOTE correction for port 443 (rather than 80) below in the port forwarding section of the HowTo:

<<SNIP>
>> Hi,
>>
>> Using Ubuntu 10.04 LTS.
>>
>> I have an intranet server behind a NAT router. Very standard linksys
>> router home setup. The server has a static IP. I used port forwarding in
>> the router to use SSH and log into the server remotely - it works OK.
>>
>> I want no one outside my home network to access any webpages on the
>> server unless they're authenticated.. I know I could port forward like
>> with ssh but with http port 80 and then see webpages , but again this
>> would open it up to anyone with my cable modem's IP - wouldn't it?
>>
>> I need a secure way like SSH that requires a password before anyone
>> could access port 80 and http from the server from a remote network.
>>
>> How do I do this? And on the local network people can get served pages
>> normally as usual. Just remote would need authentication. Must be
>> commonly done(?)

Here's your Step X Step How to:

0)  Configure DNS and URI port forwarding:

Set up a free DynDNS.org WebHop using something like https://leegold.homelinux.org which allows you to use custom URI forwarding with an alternate port so your friends don't have to use something horrible like https://198.23.22.13:8001/secret/index.htm.

1) Set up port forwarding:

Configure your router to port forward all port 8001 to port 443 on your local 192.168.n.n NAT network.

2) Configure your Authentication on Apache2:

On your Apache web server, add a .htaccess file to the subdirectory under your DocumentRoot (example= /var/www/htdocs/secret) for authentication following the Apache2 Howto: 

:: hacked-up excerpt::

Authentication example

If you jumped directly to this part of the document to find out how to do authentication, it is important to note one thing. There is a common misconception that you are required to use .htaccess files in order to implement password authentication. This is not the case. Putting authentication directives in a <Directory> section, in your main server configuration file, is the preferred way to implement this, and .htaccess files should be used only if you don't have access to the main server configuration file. See above for a discussion of when you should and should not use .htaccess files.

Having said that, if you still think you need to use a .htaccess file, you may find that a configuration such as what follows may work for you.

You must have "AllowOverride AuthConfig" in effect for these directives to be honored.

.htaccess file contents:

AuthType Basic
AuthName "Password Required"
AuthUserFile /www/passwords/password.file
AuthGroupFile /www/passwords/group.file
Require group admins

Note that AllowOverride AuthConfig must be in effect (in your httpd.conf or apache2.conf in /etc/apache2 or /etc/httpd [depending on your distro]) for these directives to have any effect.

Please see the authentication tutorial for a more complete discussion of authentication and authorization.

::end hacked up excerpt::

This should work like a charm for you.

NOTE: If you are currently only running a port 80 system, you can do this also via port 80 and not install https 443 with a self signed server signature, as that might confuse some people with browser warnings.  Just substitute http for https in the first step and where we reference port 443, use port 80.  Port 80 authentication behind a NAT network is probably not secure enough.

One word of warning: HTTP Basic Auth passwords pass in very nearly plain text over the network, and thus are extremely insecure.

https://help.ubuntu.com/10.04/serverguide/C/httpd.html
::excerpt::

HTTPS Configuration

The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.

The mod_ssl module is available in apache2-common package. Execute the following command from a terminal prompt to enable the mod_ssl module:

sudo a2enmod ssl

There is a default HTTPS configuration file in /etc/apache2/sites-available/default-ssl. In order for Apache2 to provide HTTPS, a certificate and key file are also needed. The default HTTPS configuration will use a certificate and key generated by the ssl-cert package. They are good for testing, but the auto-generated certificate and key should be replaced by a certificate specific to the site or server. For information on generating a key and obtaining a certificate see the section called “Certificates”

To configure Apache2 for HTTPS, enter the following:

sudo a2ensite default-ssl
[Note]

The directories /etc/ssl/certs and /etc/ssl/private are the default locations. If you install the certificate and key in another directory make sure to change SSLCertificateFile and SSLCertificateKeyFile appropriately.

With Apache2 now configured for HTTPS, restart the service to enable the new settings:

sudo /etc/init.d/apache2 restart

::end excerpt::
Hints from experience: Do not use a passphrase for your self-signed certificate, since you would have to add an additional step so you don't have to manually add that phrase every time you restart your server.
 

 
SNIP

--
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice


HomeSmartInternational.com
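
The setup asked for in the quoted question (password for remote visitors, none for the local network), written as <Directory> sections in the main configuration as the excerpt recommends. This is an added example, not part of the original message; it uses Apache 2.2 syntax (the version Ubuntu 10.04 ships) and assumes the LAN is 192.168.1.0/24 and that the port 80 site file is /etc/apache2/sites-available/default.

```apache
# Added example. Assumed values: LAN subnet 192.168.1.0/24.
# Paths and the "admins" group are the ones used in the message above.

# --- In /etc/apache2/sites-available/default-ssl (port 443 vhost) ---
# This is the vhost the router forward (8001 -> 443) exposes to the Internet,
# so Basic Auth credentials only ever travel inside TLS.
<Directory /var/www/htdocs/secret>
    # Auth lives here, so ignore any .htaccess in this tree.
    AllowOverride None

    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /www/passwords/password.file
    AuthGroupFile /www/passwords/group.file
    Require group admins

    # Host-based rule: only LAN addresses pass without a password.
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    # Either the host rule OR a valid login is sufficient.
    Satisfy Any
</Directory>

# --- In /etc/apache2/sites-available/default (port 80 vhost) ---
# No auth directives here: a password is never requested over plain HTTP.
# LAN clients are served as usual; anything else is refused outright.
<Directory /var/www/htdocs/secret>
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>
```

After a reload, check the access log from a remote connection: if the router rewrites the source address of forwarded traffic to its own LAN address, remote clients would match the Allow line, and the host-based exemption should be dropped.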















> On Thu, Jun 30, 2011 at 5:22 PM,<leegold@speedymail.org>  wrote:


