Secure outside access to orbiter - HTTPS or VPN?

[purps]

Hello all,

I've read various threads about secure outside access, which have lead me to the following two wiki pages...
http://wiki.linuxmce.org/index.php/HTTPS
http://wiki.linuxmce.org/index.php/VPN

...is there a better one to use? Which is easiest to set up?

Cheers,
Matt.

[merkur2k]

https is going to be more compatible with more devices (thinking mobile phones and such here) but vpn is more secure.
for the current incarnation of the touch orbiter a vpn will be easier since each proxy orbiter uses its own port, but this is stuff that we are thinking about and will be addressing.

[purps]

Thanks for the reply!

I'm talking specifically about using the web orbiter from my phone (by pointing my browser towards  http://<core_wan_ip>/lmce-admin/weborbiter.php) when I'm away from home. So HTTPS then? Is the HTTPS wiki page still relevant? http://wiki.linuxmce.org/index.php/HTTPS

[merkur2k]

probably, though it will most likely get reverted with updates and need to be reapplied in part or whole.

[purps]

OK cool, thanks.

On the wiki...

"We start by creating a new password file (-c option) and adding a user (linux) with a password (test) to the password file:

Code: [Select]

htpasswd -bc /etc/apache2/httpd.passwd linuxmce test"

In the above example, is linuxmce supposed to be the username? Is this the username and password that I installed kubuntu with, or the LMCE user name? Or can it be something else completely?

Cheers,
Matt.

[pw44]

This will bring you a pop up asking for user name name and password and after validated you gain access to the webpage.
The user and password can be as you choose and are not related with linux or linuxmce usernames and passwords.

[purps]

That's good to know, thank you.

The only other part that is confusing me (for) now is...

"Make sure that "Common Name (eg, YOUR name)" matches the registered fully qualified domain name of your box (or your IP address if you don't have one)."

...would the IP be 192.168.80.1, or the external one? Or is it as simple as just writing "dcerouter" for "Common Name (eg, YOUR name)"?

And how does this fit into "ServerName linuxmce.yourdomain.com"? I don't understand the difference between "ServerName" and "yourdomain".

Cheers,
Matt.

[pw44]

"Make sure that "Common Name (eg, YOUR name)" matches the registered fully qualified domain name of your box (or your IP address if you don't have one)."

This is for your SSL certificate. If your box have the FQDN purps.homeunix.org, i.e, then you will define the Common name as purps.homeunix.org. You will also need to enable incoming requests on port 443 or another one you choose for https protocol listening.

...would the IP be 192.168.80.1, or the external one? Or is it as simple as just writing "dcerouter" for "Common Name (eg, YOUR name)"?

External. You will have the external access, so the SSL certificate common name will match your outside FQDN, defined by your ISP  or the one you have from a DDNS service.

And how does this fit into "ServerName linuxmce.yourdomain.com"? I don't understand the difference between "ServerName" and "yourdomain".

Your https server also needs to know its FQDN name.
In yout httpd.conf file, insert the following entry: ServerName purps.homeunix.org (if this is your FQDN), and restart your apache.

Paulo

[purps]

OK, I think I am with you so far, I appreciate your help.

How do I go about finding out my FQDN? I haven't fiddled with anything network related, internal or external, everything is standard/default.

[wierdbeard65]

Hi Purps,

Your FQDN is whatever you type into your browser to hit your webpage, so it's probably set up with either your ISP (if you have a fixed IP address) or with a dynamic DNS provider of some kind.

In essance, when you go to a webpage using SSL (https), the webpage sends some information, called a certificate, to "prove" who it is. The name on the certificate needs to match what you entered into the browser otherwise you get a warning about certificates and, depending on the browser, you may not be able to proceed (some browsers allow you to ignore certificate errors).

This is to prevent websites spoofing each other and is designed to protect Joe Public from, amongst other things, internet scams.

When I hit a page like "www.mybank.com", if the certificate says "www.scambank.com" then the browser will complain and warn me. When you set up a website, you obtain a certificate from someone called a certificate authority (like Varisign) who confirm that you are who you say you are. If you create your own certificate (known as self-signing) then you get a warning (from your browser) that the certificate cannot be checked (a different error!).

If you are interested in the whole process, I can recmmend a book called "The Code Book" by Simon Singh, who explains it all VERY clearly!


I hope this helps.

[purps]

Thanks for the reply.

Your FQDN is whatever you type into your browser to hit your webpage, so it's probably set up with either your ISP (if you have a fixed IP address) or with a dynamic DNS provider of some kind.

Well the web page in question is the web orbiter, so "http://<core_wan_ip>/LinuxMCE-admin/weborbiter.php" is the FQDN? That doesn't appear to be in the same "format" that Paulo was talking about, which was "purps.homeunix.org" (but I assume this is just an example).

Or have I got the wrong end of the stick completely?

Cheers,
Matt.

[wierdbeard65]

Well, I've never tried using an IP address as a Certificate subject. but I don't see why it wouldn't work. - The quote from the Wiki would certainly suggest so!

Most people use DNS for one of two reasons...

1) It's just easier to remember.
2) You can change the IP address without having to change your links (or in this case, your certificate).

If you have a fixed IP, then 2) won't be an issue for you, if not then I suggest you explore one of the Dynamic DNS services out there. I have used DynDNS in the past, I'm guessing homeunix.org is another.

[purps]

I am beginning to think that I have missed something here, namely getting DNS sorted - is this not part of my normal, default LMCE installation then? Do I have to register with DynDNS or homeunix.org before I do anything else?

I do know that I am not using a static IP.

[wierdbeard65]

AFAIK no, MCE does not do this for you.

Most people don't need a DNS entry for home systems (LinuxMCE or otherwise) because most people don't want inbound access from outside.

If you are running servers that you want to see from outside (in your case a webserver) then you need to set up the ability to find your server from an outside location.

If your IP keeps changing (which it might if you don't have one staticlly assigned) then you need to set up a Dynamic DNS service. They are easy to use and usually free

Just Google "Dynamic DNS".....

[merkur2k]

yes, if you want to use a hostname then you need to register with one of those dynamic dns providers.
note that there is no hard rule that the fqdn in the cert matches the address you type in, you will just get a warning in the browser if it doesnt.