1. Web server (Apache) SSL conversion
The ports can be further updated with FreeBSD's periodic job settings.
Install certbot via pkg, and include a plugin for apache to update in webroot mode.
1.1 Installing the Certbot tool for Let's Encrypt
Run the following command to install the Certbot package and the Apache HTTP plug-in
|
1 |
# pkg install py39-certbot py39-certbot-apache |
1.2 Apache Configuration File Editing
①Enable mod_ssl module
https port added
|
1 2 3 4 5 6 7 8 9 10 |
# vi /usr/local/etc/apache24/httpd.conf Per Line52 : Add Listen 443 Per Line92 : Uncomment LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so Per Line148 : Uncomment LoadModule ssl_module libexec/apache24/mod_ssl.so |
1.3 Enable Rewrite module
Necessary to change URL when redirecting from HTTP to HTTPS
|
1 2 3 4 |
# vi /usr/local/etc/apache24/httpd.conf Per Line 181 : Uncomment LoadModule rewrite_module libexec/apache24/mod_rewrite.so |
Apache24 restart
|
1 |
# service apache24 restart |
1.4 Obtaining a Let's Encrypt Certificate
①As with FreeBSD13.2, I tried to get it with the following command, but I got the following error and it would not load the ssl module, so I had no choice but to use the method ➁.
Unable to read ssl_module file; not disabling session tickets.
|
1 |
# certbot --apache -d [FQDN] |
➁To obtain a certificate covering only a single domain [FQDN], execute the following certbot command
This time we will use the --standalone option, so we will stop apache once.
|
1 |
# service apache24 stop |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# certbot certonly --standalone -d [FQDN] Saving debug log to /var/log/letsencrypt/letsencrypt.log Unable to read ssl_module file; not disabling session tickets. Requesting a certificate for [FQDN] Successfully received certificate. Certificate is saved at: /usr/local/etc/letsencrypt/live/[FQDN]/fullchain.pem Key is saved at: /usr/local/etc/letsencrypt/live/[FQDN]/privkey.pem This certificate expires on 2024-02-16. These files will be updated when the certificate renews. NEXT STEPS: - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions. We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
apache24 start
|
1 |
# service apache24 start |
1.5 Editing the Apache Configuration File
①/usr/local/etc/apache24/extra/httpd-ssl.conf Editing
Copy httpd-ssl.conf and create bsd-httpd-ssl.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
# cp /usr/local/etc/apache24/extra/httpd-ssl.conf /usr/local/etc/apache24/extra/bsd-httpd-ssl.conf # vi /usr/local/etc/apache24/extra/bsd-httpd-ssl.conf Line 36 : comment #Listen 443 From line 121. <VirtualHost _default_:443> # General setup for the virtual host DocumentRoot "/usr/local/www/apache24/data/[FQDN]" ServerName [FQDN]:443 ServerAdmin [mail address] ErrorLog "/var/log/httpd-error.log" TransferLog "/var/log/httpd-access.log" CustomLog "/var/log/httpd/httpd-ssl-access.log" combined #SSLCertificateFile "/usr/local/etc/apache24/server.crt" SSLCertificateFile "/usr/local/etc/letsencrypt/live/[FQDN]/fullchain.pem" #SSLCertificateKeyFile "/usr/local/etc/apache24/server.key" SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/[FQDN]/privkey.pem" #SSLCertificateChainFile "/usr/local/etc/apache24/server-ca.crt" SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/[FQDN]/chain.pem" #CustomLog "/var/log/httpd-ssl_request.log" \ # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> |
➁Create a symbolic link for Apache to read bsd-httpd-ssl.conf
Include the *.conf file in the Includes directory
|
1 |
# ln -s /usr/local/etc/apache24/extra/bsd-httpd-ssl.conf /usr/local/etc/apache24/Includes/bsd-httpd-ssl.conf |
1.6 Redirect HTTP communications to HTTPS
Create a new [.htaccess] file under [/usr/local/www/apache24/data/[FQDN]].
|
1 2 3 |
RewriteEngine on RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] |
2. Webmin Install
Webmin is a web browser-based tool for configuring Unix-like operating systems (OS) such as Linux. It allows users to make numerous changes to internal OS settings such as user and disk usage limits, services, configuration files, etc., and to modify and control many open source applications such as Apache, PHP, MySQL, and others.
Webmin is built primarily in Perl and runs as its own process and web server. By default, it communicates on TCP port 10000.
2.1 Install
No options
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# cd /usr/ports/sysutils/webmin/ # make install clean ===> Installing for webmin-2.013 ===> Checking if webmin is already installed ===> Registering installation for webmin-2.013 Installing webmin-2.013... After installing Webmin for the first time you should perform the following steps as root: * Configure Webmin by running /usr/local/lib/webmin/setup.sh * Add webmin_enable="YES" to your /etc/rc.conf * Start Webmin for the first time by running "service webmin start" The parameters requested by setup.sh may then be changed from within Webmin itself. ===> Cleaning for p5-Authen-PAM-0.16_2 ===> Cleaning for p5-IO-Tty-1.17 ===> Cleaning for webmin-2.013 |
2.2 setup
Logged-in user ; admin
Password ; Any(hyu6kon)
Others default to Enter
Initial setup.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
# /usr/local/lib/webmin/setup.sh *********************************************************************** Welcome to the Webmin setup script, version 2.013 *********************************************************************** Webmin is a web-based interface that allows Unix-like operating systems and common Unix services to be easily administered. Installing Webmin in /usr/local/lib/webmin *********************************************************************** Webmin uses separate directories for configuration files and log files. Unless you want to run multiple versions of Webmin at the same time you can just accept the defaults. Config file directory [/usr/local/etc/webmin]: Log file directory [/var/db/webmin]: *********************************************************************** Webmin is written entirely in Perl. Please enter the full path to the Perl 5 interpreter on your system. Full path to perl (default /usr/local/bin/perl): Testing Perl .. .. done *********************************************************************** Operating system name: FreeBSD Operating system version: 14.0 *********************************************************************** Webmin uses its own password protected web server to provide access to the administration programs. The setup script needs to know : - What port to run the web server on. There must not be another web server already using this port. - The login name required to access the web server. - The password required to access the web server. - If the web server should use SSL (if your system supports it). - Whether to start webmin at boot time. Web server port (default 10000): Login name (default admin): admin ←Logged in user Login password: ←password Password again: ←password again Use SSL (y/n): y ←yes *********************************************************************** Creating web server config files .. .. done Creating access control file .. .. done Creating start and stop init scripts .. .. done Creating start and stop init symlinks to scripts .. .. done Copying config files .. .. done Changing ownership and permissions .. .. done Running postinstall scripts .. .. done Enabling background status collection .. .. done |
2.3 Edit /etc/rc.conf
|
1 2 |
# sysrc webmin_enable=YES webmin_enable: -> YES |
Webmin logs are
/var/log/webmin/miniserv.error
/var/log/webmin/miniserv.log
2.4 Start
The startup script is /usr/local/etc/rc.d/webmin
|
1 2 3 |
# service webmin start Starting webmin. Starting Webmin server in /usr/local/lib/webmin |
2.5 Login
Open port 10000 on the Firewall in advance.
Router needs to be changed if connecting from outside
With a browser
Access https://<server domain> or <IP address>:10000/ to display the login screen.
Log in with the user and password you have set.
Webmin main screen
Click [Webmin] - [Change Language and Theme] in the left menu, and change to Japanese from [Personal choice] in the right pane.
The menu has been changed to Japanese.
