Multiple SSL Certificates on a Single IP Using Nginx

SNI (Server Name Indication) allows you to host multiple SSL certificates on a single IP address. Although hosting several sites on a single virtual private server is possible with virtual hosts, providing a separate SSL certificate for each site traditionally required separate IP addresses. SNI simplifies this by sending the site visitor the certificate that matches the requested server name.

Requirements

1. Domain names should be registered in order to serve the certificates by SNI.

2. Root privileges on the server.

3. Nginx should already be installed and running on your VPS.

To install Nginx:

# sudo apt-get install nginx

4. Make sure that SNI is enabled on the server:

# nginx -V

This displays the nginx version and build details, including the SNI status (look for the line "TLS SNI support enabled").

Set up

1. Create the SSL certificate Directory

For illustration, I will set up a server that hosts both example.com and example.org.

The SSL certificate has two main parts: the certificate itself and the public key. We should create a directory for each virtual host's SSL certificate.

# mkdir -p /etc/nginx/ssl/example.com
# mkdir -p /etc/nginx/ssl/example.org

2. Create the Server Key and Certificate Signing Request

First, we create the SSL certificate for example.com:

# cd /etc/nginx/ssl/example.com

Now, create the private server key. You will be asked to enter a passphrase, which is needed later to access the certificate.

# sudo openssl genrsa -des3 -out server.key 2048

Create the certificate signing request:

# sudo openssl req -new -key server.key -out server.csr

The terminal will then display a list of fields that need to be filled in.

3. Remove the Passphrase

We need to remove the passphrase. Although having the passphrase in place does provide heightened security, the issue starts when one tries to reload nginx. In the event that nginx crashes or needs to reboot, you will always have to re-enter your passphrase to get your entire web server back online.

# sudo cp server.key server.key.org
# sudo openssl rsa -in server.key.org -out server.key
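
With the passphrase removed, file permissions are the only protection left on server.key, and server.key.org remains on disk as a second copy. The audit script below is an added example, not part of the original tutorial; it assumes the /etc/nginx/ssl/<site>/ layout used here and judges encryption from the PEM headers alone.

```shell
#!/bin/sh
# Added example: audit private keys laid out as <dir>/<site>/server.key[.org].

# Print "encrypted" or "plaintext", judged from the PEM headers alone.
# Traditional RSA PEM marks encryption with a Proc-Type header; PKCS#8 uses
# a distinct BEGIN ENCRYPTED PRIVATE KEY banner.
key_state() {
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
    then echo encrypted
    else echo plaintext
    fi
}

# Succeed only if group and others have no permission bits on the file.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# List every key with its state and permissions; fail if any key is exposed.
audit_keys() {
    dir=${1:-/etc/nginx/ssl}
    exposed=0
    for key in "$dir"/*/server.key "$dir"/*/server.key.org; do
        [ -f "$key" ] || continue
        if owner_only "$key"; then perms=owner-only; else perms=EXPOSED; exposed=1; fi
        echo "${key}: $(key_state "$key"), ${perms}"
    done
    return "$exposed"
}

# Run the audit only when a directory is given, e.g.: sh audit.sh /etc/nginx/ssl
if [ "$#" -gt 0 ]; then audit_keys "$1"; fi
```

A plaintext key reported as EXPOSED can be tightened with chmod 600.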

4. Sign your SSL Certificate

# sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This certificate will expire after one year.

We are done with the certificate for the first host.

To create the certificate for the second host, switch to its directory:

# cd /etc/nginx/ssl/example.org

Repeat the previous three steps for the second certificate. Once it is finished, we can start adding the certificates to your virtual hosts.

5. Create the Virtual Hosts

Once the certificates are saved, we can add our information to the virtual host files.

Each file will then contain the virtual host configuration as follows:

server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name example.com;

    root /usr/share/nginx/www;
    index index.html index.htm;

    ssl_certificate /etc/nginx/ssl/example.com/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/server.key;
}

Make sure that you have updated server_name, ssl_certificate, and ssl_certificate_key lines to match your details.

Do the same for the second host:

# sudo nano /etc/nginx/sites-available/example.org

server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name example.org;

    root /usr/share/nginx/www;
    index index.html index.htm;

    ssl_certificate /etc/nginx/ssl/example.org/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.org/server.key;
}

6. Activate the Virtual Hosts

Now, activate the hosts by creating a symbolic link between the sites-available directory and the sites-enabled directory.

# sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
# sudo ln -s /etc/nginx/sites-available/example.org /etc/nginx/sites-enabled/example.org

7. Restart nginx

# sudo service nginx restart

You should now be able to access both sites, each with its own domain name and SSL certificate.
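
To confirm that SNI is selecting the certificate, request each name from the same IP and compare the Common Name that comes back. The script below is an added example, not part of the original tutorial; it assumes the openssl command-line client is installed, that nginx listens on port 443, and that each self-signed certificate was created with its domain entered as the Common Name.

```shell
#!/bin/sh
# Added example: confirm that one IP returns a different certificate per SNI name.

# Extract the last CN from an "openssl x509 -subject" line. Handles both the
# older "/C=US/CN=name" and the newer "C = US, CN = name" output styles.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Ask the server at $1 (host or IP) for the certificate it serves for SNI name $2.
served_subject() {
    openssl s_client -connect "${1}:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null
}

# Compare the requested name ($1) with the CN in the returned subject line ($2).
sni_verdict() {
    cn=$(subject_cn "$2")
    if [ "$cn" = "$1" ]; then
        echo "OK $1"
    else
        echo "MISMATCH $1 got ${cn:-none}"
    fi
}

# Usage: sh sni-check.sh <server-ip> example.com example.org
if [ "$#" -ge 2 ]; then
    ip=$1; shift
    for name in "$@"; do
        sni_verdict "$name" "$(served_subject "$ip" "$name")"
    done
fi
```

A MISMATCH for one of the names usually means nginx fell back to its default server block for that request.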

Automating Linux Anti-Virus Using ClamAV and Cron

Clam AntiVirus (ClamAV) is a free, cross-platform antivirus toolkit able to detect many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner. The application was developed for Unix and has third-party versions available for AIX, BSD, HP-UX, Linux, Mac OS X, OpenVMS, OSF (Tru64) and Solaris. In this section we automate the entire ClamAV process using a cron job. We are using the Red Hat Enterprise Linux platform to test this.

Step 1: Install ClamAV

We can use the yum command to install ClamAV on the server.

# yum install clamav clamav-db clamd

Start ClamAV by typing the command below.

# /etc/init.d/clamd start

This automatically sets up a daily cron job which runs freshclam to update virus definitions.

Step 2: Create a new cron job to run daily virus scans

First, we need to create a file named clamscan_daily in the cron.daily folder to hold our script; all files and scripts in this folder run automatically every day.

# vi /etc/cron.daily/clamscan_daily

Paste the script below into the file and save it.

#!/bin/bash

# Email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"

# Email To ?
EMAIL="alert@domain.com"

# Log location
LOG=/var/log/clamav/scan.log

check_scan () {
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    # -w matches 0 only as a whole word, so counts such as 10 or 20 are not filtered out.
    if [ `tail -n 12 ${LOG} | grep Infected | grep -vw 0 | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >> ${EMAILMESSAGE}
        echo "From: alert@domain.com" >> ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        # A blank line separates the mail headers from the body
        echo "" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        sendmail -t < ${EMAILMESSAGE}
        rm -f ${EMAILMESSAGE}
    fi
}

# Run the scan, then check the summary it appended to the log
clamscan -r / --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

Step 3: Set proper permissions on the file

# chmod +x /etc/cron.daily/clamscan_daily

These steps set up automated ClamAV scans on the server, and reports are sent directly to the email address given in the script.
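
The alert depends on reading the "Infected files:" count out of the scan summary. Filtering that line with a plain grep -v 0 treats 10 or 20 infections as clean, so the added example below (not part of the original script) parses the number instead and compares both approaches on constructed log samples.

```shell
#!/bin/sh
# Added example: read the infected count from the last clamscan summary.

# Print the number from the last "Infected files: N" line in a log.
infected_count() {
    awk -F': *' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

# Succeed (exit 0) when the latest scan found at least one infected file.
scan_needs_alert() {
    [ "$(infected_count "$1")" -gt 0 ]
}

# Naive variant: dropping every line that contains a "0" also drops 10, 20, 105...
naive_needs_alert() {
    [ $(tail -n 12 "$1" | grep Infected | grep -v 0 | wc -l) -ne 0 ]
}

# Constructed sample: write a clamscan-style summary with the given count.
# $1 = file to write, $2 = infected count
write_sample_log() {
    cat > "$1" <<EOF
/home/demo/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1000000
Scanned directories: 12
Scanned files: 340
Infected files: $2
Data scanned: 25.10 MB
Time: 61.204 sec (1 m 1 s)
EOF
}

# Compare both checks on summaries reporting 0, 3 and 10 infected files.
demo() {
    log=$(mktemp)
    for n in 0 3 10; do
        write_sample_log "$log" "$n"
        scan_needs_alert "$log" && a=alert || a=quiet
        naive_needs_alert "$log" && b=alert || b=quiet
        echo "infected=$n parsed=$a naive=$b"
    done
    rm -f "$log"
}
demo
```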

How to fix – Error: Account Creation Status: failed, mysql user with the name already exists

While restoring a cPanel account from one server to another, you may encounter the following error, where we take 'dbuser' as the user name in question: Account Creation Status: failed (Sorry, a mysql user with the name already exists)

To delete the user:

Log in to MySQL and follow these steps:

# mysql

mysql> use mysql;

mysql> drop user dbuser@localhost;

OR

mysql> delete from mysql.user where user='dbuser';

mysql> flush privileges;

You can also check for the user with:

mysql> select User, Host from user where User like 'dbuser';

Here dbuser is the user mentioned in the error.

If the steps above do not fix the issue, please follow the steps below.

Check for entries for that username in the following files and, if there are any, remove them.

/var/cpanel/databases/users.db

/etc/dbowners

After removing these entries, execute the following command.

userdel -f username

How to mount DVD or CDROM in Linux

DVDROM (Digital Versatile Disk Read-only memory) and CDROM (Compact Disc Read-only memory) are optical storage devices to store your data for future uses or for backups.

Many people use these disks to store movies, photos etc. By default, many older Linux machines will not let you see their content, because the disks are not mounted automatically. We have to mount them properly so that we can access their content.

There are many ways to mount CDROMs/DVDROMs. One of the classic ways is to use the mount command, which is available in Linux. Before mounting a CDROM or DVDROM, we have to check which device file corresponds to our disk drive. If you have a DVD drive, you should see a /dev/dvdrom or /dev/dvd-rw file. If you have a CD drive, you should find a /dev/cdrom or /dev/cdrw file. Once you have confirmed your device, use one of the commands below, depending on your device name.

If your device is only a CD reader, use the command below:

# mount -t iso9660 /dev/cdrom /media/

If your device is a CD reader/writer, use the command below:

# mount -t iso9660 /dev/cdrw /media/

If your device is a DVD reader, use the command below:

# mount -t iso9660 /dev/dvdrom /media/

If your device is a DVD writer, use the command below:

# mount -t iso9660 /dev/dvd-rw /media/

Now let us see what this command means:

mount is the command used to mount devices, files etc. on a Linux/Unix box.

-t is the option that specifies the format of the device, here iso9660. This is the format in which data is written to the disc.

/dev/dvd-rw is the DVD writer present in your machine.

/media is the point where you are going to mount your device. Once you cd to /media you can see the content of the DVD.

Note: Sometimes you will not see the /dev/cdrom, cdrw, dvd or dvd-rw files. In that case the drive is associated with /dev/hdb, /dev/hdc etc.

We can also make the mount permanent by using the fstab file.