Generate a SHA-2 CSR on Windows Server

Most IT people know about the need to use the SHA-2 hash algorithm when creating new CSRs for SSL certificates. But many of the Windows servers out there do not default to this hash and will generate a CSR based on SHA-1.

Here is a great article on how to generate the proper CSR using the Windows Certificates MMC snap-in.

How to create SHA2 CSR on windows server

 

http://day.ir/en-us/articles/ssl/create-csr-sha2-algorithm

 

PHPMyAdmin – MySQL administration page

The main admin page for MySQL is phpMyAdmin. It is secured through a local firewall of sorts in the form of the phpmyadmin.conf file. There are explicit “allow” and “deny” statements for IPs here. I was a firewall guy for many years and this is actually a great security method. Nice and simple. KISS!

Anyway, because of some limitations in Drupal regarding aggregated news items, I need to have access to the SQL DB itself. I could do this via SQL statements from the command line, but for what I need to do I need to see the tables and prefer a nice GUI. And phpMyAdmin is a pretty nice GUI. Since I have my Drupal servers (S, Q and Prod) secured via SSL, there is no issue with changing the security from deny to allow for any host other than localhost.

<Directory /usr/share/phpMyAdmin/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        <RequireAny>
            Require ip 127.0.0.1
            Require ip ::1
        </RequireAny>
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        # Deny from All
        Allow from All
        Allow from 127.0.0.1
        Allow from ::1
    </IfModule>
</Directory>

This reflects the change that I made. Look at the # in front of the deny statement and the addition of the allow all statement. That’s all you need. BUT, make sure to have SSL enabled to protect your MySQL password.

SSL on Production

I was able to install the SSL cert on prod in less than 5 minutes. That is the advantage of setting up a quality environment that truly matches prod; you can make the prod changes so easily and help keep your prod environment pristine.

Now back to the multilingual stuff. I hate to get distracted but I really hate creds in clear text. SSL had to be done.

SSL, Linux and you

Today I am going to place an SSL cert on my quality site and then, following change management BPs, my prod site.

I’ve worked with SSL for years in the corporate environment and it is relatively easy to do, and simpler than a lot of people realize. You don’t need to spend four figures with VeriSign to leverage SSL. SSL can be free, and the only trade-off is that you’ll need to install the cert in your local store (not hard to do at all) so that your browser will recognize and trust it, or just deal with a message that the cert may not be valid because it doesn’t “chain” in the local store.

Here’s one good link:

http://slacksite.com/apache/webserver.php

http://wiki.centos.org/HowTos/Https – this is applicable to CentOS, which is what I am using in qual/prod

If you want to see all the certs in your local store, you can do it with the Certificates snap-in for the MMC on your Windows box. I won’t go into all the steps, but if someone has questions, post and I’ll help.

The bottom line is, use SSL. You don’t want to use a user name and password field over port 80. That is just inviting trouble. And even the cheap certs like DigiCert are fine. With VeriSign, you’re paying for a cert that will be recognized by as many browsers worldwide as possible. And you’re paying for their customer service, which is really good. If your site will be local to the US, buy a cheap cert and use it.