|
|
|
@ -78,8 +78,12 @@ II. cp device.key /etc/ssl/private/ssl-cert-snakeoil.key |
|
|
|
cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem |
|
|
|
|
|
|
|
III. a2enmod ssl; |
|
|
|
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above) |
|
|
|
a2ensite default-ssl.conf; (standard on debian-based distributions) |
|
|
|
add certs to the SSLCertificateFile and SSLCertificateKeyFile directives in default-ssl.conf |
|
|
|
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem |
|
|
|
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key |
|
|
|
a2dissite 000-default.conf; |
|
|
|
service apache2 restart |
|
|
|
|
|
|
|
In the Chromium broswer: chrome://settings/certificates |
|
|
|
Choose IMPORT in AUTHORITIES |
|
|
|
@ -230,6 +234,38 @@ SPECIAL NOTES |
|
|
|
including transaction_log.php, perhaps with the exclusion of certain reports that should only be available |
|
|
|
to the volunteer coordinator. |
|
|
|
|
|
|
|
https://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements provides good details how this is done: |
|
|
|
|
|
|
|
E.g., we want paid_members.php to be accessible via a completely different password under Apache for our paid members team: |
|
|
|
|
|
|
|
<FilesMatch "\.(php|paid_members\.php)$"> |
|
|
|
SSLOptions +StdEnvVars |
|
|
|
</FilesMatch> |
|
|
|
<Directory /var/www/html/js> |
|
|
|
Order allow,deny |
|
|
|
Allow from all |
|
|
|
Satisfy any |
|
|
|
</Directory> |
|
|
|
<Directory /var/www/html/css> |
|
|
|
Order allow,deny |
|
|
|
Allow from all |
|
|
|
Satisfy any |
|
|
|
</Directory> |
|
|
|
<Directory /var/www/html> |
|
|
|
Authtype Basic |
|
|
|
Authname "Amazing Community Bike Shop Login" |
|
|
|
Require user someuser |
|
|
|
AuthUserFile /var/htpasswd |
|
|
|
</Directory> |
|
|
|
<Files "paid_members.php"> |
|
|
|
Authtype Basic |
|
|
|
Authname "Paid Members Login" |
|
|
|
Require user paid_members_team |
|
|
|
AuthUserFile /var/htpasswd |
|
|
|
</Files> |
|
|
|
|
|
|
|
How to get that working with keepass2 should be obvious. |
|
|
|
|
|
|
|
SUSPENDING COMPUTER |
|
|
|
|
|
|
|
Example commands that bring up the gui setting tool: |
|
|
|
@ -244,7 +280,7 @@ it is not always straight-forward, e.g., resetting the CMOS. |
|
|
|
|
|
|
|
GRUB2 PASSWORD PROTECT (mandatory) |
|
|
|
|
|
|
|
You don't want individuals casually booting into single mode or a shell, therefore, |
|
|
|
In order to prevent individuals from casually booting into single mode or a shell, |
|
|
|
password protecting GRUB with an encrypted password is mandatory. |
|
|
|
|
|
|
|
https://help.ubuntu.com/community/Grub2/Passwords gives good instructions |
|
|
|
@ -270,7 +306,7 @@ https://help.ubuntu.com/community/Grub2/Passwords gives good instructions |
|
|
|
|
|
|
|
5. update-grub2 |
|
|
|
|
|
|
|
SSD or HD Encryption (optional) |
|
|
|
SSD or HD ENCRYPTION (optional) |
|
|
|
|
|
|
|
If a sign-in computers unencrypted drive goes missing (or is stolen), it should (in most cases) |
|
|
|
be pretty obvious, and you would want to change YBDB's htpasswd and root password. However, if you |
|
|
|
|
Jonathan Rosenbaum
6 years ago