Add in apache2.conf
LimitRequestBody 100000000Update in php.ini
max_input_time = 300
max_execution_time = 300
post_max_size = 512M
upload_max_filesize = 512M
Restart Apache 2
SSL Labs is the effficient way to find which SSL protocols are enabled on your webserver.
Enter your website url and click on submit
https://www.ssllabs.com/ssltest/
It generated ssl scan report for your web application. You can check tls protocol enable/disable list.
If you want to scan tls protocol version on your local, Run following commands for different versions of tls.
tls 1 and tls 1.1 are vulnerable versions.
openssl s_client -connect app.localhost:443 -tls1
openssl s_client -connect app.localhost:443 -tls1_1
openssl s_client -connect app.localhost:443 -tls1_2
openssl s_client -connect app.localhost:443 -tls1_3
If tls 1 or tls 1.1 is enabled for your webserver but you are not getting results on command line, you need to make configuration changes in your openssl.cnf file.
Take backup of your /etc/ssl/openssl.cnf
sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bkup
Add this to the beginning of your config file /etc/ssl/openssl.cnf
openssl_conf = default_conf
And then this to the end:
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1
Now export path
export OPENSSL_CONF=/etc/ssl/openssl.cnf
Now check again
openssl s_client -connect app.localhost:443 -tls1
openssl s_client -connect app.localhost:443 -tls1_1
Now it should show enabled tls protocols on command line
You can disable these protocols in your webserver config.
If you get the error ngcc not found but you have already installed all required angular packages.
To solve the issue, run command
npm install @angular/compiler-cli --save
If npm takes registry url attribute from global npmrc config file and not from the file which is in your home directory then you want to modify global config npmrc but you can not update as you do not have root privileges.
You can set local registry url for your npm commands.
npm config set registry https://registry.npmjs.org/
Now the url which is mentioned in global npmrc file will not be effective and it downloads package from this url only.
When you close the terminal and open new terminal, you need to run this command every time. To get rid off this, you need to add this command in your ~/.bashrc file, now whenever you open terminal, this command will be executed automatically in the background.
Create another config file from openssl configuration file.
sudo cp /usr/lib/ssl/openssl.cnf /etc/ssl/app.localhost.cnf
Now copy below code in the respective section of copied configuration file /etc/ssl/app.localhost.cnf
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = app.localhost
DNS.2 = localhost
DNS.3 = app1.localhost
Uncomment line.
req_extensions = v3_req
Create CA Certificate :
openssl genrsa -aes256 -out ca.key.pem 2048
chmod 400 ca.key.pem
openssl req -new -x509 -subj "/CN=applocalhostca" -extensions v3_ca -days 3650 -key ca.key.pem -sha256 -out ca.pem -config /etc/ssl/app.localhost.cnf
openssl x509 -in ca.pem -text -noout
Create Server certificate signed by CA :
openssl genrsa -out app.localhost.key.pem 2048
openssl req -subj "/CN=app.localhost" -extensions v3_req -sha256 -new -key app.localhost.key.pem -out app.localhost.csr
openssl x509 -req -extensions v3_req -days 3650 -sha256 -in app.localhost.csr -CA ca.pem -CAkey ca.key.pem -CAcreateserial -out app.localhost.crt -extfile /etc/ssl/app.localhost.cnf
openssl x509 -in app.localhost.crt -text -noout
Now add ca.pem in chrome and firefox,
Chrome > privacy and security > security > manage certificates > authority
firefox > privacy and security > view certificates > authority
Use these crt and key in web server as ssl certificates.
Now open this virtualhost with https. Warning should not be appeared.
To get this, /usr/bin/sar should be installed. It is a default package.
cpu logs should be there in /var/log/sa folder in centos or redhat
If there is no /var/log/sa folder in ubuntu so the logs are stored in /var/log/sysstat. There is daily file of stored log.
usrname@hostname:~/Desktop$ ls /var/log/sysstat
sa09 sa10 sa11 sa12 sa13 sa14 sa15 sar09 sar10 sar11 sar13 sar14
You can find last 30 days logs here.
Suppose To check the logs of 15th, run command
sar -f /var/log/sysstat/sa15
CPU %user %nice %system %iowait %steal %idle
11:45:01 AM IST all 15.59 1.82 3.71 2.11 0.00 76.77
11:55:02 AM IST all 14.55 0.00 3.59 3.55 0.00 78.31
12:05:01 PM IST all 14.24 0.00 3.30 0.71 0.00 81.75
12:15:01 PM IST all 14.06 0.00 3.31 0.58 0.00 82.06
12:25:02 PM IST all 14.02 0.00 3.39 0.88 0.00 81.71
12:35:01 PM IST all 15.12 0.00 3.32 0.79 0.00 80.77
12:45:01 PM IST all 13.96 0.00 3.36 1.09 0.00 81.59
12:55:02 PM IST all 12.23 0.06 3.13 2.70 0.00 81.87
01:05:01 PM IST all 2.12 0.00 1.00 0.56 0.00 96.32
01:15:01 PM IST all 10.70 0.00 3.49 2.65 0.00 83.16
01:25:01 PM IST all 13.24 0.03 3.99 2.80 0.00 79.94
01:35:01 PM IST all 11.66 0.04 3.39 3.13 0.00 81.78
You will get the cpu usage of complete day. Above is a part of the output.
If logs are not stored, active enabling the flag in file.
sudo nano /etc/default/sysstat
ENABLED="true"
Restart service
sudo systemctl restart sysstat.service
Steps :
sudo apt install libnss3-tools -y
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64
sudo cp mkcert-v1.4.3-linux-amd64 /usr/local/bin/mkcert
sudo chmod +x /usr/local/bin/mkcert
mkcert -install
Now use your virtualhost name in the below command instead of app.localhost. You can generate same certificate for multiple virtualhosts. Add multiple virtualhosts space separated in the below command.
mkcert app.localhost localhost 127.0.0.1
Use certificates in Apache ssl config, and restart Apache. Now open localhost and other virtualhosts in the browser. it should be secured.
