On Linux:
To make this tutorial easier to understand and as close as possible to a real scenario, we use the following initial parameters as an example:
Company access web login sub-domain: (unique per company)
mycompany-access.loginstep.com
Server allocated subdomain: (each install on a separate IP will get its own subdomain)
mycompany2.myaccessbox.com
AccessServer local http port:
1111
Nginx SSL port:
20443
Local Path shared:
/home/mycompany
Weblogin email address:
whatever@mycompany.com
Weblogin password:
mypassword
Let's begin the Setup.
Install .NET Core 2.0
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg
sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-xenial-prod xenial main" > /etc/apt/sources.list.d/dotnetdev.list'
sudo apt-get update
Sometimes you might get an error like: "E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem." If so, run the following command before continuing:
sudo dpkg --configure -a
sudo apt-get install dotnet-sdk-2.0.0
Download AccessServer
Edit Credential details and App Settings
sudo nano AccessServer.config
VERY important: you need to set up and run the app without SSL the first time!
AccessServer.config should look like this:
adr=http://*:1111
# adr=https://127.0.0.1:1111
# Setup Shared local Path
path=/home/mycompany
# your App domain
email=whatever@mycompany.com
pass=mypassword
# sslport=20443
Start the app (make sure you are in the folder where the app content is):
./start.sh
Or start the app with logging, so that you can use the logs to debug any problems:
./start_logging.sh
Run the following command to check whether the app is running:
ps aux|grep AccessServer
If the app is running, you should see something like this:
18580 0.0 10.5 2796700 52808 pts/0 SLl Sep07 0:00 dotnet AccessServerCore.dll
update-rc.d AccessServer enable
On the Web interface.
Log in using your credentials, then navigate to the admin panel (the icon at the top right of the screen).
In the admin area click Servers.
Type a label for your server (preferably something short that identifies the respective server).
From the dropdown, you can identify your new install by its IP/port combination and see the hostname (whatever-fs.myaccessbox.com) generated by the app. You will need this hostname when setting up SSL.
Select the newly detected server, and the necessary fields (hostname/port) will be auto-populated. If you translated the port when setting it up in your router, change the detected port to the port number you translated it to.
Click Save. If you see the success message and the server is listed below, you have done everything correctly. If you get an error message, please revisit the steps above and see where something went wrong.
Test your newly added server by going Home and browsing the content from that server.
You are good to go, using file transfer over HTTP!
If you are interested in transferring files over SSL, follow the tutorial below.
SSL on linux:
sudo apt-get install nginx
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
sudo nano /etc/nginx/sites-available/default
Replace the "_" in the line server_name _; with the generated subdomain. You can find it in the web interface, in the drop-down on the Servers page.
server_name mycompany2.myaccessbox.com;
Edit the location configuration to look like the example below:
location / {
    # Forward requests to the AccessServer app on its local HTTP port.
    # The default try_files line is removed here: it would answer 404
    # for every path that is not a file on disk instead of proxying.
    proxy_pass http://127.0.0.1:1111;
    proxy_redirect http://127.0.0.1:1111/ $scheme://$host:20443/;
}
Port 20443 is the new port on which the app will be reachable through Nginx with SSL.
After making all the edits above, save the config file.
Start Nginx
sudo systemctl reload nginx
Let's get an SSL certificate:
sudo certbot --nginx -d mycompany2.myaccessbox.com
In this process you need to:
Enter an email address
A to agree to the Terms of Service
Y or N to allow or not to share your email address with the Electronic Frontier Foundation
2 to Redirect - Make all requests redirect to secure HTTPS access.
Setting up Certificate for Auto Renewal:
sudo crontab -e
Add at the end of file the following line:
15 3 * * * /usr/bin/certbot renew --quiet
After this process, the SSL config will have been added to /etc/nginx/sites-available/default
We need to edit the SSL port to match our app settings:
edit port number
listen 20443 ssl; # managed by Certbot (this port should match the port for SSL from AccessServer.config )
Note, this port can be whatever port you choose, as long as it is preserved in all configuration files.
Restart Nginx
sudo systemctl reload nginx
Edit AccessServer.config and enable/edit the corresponding SSL settings
sudo nano AccessServer.config
--------------------------------
#adr=http://*:1111
adr=https://127.0.0.1:1111
# Setup Shared local Path
path=/home/mycompany
# your App domain
email=whatever@mycompany.com
pass=mypassword
sslport=20443
In the folder where the app is installed, run the Stop/Start commands to reload configuration.
./stop.sh
./start.sh
On the web interface, under Admin / Servers, edit the server created with HTTP support. The drop-down will now show the server with the HTTPS protocol; select it, make sure the port is correct, then save the new configuration.
You are good to GO with SSL file transfer :)
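The port note above says the SSL port must be the same in every configuration file. The following check is an added example, not part of AccessServer or of the original tutorial: it assumes the two file formats shown above, and the function names cfg_value and check_access_config are made up for it.

```shell
#!/usr/bin/env bash
# Added example: cross-check AccessServer.config against the Nginx site file.
# cfg_value and check_access_config are names invented for this example.

# Print the last uncommented value of key $1 in config file $2.
cfg_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d '[:space:]'
}

# check_access_config <AccessServer.config> <nginx-site-file>
# Returns 0 if the SSL settings agree, 1 (with a message per problem) if not.
check_access_config() {
    local app_cfg="$1" nginx_cfg="$2" rc=0 adr sslport listen_port redirect_port
    adr=$(cfg_value adr "$app_cfg")
    sslport=$(cfg_value sslport "$app_cfg")
    # Port of the IPv4 "listen <port> ssl" line that Certbot manages.
    listen_port=$(sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]\{1,\}ssl.*/\1/p' \
        "$nginx_cfg" | head -n 1)
    # Port at the end of the proxy_redirect replacement URL.
    redirect_port=$(sed -n 's/^[[:space:]]*proxy_redirect[[:space:]].*:\([0-9]\{1,\}\)\/;.*/\1/p' \
        "$nginx_cfg" | head -n 1)

    if [ -z "$sslport" ]; then
        echo "sslport is commented out or missing in $app_cfg"
        return 1
    fi
    # With SSL on, the app should listen on loopback only, so that clients
    # cannot bypass Nginx and reach the app port directly.
    case $adr in
        *://127.0.0.1:*) ;;
        *) echo "adr=$adr is not bound to 127.0.0.1"; rc=1 ;;
    esac
    if [ "$listen_port" != "$sslport" ]; then
        echo "nginx 'listen ... ssl' port '$listen_port' != sslport $sslport"; rc=1
    fi
    if [ "$redirect_port" != "$sslport" ]; then
        echo "proxy_redirect port '$redirect_port' != sslport $sslport"; rc=1
    fi
    return $rc
}

# Run as: ./check.sh AccessServer.config /etc/nginx/sites-available/default
if [ "$#" -eq 2 ]; then
    check_access_config "$1" "$2"
fi
```

A non-zero exit status means at least one of the three settings disagrees; each mismatch is printed on its own line.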
Additionally, improve the SSL rating by following the tutorial below.
Updating Diffie-Hellman Parameters
If you test your server using the SSL Labs Server Test now, it will only get a B grade due to weak Diffie-Hellman parameters. This affects the security of the initial key exchange between our server and its users. We can fix this by creating a new dhparam.pem file and adding it to our server block.
Create the file using openssl:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This will take a while, up to a few minutes. When it's done, open up the Nginx config file that contains your server block. In our example, it's the default config file:
sudo nano /etc/nginx/sites-available/default
Paste the ssl_dhparam line shown below anywhere within the server block:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # ... rest of the server block unchanged ...
}
Save the file and quit your editor, then verify the configuration:
sudo nginx -t
If you have no errors, reload Nginx:
sudo systemctl reload nginx
Your site is now more secure, and should receive an A rating.
NOTE
If your Linux flavour is CentOS, you might need to run the following command to allow Nginx to proxy pass:
setsebool -P httpd_can_network_connect 1