NANOWEB, the aEGiS PHP web server
SSL with nanoweb HOWTO
First, nanoweb has no official support for HTTP over Secure Sockets Layer (also
known as HTTPS).
There is, however, a way to make it work, with some help from the popular
"stunnel" application.
Starting from version 1.8.0, nanoweb supports running as an inetd service,
which is necessary for wrapping nanoweb with stunnel.
Prerequisites
Installation
- If you have already set up nanoweb in inetd mode, you may want
to back up your non-SSL config files, as you probably want to host
different virtual hosts for http and https.
- Generate a certificate for nanoweb:
root@www:~# cd /etc/ssl/certs
root@www:/etc/ssl/certs# openssl req -new -x509 -nodes -out nanoweb.pem -keyout nanoweb.pem -days 9999
root@www:/etc/ssl/certs# ln -s nanoweb.pem `openssl x509 -noout -hash < nanoweb.pem`.0
- Copy the wrapper script /usr/sbin/in.nanoweb to
in.nanoweb-ssl; in the copy, comment out the line for normal operation
and uncomment the ones for SSL (stunnel).
You want both files so that nanoweb keeps operating as a plain
HTTP server on port 80, but also over SSL via stunnel.
- Uncomment the https line in your /etc/inetd.conf (this line
was already written there by the nanoweb install-sh)
# nanoweb inetd support
www stream tcp nowait root /usr/sbin/in.nanoweb nanoweb
https stream tcp nowait root /usr/sbin/in.nanoweb-ssl nanoweb-ssl
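
A preflight check for the installation steps above, as an added example that is not part of the original HOWTO or the nanoweb distribution. It verifies that the combined certificate and key file written by the openssl command is readable by its owner only (the -nodes option leaves the private key unencrypted) and that inetd.conf has an active https line pointing at an executable wrapper. The function names pem_check and inetd_check and the script name preflight.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the nanoweb distribution): preflight checks for
# the stunnel-wrapped setup. pem_check and inetd_check are hypothetical names.

# pem_check FILE: FILE must hold both a certificate and a private key, as
# written by "openssl req ... -out F -keyout F", and be accessible by its
# owner only, because -nodes leaves the key unencrypted.
pem_check() {
    pem=$1
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block in $pem"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "no private key block in $pem"; return 1; }
    # The first 10 characters of "ls -ld" are the mode string, e.g. -rw-------
    mode=$(ls -ldL "$pem" | cut -c1-10)
    case $mode in
        -r[w-]-------) echo "ok: $pem ($mode)" ;;
        *) echo "mode $mode is too permissive; chmod 600 $pem"; return 1 ;;
    esac
}

# inetd_check CONF: an uncommented https line must exist, and its server
# program (6th field of an inetd.conf entry) must be an executable file.
inetd_check() {
    conf=$1
    prog=$(awk '$1 == "https" && $2 == "stream" { print $6; exit }' "$conf")
    [ -n "$prog" ] || { echo "no active https line in $conf"; return 1; }
    [ -x "$prog" ] || { echo "wrapper not executable: $prog"; return 1; }
    echo "ok: https -> $prog"
}

# Usage: sh preflight.sh /etc/ssl/certs/nanoweb.pem /etc/inetd.conf
if [ $# -eq 2 ]; then
    pem_check "$1" && inetd_check "$2"
fi
```
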
Testing
Once all this is done, open your favorite SSL-enabled web browser and try to
open "https://localhost". If it works, you should see the default web page,
and your browser should warn you that the certificate is not signed
by a trusted authority (this is not a bug; just send your CSR for signing to a
trusted CA if you want).
If it does not work, the stunnel log files are quite informative :)
See also the text versions of this HOWTO about SSL support for nanoweb.