2. Configure Web Server with HTTPS

  1. If the virtual machine is running, log in and shut it down:

    ssh -p 8015 hjc@dynamicshjc.case.edu
    sudo shutdown -h now
  2. Share the SSL certificate directory owned by the VirtualBox Machines (vbox) account on DynamicsHJC (~vbox/ssl-certificates) with the virtual machine as a shared folder. Shared folders are accessible on the virtual machine under the mount point /media. In VirtualBox, select Machine > Settings > Shared Folders, press the “+” button, and use the following settings:

    • Folder Path: /Users/vbox/ssl-certificates
    • Folder Name: ssl-certificates
    • Check “Read-only”
    • Check “Auto-mount”

    Press “OK” twice to close the Settings windows.

  3. Start the virtual machine and log in:

    ssh -p 8015 hjc@dynamicshjc.case.edu
  4. Check for and install system updates on the virtual machine:

    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo apt-get autoremove
  5. The Apache web server operates as user www-data in group www-data. Give the web server ownership of and access to the web directory:

    sudo chown -R www-data:www-data /var/www/
    sudo chmod -R ug+rw /var/www/
    sudo find /var/www -type d -exec chmod g+s {} \;
  6. Download and install the check-ssl-cert-expiration script:

    sudo wget -O /usr/local/sbin/check-ssl-cert-expiration https://neurowiki-docs.readthedocs.io/en/latest/_downloads/check-ssl-cert-expiration
    sudo chmod +x /usr/local/sbin/check-ssl-cert-expiration

    The script looks for the shared folder set up in step 2 and prints the expiration dates of any certificates found there. Check that this is working and that the certificates are current:

    sudo check-ssl-cert-expiration

    If you are curious about the contents of check-ssl-cert-expiration, you can view it here:


    Direct link

    # Place this script in /usr/local/sbin and make it executable (chmod +x).
    # This script will print out the expiration dates for all SSL certificates
    # located in CERTDIR or its subdirectories.
    # Function for aborting with an error message
    die () {
        echo >&2 "$@"
        exit 1
    # Require that the user is root.
    [ "$UID" -eq 0 ] || die "Aborted: superuser privileges needed (rerun with sudo)"
    # The certificate files are expected to be found in CERTDIR with a specific
    # naming scheme.
    # Find and report expiration dates for certificates.
    find $CERTDIR -name "*_cert.cer" -print -exec bash -c "openssl x509 -noout -enddate -in {} | sed -e 's/\(.*\)=\(.*\)/  \2/'" \;
    exit 0
  7. Disable some default Apache configuration files, and download and install a custom Apache configuration file for handling SSL certificates:

    sudo a2dissite 000-default default-ssl
    sudo wget -O /etc/apache2/sites-available/smart-ssl.conf https://neurowiki-docs.readthedocs.io/en/latest/_downloads/smart-ssl.conf
    sudo a2enmod rewrite ssl
    sudo a2ensite smart-ssl
    sudo apache2ctl restart

    The determination of which SSL certificate to use is done automatically by looking at the URL used to access the site. If port forwarding is enabled and the virtual machine is accessed using https://dynamicshjc.case.edu:8014, the certificate for DynamicsHJC will be selected automatically. If bridged networking is enabled and the virtual machine is accessed using https://neurowiki.case.edu, the certificate for NeuroWiki will be selected automatically. Later, when the virtual machine is cloned and converted to NeuroWikiDev, its certificate will be selected automatically.

    If you are curious about the contents of smart-ssl.conf, you can view it here:


    Direct link

    # Globally specify ServerName to satisfy requirement, will be replaced by
    # matching virtual host's ServerName
    ServerName localhost
    # Except where aliases are used, all URLs are relative to DocumentRoot, e.g.,
    # https://example.com/dir1/page.html points to /var/www/html/dir1/page.html
    DocumentRoot /var/www/html
    # Deny access to everything on the server unless overridden by other Directory
    # directives, and allow access to the DocumentRoot
    <Directory ~ "/">
        Options -Indexes
        Require all denied
    <Directory ~ "/var/www/html">
        Require all granted
    # Disallow access to .git directories and .gitignore files
    RedirectMatch 404 /\.git
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #	 Translate the client X.509 into a Basic Authorisation.  This means that
    #	 the standard Auth/DBMAuth methods can be used for access control.  The
    #	 user name is the `one line' version of the client's X.509 certificate.
    #	 Note that no password is obtained from the user. Every entry in the user
    #	 file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #	 This exports two additional environment variables: SSL_CLIENT_CERT and
    #	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #	 server (always existing) and the client (only existing when client
    #	 authentication is used). This can be used to import the certificates
    #	 into CGI scripts.
    #   o StdEnvVars:
    #	 This exports the standard SSL/TLS related `SSL_*' environment variables.
    #	 Per default this exportation is switched off for performance reasons,
    #	 because the extraction step is an expensive operation and is usually
    #	 useless for serving static content. So one usually enables the
    #	 exportation for CGI and SSI requests only.
    #   o OptRenegotiate:
    #	 This enables optimized SSL connection renegotiation handling when SSL
    #	 directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    # ServerName specifies what hostname must appear in the request's Host: header
    # to match a virtual host
    # Matches any http://* and redirects to https://*
    <VirtualHost *:80>
        RewriteEngine On
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    <IfModule mod_ssl.c>
    # Matches only https://dynamicshjc.case.edu
    <VirtualHost *:443>
        ServerName dynamicshjc.case.edu
        SSLEngine on
        SSLCertificateFile      /media/sf_ssl-certificates/dynamicshjc/dynamicshjc_case_edu_cert.cer
        SSLCertificateKeyFile   /media/sf_ssl-certificates/dynamicshjc/dynamicshjc_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/dynamicshjc/dynamicshjc_case_edu_interm.cer
    # Matches only https://neurowiki.case.edu
    <VirtualHost *:443>
        ServerName neurowiki.case.edu
        SSLEngine on
        SSLCertificateFile      /media/sf_ssl-certificates/neurowiki/neurowiki_case_edu_cert.cer
        SSLCertificateKeyFile   /media/sf_ssl-certificates/neurowiki/neurowiki_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/neurowiki/neurowiki_case_edu_interm.cer
    # Matches only https://neurowikidev.case.edu
    <VirtualHost *:443>
        ServerName neurowikidev.case.edu
        SSLEngine on
        SSLCertificateFile      /media/sf_ssl-certificates/neurowikidev/neurowikidev_case_edu_cert.cer
        SSLCertificateKeyFile   /media/sf_ssl-certificates/neurowikidev/neurowikidev_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/neurowikidev/neurowikidev_case_edu_interm.cer
    # Matches only https://biol300.case.edu
    <VirtualHost *:443>
        ServerName biol300.case.edu
        SSLEngine on
        SSLCertificateFile      /media/sf_ssl-certificates/biol300/biol300_case_edu_cert.cer
        SSLCertificateKeyFile   /media/sf_ssl-certificates/biol300/biol300_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/biol300/biol300_case_edu_interm.cer
    # Matches only https://biol300dev.case.edu
    <VirtualHost *:443>
        ServerName biol300dev.case.edu
        SSLEngine on
        SSLCertificateFile      /media/sf_ssl-certificates/biol300dev/biol300dev_case_edu_cert.cer
        SSLCertificateKeyFile   /media/sf_ssl-certificates/biol300dev/biol300dev_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/biol300dev/biol300dev_case_edu_interm.cer
    # Matches only https://slugwiki.case.edu
    <VirtualHost *:443>
        ServerName slugwiki.case.edu
        SSLEngine on
        SSLCertificateFile      /media/sf_ssl-certificates/slugwiki/slugwiki_case_edu_cert.cer
        SSLCertificateKeyFile   /media/sf_ssl-certificates/slugwiki/slugwiki_case_edu.key
        SSLCertificateChainFile /media/sf_ssl-certificates/slugwiki/slugwiki_case_edu_interm.cer
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
  8. The web server should now be active. Open a web browser and navigate to

    You should see a default page provided by Apache.

  9. Delete that default page:

    rm /var/www/html/index.html
  10. Discourage bots, such as Google’s web crawler, from visiting some parts of the site. Download and install robots.txt:

    wget -O /var/www/html/robots.txt https://neurowiki-docs.readthedocs.io/en/latest/_downloads/robots.txt

    If you are curious about the contents of robots.txt, you can view it here:


    Direct link

    User-agent: *
    Allow: /w/load.php?
    Disallow: /w/
    Disallow: /django
    Disallow: /JSNeuroSim
  11. Shut down the virtual machine:

    sudo shutdown -h now
  12. Using VirtualBox, take a snapshot of the current state of the virtual machine. Name it “Web server configured with HTTPS”.