Apache-ssl by suchenfz


Apache ssl
• Objectives
   – Setup Apache + ssl
• Contents
   –   Recompile Apache for mod_ssl
   –   Generating certificates
   –   Self-signed certificate
   –   SSL VirtualHost
• Practical
   – Setup Apache with SSL
• Summary
Apache needs the ssl module
• Go to the Apache 2 source tree
   # cd /usr/local/src/apache-2.2.0
• Configure Apache2 for SSL support
   # ./configure --enable-layout=SuSE --libexecdir=/usr/lib/httpd/modules \
       --enable-mods-shared=all --enable-ssl

• Make Apache2 # make
• Install Apache2 binaries and modules plus configuration
   # make install

• Add ssl_module to /etc/httpd/httpd.conf
   – After last LoadModule add:
      LoadModule ssl_module lib/httpd/modules/mod_ssl.so

• Include /etc/httpd/extra/httpd-ssl.conf in httpd.conf
      Include /etc/httpd/extra/httpd-ssl.conf
Generating a Private Key and CSR
• Create a storage for certificates and keys
   # cd /etc/httpd ; mkdir certs

• Create your RSA private key (1024-bit RSA, Triple-DES encrypted)
   # openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024

• Remove the pass-phrase
  – Unless you want to enter it every time Apache2 is started or the machine is rebooted

   # openssl rsa -in server.key -out server.pem
Make Certificate Signing Request (CSR)
• CSR generation session
   # openssl req -new -key server.pem -out server.csr
   You are about to be asked to enter information that will be
   incorporated into your certificate request.
   What you are about to enter is what is called a
   Distinguished Name or a DN.
   Country Name (2 letter code) [AU]:SE
   State or Province Name (full name) [Some-State]:Stockholm
   Locality Name (eg, city) []:Stockholm
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:My-Site, AB.
   Organizational Unit Name (eg, section) []:.
   Common Name (eg, YOUR name) []:www.my-site.com
   Email Address []:webmaster@my-site.com
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
Generating a Self-Signed Certificate
• To generate a temporary certificate that is valid
  for 60 days, issue the following command
  # openssl x509 -req -days 60 -in server.csr -signkey server.pem -out server.crt

• Here you self-sign your server.csr to prove that
  you are you. There is nothing wrong with that: the
  cryptographic strength is the same as for a certificate
  signed by any other party. The only difference is that some
  applications (browsers) will complain that the page / server is
  not signed by a trusted party.
Installing the Private Key and Certificate
• Configuring SSL Enabled Virtual Hosts
  <IfDefine SSL>
  <VirtualHost _default_:443>
  ServerAdmin webmaster@my-site.com
  DocumentRoot /usr/local/httpd/securedocs
  ServerName www.my-site.com
  #ScriptAlias /cgi-bin/ /usr/local/httpd/cgi-bin/
  SSLEngine on
  SSLCertificateFile /etc/httpd/server.crt
  SSLCertificateKeyFile /etc/httpd/server.pem
  #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  # Deny access to the whole filesystem by default ...
  <Directory />
     AllowOverride None
     Options None
     Order deny,allow
     Deny from all
  </Directory>
  # ... and open only the secure DocumentRoot
  <Directory /usr/local/httpd/securedocs>
     AllowOverride FileInfo AuthConfig Limit
     Options Indexes MultiViews Includes ExecCGI FollowSymLinks
     Order allow,deny
     Allow from all
  </Directory>
  </VirtualHost>
  </IfDefine>
Restarting Apache2 and testing SSL
• Make the VirtualHost DocumentRoot
  # mkdir /usr/local/httpd/securedocs

• Add a "testpage" to your secure DocumentRoot
  # echo "Not yet, soon now!" > /usr/local/httpd/securedocs/index.html

• Stop and start Apache2
  # apachectl stop ; apachectl start
• Check the Apache2 error log
  – You should be able to see that mod_ssl is loaded and configured
  # tail /var/log/httpd/error_log
  [Tue Feb 21 20:29:39 2006] [notice] caught SIGTERM, shutting down
  [Tue Feb 21 20:29:40 2006] [notice] Digest: generating secret for digest authentication ...
  [Tue Feb 21 20:29:40 2006] [notice] Digest: done
  [Tue Feb 21 20:29:41 2006] [notice] Apache/2.2.0 (Unix) DAV/2 PHP/5.1.2 mod_ssl/2.2.0
  OpenSSL/0.9.7e configured -- resuming normal operations

• Open your secure page in a web-browser
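As an added example (not part of the slides), the key, CSR and self-signed certificate steps above as a non-interactive script, followed by the checks worth running before Apache is restarted: that the certificate really belongs to the private key, that it is not about to expire, and that its CN matches the ServerName. The output directory, CN and validity arguments and the 2048-bit key size are assumptions, not values from the slides.

```shell
# Added example (not from the slides): non-interactive versions of the key,
# CSR and self-signed certificate steps, plus the checks worth running
# before pointing SSLCertificateFile / SSLCertificateKeyFile at the files.
# Assumptions: $1 is the output directory, $2 the CN (ServerName), $3 the
# validity in days; the key is 2048 bits because the 1024-bit size used on
# the slides is rejected by current browsers and CAs.

make_selfsigned() {
  dir=$1; cn=$2; days=${3:-60}
  mkdir -p "$dir" || return 1
  # Key without a pass-phrase (the slides' server.pem), created with a
  # restrictive umask since only root needs to read it at Apache startup
  (umask 077; openssl genrsa -out "$dir/server.pem" 2048 2>/dev/null) || return 1
  # CSR with the DN supplied via -subj instead of the interactive prompts
  openssl req -new -key "$dir/server.pem" -out "$dir/server.csr" \
    -subj "/C=SE/ST=Stockholm/L=Stockholm/O=My-Site AB/CN=$cn" 2>/dev/null || return 1
  # Self-sign the CSR, as on the "Generating a Self-Signed Certificate" slide
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.pem" -out "$dir/server.crt" 2>/dev/null
}

# Succeeds only if certificate $1 was issued for private key $2: mod_ssl
# refuses to start when the two files do not belong together, so compare
# the RSA moduli before restarting Apache.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Succeeds if certificate $1 stays valid for at least $2 more seconds
# (a 60-day self-signed certificate expires sooner than people expect)
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Prints the CN of certificate $1 so it can be compared with ServerName
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```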
