14.5. Apache and OpenSSL
After having configured and tested your Apache web server configuration,
the next thing you may wish to do is configure an SSL page. From
protecting web-based email clients to providing secure e-commerce
transactions, there are many reasons to use SSL. Within the Apache
realm there are two options for providing SSL, Apache-SSL and mod_ssl.
In this section we'll focus on the more widely used mod_ssl, which
began as a fork of Apache-SSL.
As with any SSL-based application, certificates are required. They are
the basis on which the trust relationship between client and server is
established: the server proves that it holds the private key matching
its certificate, and the client decides whether to believe the name in
that certificate based on who signed it. If you are hosting a site for
a business, you will likely want a certificate signed by a third party
that browsers already trust, such as Verisign or Thawte. Since these
certificates are somewhat costly, if you aren't hosting a business you
also have the option of generating your own certificate. The
disadvantage of this method is that when clients access your site,
their browser will warn them that your certificate is not trusted,
since it hasn't been signed by a certificate authority the browser
knows. They will have to click through the warning and decide for
themselves whether to trust your certificate, and a visitor who has
been trained to click through cannot tell your self-signed certificate
from one presented by an attacker sitting between them and your server.
In this chapter we will provide configuration examples for
administrators generating their own certificates. Alternately, the
cacert.org organization offers free certificates for individuals,
though its root certificate was never included in the trust stores of
the major browsers, so those certificates produce the same warning.
14.5.1. Generating an SSL Certificate
In order to enable an SSL session, you
will first need to create a certificate. To do this, you will need to
make sure you have OpenSSL installed. It can be found at http://www.openssl.org, in both source and
binary package format. This package comes installed with many Linux
distributions, so you may not have to install it. Once you have
installed or verified the installation of OpenSSL, you can proceed to
create the required SSL certificate.
The first step in this process is to create a certificate signing
request. You will be asked for a temporary PEM pass phrase, which
encrypts the private key that is written to privkey.pem, and for some
information about your site. The key size is taken from openssl.cnf;
the 1024-bit RSA key generated in the session below was usual when
this was written but is too small today, so add -newkey rsa:2048 (or
larger) to the command rather than accepting the default:
vlager# openssl req -config openssl.cnf -new -out vbrew.csr
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
...............................++++++
....++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) [ ]:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.vbrew.com
Organizational Unit Name (eg, section) [ ]:
Common Name (eg, YOUR name) [ ]:www.vbrew.com
Email Address [ ]:webmaster@vbrew.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [ ]:
An optional company name [ ]:
The next step is to remove the PEM pass phrase from the private key
(the certificate itself is never encrypted). This will allow the server
to restart without someone having to type the pass phrase. The price is
that the key now sits on disk in the clear, so it must be readable by
root alone (mode 600) and must be kept out of any directory the web
server serves and out of unprotected backups. Administrators who would
rather keep the pass phrase can skip this step, but should the server
fail or the machine reboot, httpd will stop and wait for the pass
phrase and you will have to restart it manually.
vlager # openssl rsa -in privkey.pem -out vbrew.key
read RSA key
Enter PEM pass phrase:
writing RSA key
Having separated the pass phrase, you will now need to self-sign your
certificate file. This is accomplished using the x509 option with
OpenSSL:
vlager # openssl x509 -in vbrew.csr -out vbrew.cert -req -signkey vbrew.key -days 365
Signature ok
subject=/C=US/ST=California/L=Berkeley/O=www.vbrew.com/CN=www.vbrew.com/
Email=webmaster@vbrew.com
Getting Private key
Once this has been completed, your certificate is ready for use. You
should copy the certificate files to your Apache directory so the web
server can access them (conf/ssl under the server root is the location
used in the configuration later in this section), preserving the
restrictive mode on vbrew.key while you do so.
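The same certificate generation carried out non-interactively, as an added example that is not code from the book: it collapses the three steps above (request, pass-phrase removal, self-signing) into one openssl req -x509 call, uses a 2048-bit key, and adds the checks you would run before copying the files into Apache's conf directory. The hostname www.vbrew.com is the page's; the output directory, the function names and the use of OpenSSL 1.0 or later are the example's own assumptions. Keep the page's three-step flow when a certificate authority will sign the request, since the CSR is what you send to it.

```shell
#!/bin/sh
# Added example, not code from the book: create an unencrypted 2048-bit RSA key
# and a self-signed certificate for an Apache/mod_ssl host in one step, then
# verify the result.  Assumes OpenSSL 1.0 or later on PATH; the hostname and
# output directory are placeholders.
set -eu

# make_selfsigned_cert HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key (mode 600, no pass phrase, so httpd can restart
# unattended) and OUTDIR/HOST.cert.  -x509 self-signs the request directly
# instead of writing a CSR and running "openssl x509 -req -signkey" afterwards.
make_selfsigned_cert() {
    host="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir"
    umask 077    # never let the key be created group- or world-readable
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/C=US/ST=California/L=Berkeley/O=$host/CN=$host" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.cert" 2>/dev/null
    chmod 600 "$outdir/$host.key"
    chmod 644 "$outdir/$host.cert"    # the certificate is public
}

# cert_cn CERTFILE -> the Common Name; it must equal the name clients type,
# or browsers will warn even when the certificate is CA-signed.
# (Handles both "CN=host" and "CN = host" subject formats.)
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# key_matches_cert KEYFILE CERTFILE -> true when the public key inside the
# certificate is the one derived from the private key (a mismatched pair is
# the usual cause of SSLCertificateKeyFile errors at start-up).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# key_mode KEYFILE -> octal permission bits, e.g. 600 (GNU stat, BSD fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone run: build the files in a scratch directory and report the checks.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_selfsigned_cert www.vbrew.com "$dir" 365
    echo "CN: $(cert_cn "$dir/www.vbrew.com.cert")"
    key_matches_cert "$dir/www.vbrew.com.key" "$dir/www.vbrew.com.cert" \
        && echo "key matches certificate"
    echo "key mode: $(key_mode "$dir/www.vbrew.com.key")"
fi
```

Run it with --demo to see the three checks; the mode check is the one most often forgotten after the pass phrase has been stripped, because a key that is world-readable on a shared host lets any local user impersonate the site.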
14.5.2. Compiling mod_ssl for Apache
If you compiled Apache from source as in the earlier example in the
chapter, you will need to patch the Apache source and recompile in
order to use mod_ssl. If you installed Apache from a binary package
for your Linux distribution, then there's a good chance that it is
already compiled in. To see whether you need to recompile, check which
modules are built into Apache by using the following command. Note
that httpd -l lists only statically compiled modules; a distribution
package may instead ship mod_ssl as a shared object pulled in with a
LoadModule directive, so check httpd.conf for that as well:
vlager # /var/www/bin/httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_setenvif.c
In this case, mod_ssl is not present, so we will have to download and
compile it into our Apache server. Fortunately, this isn't as
difficult as it might sound. The source for mod_ssl can be found at
http://www.modssl.org; each mod_ssl release is tied to one Apache
version (2.8.15 is the release for Apache 1.3.28, as the configure
output below shows), so fetch the one that matches your Apache source.
You will need to unpack it along with the source to OpenSSL. For ease,
we have put all three source trees under the same directory. The
versions used in this walk-through, Apache 1.3.28, mod_ssl 2.8.15 and
OpenSSL 0.9.6i, are the ones current when it was written; all three
have long since been superseded by releases that fix security bugs,
and a new installation should start from current versions. When you
have everything unpacked, you are ready to continue. First, you will
need to configure the build of mod_ssl:
vlager # ./configure --with-apache=../apache_1.3.28 --with-openssl=../openssl-0.9.6i
Configuring mod_ssl/2.8.15 for Apache/1.3.28
+ Apache location: ../apache_1.3.28 (Version 1.3.28)
+ Auxiliary patch tool: ./etc/patch/patch (local)
+ Applying packages to Apache source tree:
o Extended API (EAPI)
o Distribution Documents
o SSL Module Source
o SSL Support
o SSL Configuration Additions
o SSL Module Documentation
o Addons
Done: source extension and patches successfully applied.
Now, assuming that you built your OpenSSL from source and it is in
line with your Apache source directory, you can configure and build
Apache as follows:
vlager # cd ../apache_1.3.28
vlager # SSL_BASE=../openssl-0.9.6i ./configure --prefix=/var/www --enable-module=ssl
Configuring for Apache, Version 1.3.28
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Linux platform
+ setting C pre-processor to gcc -E
+ using "tr [a-z] [A-Z]" to uppercase
+ checking for system header files
+ adding selected modules
o ssl_module uses ConfigStart/End
+ SSL interface: mod_ssl/2.8.15
+ SSL interface build type: OBJ
+ SSL interface compatibility: enabled
+ SSL interface experimental code: disabled
+ SSL interface conservative code: disabled
+ SSL interface vendor extensions: disabled
+ SSL interface plugin: Built-in SDBM
+ SSL library path: /root/openssl-0.9.6i
+ SSL library version: OpenSSL 0.9.6i Feb 19 2003
+ SSL library type: source tree only (stand-alone)
+ enabling Extended API (EAPI)
+ using system Expat
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl
When the source configuration has completed, you can build and install
Apache with make followed by make install. You can also repeat the
httpd -l command used above to verify that mod_ssl has been compiled
into Apache.
14.5.3. Configuration File Changes
Only a few minor changes are required. The easiest way to enable SSL
within Apache is by using the Virtual Host directives discussed
earlier. First, however, outside of the Virtual Host section, at the
end of your configuration file, you will need to add the following SSL
directives:
SSLRandomSeed startup builtin
SSLSessionCache None
SSLRandomSeed tells mod_ssl where to draw entropy for its random number
generator when the server starts; builtin is the source that is always
available but also the weakest, so where /dev/urandom exists prefer
SSLRandomSeed startup file:/dev/urandom 512. SSLSessionCache None turns
off the cache of negotiated sessions, which forces a full handshake on
every connection; a shared cache such as SSLSessionCache
dbm:logs/ssl_scache, together with SSLMutex file:logs/ssl_mutex, is the
usual production setting. Apache must also be told to accept
connections on the SSL port: add Listen 443 (and keep Listen 80 for
plain HTTP), or the virtual host below will never receive a
connection. Now you need to build your VirtualHost configuration to
enable the SSL engine. Again, in the httpd.conf file, add the
following lines:
<VirtualHost www.vbrew.com:443>
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/vbrew.cert
SSLCertificateKeyFile conf/ssl/vbrew.key
</VirtualHost>
This section enabled the SSLEngine and configured the cipher suites.
The cipher-list syntax is OpenSSL's: a bare keyword adds the matching
ciphers, "!" removes them and they cannot be added back later in the
list, "-" removes them but a later keyword may re-add them, and "+"
adds nothing at all, it only moves ciphers already in the list to the
current position. Read that way, the string above starts from ALL,
removes anonymous DH and 56-bit export ciphers, prefers RC4 with RSA,
then sorts the HIGH and MEDIUM ciphers ahead of the rest. The trailing
+EXP:+eNULL does not exclude anything: it merely pushes the 40-bit
export ciphers, which ALL includes, to the end of the list (ALL already
leaves out the unencrypted eNULL suites, so +eNULL changes nothing). A
server offering RC4 or export-grade ciphers would fail any audit today,
so at minimum replace the last two entries with
!EXP:!eNULL:!aNULL:!LOW. Note also that !SSLv2 only drops the SSLv2
cipher suites; the protocol itself is disabled with SSLProtocol all
-SSLv2. If you have stored your certificates in any other directory,
you will need to make the necessary changes to the SSLCertificateFile
and SSLCertificateKeyFile entries; relative paths are resolved against
the server root, and the key file must stay readable by root alone.
For more information about the options available with mod_ssl, consult
the documentation found on the mod_ssl web site.
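The cipher string checked mechanically, as an added example that is not the book's: a shell function reads an SSLCipherSuite value and reports the weak cipher classes it never removes with "!", and is run on the page's value and on a hardened replacement. The class list, the hardened string and the function names are the example's own choices; the list grammar it applies is OpenSSL's.

```shell
#!/bin/sh
# Added example, not from the book: a static check of an SSLCipherSuite value.
# OpenSSL cipher-list rules: "!CLASS" removes a class permanently, "-CLASS"
# removes it until re-added, "+CLASS" only re-sorts ciphers already selected,
# and a bare keyword adds.  So "+EXP:+eNULL" bans nothing; only "!" does.
set -eu

# Classes no server should offer (OpenSSL keyword names):
#   eNULL  no encryption        aNULL  no authentication (all anonymous DH/ECDH)
#   EXP    40/56-bit export     LOW    56/64-bit ciphers
#   RC4    broken stream cipher, prohibited for TLS by RFC 7465
WEAK_CLASSES="eNULL aNULL EXP LOW RC4"

# The value quoted on the page, and a replacement that starts from HIGH and
# bans every class above.  ADH is a subset of aNULL, so "!aNULL" is the
# broader ban; "!MD5" additionally drops the MD5-MAC suites.
PAGE_SUITE="ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:+EXP:+eNULL"
HARDENED_SUITE="HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5"

# audit_cipher_suite SUITE -> prints, on one line, the weak classes that SUITE
# never removes with "!"; prints an empty line when all of them are banned.
audit_cipher_suite() {
    suite="$1"; found=""
    for class in $WEAK_CLASSES; do
        banned=0
        # walk the colon-separated list; a "!class" token anywhere bans it
        for tok in $(printf '%s' "$suite" | tr ':' ' '); do
            if [ "$tok" = "!$class" ]; then banned=1; fi
        done
        if [ "$banned" -eq 0 ]; then found="$found $class"; fi
    done
    printf '%s\n' "${found# }"
}

# cipher_suite_ok SUITE -> exit status 0 when the audit finds nothing.
cipher_suite_ok() {
    [ -z "$(audit_cipher_suite "$1")" ]
}

# Stand-alone run: show both verdicts.
if [ "${1:-}" = "--demo" ]; then
    printf 'page value not excluding: %s\n' "$(audit_cipher_suite "$PAGE_SUITE")"
    printf 'hardened  not excluding: %s\n' "$(audit_cipher_suite "$HARDENED_SUITE")"
fi
```

The check is deliberately textual, so it runs anywhere; before deploying a string, also run openssl ciphers -v with it on the server's own OpenSSL, because the keywords expand to whatever cipher suites that particular build contains.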