Linux Network Administrator's Guide (3rd Edition) [Electronic resources]

Tony Bautts, Terry Dawson, Gregor N. Purdy

14.5. Apache and OpenSSL

After having configured and tested your Apache web server, the next thing you may wish to do is serve pages over SSL. From protecting web-based email clients to securing e-commerce transactions, there are many reasons to use SSL. Within the Apache realm there are two options for providing it, Apache-SSL and mod_ssl. In this section we focus on mod_ssl, the more widely used of the two.

As with any SSL-based application, certificates are required; they provide the basis on which the trust relationship between client and server is established. If you are hosting a site for a business, you will probably want a certificate signed by a third-party certificate authority such as Verisign or Thawte. Since these certificates cost money, if you are not hosting a business you also have the option of generating your own self-signed certificate. The disadvantage is that when clients access your site, their browser will warn them that the certificate is not trusted because it has not been signed by a known third party, and they will have to click through the warning and decide whether or not to trust your certificate. Browsers also compare the certificate's Common Name with the hostname they connected to, so whichever route you take, that field must contain the server's DNS name. In this chapter we provide configuration examples for administrators generating their own certificates. Alternatively, the cacert.org organization offers free certificates for individuals.

14.5.1. Generating an SSL Certificate

In order to enable an SSL session, you will first need to create a certificate. To do this, you will need to make sure you have OpenSSL installed. It can be found at http://www.openssl.org, in both source and binary package format. This package comes installed with many Linux distributions, so you may not have to install it. Once you have installed or verified the installation of OpenSSL, you can proceed to create the required SSL certificate.

The first step in this process is to generate a private key and a certificate signing request (CSR). The key is written to disk encrypted, so you will be asked for a temporary PEM pass phrase, and then for the information about your site that makes up the certificate's Distinguished Name. Enter the fully qualified hostname that clients will use to reach the server as the Common Name; the prompt suggests "YOUR name", but for a web server certificate it must be the host name:

vlager# openssl req -config openssl.cnf -new -out vbrew.csr
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
...............................++++++
....++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) [  ]:Berkeley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.vbrew.com
Organizational Unit Name (eg, section) [  ]:
Common Name (eg, YOUR name) [  ]:www.vbrew.com
Email Address [  ]:webmaster@vbrew.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [  ]:
An optional company name [  ]:

The next step is to remove the PEM pass phrase from the private key (not from the certificate, which is never encrypted). This allows the server to start without someone typing the password, for example after a reboot or an automatic restart. Paranoid administrators can skip this step, but then the web server has to be started by hand every time it stops. If you do strip the pass phrase, file permissions are the only thing protecting your server's identity: make the key readable by root only (chmod 600) and never put it in a directory Apache serves.

vlager # openssl rsa -in privkey.pem -out vbrew.key
read RSA key
Enter PEM pass phrase:
writing RSA key

Having removed the pass phrase, you now self-sign the certificate request with the x509 command of OpenSSL, producing a certificate valid for 365 days:

vlager # openssl x509 -in vbrew.csr -out vbrew.cert -req -signkey vbrew.key -days 365
Signature ok
subject=/C=US/ST=California/L=Berkeley/O=www.vbrew.com/CN=www.vbrew.com/
Email=webmaster@vbrew.com
Getting Private key

Once this has completed, your certificate is ready for use. Copy vbrew.cert and vbrew.key into the conf/ssl directory under your Apache installation (the directory referenced by the SSLCertificateFile and SSLCertificateKeyFile directives below), keeping the key readable by root only; Apache reads it while it is still running as root during startup. Remember that the 365-day lifetime means you will have to repeat the signing step next year, and that the certificate file on its own proves nothing: before restarting the server, check that the key and the certificate actually belong together and that the Common Name is the hostname you intend to serve.
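The three steps above, run non-interactively and followed by the checks a practitioner would make before handing the files to Apache, as an added example that is not part of the book. It assumes the openssl command-line tool is installed; the hostname www.vbrew.com, the DN fields and the 365-day lifetime are the book's, while the temporary pass phrase, the minimal openssl.cnf and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): generate the vbrew.com key, CSR and
# self-signed certificate without prompting, strip the pass phrase from the
# key as the text describes, then verify that the pieces belong together
# before they go into Apache's conf/ssl directory.
set -eu

TMPPASS='temporary-pass-phrase'   # assumption; lives only until "openssl rsa" strips it

# Step 1 (book: openssl req -config openssl.cnf -new).  A minimal config file
# keeps the run reproducible and -subj replaces the interactive DN prompts.
gen_csr() {          # gen_csr <dir> <hostname>
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 \
        -keyout "$1/privkey.pem" -passout "pass:$TMPPASS" \
        -subj "/C=US/ST=California/L=Berkeley/O=$2/CN=$2" \
        -out "$1/vbrew.csr" 2>/dev/null      # 2>/dev/null hides key-generation dots
}

# Step 2 (book: openssl rsa -in privkey.pem -out vbrew.key).  The result is an
# unencrypted key, so permissions are the only thing protecting it.
strip_passphrase() { # strip_passphrase <dir>
    openssl rsa -in "$1/privkey.pem" -passin "pass:$TMPPASS" \
        -out "$1/vbrew.key" 2>/dev/null
    chmod 600 "$1/vbrew.key"
}

# Step 3 (book: openssl x509 -req -signkey): the self-signed certificate.
self_sign() {        # self_sign <dir> <days>
    openssl x509 -req -in "$1/vbrew.csr" -signkey "$1/vbrew.key" \
        -days "$2" -out "$1/vbrew.cert" 2>/dev/null
}

# Returns 0 if the key matches the certificate (same RSA modulus), 1 otherwise.
# Apache refuses to start on a mismatch, but it is cheaper to find out here.
key_matches_cert() { # key_matches_cert <keyfile> <certfile>
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 if the certificate's Common Name is the hostname clients will use.
# Handles both the "CN=host" and the "CN = host" subject formats.
cert_cn_is() {       # cert_cn_is <certfile> <hostname>
    openssl x509 -noout -subject -in "$1" | grep -q -E "CN ?= ?$2\$"
}

# Returns 0 if the certificate has not expired yet.
cert_still_valid() { # cert_still_valid <certfile>
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Returns 0 if the key file is readable and writable by its owner only.
key_is_private() {   # key_is_private <keyfile>
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Runs the whole procedure in <dir> and returns 0 only if every check passes.
make_vbrew_cert() {  # make_vbrew_cert <dir>
    gen_csr "$1" www.vbrew.com
    strip_passphrase "$1"
    self_sign "$1" 365
    key_matches_cert "$1/vbrew.key" "$1/vbrew.cert" &&
    cert_cn_is "$1/vbrew.cert" www.vbrew.com &&
    cert_still_valid "$1/vbrew.cert" &&
    key_is_private "$1/vbrew.key"
}

# Usage: sh mkcert.sh /var/www/conf/ssl   (the directory must already exist)
if [ "${1:-}" ]; then
    make_vbrew_cert "$1" && echo "key and certificate are consistent: $1"
fi
```

The modulus comparison is the quickest way to prove a key and certificate belong together; a certificate copied from another host, or a key regenerated after the CSR was made, fails it immediately, which is the usual cause of an Apache that refuses to start after an SSL change.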

14.5.2. Compiling mod_ssl for Apache

If you compiled Apache from source as in the earlier example in this chapter, you will need to patch the Apache source and recompile in order to use mod_ssl. If you installed Apache from your Linux distribution's binary package, there is a good chance that mod_ssl is already included, either compiled in or as a loadable module (DSO). To see whether you need to recompile, check which modules are built into Apache with the following command. Note that it lists only statically compiled modules; if your distribution ships mod_ssl as a DSO, look for a LoadModule ssl_module line in httpd.conf or for libssl.so in Apache's libexec directory instead:

vlager # /var/www/bin/httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_setenvif.c

In this case, mod_ssl is not present, so we will have to download it and compile it into our Apache server. Fortunately, this is not as difficult as it might sound. The source for mod_ssl can be found at http://www.modssl.org. Unpack it alongside the Apache and OpenSSL source trees; for convenience, we have put all three under the same directory. When everything is unpacked, configure the mod_ssl build, pointing it at the other two trees:

vlager # ./configure --with-apache=../apache_1.3.28 --with-openssl=../openssl-0.9.6i
Configuring mod_ssl/2.8.15 for Apache/1.3.28
+ Apache location: ../apache_1.3.28 (Version 1.3.28)
+ Auxiliary patch tool: ./etc/patch/patch (local)
+ Applying packages to Apache source tree:
o Extended API (EAPI)
o Distribution Documents
o SSL Module Source
o SSL Support
o SSL Configuration Additions
o SSL Module Documentation
o Addons
Done: source extension and patches successfully applied.

Now, assuming that you built OpenSSL from source and its tree sits next to your Apache source directory, you can configure and build Apache as follows (the SSL_BASE variable tells the Apache configure script where to find the OpenSSL headers and libraries):

vlager # cd ../apache_1.3.28
vlager # SSL_BASE=../openssl-0.9.6i ./configure --prefix=/var/www --enable-module=ssl
Configuring for Apache, Version 1.3.28
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Linux platform
+ setting C pre-processor to gcc -E
+ using "tr [a-z] [A-Z]" to uppercase
+ checking for system header files
+ adding selected modules
o ssl_module uses ConfigStart/End
+ SSL interface: mod_ssl/2.8.15
+ SSL interface build type: OBJ
+ SSL interface compatibility: enabled
+ SSL interface experimental code: disabled
+ SSL interface conservative code: disabled
+ SSL interface vendor extensions: disabled
+ SSL interface plugin: Built-in SDBM
+ SSL library path: /root/openssl-0.9.6i
+ SSL library version: OpenSSL 0.9.6i Feb 19 2003
+ SSL library type: source tree only (stand-alone)
+ enabling Extended API (EAPI)
+ using system Expat
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl

When the source configuration has completed, rebuild and install Apache with make followed by make install. Then repeat the httpd -l command used above and confirm that mod_ssl.c now appears in the list of compiled-in modules. The OpenSSL release shown in the output above, 0.9.6i, is simply the one current when this was written; always build against the latest OpenSSL release, because mod_ssl inherits every vulnerability of the library it is linked with, and a statically linked Apache must be rebuilt to pick up a library fix.

14.5.3. Configuration File Changes

Only a few minor changes are required. The easiest way to enable SSL within Apache is a Virtual Host, using the directives discussed earlier. First, however, outside of any Virtual Host section, at the end of your configuration file, add the following global SSL directives. Also make sure Apache is listening on the HTTPS port with a Listen 443 directive; without it, the virtual host below will never receive a connection, and plain-HTTP clients talking to port 80 will not be affected either way:

SSLRandomSeed startup builtin
SSLSessionCache None

SSLRandomSeed tells mod_ssl where to get entropy at startup, and SSLSessionCache None switches off the inter-process session cache. That is the simplest setting, but because Apache 1.3 hands each connection to a different child process, a returning client will almost never hit the process that remembers its session and will pay for a full handshake every time. On a busy server use one of the shared cache types (the dbm: or shm: forms described in the mod_ssl documentation). Now you need to build your VirtualHost configuration to enable the SSL engine. Again in the httpd.conf file, add the following lines:

<VirtualHost www.vbrew.com:443>
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/vbrew.cert
SSLCertificateKeyFile conf/ssl/vbrew.key
</VirtualHost>

This section enables the SSL engine and sets the cipher suites the server will offer. The SSLCipherSuite string uses OpenSSL's cipher-list syntax, and its operators do not mean quite what the book's wording suggests: a bare name adds the matching ciphers to the list, "!" removes them permanently (a later entry in the same string cannot add them back), "-" removes them but allows a later entry to re-add them, and "+" adds nothing at all; it only moves ciphers already in the list to the end, lowering their preference. The "+eNULL" at the end of the example is therefore harmless only because ALL never includes the NULL-encryption ciphers in the first place. A more robust string rejects the dangerous families explicitly with entries such as !aNULL:!eNULL:!EXP:!LOW (note that !aNULL covers every unauthenticated cipher, whereas !ADH names only the anonymous DH family), and the SSLv2 protocol itself should be disabled with the SSLProtocol directive, not just by excluding its ciphers. If you have stored your certificate and key in any other directory, make the necessary changes to the SSLCertificateFile and SSLCertificateKeyFile entries. For more information about the options available with mod_ssl, consult the documentation found on the mod_ssl web site.
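As an added example (not from the book or from mod_ssl), the following shell script expands a cipher string with the openssl command-line tool in the same way mod_ssl hands it to the library, so the effect of each operator can be checked before the string goes into httpd.conf. It assumes the openssl binary is installed; the book's string is used as given, while the hardened alternative, the list of weak families and the audit function are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the book or mod_ssl): expand an SSLCipherSuite
# string exactly as OpenSSL interprets it, and audit the result for cipher
# families that should never be offered by a web server.
set -eu

# The string from the book's httpd.conf fragment, verbatim.
BOOK_SPEC='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:+EXP:+eNULL'
# Assumption: a conservative alternative that rejects families by name rather
# than relying on what ALL happens to leave out.
HARDENED_SPEC='HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4'

# Families that should never be offered:
#   NULL   no encryption at all
#   ADH/AECDH   no server authentication, so a man in the middle is undetectable
#   EXP-   export-grade (40/56-bit) key sizes
WEAK_RE='NULL|^ADH|^AECDH|^EXP-'

# Prints the number of suites in the expanded list whose name matches the
# extended regexp in $2.  "openssl ciphers" prints the list mod_ssl would
# offer, colon separated; unknown keywords in a spec are silently skipped.
cipher_count() {     # cipher_count <spec> <regexp>
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c -E -- "$2" || true
}

# Returns 0 when the spec expands to a non-empty list containing none of the
# weak families, 1 otherwise, so it can gate a restart of httpd.
cipher_audit() {     # cipher_audit <spec>
    openssl ciphers "$1" >/dev/null 2>&1 || return 1
    [ "$(cipher_count "$1" "$WEAK_RE")" -eq 0 ]
}

# Prints one line per weak suite that the spec would offer (for the report).
weak_suites() {      # weak_suites <spec>
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -E -- "$WEAK_RE" || true
}

# Usage: sh audit.sh 'ALL:!ADH:...'   (defaults to the book's string)
if [ "${1:-}" ] || [ -t 1 ]; then
    spec=${1:-$BOOK_SPEC}
    printf 'spec: %s\n' "$spec"
    printf 'suites offered: %s\n' "$(cipher_count "$spec" '.')"
    if cipher_audit "$spec"; then
        echo "audit: no weak families"
    else
        echo "audit: FAILED, weak suites offered:"
        weak_suites "$spec"
    fi
fi
```

Running cipher_count against 'ALL:+eNULL' and 'ALL:eNULL' shows the operator difference directly: the first offers no NULL suite, the second does. The audit also explains why the hardened string uses !aNULL: on a library that implements anonymous ECDH as well as anonymous DH, !ADH leaves the AECDH suites in place, and only the authentication-based keyword removes both.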