/[cvs]/nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.html
ViewVC logotype

Annotation of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.html

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.1 - (hide annotations)
Sat Jan 25 08:43:21 2003 UTC (21 years, 11 months ago) by jonen
Branch: MAIN
File MIME type: text/html 
+ moved/convert to perlpod format
1 jonen 1.1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
2     <html xmlns="http://www.w3.org/1999/xhtml">
3     <head>
4     <title>howto setup apache + mod_ssl</title>
5     <link rev="made" href="mailto:root@localhost" />
6     </head>
7    
8     <body style="background-color: white">
9    
10     <p><a name="__index__"></a></p>
11     <!-- INDEX BEGIN -->
12    
13     <ul>
14    
15     <ul>
16    
17     <li><a href="#howto_setup_apache_+_mod_ssl">howto setup apache + mod_ssl</a></li>
18     <ul>
19    
20     <li><a href="#description">Description</a></li>
21     <ul>
22    
23     <li><a href="#install_(debian)">install (debian)</a></li>
24     <li><a href="#make_certificate">make certificate</a></li>
25     <li><a href="#configure_httpd.conf">configure httpd.conf</a></li>
26     <ul>
27    
28     <li><a href="#basic:">basic:</a></li>
29     <li><a href="#optional:">optional:</a></li>
30     </ul>
31    
32     <li><a href="#gets_sslpassphrase_by_file_instead_of_prompt_for">gets SSLPassPhrase by file instead of prompt for</a></li>
33     <li><a href="#modify_apache_init_script_to_start_with_ssl">modify apache init script to start with ssl</a></li>
34     <li><a href="#finally_start_apache..">finally start apache..</a></li>
35     <li><a href="#relative_http/https_switching">Relative HTTP/HTTPS switching</a></li>
36     </ul>
37    
38     <li><a href="#resources_(read_for_further_configurations):">Resources (read for further configurations):</a></li>
39     <li><a href="#todo">ToDo</a></li>
40     <li><a href="#authors">Authors</a></li>
41     <li><a href="#last_changes">last changes</a></li>
42     </ul>
43    
44     </ul>
45    
46     </ul>
47     <!-- INDEX END -->
48    
49     <hr />
50     <p>
51     </p>
52     <h2><a name="howto_setup_apache_+_mod_ssl">howto setup apache + mod_ssl</a></h2>
53     <p>
54     </p>
55     <h3><a name="description">Description</a></h3>
56     <pre>
57     Example on how to install and configure Apache with mod_ssl</pre>
58     <p>
59     </p>
60     <h4><a name="install_(debian)">install (debian)</a></h4>
61     <dl>
62     <dt><strong><a name="item_apache">Apache</a></strong><br />
63     </dt>
64     <dd>
65     <pre>
66     - apt-get install apache apache-common</pre>
67     </dd>
68     <dt><strong><a name="item_mod_ssl">mod_ssl</a></strong><br />
69     </dt>
70     <dd>
71     <pre>
72     - apt-get install libapache-mod-ssl</pre>
73     </dd>
74     </dl>
75     <p>
76     </p>
77     <h4><a name="make_certificate">make certificate</a></h4>
78     <pre>
79     - run:
80     /usr/lib/apache/mkcert.sh</pre>
81     <p>
82     </p>
83     <h4><a name="configure_httpd.conf">configure httpd.conf</a></h4>
84     <pre>
85     (default Debian path: /etc/apache/httpd.conf)</pre>
86     <p>
87     </p>
88     <h5><a name="basic:">basic:</a></h5>
89     <pre>
90     LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so</pre>
91     <pre>
92     &lt;IfDefine SSL&gt;
93     Listen 80
94     Listen 443</pre>
95     <pre>
96     SSLMutex <a href="file:/var/log/apache/ssl_mutex">file:/var/log/apache/ssl_mutex</a>
97     SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
98     SSLRandomSeed startup builtin</pre>
99     <pre>
100     SSLLog /var/log/apache/ssl.log
101     SSLLogLevel warn</pre>
102     <pre>
103     &lt;VirtualHost _default_:443&gt;
104     SSLEngine on
105     SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
106     SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
107     SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
108     SSLVerifyClient none
109     &lt;/VirtualHost&gt;
110     &lt;/IfDefine&gt;</pre>
111     <p>
112     </p>
113     <h5><a name="optional:">optional:</a></h5>
114     <pre>
115     example VirtualHost entry:
116    
117     &lt;VirtualHost your.domain.com:443&gt;
118     SSLEngine On
119     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
120     SSLCertificateKeyFile conf/ssl.key/server.key
121     SSLCertificateFile conf/ssl.crt/server.crt
122     ServerName your.domain.com
123     ServerAlias domain.com
124     DocumentRoot /var/lib/www/domain.com
125     CustomLog /var/log/apache/access_log.your.domain.com combined
126     ErrorLog /var/log/apache/error_log.your.domain.com
127     SetEnvIf User-Agent &quot;.*MSIE.*&quot; \
128     nokeepalive ssl-unclean-shutdown \
129     downgrade-1.0 force-response-1.0
130     &lt;Files ~ &quot;\.(cgi|shtml|phtml|php3?|php|inc)$&quot;&gt;
131     SSLOptions +StdEnvVars
132     &lt;/Files&gt;
133     &lt;/VirtualHost&gt;</pre>
134     <p>
135     </p>
136     <h4><a name="gets_sslpassphrase_by_file_instead_of_prompt_for">gets SSLPassPhrase by file instead of prompt for</a></h4>
137     <pre>
138     Every start of apache require to enter the password for the above generated SSL key.
139     This can be annoying if you plan some automatic restart of apache.
140     There is a way to automatically give the password to apache with the option:</pre>
141     <pre>
142     SSLPassPhraseDialog exec:/path/to/your_password_programm</pre>
143     <pre>
144     But it's upt to you to write the password programm, be careful!!
145     Some times, it is easier to simply protect a non protected file, than writing a programm that gives a password!!
146     Easiest way would be e.g.
147    
148     #-----------your_password_programm ---------
149     #!/bin/sh
150     echo &lt;your passphrase&gt;
151     #------------------ end snip ----------------------</pre>
152     <pre>
153     chmod 700 /path/to/your_password_programm
154     chown www-data.www-data /path/to/your_password_programm</pre>
155     <pre>
156     But again, this would be very unsecure!!!</pre>
157     <p>
158     </p>
159     <h4><a name="modify_apache_init_script_to_start_with_ssl">modify apache init script to start with ssl</a></h4>
160     <pre>
161     ('apachectl startssl' won't works at debian/testing for some reason....)</pre>
162     <pre>
163     - edit /etc/init.d/apache:</pre>
164     <pre>
165     replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON</pre>
166     <pre>
167     with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- DSSL</pre>
168     <pre>
169     in the WHOLE script!</pre>
170     <p></p>
171     <p>
172     </p>
173     <h4><a name="finally_start_apache..">finally start apache..</a></h4>
174     <pre>
175     - run
176     /etc/init.d/apache start
177    
178     and you are in business... ;)</pre>
179     <p>
180     </p>
181     <h4><a name="relative_http/https_switching">Relative HTTP/HTTPS switching</a></h4>
182     <pre>
183     Switch from HTTP to HTTPS and vice versa by using only relative URLs
184     Benefit: Absolute URLs are avioded and this way the website is more flexible</pre>
185     <pre>
186     #-------- sample httpd.conf snip -------------------------
187     RewriteEngine on
188     RewriteCond %{HTTPS} =on
189     RewriteRule ^/(.*):scheme=toggle$ <a href="http://%">http://%</a>{SERVER_NAME}/$1 [R,L]
190     RewriteCond %{HTTPS} !=on
191     RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
192     RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
193     #------------- end snip -------------------------------------</pre>
194     <pre>
195     #-------- sample page.html snip -------------------------
196     &lt;a href=&quot;page.html:scheme=toggle&quot;&gt;
197     &lt;a href=&quot;page.html:scheme=https&quot;&gt;
198     &lt;a href=&quot;page.html:scheme=http&quot;&gt;
199     #------------- end snip -------------------------------------</pre>
200     <p>
201     </p>
202     <h3><a name="resources_(read_for_further_configurations):">Resources (read for further configurations):</a></h3>
203     <dl>
204     <dt><strong><a name="item_security_solutions_with_ssl">Security Solutions with SSL</a></strong><br />
205     </dt>
206     <dd>
207     <pre>
208     <a href="http://www.modssl.org/docs/apachecon2001/">http://www.modssl.org/docs/apachecon2001/</a></pre>
209     </dd>
210     <dt><strong><a name="item_apache%2eorg">Apache.org</a></strong><br />
211     </dt>
212     <dd>
213     <pre>
214     <a href="http://www.apache.org">http://www.apache.org</a></pre>
215     </dd>
216     <dt><strong><a name="item_modssl%2eorg">modssl.org</a></strong><br />
217     </dt>
218     <dd>
219     <pre>
220     <a href="http://www.modssl.org">http://www.modssl.org</a></pre>
221     </dd>
222     <dt><strong><a name="item_das_ssl%2dapache_handbuch">Das SSL-Apache Handbuch</a></strong><br />
223     </dt>
224     <dd>
225     <pre>
226     <a href="http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html">http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html</a></pre>
227     </dd>
228     </dl>
229     <p>
230     </p>
231     <h3><a name="todo">ToDo</a></h3>
232     <pre>
233     o explain installation from source
234     o check out more config variations
235     o check out more rewrite rules
236     o read more docu
237     o write more docu ;)</pre>
238     <p>
239     </p>
240     <h3><a name="authors">Authors</a></h3>
241     <pre>
242     Sebastian Utz seut@tunemedia.de</pre>
243     <p>
244     </p>
245     <h3><a name="last_changes">last changes</a></h3>
246     <pre>
247     Revision 1.2 2003/01/22 18:37:22 jonen
248     + added docu and references</pre>
249     <pre>
250     Revision 1.1 2003/01/22 17:47:49 jonen
251     + first init</pre>
252    
253     </body>
254    
255     </html>
MailToCvsAdmin">MailToCvsAdmin
 ViewVC Help
Powered by ViewVC 1.1.26 RSS 2.0 feed