Contents of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.html



Revision 1.2
Mon Jan 27 09:21:51 2003 UTC (21 years, 6 months ago) by jonen
Branch: MAIN
Changes since 1.1: +19 -19 lines
File MIME type: text/html
+ updated

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>howto setup apache + mod_ssl</title>
<link rel="stylesheet" href="http://netfrag.org/horde/css.php?app=chora" type="text/css" />
<link rev="made" href="mailto:root@localhost" />
</head>

<body>
<table border="0" width="100%" cellspacing="0" cellpadding="3">
<tr><td class="block" valign="middle">
<big><strong><span class="block">&nbsp;howto setup apache + mod_ssl</span></strong></big>
</td></tr>
</table>

<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->

<ul>

<ul>

<li><a href="#howto_setup_apache_+_mod_ssl">howto setup apache + mod_ssl</a></li>
<ul>

<li><a href="#description">Description</a></li>
<ul>

<li><a href="#install_(debian)">install (debian)</a></li>
<li><a href="#make_certificate">make certificate</a></li>
<li><a href="#configure_httpd.conf">configure httpd.conf</a></li>
<ul>

<li><a href="#basic:">basic:</a></li>
<li><a href="#optional:">optional:</a></li>
</ul>

<li><a href="#gets_sslpassphrase_by_file_instead_of_prompt_for">gets SSLPassPhrase by file instead of prompt for</a></li>
<li><a href="#modify_apache_init_script_to_start_with_ssl">modify apache init script to start with ssl</a></li>
<li><a href="#finally_start_apache..">finally start apache..</a></li>
<li><a href="#relative_http/https_switching">Relative HTTP/HTTPS switching</a></li>
</ul>

<li><a href="#resources_(read_for_further_configurations):">Resources (read for further configurations):</a></li>
<li><a href="#todo">ToDo</a></li>
</ul>

</ul>

</ul>
<!-- INDEX END -->

<hr />
<p>
</p>
<h2><a name="howto_setup_apache_+_mod_ssl">howto setup apache + mod_ssl</a></h2>
<p>Sebastian Utz <a href="mailto:seut@netfrag.org">seut@netfrag.org</a></p>
<p><strong>last changes</strong></p>
<pre>
Revision 1.2 2003/01/22 18:37:22 jonen
+ added docu and references</pre>
<p>
</p>
<h3><a name="description">Description</a></h3>
<p>Example of how to install and configure Apache with mod_ssl.</p>
<p>
</p>
<h4><a name="install_(debian)">install (debian)</a></h4>
<dl>
<dt><strong><a name="item_apache">Apache</a></strong><br />
</dt>
<dd>
<pre>
- apt-get install apache apache-common</pre>
</dd>
<dt><strong><a name="item_mod_ssl">mod_ssl</a></strong><br />
</dt>
<dd>
<pre>
- apt-get install libapache-mod-ssl</pre>
</dd>
</dl>
<p>
</p>
<h4><a name="make_certificate">make certificate</a></h4>
<pre>
- run:
/usr/lib/apache/mkcert.sh</pre>
<p>
</p>
<h4><a name="configure_httpd.conf">configure httpd.conf</a></h4>
<pre>
(default Debian path: /etc/apache/httpd.conf)</pre>
<p>
</p>
<h5><a name="basic:">basic:</a></h5>
<pre>
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so</pre>
<pre>
# directives inside &lt;IfDefine SSL&gt; only take effect when Apache is started with -DSSL
&lt;IfDefine SSL&gt;
Listen 80
Listen 443</pre>
<pre>
SSLMutex file:/var/log/apache/ssl_mutex
SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
SSLRandomSeed startup builtin</pre>
<pre>
SSLLog /var/log/apache/ssl.log
SSLLogLevel warn</pre>
<pre>
&lt;VirtualHost _default_:443&gt;
SSLEngine on
SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
# starts from ALL and removes only anonymous DH (ADH), so the LOW and EXP (export) suites stay enabled
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
SSLVerifyClient none
&lt;/VirtualHost&gt;
&lt;/IfDefine&gt;</pre>
<p>
</p>
<h5><a name="optional:">optional:</a></h5>
<pre>
example VirtualHost entry:

&lt;VirtualHost your.domain.com:443&gt;
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
SSLCertificateKeyFile conf/ssl.key/server.key
SSLCertificateFile conf/ssl.crt/server.crt
ServerName your.domain.com
ServerAlias domain.com
DocumentRoot /var/lib/www/domain.com
CustomLog /var/log/apache/access_log.your.domain.com combined
ErrorLog /var/log/apache/error_log.your.domain.com
# workaround for MSIE clients: no keep-alive, unclean SSL shutdown, HTTP/1.0 responses
SetEnvIf User-Agent &quot;.*MSIE.*&quot; \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# export the standard SSL environment variables only to script files
&lt;Files ~ &quot;\.(cgi|shtml|phtml|php3?|php|inc)$&quot;&gt;
SSLOptions +StdEnvVars
&lt;/Files&gt;
&lt;/VirtualHost&gt;</pre>
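<p>Added example (not part of the original howto): a shell check that reads an httpd.conf and reports which weak cipher classes each SSLCipherSuite line leaves enabled, run here on the two strings above plus a constructed stricter one. The function names and the third sample string are assumptions made for this example; the check is a heuristic, not a full OpenSSL cipher-string parser.</p>

```shell
#!/bin/sh
# Added example: report weak cipher classes left enabled by SSLCipherSuite lines.
# Heuristic, not a full OpenSSL cipher-string parser: a class counts as enabled
# when the string starts from ALL (or names the class bare) and never removes
# it with "!CLASS". ALL does not include eNULL, so eNULL needs a bare token.

# weak_classes STRING -> space-separated weak classes still in the list
weak_classes() {
    tokens=$(printf '%s' "$1" | tr ':' ' ')
    found=""
    for class in LOW EXP SSLv2 eNULL; do
        enabled=no
        for t in $tokens; do
            case "$class:$t" in
                LOW:ALL|EXP:ALL|SSLv2:ALL|EXP:EXPORT|"$class:$class") enabled=yes ;;
            esac
        done
        for t in $tokens; do
            case "$class:$t" in
                'EXP:!EXPORT'|"$class:!$class") enabled=no ;;   # "!" removes for good
            esac
        done
        if [ "$enabled" = yes ]; then found="$found $class"; fi
    done
    printf '%s\n' "${found# }"
}

# audit_conf: read httpd.conf on stdin, print "line N: CLASSES" per weak line
audit_conf() {
    awk '$1 == "SSLCipherSuite" { print NR, $2 }' |
    while read -r n suite; do
        weak=$(weak_classes "$suite")
        if [ -n "$weak" ]; then printf 'line %s: %s\n' "$n" "$weak"; fi
    done
}

# Constructed sample: the two cipher strings from this howto (the second is cut
# off at "$" on the page) and a constructed string that removes the weak classes.
sample_conf() {
    cat <<'EOF'
SSLEngine on
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
SSLCipherSuite ALL:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM
EOF
}

sample_conf | audit_conf
```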
<p>
</p>
<h4><a name="gets_sslpassphrase_by_file_instead_of_prompt_for">gets SSLPassPhrase by file instead of prompt for</a></h4>
<pre>
Every start of Apache requires entering the passphrase for the SSL key generated above.
This can be annoying if you plan automatic restarts of Apache.
There is a way to give the passphrase to Apache automatically, with the option:</pre>
<pre>
SSLPassPhraseDialog exec:/path/to/your_password_programm</pre>
<pre>
But it's up to you to write the password program, so be careful!
Sometimes it is easier to simply protect an unprotected file than to write a program that gives out a password!
The easiest way would be, e.g.:

#-----------your_password_programm ---------
#!/bin/sh
echo &lt;your passphrase&gt;
#------------------ end snip ----------------------</pre>
<pre>
chmod 700 /path/to/your_password_programm
chown www-data.www-data /path/to/your_password_programm</pre>
<pre>
But again, this would be very insecure!</pre>
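<p>Added example (not part of the original howto): a passphrase helper that keeps the passphrase out of the script itself and prints it only when the file holding it is owned by the calling user and unreadable to group and others. It assumes Apache is started as root (so the helper runs as root, not www-data); PASS_DIR and the file naming scheme are hypothetical.</p>

```shell
#!/bin/sh
# Added example (not from the original howto): a helper for
#   SSLPassPhraseDialog exec:/path/to/your_password_programm
# mod_ssl calls it with two arguments, "servername:portnumber" and "RSA" or
# "DSA", and reads the passphrase from its standard output.
# Assumptions: Apache is started as root, so the helper also runs as root;
# passphrases live in PASS_DIR, one file per key, named <server>_<port>.<algo>.

PASS_DIR=${PASS_DIR:-/etc/apache/ssl.pass}    # hypothetical directory

# private_file FILE -> 0 only for a regular file (no symlink) owned by the
# calling user with no group or other permission bits.
private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    set -- $(ls -ldn -- "$1")          # $1 = mode string, $3 = numeric owner
    [ "$3" = "$(id -u)" ] || return 1
    case $1 in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# emit_passphrase SERVER:PORT ALGO -> passphrase on stdout, non-zero on refusal
emit_passphrase() {
    case "$1$2" in
        */*) return 2 ;;               # arguments must not leave PASS_DIR
    esac
    file="$PASS_DIR/$(printf '%s' "$1" | tr ':' '_').$2"
    if ! private_file "$file"; then
        echo "refusing $file: missing or readable by others" >&2
        return 1
    fi
    cat -- "$file"
}

# Act as the helper only when invoked with mod_ssl's two arguments.
if [ "$#" -eq 2 ]; then emit_passphrase "$1" "$2"; fi
```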
<p>
</p>
<h4><a name="modify_apache_init_script_to_start_with_ssl">modify apache init script to start with ssl</a></h4>
<pre>
('apachectl startssl' doesn't work on debian/testing for some reason...)</pre>
<pre>
- edit /etc/init.d/apache:</pre>
<pre>
replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON</pre>
<pre>
with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL</pre>
<pre>
in the WHOLE script!</pre>
<p></p>
<p>
</p>
<h4><a name="finally_start_apache..">finally start apache..</a></h4>
<pre>
- run
/etc/init.d/apache start

and you are in business... ;)</pre>
<p>
</p>
<h4><a name="relative_http/https_switching">Relative HTTP/HTTPS switching</a></h4>
<pre>
Switch from HTTP to HTTPS and vice versa by using only relative URLs.
Benefit: absolute URLs are avoided, and this way the website is more flexible.</pre>
<pre>
#-------- sample httpd.conf snip -------------------------
RewriteEngine on
RewriteCond %{HTTPS} =on
RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
#------------- end snip -------------------------------------</pre>
<pre>
#-------- sample page.html snip -------------------------
&lt;a href=&quot;page.html:scheme=toggle&quot;&gt;
&lt;a href=&quot;page.html:scheme=https&quot;&gt;
&lt;a href=&quot;page.html:scheme=http&quot;&gt;
#------------- end snip -------------------------------------</pre>
<p>
</p>
<h3><a name="resources_(read_for_further_configurations):">Resources (read for further configurations):</a></h3>
<dl>
<dt><strong><a name="item_security_solutions_with_ssl">Security Solutions with SSL</a></strong><br />
</dt>
<dd>
<pre>
<a href="http://www.modssl.org/docs/apachecon2001/">http://www.modssl.org/docs/apachecon2001/</a></pre>
</dd>
<dt><strong><a name="item_apache%2eorg">Apache.org</a></strong><br />
</dt>
<dd>
<pre>
<a href="http://www.apache.org">http://www.apache.org</a></pre>
</dd>
<dt><strong><a name="item_modssl%2eorg">modssl.org</a></strong><br />
</dt>
<dd>
<pre>
<a href="http://www.modssl.org">http://www.modssl.org</a></pre>
</dd>
<dt><strong><a name="item_das_ssl%2dapache_handbuch">Das SSL-Apache Handbuch</a></strong><br />
</dt>
<dd>
<pre>
<a href="http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html">http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html</a></pre>
</dd>
</dl>
<p>
</p>
<h3><a name="todo">ToDo</a></h3>
<pre>
o explain installation from source
o check out more config variations
o check out more rewrite rules
o read more docu
o write more docu ;)</pre>
<p><a href="#__index__"><small>back to top</small></a></p>
<table border="0" width="100%" cellspacing="0" cellpadding="3">
<tr><td class="block" valign="middle">
<big><strong><span class="block">&nbsp;howto setup apache + mod_ssl</span></strong></big>
</td></tr>
</table>

</body>

</html>
