/[cvs]/nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.pod

Annotation of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.pod



Revision 1.1 - (hide annotations)
Sat Jan 25 08:43:21 2003 UTC (21 years, 6 months ago) by jonen
Branch: MAIN
+ moved/convert to perlpod format

1 jonen 1.1 ##################################################
2     # $Id: howto-setup-apache_mod-ssl.txt,v 1.2 2003/01/22 18:37:22 jonen Exp $
3     #
4     ##################################################
5     #
6     # $Log: howto-setup-apache_mod-ssl.txt,v $
7     # Revision 1.2 2003/01/22 18:37:22 jonen
8     # + added docu and references
9     #
10     # Revision 1.1 2003/01/22 17:47:49 jonen
11     # + first init
12     #
13     #
14     ##################################################
15    
16     =pod
17    
18    
19     =head2 howto setup apache + mod_ssl
20    
21    
22     =head3 Description
23    
24     Example of how to install and configure Apache with mod_ssl
25    
26    
27     =head4 install (debian)
28    
29     =over
30    
31     =item Apache
32    
33     - apt-get install apache apache-common
34    
35     =item mod_ssl
36    
37     - apt-get install libapache-mod-ssl
38    
39     =back
40    
41    
42     =head4 make certificate
43    
44     - run:
45     /usr/lib/apache/mkcert.sh
46    
47    
48    
49     =head4 configure httpd.conf
50    
51     (default Debian path: /etc/apache/httpd.conf)
52    
53    
54     =head5 basic:
55    
56     LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
57    
58     <IfDefine SSL>
59     Listen 80
60     Listen 443
61    
62     SSLMutex file:/var/log/apache/ssl_mutex
63     SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
64     SSLRandomSeed startup builtin
65    
66     SSLLog /var/log/apache/ssl.log
67     SSLLogLevel warn
68    
69     <VirtualHost _default_:443>
70     SSLEngine on
71     SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
72     SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
73     SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
74     SSLVerifyClient none
75     </VirtualHost>
76     </IfDefine>
77    
78    
79     =head5 optional:
80    
81     example VirtualHost entry (note: the SSLCipherSuite values shown in this howto, above and below, still allow the eNULL, LOW and EXP cipher classes, i.e. unencrypted and export-grade ciphers; tighten the list for any real deployment):
82    
83     <VirtualHost your.domain.com:443>
84     SSLEngine On
85     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
86     SSLCertificateKeyFile conf/ssl.key/server.key
87     SSLCertificateFile conf/ssl.crt/server.crt
88     ServerName your.domain.com
89     ServerAlias domain.com
90     DocumentRoot /var/lib/www/domain.com
91     CustomLog /var/log/apache/access_log.your.domain.com combined
92     ErrorLog /var/log/apache/error_log.your.domain.com
93     SetEnvIf User-Agent ".*MSIE.*" \
94     nokeepalive ssl-unclean-shutdown \
95     downgrade-1.0 force-response-1.0
96     <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
97     SSLOptions +StdEnvVars
98     </Files>
99     </VirtualHost>
100    
101    
102    
103     =head4 get the SSLPassPhrase from a file instead of a prompt
104    
105     Every start of apache requires entering the password for the SSL key generated above.
106     This can be annoying if you plan some automatic restart of apache.
107     The password can be given to apache automatically with the option:
108    
109     SSLPassPhraseDialog exec:/path/to/your_password_programm
110    
111     But it is up to you to write the password program, so be careful!!
112     Sometimes it is easier to simply protect an otherwise unprotected file than to write a program that hands out a password!!
113     The easiest way would be e.g.
114    
115     #-----------your_password_programm ---------
116     #!/bin/sh
117     echo <your passphrase>
118     #------------------ end snip ----------------------
119    
120     chmod 700 /path/to/your_password_programm
121     chown www-data.www-data /path/to/your_password_programm
122    
123    
124     But again, this would be very insecure!!! The passphrase sits in clear text in that file, so anyone who can read it (or run code as its owner) obtains the key's passphrase; the protection is only as strong as the file's ownership and permissions.
125    
126    
127    
128    
129     =head4 modify apache init script to start with ssl
130    
131     ('apachectl startssl' won't work on debian/testing for some reason....)
132    
133    
134     - edit /etc/init.d/apache:
135    
136     replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
137    
138     with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL
139    
140     in the WHOLE script! (the -DSSL define is what activates the <IfDefine SSL> block in httpd.conf above)
141    
142    
143    
144     =head4 finally start apache..
145    
146     - run
147     /etc/init.d/apache start
148    
149     and you are in business... ;)
150    
151    
152     =head4 Relative HTTP/HTTPS switching
153    
154     Switch from HTTP to HTTPS and vice versa by using only relative URLs.
155     Benefit: absolute URLs are avoided, and this way the website is more flexible.
156    
157     #-------- sample httpd.conf snip -------------------------
158     RewriteEngine on
159     RewriteCond %{HTTPS} =on
160     RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
161     RewriteCond %{HTTPS} !=on
162     RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
163     RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
164     #------------- end snip -------------------------------------
165    
166     #-------- sample page.html snip -------------------------
167     <a href="page.html:scheme=toggle">
168     <a href="page.html:scheme=https">
169     <a href="page.html:scheme=http">
170     #------------- end snip -------------------------------------
171    
172    
173    
174     =head3 Resources (read for further configurations):
175    
176     =over
177    
178     =item Security Solutions with SSL
179    
180     http://www.modssl.org/docs/apachecon2001/
181    
182     =item Apache.org
183    
184     http://www.apache.org
185    
186     =item modssl.org
187    
188     http://www.modssl.org
189    
190    
191     =item Das SSL-Apache Handbuch
192    
193     http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html
194    
195     =back
196    
197    
198     =head3 ToDo
199    
200     o explain installation from source
201     o check out more config variations
202     o check out more rewrite rules
203     o read more docu
204     o write more docu ;)
205    
206    
207     =head3 Authors
208    
209     Sebastian Utz seut@tunemedia.de
210    
211    
212     =head3 last changes
213    
214     Revision 1.2 2003/01/22 18:37:22 jonen
215     + added docu and references
216    
217     Revision 1.1 2003/01/22 17:47:49 jonen
218     + first init
219    
220    
221     =cut
222    
