1 |
jonen |
1.1 |
################################################## |
2 |
|
|
# $Id: howto-setup-apache_mod-ssl.txt,v 1.2 2003/01/22 18:37:22 jonen Exp $ |
3 |
|
|
# |
4 |
|
|
################################################## |
5 |
|
|
# |
6 |
|
|
# $Log: howto-setup-apache_mod-ssl.txt,v $ |
7 |
|
|
# Revision 1.2 2003/01/22 18:37:22 jonen |
8 |
|
|
# + added docu and references |
9 |
|
|
# |
10 |
|
|
# Revision 1.1 2003/01/22 17:47:49 jonen |
11 |
|
|
# + first init |
12 |
|
|
# |
13 |
|
|
# |
14 |
|
|
################################################## |
15 |
|
|
|
16 |
|
|
=pod |
17 |
|
|
|
18 |
|
|
|
19 |
|
|
=head2 howto setup apache + mod_ssl |
20 |
|
|
|
21 |
|
|
|
22 |
|
|
=head3 Description |
23 |
|
|
|
24 |
|
|
Example on how to install and configure Apache with mod_ssl |
25 |
|
|
|
26 |
|
|
|
27 |
|
|
=head4 install (debian) |
28 |
|
|
|
29 |
|
|
=over |
30 |
|
|
|
31 |
|
|
=item Apache |
32 |
|
|
|
33 |
|
|
- apt-get install apache apache-common |
34 |
|
|
|
35 |
|
|
=item mod_ssl |
36 |
|
|
|
37 |
|
|
- apt-get install libapache-mod-ssl |
38 |
|
|
|
39 |
|
|
=back |
40 |
|
|
|
41 |
|
|
|
42 |
|
|
=head4 make certificate |
43 |
|
|
|
44 |
|
|
- run: |
45 |
|
|
/usr/lib/apache/mkcert.sh |
46 |
|
|
|
47 |
|
|
|
48 |
|
|
|
49 |
|
|
=head4 configure httpd.conf |
50 |
|
|
|
51 |
|
|
(default Debian path: /etc/apache/httpd.conf) |
52 |
|
|
|
53 |
|
|
|
54 |
|
|
=head5 basic: |
55 |
|
|
|
56 |
|
|
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so |
57 |
|
|
|
58 |
|
|
<IfDefine SSL> |
59 |
|
|
Listen 80 |
60 |
|
|
Listen 443 |
61 |
|
|
|
62 |
|
|
SSLMutex file:/var/log/apache/ssl_mutex |
63 |
|
|
SSLSessionCache dbm:/var/log/apache/ssl_gcache_data |
64 |
|
|
SSLRandomSeed startup builtin |
65 |
|
|
|
66 |
|
|
SSLLog /var/log/apache/ssl.log |
67 |
|
|
SSLLogLevel warn |
68 |
|
|
|
69 |
|
|
<VirtualHost _default_:443> |
70 |
|
|
SSLEngine on |
71 |
|
|
SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key |
72 |
|
|
SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt |
73 |
|
|
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL |
74 |
|
|
SSLVerifyClient none |
75 |
|
|
</VirtualHost> |
76 |
|
|
</IfDefine> |
77 |
|
|
|
78 |
|
|
|
79 |
|
|
=head5 optional: |
80 |
|
|
|
81 |
|
|
example VirtualHost entry: |
82 |
|
|
|
83 |
|
|
<VirtualHost your.domain.com:443> |
84 |
|
|
SSLEngine On |
85 |
|
|
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$ |
86 |
|
|
SSLCertificateKeyFile conf/ssl.key/server.key |
87 |
|
|
SSLCertificateFile conf/ssl.crt/server.crt |
88 |
|
|
ServerName your.domain.com |
89 |
|
|
ServerAlias domain.com |
90 |
|
|
DocumentRoot /var/lib/www/domain.com |
91 |
|
|
CustomLog /var/log/apache/access_log.your.domain.com combined |
92 |
|
|
ErrorLog /var/log/apache/error_log.your.domain.com |
93 |
|
|
SetEnvIf User-Agent ".*MSIE.*" \ |
94 |
|
|
nokeepalive ssl-unclean-shutdown \ |
95 |
|
|
downgrade-1.0 force-response-1.0 |
96 |
|
|
<Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$"> |
97 |
|
|
SSLOptions +StdEnvVars |
98 |
|
|
</Files> |
99 |
|
|
</VirtualHost> |
100 |
|
|
|
101 |
|
|
|
102 |
|
|
|
103 |
|
|
=head4 gets SSLPassPhrase by file instead of prompt for |
104 |
|
|
|
105 |
|
|
Every start of apache require to enter the password for the above generated SSL key. |
106 |
|
|
This can be annoying if you plan some automatic restart of apache. |
107 |
|
|
There is a way to automatically give the password to apache with the option: |
108 |
|
|
|
109 |
|
|
SSLPassPhraseDialog exec:/path/to/your_password_programm |
110 |
|
|
|
111 |
|
|
But it's upt to you to write the password programm, be careful!! |
112 |
|
|
Some times, it is easier to simply protect a non protected file, than writing a programm that gives a password!! |
113 |
|
|
Easiest way would be e.g. |
114 |
|
|
|
115 |
|
|
#-----------your_password_programm --------- |
116 |
|
|
#!/bin/sh |
117 |
|
|
echo <your passphrase> |
118 |
|
|
#------------------ end snip ---------------------- |
119 |
|
|
|
120 |
|
|
chmod 700 /path/to/your_password_programm |
121 |
|
|
chown www-data.www-data /path/to/your_password_programm |
122 |
|
|
|
123 |
|
|
|
124 |
|
|
But again, this would be very unsecure!!! |
125 |
|
|
|
126 |
|
|
|
127 |
|
|
|
128 |
|
|
|
129 |
|
|
=head4 modify apache init script to start with ssl |
130 |
|
|
|
131 |
|
|
('apachectl startssl' won't works at debian/testing for some reason....) |
132 |
|
|
|
133 |
|
|
|
134 |
|
|
- edit /etc/init.d/apache: |
135 |
|
|
|
136 |
|
|
replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON |
137 |
|
|
|
138 |
|
|
with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- DSSL |
139 |
|
|
|
140 |
|
|
in the WHOLE script! |
141 |
|
|
|
142 |
|
|
|
143 |
|
|
|
144 |
|
|
=head4 finally start apache.. |
145 |
|
|
|
146 |
|
|
- run |
147 |
|
|
/etc/init.d/apache start |
148 |
|
|
|
149 |
|
|
and you are in business... ;) |
150 |
|
|
|
151 |
|
|
|
152 |
|
|
=head4 Relative HTTP/HTTPS switching |
153 |
|
|
|
154 |
|
|
Switch from HTTP to HTTPS and vice versa by using only relative URLs |
155 |
|
|
Benefit: Absolute URLs are avioded and this way the website is more flexible |
156 |
|
|
|
157 |
|
|
#-------- sample httpd.conf snip ------------------------- |
158 |
|
|
RewriteEngine on |
159 |
|
|
RewriteCond %{HTTPS} =on |
160 |
|
|
RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L] |
161 |
|
|
RewriteCond %{HTTPS} !=on |
162 |
|
|
RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L] |
163 |
|
|
RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L] |
164 |
|
|
#------------- end snip ------------------------------------- |
165 |
|
|
|
166 |
|
|
#-------- sample page.html snip ------------------------- |
167 |
|
|
<a href="page.html:scheme=toggle"> |
168 |
|
|
<a href="page.html:scheme=https"> |
169 |
|
|
<a href="page.html:scheme=http"> |
170 |
|
|
#------------- end snip ------------------------------------- |
171 |
|
|
|
172 |
|
|
|
173 |
|
|
|
174 |
|
|
=head3 Resources (read for further configurations): |
175 |
|
|
|
176 |
|
|
=over |
177 |
|
|
|
178 |
|
|
=item Security Solutions with SSL |
179 |
|
|
|
180 |
|
|
http://www.modssl.org/docs/apachecon2001/ |
181 |
|
|
|
182 |
|
|
=item Apache.org |
183 |
|
|
|
184 |
|
|
http://www.apache.org |
185 |
|
|
|
186 |
|
|
=item modssl.org |
187 |
|
|
|
188 |
|
|
http://www.modssl.org |
189 |
|
|
|
190 |
|
|
|
191 |
|
|
=item Das SSL-Apache Handbuch |
192 |
|
|
|
193 |
|
|
http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html |
194 |
|
|
|
195 |
|
|
=back |
196 |
|
|
|
197 |
|
|
|
198 |
|
|
=head3 ToDo |
199 |
|
|
|
200 |
|
|
o explain installation from source |
201 |
|
|
o check out more config variations |
202 |
|
|
o check out more rewrite rules |
203 |
|
|
o read more docu |
204 |
|
|
o write more docu ;) |
205 |
|
|
|
206 |
|
|
|
207 |
|
|
=head3 Authors |
208 |
|
|
|
209 |
|
|
Sebastian Utz seut@tunemedia.de |
210 |
|
|
|
211 |
|
|
|
212 |
|
|
=head3 last changes |
213 |
|
|
|
214 |
|
|
Revision 1.2 2003/01/22 18:37:22 jonen |
215 |
|
|
+ added docu and references |
216 |
|
|
|
217 |
|
|
Revision 1.1 2003/01/22 17:47:49 jonen |
218 |
|
|
+ first init |
219 |
|
|
|
220 |
|
|
|
221 |
|
|
=cut |
222 |
|
|
|