1 |
jonen |
1.1 |
################################################## |
2 |
jonen |
1.2 |
# $Id: howto-setup-apache_mod-ssl.pod,v 1.1 2003/01/25 08:43:21 jonen Exp $ |
3 |
jonen |
1.1 |
# |
4 |
|
|
################################################## |
5 |
|
|
# |
6 |
jonen |
1.2 |
# $Log: howto-setup-apache_mod-ssl.pod,v $ |
7 |
|
|
# Revision 1.1 2003/01/25 08:43:21 jonen |
8 |
|
|
# + moved/convert to perlpod format |
9 |
|
|
# |
10 |
jonen |
1.1 |
# Revision 1.2 2003/01/22 18:37:22 jonen |
11 |
|
|
# + added docu and references |
12 |
|
|
# |
13 |
|
|
# Revision 1.1 2003/01/22 17:47:49 jonen |
14 |
|
|
# + first init |
15 |
|
|
# |
16 |
|
|
# |
17 |
|
|
################################################## |
18 |
|
|
|
19 |
|
|
=pod |
20 |
|
|
|
21 |
|
|
|
22 |
|
|
=head2 howto setup apache + mod_ssl |
23 |
|
|
|
24 |
jonen |
1.2 |
Sebastian Utz S<seut@netfrag.org> |
25 |
|
|
|
26 |
|
|
|
27 |
|
|
B<last changes> |
28 |
|
|
|
29 |
|
|
Revision 1.2 2003/01/22 18:37:22 jonen |
30 |
|
|
+ added docu and references |
31 |
|
|
|
32 |
jonen |
1.1 |
|
33 |
|
|
=head3 Description |
34 |
|
|
|
35 |
jonen |
1.2 |
Example on how to install and configure Apache with mod_ssl |
36 |
jonen |
1.1 |
|
37 |
|
|
|
38 |
|
|
=head4 install (debian) |
39 |
|
|
|
40 |
|
|
=over |
41 |
|
|
|
42 |
|
|
=item Apache |
43 |
|
|
|
44 |
|
|
- apt-get install apache apache-common |
45 |
|
|
|
46 |
|
|
=item mod_ssl |
47 |
|
|
|
48 |
|
|
- apt-get install libapache-mod-ssl |
49 |
|
|
|
50 |
|
|
=back |
51 |
|
|
|
52 |
|
|
|
53 |
|
|
=head4 make certificate |
54 |
|
|
|
55 |
|
|
- run: |
56 |
|
|
/usr/lib/apache/mkcert.sh |
57 |
|
|
|
58 |
|
|
|
59 |
|
|
|
60 |
|
|
=head4 configure httpd.conf |
61 |
|
|
|
62 |
|
|
(default Debian path: /etc/apache/httpd.conf) |
63 |
|
|
|
64 |
|
|
|
65 |
|
|
=head5 basic: |
66 |
|
|
|
67 |
|
|
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so |
68 |
|
|
|
69 |
|
|
<IfDefine SSL> |
70 |
|
|
Listen 80 |
71 |
|
|
Listen 443 |
72 |
|
|
|
73 |
|
|
SSLMutex file:/var/log/apache/ssl_mutex |
74 |
|
|
SSLSessionCache dbm:/var/log/apache/ssl_gcache_data |
75 |
|
|
SSLRandomSeed startup builtin |
76 |
|
|
|
77 |
|
|
SSLLog /var/log/apache/ssl.log |
78 |
|
|
SSLLogLevel warn |
79 |
|
|
|
80 |
|
|
<VirtualHost _default_:443> |
81 |
|
|
SSLEngine on |
82 |
|
|
SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key |
83 |
|
|
SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt |
84 |
|
|
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL |
85 |
|
|
SSLVerifyClient none |
86 |
|
|
</VirtualHost> |
87 |
|
|
</IfDefine> |
88 |
|
|
|
89 |
|
|
|
90 |
|
|
=head5 optional: |
91 |
|
|
|
92 |
|
|
example VirtualHost entry: |
93 |
|
|
|
94 |
|
|
<VirtualHost your.domain.com:443> |
95 |
|
|
SSLEngine On |
96 |
|
|
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$ |
97 |
|
|
SSLCertificateKeyFile conf/ssl.key/server.key |
98 |
|
|
SSLCertificateFile conf/ssl.crt/server.crt |
99 |
|
|
ServerName your.domain.com |
100 |
|
|
ServerAlias domain.com |
101 |
|
|
DocumentRoot /var/lib/www/domain.com |
102 |
|
|
CustomLog /var/log/apache/access_log.your.domain.com combined |
103 |
|
|
ErrorLog /var/log/apache/error_log.your.domain.com |
104 |
|
|
SetEnvIf User-Agent ".*MSIE.*" \ |
105 |
|
|
nokeepalive ssl-unclean-shutdown \ |
106 |
|
|
downgrade-1.0 force-response-1.0 |
107 |
|
|
<Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$"> |
108 |
|
|
SSLOptions +StdEnvVars |
109 |
|
|
</Files> |
110 |
|
|
</VirtualHost> |
111 |
|
|
|
112 |
|
|
|
113 |
|
|
|
114 |
|
|
=head4 gets SSLPassPhrase by file instead of prompt for |
115 |
|
|
|
116 |
|
|
Every start of apache require to enter the password for the above generated SSL key. |
117 |
|
|
This can be annoying if you plan some automatic restart of apache. |
118 |
|
|
There is a way to automatically give the password to apache with the option: |
119 |
|
|
|
120 |
|
|
SSLPassPhraseDialog exec:/path/to/your_password_programm |
121 |
|
|
|
122 |
|
|
But it's upt to you to write the password programm, be careful!! |
123 |
|
|
Some times, it is easier to simply protect a non protected file, than writing a programm that gives a password!! |
124 |
|
|
Easiest way would be e.g. |
125 |
|
|
|
126 |
|
|
#-----------your_password_programm --------- |
127 |
|
|
#!/bin/sh |
128 |
|
|
echo <your passphrase> |
129 |
|
|
#------------------ end snip ---------------------- |
130 |
|
|
|
131 |
|
|
chmod 700 /path/to/your_password_programm |
132 |
|
|
chown www-data.www-data /path/to/your_password_programm |
133 |
|
|
|
134 |
|
|
|
135 |
|
|
But again, this would be very unsecure!!! |
136 |
|
|
|
137 |
|
|
|
138 |
|
|
|
139 |
|
|
|
140 |
|
|
=head4 modify apache init script to start with ssl |
141 |
|
|
|
142 |
|
|
('apachectl startssl' won't works at debian/testing for some reason....) |
143 |
|
|
|
144 |
|
|
|
145 |
|
|
- edit /etc/init.d/apache: |
146 |
|
|
|
147 |
|
|
replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON |
148 |
|
|
|
149 |
|
|
with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- DSSL |
150 |
|
|
|
151 |
|
|
in the WHOLE script! |
152 |
|
|
|
153 |
|
|
|
154 |
|
|
|
155 |
|
|
=head4 finally start apache.. |
156 |
|
|
|
157 |
|
|
- run |
158 |
|
|
/etc/init.d/apache start |
159 |
|
|
|
160 |
|
|
and you are in business... ;) |
161 |
|
|
|
162 |
|
|
|
163 |
|
|
=head4 Relative HTTP/HTTPS switching |
164 |
|
|
|
165 |
|
|
Switch from HTTP to HTTPS and vice versa by using only relative URLs |
166 |
|
|
Benefit: Absolute URLs are avioded and this way the website is more flexible |
167 |
|
|
|
168 |
|
|
#-------- sample httpd.conf snip ------------------------- |
169 |
|
|
RewriteEngine on |
170 |
|
|
RewriteCond %{HTTPS} =on |
171 |
|
|
RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L] |
172 |
|
|
RewriteCond %{HTTPS} !=on |
173 |
|
|
RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L] |
174 |
|
|
RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L] |
175 |
|
|
#------------- end snip ------------------------------------- |
176 |
|
|
|
177 |
|
|
#-------- sample page.html snip ------------------------- |
178 |
|
|
<a href="page.html:scheme=toggle"> |
179 |
|
|
<a href="page.html:scheme=https"> |
180 |
|
|
<a href="page.html:scheme=http"> |
181 |
|
|
#------------- end snip ------------------------------------- |
182 |
|
|
|
183 |
|
|
|
184 |
|
|
|
185 |
|
|
=head3 Resources (read for further configurations): |
186 |
|
|
|
187 |
|
|
=over |
188 |
|
|
|
189 |
|
|
=item Security Solutions with SSL |
190 |
|
|
|
191 |
|
|
http://www.modssl.org/docs/apachecon2001/ |
192 |
|
|
|
193 |
|
|
=item Apache.org |
194 |
|
|
|
195 |
|
|
http://www.apache.org |
196 |
|
|
|
197 |
|
|
=item modssl.org |
198 |
|
|
|
199 |
|
|
http://www.modssl.org |
200 |
|
|
|
201 |
|
|
|
202 |
|
|
=item Das SSL-Apache Handbuch |
203 |
|
|
|
204 |
|
|
http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html |
205 |
|
|
|
206 |
|
|
=back |
207 |
|
|
|
208 |
|
|
|
209 |
|
|
=head3 ToDo |
210 |
|
|
|
211 |
|
|
o explain installation from source |
212 |
|
|
o check out more config variations |
213 |
|
|
o check out more rewrite rules |
214 |
|
|
o read more docu |
215 |
|
|
o write more docu ;) |
216 |
|
|
|
217 |
|
|
|
218 |
|
|
|
219 |
|
|
|
220 |
|
|
=cut |
221 |
|
|
|