Annotation of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.pod

Revision 1.2 - Mon Jan 27 09:21:51 2003 UTC by jonen
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +14 -15 lines
+ updated

##################################################
# $Id: howto-setup-apache_mod-ssl.pod,v 1.1 2003/01/25 08:43:21 jonen Exp $
#
##################################################
#
# $Log: howto-setup-apache_mod-ssl.pod,v $
# Revision 1.1 2003/01/25 08:43:21 jonen
# + moved/convert to perlpod format
#
# Revision 1.2 2003/01/22 18:37:22 jonen
# + added docu and references
#
# Revision 1.1 2003/01/22 17:47:49 jonen
# + first init
#
#
##################################################

=pod


=head2 howto setup apache + mod_ssl

Sebastian Utz S<seut@netfrag.org>


B<last changes>

Revision 1.2 2003/01/22 18:37:22 jonen
+ added docu and references


=head3 Description

Example of how to install and configure Apache with mod_ssl.


=head4 install (debian)

=over

=item Apache

- apt-get install apache apache-common

=item mod_ssl

- apt-get install libapache-mod-ssl

=back


=head4 make certificate

- run:

    /usr/lib/apache/mkcert.sh



=head4 configure httpd.conf

(default Debian path: /etc/apache/httpd.conf)


=head5 basic:

    LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

    <IfDefine SSL>
    Listen 80
    Listen 443

    SSLMutex file:/var/log/apache/ssl_mutex
    SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
    SSLRandomSeed startup builtin

    SSLLog /var/log/apache/ssl.log
    SSLLogLevel warn

    <VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
    SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
    SSLVerifyClient none
    </VirtualHost>
    </IfDefine>


=head5 optional:

example VirtualHost entry:

    <VirtualHost your.domain.com:443>
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
    SSLCertificateKeyFile conf/ssl.key/server.key
    SSLCertificateFile conf/ssl.crt/server.crt
    ServerName your.domain.com
    ServerAlias domain.com
    DocumentRoot /var/lib/www/domain.com
    CustomLog /var/log/apache/access_log.your.domain.com combined
    ErrorLog /var/log/apache/error_log.your.domain.com
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
    SSLOptions +StdEnvVars
    </Files>
    </VirtualHost>


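A quick audit of the cipher strings above, added here as an example that is not part of the original howto: the C<+LOW:+EXP:+eNULL> tokens in those C<SSLCipherSuite> lines keep low-grade, export-grade and unencrypted (eNULL) suites enabled, and this POSIX shell script reports every such enabled token in a given httpd.conf. The sample config it writes is constructed for the demo; C<SSLv2> and C<ADH> are on the weak list as extra checks beyond the strings quoted on this page.

```shell
#!/bin/sh
# Added example (not from the original howto): report weak tokens that an
# SSLCipherSuite line leaves enabled.  A bare token adds suites, '+' moves
# them to the end but keeps them, '!' removes them permanently and '-'
# removes them unless re-added later, so only bare and '+' tokens count.
WEAK_TOKENS='eNULL EXP EXPORT56 LOW SSLv2 ADH'

# weak_cipher_tokens CONFIG_FILE -> one enabled weak token per line
weak_cipher_tokens() {
    grep -i '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" | awk '{print $2}' |
    tr ':' '\n' | while IFS= read -r tok; do
        case "$tok" in
            '!'*|'-'*) continue ;;      # exclusion, not an enabled suite
            '+'*) tok=${tok#+} ;;       # '+' only reorders; suite stays enabled
        esac
        for w in $WEAK_TOKENS; do
            if [ "$tok" = "$w" ]; then echo "$tok"; fi
        done
    done
}

# count_weak_ciphers CONFIG_FILE -> number of enabled weak tokens
count_weak_ciphers() {
    weak_cipher_tokens "$1" | wc -l | tr -d ' '
}

# Constructed sample: the cipher string from the basic vhost above, followed
# by a hardened one that excludes the weak groups instead of appending them.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
</VirtualHost>
<VirtualHost hardened.example:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!LOW:!EXP:!SSLv2
</VirtualHost>
EOF

echo "weak tokens enabled in $SAMPLE_CONF:"
weak_cipher_tokens "$SAMPLE_CONF"     # LOW, EXP, eNULL (all from the first vhost)
```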
=head4 get the SSL passphrase from a file instead of a prompt

Every start of Apache requires entering the passphrase for the SSL key generated above.
This can be annoying if you plan automatic restarts of Apache.
There is a way to hand the passphrase to Apache automatically with the option:

    SSLPassPhraseDialog exec:/path/to/your_password_program

But it's up to you to write the password program, so be careful!!
Sometimes it is easier to simply protect an otherwise unprotected file than to write a program that gives out a password!!
The easiest way would be e.g.

    #-----------your_password_program ---------
    #!/bin/sh
    echo <your passphrase>
    #------------------ end snip ----------------------

    chmod 700 /path/to/your_password_program
    chown www-data.www-data /path/to/your_password_program


But again, this would be very insecure!!!



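A less exposed variant of the password program above, added here as an example and not part of the original howto: the passphrase lives in a separate file (the path C</etc/apache/conf/ssl.key/server.pass> is an assumption, overridable through C<PASS_FILE>) and the program refuses to print it unless that file is readable by its owner alone, so a loosened permission is caught at the next Apache start instead of silently exposing the key passphrase.

```shell
#!/bin/sh
# Added example, not from the original howto: passphrase program for
#   SSLPassPhraseDialog exec:/path/to/this/script
# The passphrase is kept in a separate file (the path below is an
# assumption) and is only printed when that file is owner-readable only.
PASS_FILE=${PASS_FILE:-/etc/apache/conf/ssl.key/server.pass}

# passphrase_from_file FILE -> prints the first line of FILE (the passphrase);
# returns 1 if FILE is missing, readable by group/others, or empty.
# Uses `stat -c` as shipped with GNU coreutils (and busybox) on Debian.
passphrase_from_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "passphrase file $f missing" >&2; return 1
    fi
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        400|600) ;;     # owner-only read (or read/write): acceptable
        *) echo "refusing: $f has mode $mode, expected 400 or 600" >&2
           return 1 ;;
    esac
    pass=$(head -n 1 "$f")
    if [ -z "$pass" ]; then
        echo "passphrase file $f is empty" >&2; return 1
    fi
    printf '%s\n' "$pass"
}

# mod_ssl calls the program with two arguments, "servername:port" and
# "RSA" or "DSA", and reads the passphrase from stdout.  Only answer in
# that case, so running or sourcing the script by hand prints nothing.
if [ "$#" -eq 2 ]; then
    passphrase_from_file "$PASS_FILE" || exit 1
fi
```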
139    
=head4 modify apache init script to start with ssl

('apachectl startssl' doesn't work on debian/testing for some reason....)


- edit /etc/init.d/apache:

replace

    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON

with

    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL

in the WHOLE script! (C<-DSSL> is what activates the C<E<lt>IfDefine SSLE<gt>> block in httpd.conf.)



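The init-script edit above applied with sed, added here as an example that is not part of the original howto: every C<start-stop-daemon --start ... --exec $DAEMON> line gets C<-- -DSSL> appended, stop lines are left alone, and because the pattern is anchored at the end of the line a second run does not append the flag twice. The sample script it edits is a constructed stand-in for C</etc/init.d/apache>.

```shell
#!/bin/sh
# Added example, not from the original howto: append "-- -DSSL" to every
# start-stop-daemon --start line that ends in "--exec $DAEMON", so httpd
# is started with -DSSL and the <IfDefine SSL> block applies.

# add_dssl_flag SCRIPT -> edits SCRIPT in place and prints how many
# start-stop-daemon --start lines now carry "-- -DSSL".
# Idempotent: after the first run the line no longer ends in "$DAEMON",
# so the end-anchored pattern does not match again.
add_dssl_flag() {
    script=$1
    tmp=$(mktemp)
    sed '/start-stop-daemon --start/s/--exec \$DAEMON[[:space:]]*$/--exec $DAEMON -- -DSSL/' \
        "$script" > "$tmp" && cat "$tmp" > "$script"   # keeps mode/owner of SCRIPT
    rm -f "$tmp"
    grep -c 'start-stop-daemon --start.*-- -DSSL' "$script"
}

# Constructed stand-in for /etc/init.d/apache: two start lines (in the
# start and restart branches) and two stop lines that must stay unchanged.
SAMPLE_INIT=$(mktemp)
cat > "$SAMPLE_INIT" <<'EOF'
#!/bin/sh
DAEMON=/usr/sbin/apache
PIDFILE=/var/run/apache.pid
case "$1" in
  start)
    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
    ;;
  stop)
    start-stop-daemon --stop --pidfile $PIDFILE --exec $DAEMON
    ;;
  restart)
    start-stop-daemon --stop --pidfile $PIDFILE --exec $DAEMON
    sleep 1
    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
    ;;
esac
EOF

add_dssl_flag "$SAMPLE_INIT"     # prints 2
grep -n 'start-stop-daemon' "$SAMPLE_INIT"
```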
=head4 finally start apache..

- run

    /etc/init.d/apache start

and you are in business... ;)


=head4 Relative HTTP/HTTPS switching

Switch from HTTP to HTTPS and vice versa by using only relative URLs.
Benefit: absolute URLs are avoided, which makes the website more flexible.

    #-------- sample httpd.conf snip -------------------------
    RewriteEngine on
    RewriteCond %{HTTPS} =on
    RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
    RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
    #------------- end snip -------------------------------------

    #-------- sample page.html snip -------------------------
    <a href="page.html:scheme=toggle">
    <a href="page.html:scheme=https">
    <a href="page.html:scheme=http">
    #------------- end snip -------------------------------------



=head3 Resources (read for further configurations):

=over

=item Security Solutions with SSL

http://www.modssl.org/docs/apachecon2001/

=item Apache.org

http://www.apache.org

=item modssl.org

http://www.modssl.org


=item Das SSL-Apache Handbuch

http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html

=back


=head3 ToDo

o explain installation from source
o check out more config variations
o check out more rewrite rules
o read more docu
o write more docu ;)




=cut

