Contents of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.pod

Revision 1.1 - (show annotations)
Sat Jan 25 08:43:21 2003 UTC (21 years, 6 months ago) by jonen
Branch: MAIN
+ moved/convert to perlpod format

##################################################
# $Id: howto-setup-apache_mod-ssl.txt,v 1.2 2003/01/22 18:37:22 jonen Exp $
#
##################################################
#
# $Log: howto-setup-apache_mod-ssl.txt,v $
# Revision 1.2 2003/01/22 18:37:22 jonen
# + added docu and references
#
# Revision 1.1 2003/01/22 17:47:49 jonen
# + first init
#
#
##################################################

=pod

=head2 howto setup apache + mod_ssl

=head3 Description

Example on how to install and configure Apache with mod_ssl

=head4 install (debian)

=over

=item Apache

    apt-get install apache apache-common

=item mod_ssl

    apt-get install libapache-mod-ssl

=back

=head4 make certificate

- run:

    /usr/lib/apache/mkcert.sh

=head4 configure httpd.conf

(default Debian path: /etc/apache/httpd.conf)

=head5 basic:

    LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

    <IfDefine SSL>
        Listen 80
        Listen 443

        SSLMutex file:/var/log/apache/ssl_mutex
        SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
        SSLRandomSeed startup builtin

        SSLLog /var/log/apache/ssl.log
        SSLLogLevel warn

        <VirtualHost _default_:443>
            SSLEngine on
            SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
            SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
            SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
            SSLVerifyClient none
        </VirtualHost>
    </IfDefine>

=head5 optional:

example VirtualHost entry:

    <VirtualHost your.domain.com:443>
        SSLEngine On
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
        SSLCertificateKeyFile conf/ssl.key/server.key
        SSLCertificateFile conf/ssl.crt/server.crt
        ServerName your.domain.com
        ServerAlias domain.com
        DocumentRoot /var/lib/www/domain.com
        CustomLog /var/log/apache/access_log.your.domain.com combined
        ErrorLog /var/log/apache/error_log.your.domain.com
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
            SSLOptions +StdEnvVars
        </Files>
    </VirtualHost>

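The SSLCipherSuite strings in both blocks above are OpenSSL cipher strings, which are evaluated left to right and where `+` only re-orders suites that are already enabled. The following added example (not part of the howto) models that evaluation at the level of named cipher classes and lints a constructed httpd.conf fragment, showing that the basic block's string keeps LOW and EXP suites enabled via ALL while its `+eNULL` actually enables nothing; the class list and the hardened comparison string are assumptions of the model, not from the page.

```python
import re

# Added example, not the howto's code. Class-level model of OpenSSL cipher
# strings: a bare name adds, '-' removes, '!' removes for good, '+' only
# re-orders what is already enabled, and ALL means "everything except eNULL".
ALL_CLASSES = ["HIGH", "MEDIUM", "LOW", "EXP", "EXPORT56", "SSLv2", "RC4", "ADH"]
KNOWN_CLASSES = set(ALL_CLASSES) | {"eNULL", "aNULL"}
WEAK_CLASSES = {"eNULL", "aNULL", "ADH", "LOW", "EXP", "EXPORT56", "SSLv2", "RC4"}

def enabled_classes(spec):
    """Classes left enabled by a cipher string, in preference order."""
    enabled, killed = [], set()
    for token in spec.split(":"):
        op = token[0] if token and token[0] in "+-!" else ""
        body = token.lstrip("+-!")
        # RC4+RSA style tokens AND several names; keep the modelled ones.
        names = ALL_CLASSES if body == "ALL" else [n for n in body.split("+") if n in KNOWN_CLASSES]
        for name in names:
            if op in ("!", "-"):
                enabled = [c for c in enabled if c != name]
                if op == "!":
                    killed.add(name)
            elif op == "+":
                if name in enabled:  # reorder only: '+' never adds a class
                    enabled.remove(name)
                    enabled.append(name)
            elif name not in enabled and name not in killed:
                enabled.append(name)
    return enabled

def weak_classes(spec):
    """Weak classes the string actually enables (naming one is not enabling it)."""
    return [c for c in enabled_classes(spec) if c in WEAK_CLASSES]

def lint_config(text):
    """Map each SSLCipherSuite line (1-based line number) to its weak classes."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*SSLCipherSuite\s+(\S+)", line)
        if m:
            report[lineno] = weak_classes(m.group(1))
    return report

# Constructed fragment: the howto's basic cipher line beside a hardened one.
SAMPLE_CONF = """<VirtualHost _default_:443>
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
    SSLCipherSuite HIGH:!aNULL:!eNULL
</VirtualHost>"""
```

Running `lint_config(SAMPLE_CONF)` reports the weak classes for line 2 and an empty list for the hardened line 3.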
=head4 get the SSL passphrase from a file instead of a prompt

Every start of apache requires entering the password for the SSL key generated above.
This can be annoying if you plan some automatic restart of apache.
There is a way to give the password to apache automatically with the option:

    SSLPassPhraseDialog exec:/path/to/your_password_program

But it's up to you to write the password program, be careful!!
Sometimes it is easier to simply protect an unprotected file than to write a program that gives a password!!
The easiest way would be e.g.

    #-----------your_password_program ---------
    #!/bin/sh
    echo "<your passphrase>"
    #------------------ end snip ----------------------

    chmod 700 /path/to/your_password_program
    chown www-data.www-data /path/to/your_password_program

But again, this would be very insecure!!!

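A passphrase program for `SSLPassPhraseDialog exec:` is run by mod_ssl with two arguments (`servername:port` and the key type, `RSA` or `DSA`) and must print the passphrase on stdout. The helper below is an added example, not the howto's script: it reads the passphrase from a separate file and refuses to print it unless that file is a regular file, owned by the uid running the helper, and unreadable by group and others. The file path in the `__main__` block is a placeholder, and `demo()` exercises the check on a constructed temporary file.

```python
import os
import stat
import tempfile

def secret_file_ok(st_mode, st_uid, expected_uid):
    """True if a secret file is a regular file, owned by expected_uid,
    and readable by nobody else (no group/other permission bits)."""
    return (stat.S_ISREG(st_mode)
            and st_uid == expected_uid
            and (st_mode & 0o077) == 0)

def read_passphrase(path, expected_uid=None):
    """Return the first line of `path`, refusing an unsafely stored file.
    `expected_uid` defaults to the uid running this helper, which is the
    uid Apache starts under when mod_ssl asks for the key passphrase."""
    if expected_uid is None:
        expected_uid = os.getuid()
    st = os.lstat(path)  # lstat: a symlink is not a regular file
    if not secret_file_ok(st.st_mode, st.st_uid, expected_uid):
        raise PermissionError(
            f"refusing {path}: need a regular file owned by uid "
            f"{expected_uid} with mode 0600 or 0400")
    with open(path) as fh:
        return fh.readline().rstrip("\n")

def demo(passphrase="constructed-passphrase"):
    """Self-check on a constructed temp file: mode 0600 is accepted,
    mode 0644 is refused. Returns (passphrase_read, refused_when_0644)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, (passphrase + "\n").encode())
        os.close(fd)
        os.chmod(path, 0o600)
        accepted = read_passphrase(path)
        os.chmod(path, 0o644)
        try:
            read_passphrase(path)
            refused = False
        except PermissionError:
            refused = True
        return accepted, refused
    finally:
        os.unlink(path)

if __name__ == "__main__":
    # Invoked by mod_ssl as: your_password_program servername:port RSA
    # The path is a placeholder; keep the file next to the key, root-only.
    print(read_passphrase("/etc/apache/conf/ssl.key/PASSPHRASE_FILE_PLACEHOLDER"))
```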
=head4 modify apache init script to start with ssl

('apachectl startssl' doesn't work on debian/testing for some reason....)

- edit /etc/init.d/apache:

replace

    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON

with

    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL

in the WHOLE script!

=head4 finally start apache..

- run

    /etc/init.d/apache start

and you are in business... ;)

=head4 Relative HTTP/HTTPS switching

Switch from HTTP to HTTPS and vice versa by using only relative URLs.
Benefit: absolute URLs are avoided and this way the website is more flexible.

    #-------- sample httpd.conf snip -------------------------
    RewriteEngine on
    RewriteCond %{HTTPS} =on
    RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
    RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
    #------------- end snip -------------------------------------

    #-------- sample page.html snip -------------------------
    <a href="page.html:scheme=toggle">
    <a href="page.html:scheme=https">
    <a href="page.html:scheme=http">
    #------------- end snip -------------------------------------

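To see what the three rules above do for a given request, the added example below (not from the howto) emulates them: each RewriteCond guards only the RewriteRule that follows it, rules are tried in order, and `[L]` stops at the first match. The server name `www.example.com` and the request paths are constructed test values.

```python
import re

# Added example, not the howto's configuration: the three RewriteRules
# from the snippet, as (condition on %{HTTPS}, pattern, target scheme).
RULES = [
    ("on",  r"^/(.*):scheme=toggle$",       lambda m: "http"),
    ("off", r"^/(.*):scheme=toggle$",       lambda m: "https"),
    (None,  r"^/(.*):scheme=(http|https)$", lambda m: m.group(2)),
]

def rewrite(path, https_on, server_name="www.example.com"):
    """Return the redirect target for a URL path, or None if no rule fires.
    The first matching rule wins, mirroring the [L] flag on every rule."""
    for cond, pattern, scheme_of in RULES:
        # A RewriteCond applies only to the rule directly below it.
        if (cond == "on" and not https_on) or (cond == "off" and https_on):
            continue
        m = re.match(pattern, path)
        if m:
            return f"{scheme_of(m)}://{server_name}/{m.group(1)}"
    return None
```

The redirect host comes from `%{SERVER_NAME}`; with `UseCanonicalName Off` Apache derives that from the client-supplied Host header, so keep `UseCanonicalName On` (and a matching ServerName) if the redirect target must not follow whatever host name a client sends.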
=head3 Resources (read for further configurations):

=over

=item Security Solutions with SSL

http://www.modssl.org/docs/apachecon2001/

=item Apache.org

http://www.apache.org

=item modssl.org

http://www.modssl.org

=item Das SSL-Apache Handbuch

http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html

=back

=head3 ToDo

o explain installation from source
o check out more config variations
o check out more rewrite rules
o read more docu
o write more docu ;)

=head3 Authors

Sebastian Utz seut@tunemedia.de

=head3 last changes

Revision 1.2 2003/01/22 18:37:22 jonen
+ added docu and references

Revision 1.1 2003/01/22 17:47:49 jonen
+ first init

=cut

