Contents of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.pod

Revision 1.2
Mon Jan 27 09:21:51 2003 UTC by jonen
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +14 -15 lines
+ updated

##################################################
# $Id: howto-setup-apache_mod-ssl.pod,v 1.1 2003/01/25 08:43:21 jonen Exp $
#
##################################################
#
# $Log: howto-setup-apache_mod-ssl.pod,v $
# Revision 1.1 2003/01/25 08:43:21 jonen
# + moved/convert to perlpod format
#
# Revision 1.2 2003/01/22 18:37:22 jonen
# + added docu and references
#
# Revision 1.1 2003/01/22 17:47:49 jonen
# + first init
#
#
##################################################

=pod


=head2 howto setup apache + mod_ssl

Sebastian Utz S<seut@netfrag.org>


B<last changes>

Revision 1.2 2003/01/22 18:37:22 jonen
+ added docu and references


=head3 Description

Example on how to install and configure Apache (1.3) with mod_ssl on Debian.


=head4 install (debian)

=over

=item Apache

- apt-get install apache apache-common

=item mod_ssl

- apt-get install libapache-mod-ssl

=back


=head4 make certificate

- run:
/usr/lib/apache/mkcert.sh

The script produces the server key and certificate that the configuration
below points at (server.key and server.crt). Keep the private key readable
by root only: Apache reads it at startup, before it drops privileges to
www-data, and nothing that runs as www-data should ever be able to read it.
The key is passphrase-protected, so Apache will prompt for the passphrase on
every start; see the passphrase section below for the ways around that.


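An added example, not part of the original howto and not Debian's mkcert.sh: the same key and self-signed certificate produced with the openssl command line, with the file permissions set as described above and a check that the key and the certificate actually belong together before Apache is restarted. The directory, hostname and validity period are arguments you supply (the names in the usage line are placeholders); the key is written unencrypted (-nodes), which avoids the passphrase prompt discussed further down, and is protected by mode 0400 instead.

```shell
#!/bin/sh
# Added example (not from the original howto, not mkcert.sh): build a server
# key and a self-signed certificate with openssl(1), lock the key down, and
# verify that the two files belong together before Apache is restarted.
# Assumptions: openssl is installed; DIR and HOSTNAME are whatever you pass.

# make_self_signed DIR HOSTNAME [DAYS]
# Writes DIR/server.key (unencrypted, mode 0400) and DIR/server.crt.
make_self_signed() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # Minimal config so the run does not depend on the system openssl.cnf;
    # the subjectAltName is what current browsers match the hostname against.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
[dn]
[v3]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    # -nodes: do not encrypt the key, so Apache can start unattended;
    # the key is protected by file permissions instead of a passphrase.
    ( umask 077
      openssl req -new -x509 -nodes -sha256 -days "$days" \
          -newkey rsa:2048 -keyout "$dir/server.key" -out "$dir/server.crt" \
          -subj "/CN=$host" -config "$dir/openssl.cnf" >/dev/null 2>&1 ) || return 1
    chmod 0400 "$dir/server.key"   # private key: owner read-only
    chmod 0444 "$dir/server.crt"   # the certificate is public anyway
}

# key_matches_cert KEY CRT: succeed only if both carry the same RSA modulus.
# A mismatch (e.g. a renewed certificate next to an old key) otherwise only
# shows up as an SSL error when Apache starts.
key_matches_cert() {
    kmod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cmod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# key_is_private KEY: succeed only if group and others have no access at all
# (ls -l columns 5-10 are the group and other permission bits).
key_is_private() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: sh mkcert-openssl.sh DIR HOSTNAME [DAYS]; with no arguments the
# script only defines the functions above.
if [ $# -ge 2 ]; then
    make_self_signed "$1" "$2" "$3" \
        && key_matches_cert "$1/server.key" "$1/server.crt" \
        && key_is_private "$1/server.key" \
        && echo "ok: $1/server.key and $1/server.crt"
fi
```

Run it as root, then move server.key and server.crt under the ssl.key/ and ssl.crt/ directories used by the configuration below (or adjust SSLCertificateKeyFile and SSLCertificateFile). key_matches_cert is also the check to rerun whenever a certificate is replaced.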
=head4 configure httpd.conf

(default Debian path: /etc/apache/httpd.conf)


=head5 basic:

  LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

  <IfDefine SSL>
  Listen 80
  Listen 443

  SSLMutex file:/var/log/apache/ssl_mutex
  SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
  SSLRandomSeed startup builtin

  SSLLog /var/log/apache/ssl.log
  SSLLogLevel warn

  <VirtualHost _default_:443>
  SSLEngine on
  SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
  SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
  SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
  SSLVerifyClient none
  </VirtualHost>
  </IfDefine>

Everything inside <IfDefine SSL> is only read when Apache is started with
-DSSL, which is what the init script change below arranges; without it the
Listen directives are skipped as well.

In the SSLCipherSuite string a leading + only moves suites that are already
in the list to its end and adds nothing, and ALL already excludes the eNULL
(no encryption) suites, so +eNULL is harmless here. The LOW and EXP
(export-grade) suites, however, stay enabled; if none of your clients needs
them, exclude them with the ! prefix, the way !ADH is excluded.

SSLVerifyClient none is the default (no client certificate is requested).
server.key must be readable by root only.

89
=head5 optional:

example VirtualHost entry:

  <VirtualHost your.domain.com:443>
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
  SSLCertificateKeyFile conf/ssl.key/server.key
  SSLCertificateFile conf/ssl.crt/server.crt
  ServerName your.domain.com
  ServerAlias domain.com
  DocumentRoot /var/lib/www/domain.com
  CustomLog /var/log/apache/access_log.your.domain.com combined
  ErrorLog /var/log/apache/error_log.your.domain.com
  SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
  <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
  SSLOptions +StdEnvVars
  </Files>
  </VirtualHost>



=head4 get the SSL passphrase from a file instead of a prompt

Every start of Apache requires entering the passphrase for the SSL key generated above.
This is a problem if you plan automatic restarts of Apache.
Apache can be told to fetch the passphrase from a program instead, with the option:

  SSLPassPhraseDialog exec:/path/to/your_password_programm

It is up to you to write that program, so be careful. mod_ssl runs it as root at
startup, once for every encrypted key, and reads the passphrase from its standard
output. Note what this buys you: a passphrase stored on the same machine protects
the key exactly as well as the permissions on the file that holds it, and no better.
It is often simpler to remove the passphrase from the key altogether and protect the
unencrypted key file with permissions (readable by root only) than to maintain a
passphrase program. The simplest possible program would be e.g.

  #-----------your_password_programm ---------
  #!/bin/sh
  echo <your passphrase>
  #------------------ end snip ----------------------

  chmod 700 /path/to/your_password_programm

Leave the program owned by root, with no group or world permissions. Do not chown it
to www-data: the dialog runs as root before privileges are dropped, and www-data is
the user that CGI scripts and any compromised web application run as, so a
www-data-readable passphrase hands the private key to exactly the code you trust least.

But again, a passphrase in a plain-text script like this is only as secure as the
file that holds it.

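An added example that is not part of the original howto: a program usable as SSLPassPhraseDialog exec: that does not contain the passphrase itself. mod_ssl runs the program as root at startup, once per encrypted key, with two arguments, the server as servername:port and the key type RSA or DSA, and reads the passphrase from its standard output. This version looks the passphrase up in a separate root-owned file (its path and its one-line-per-key format are assumptions of this example) and refuses to run if that file is readable by group or others, which is the mistake the section above warns about.

```shell
#!/bin/sh
# Added example (not part of the original howto): a passphrase program for
#   SSLPassPhraseDialog exec:/usr/local/sbin/ssl-passphrase
# mod_ssl calls it as root at startup for every encrypted key, as
#   ssl-passphrase servername:port RSA|DSA
# and reads the passphrase from stdout. The passphrase is not in this script
# but in a separate root-owned file (the location below is an assumption)
# with one line per key:  servername:port passphrase
PASSFILE=${PASSFILE:-/etc/apache/ssl-passphrases}   # assumed path

# passphrase_for SERVER:PORT KEYTYPE [FILE]: print the passphrase for that key
passphrase_for() {
    server=$1; keytype=$2; file=${3:-$PASSFILE}
    case $keytype in
        RSA|DSA) ;;
        *) echo "unexpected key type: $keytype" >&2; return 2 ;;
    esac
    # Refuse a passphrase file that group or others can read: the key would
    # then be no better protected than an unencrypted key left world-readable
    # (ls -l columns 5-10 are the group and other permission bits).
    perms=$(ls -l "$file" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$file is missing or not mode 0400/0600; refusing" >&2
        return 1
    fi
    # Exact match on the first field; the rest of the line is the passphrase.
    pass=$(awk -v k="$server" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$file")
    if [ -z "$pass" ]; then
        echo "no passphrase for $server in $file" >&2
        return 1
    fi
    printf '%s\n' "$pass"
}

# Entry point used by mod_ssl. Without arguments the script only defines
# the function, so it can be sourced for testing.
if [ $# -eq 2 ]; then
    passphrase_for "$1" "$2"
fi
```

Install it as root with mode 0500, keep the passphrase file at mode 0400 root, and point SSLPassPhraseDialog at it. It does not change the trade-off described above: the passphrase is still on disk, protected only by permissions, which is why an unencrypted key with the same permissions is the simpler equivalent.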
137
138
139
=head4 modify apache init script to start with ssl

('apachectl startssl' does not work on debian/testing for some reason....)


- edit /etc/init.d/apache:

replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON

with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL

in the WHOLE script!

Everything after -- is passed to apache itself; -DSSL defines the name SSL so
that the <IfDefine SSL> block above is read (it is what apachectl startssl
does internally). Note the leading dash: a bare DSSL is not a valid apache
option and apache will refuse to start.



=head4 finally start apache..

- check the configuration with C<apachectl configtest>, then run
/etc/init.d/apache start

and you are in business... ;)

162
=head4 Relative HTTP/HTTPS switching

Switch from HTTP to HTTPS and vice versa by using only relative URLs.
Benefit: absolute URLs are avoided and this way the website is more flexible.

  #-------- sample httpd.conf snip -------------------------
  RewriteEngine on
  RewriteCond %{HTTPS} =on
  RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
  RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
  #------------- end snip -------------------------------------

  #-------- sample page.html snip -------------------------
  <a href="page.html:scheme=toggle">
  <a href="page.html:scheme=https">
  <a href="page.html:scheme=http">
  #------------- end snip -------------------------------------

Each RewriteCond applies only to the RewriteRule directly after it, and the [L]
flag stops processing once a rule has matched, so a :scheme=toggle link is
redirected to the other scheme and an explicit :scheme=http or :scheme=https link
to the requested one.

Two things to keep in mind: the redirect target is built from %{SERVER_NAME}, which
with UseCanonicalName On (the default) is the configured ServerName but with
UseCanonicalName Off is taken from the client's Host header, i.e. attacker-controlled;
and a :scheme=http link drops the browser back to cleartext, so anything set over HTTPS
(session cookies without the secure flag, for instance) will then be sent in the clear.



=head3 Resources (read for further configurations):

=over

=item Security Solutions with SSL

http://www.modssl.org/docs/apachecon2001/

=item Apache.org

http://www.apache.org

=item modssl.org

http://www.modssl.org


=item Das SSL-Apache Handbuch (the SSL-Apache handbook, in German)

http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html

=back


=head3 ToDo

o explain installation from source
o check out more config variations
o check out more rewrite rules
o read more docu
o write more docu ;)




=cut

