
Annotation of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.txt


Revision 1.2 - (hide annotations)
Wed Jan 22 18:37:22 2003 UTC (21 years, 7 months ago) by jonen
Branch: MAIN
Changes since 1.1: +35 -5 lines
File MIME type: text/plain
+ added docu and references

1 jonen 1.1 ##################################################
2 jonen 1.2 # $Id: howto-setup-apache_mod-ssl.txt,v 1.1 2003/01/22 17:47:49 jonen Exp $
3 jonen 1.1 #
4     ##################################################
5     #
6     # howto configure apache + mod_ssl
7     #
8     # by jonen@netfrag.org
9     ##################################################
10     #
11 jonen 1.2 # $Log: howto-setup-apache_mod-ssl.txt,v $
12     # Revision 1.1 2003/01/22 17:47:49 jonen
13     # + first init
14     #
15 jonen 1.1 #
16     ##################################################
17    
18    
19     ##################################################
20     # install (debian):
21    
22     # Apache:
23     - apt-get install apache apache-common
24    
25     # mod_ssl
26     - apt-get install libapache-mod-ssl
27    
28    
29     ##################################################
30     # make certificate
31     # (produces the server key and certificate referenced in httpd.conf below.
       #  If the certificate is self-signed -- the usual default of such a script --
       #  browsers will warn about it: fine for testing, not for production, where
       #  the certificate should be signed by a CA your clients trust. Afterwards
       #  check that the generated server.key is readable by root only.)
32     - run:
33    
34     /usr/lib/apache/mkcert.sh
35    
36    
37    
38     ##################################################
39     # configure httpd.conf
40     # (default Debian path: /etc/apache/httpd.conf)
41     #
42    
43     #################
44     # Basics:
45    
46 jonen 1.2 # add/uncomment:
47 jonen 1.1
# mod_ssl for Apache 1.3 (from the libapache-mod-ssl package); adjust the path
# if your package installs the module elsewhere.
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
49    
50 jonen 1.2 # add:
51 jonen 1.1
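<IfDefine SSL>
# Plain HTTP on 80, SSL/TLS on 443.
Listen 80
Listen 443

# Inter-process lock and the shared SSL session cache. The cache holds live
# session keys, so its file must not be readable by other local users.
# NOTE(review): the log directory is an odd place for it; somewhere only root
# and the server can read (e.g. under /var/run) is preferable -- check the
# permissions of whichever directory you use.
SSLMutex file:/var/log/apache/ssl_mutex
SSLSessionCache dbm:/var/log/apache/ssl_gcache_data

# mod_ssl documents the 'builtin' seed (time, PID, scoreboard extract) as a
# weak source. Read real entropy from the kernel instead, at startup and
# again for every new connection.
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

SSLLog /var/log/apache/ssl.log
SSLLogLevel warn

<VirtualHost _default_:443>
SSLEngine on
# The private key must be readable by root only (mode 0400); the certificate
# itself may be world-readable.
SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
# Offer only HIGH and MEDIUM suites and refuse the rest explicitly with "!".
# In the commonly copied "ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL" list the
# "+" entries only reorder suites that ALL already contains, so export-grade
# and LOW suites stay enabled while the list reads as if NULL encryption were
# wanted; anonymous DH (aNULL) gives no server authentication at all.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW
# SSLv2 is broken (downgrade and integrity weaknesses); allow SSLv3/TLSv1
# only. Current practice would drop SSLv3 and MEDIUM as well -- keep only what
# your clients actually need.
SSLProtocol all -SSLv2
# No client certificates are requested.
SSLVerifyClient none
</VirtualHost>
</IfDefine>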
71    
72    
73     #################
74     # Optional:
75    
76 jonen 1.2 # example VirtualHost entry:
77 jonen 1.1
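<VirtualHost your.domain.com:443>
SSLEngine On
# Same hardened list as the _default_:443 host: HIGH and MEDIUM suites only,
# export-grade, LOW, NULL-encryption and anonymous-DH suites refused with "!"
# (a "+" entry only reorders suites ALL already contains; it does not remove
# them), and no SSLv2.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW
SSLProtocol all -SSLv2
# Relative paths are resolved against ServerRoot. The key must stay readable
# by root only. mod_ssl for Apache 1.3 has no SNI, so name-based SSL virtual
# hosts do not work: give this host its own IP address (or port) distinct
# from _default_:443, and make sure the certificate covers every name clients
# use for it (ServerName and ServerAlias below), or they get a name-mismatch
# warning.
SSLCertificateKeyFile conf/ssl.key/server.key
SSLCertificateFile conf/ssl.crt/server.crt
ServerName your.domain.com
ServerAlias domain.com
DocumentRoot /var/lib/www/domain.com
CustomLog /var/log/apache/access_log.your.domain.com combined
ErrorLog /var/log/apache/error_log.your.domain.com
# Work-arounds for old MSIE SSL bugs (unclean shutdown, broken keep-alive).
# They apply to every client whose User-Agent contains "MSIE".
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Export the SSL_* environment variables only to scripts that may need them
# (CGI, SSI, PHP), not for every static file -- it costs CPU per request.
<Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
SSLOptions +StdEnvVars
</Files>
</VirtualHost>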
95    
96    
97 jonen 1.2 # supply the SSL key passphrase from a program instead of an interactive prompt
98    
99     Every start of apache requires you to type the passphrase of the SSL key generated above.
100     This is a nuisance if you plan automatic restarts of apache.
101     You can have apache obtain the passphrase from a program instead, with the option:
102    
103     SSLPassPhraseDialog exec:/path/to/your_password_programm
104    
105     It is up to you to write that program, so be careful: the passphrase becomes readable by
       whoever can read or run the program, and the program runs with the privileges the server
       starts with (normally root, since it binds port 443).
106     It is often simpler to strip the passphrase from the key instead (for an RSA key:
       openssl rsa -in server.key -out server.key.nopass) and protect the unencrypted key file
       with root-only permissions (mode 0400) than to write a program that hands out the passphrase.
107     The simplest such program would be e.g.
108    
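#-----------your_password_programm ---------
#!/bin/sh
# Prints the key passphrase on stdout for "SSLPassPhraseDialog exec:".
# Single quotes keep shell metacharacters in the passphrase from being
# interpreted; a bare "echo <your passphrase>" would be parsed as redirections.
echo 'your passphrase'
#------------------ end snip ----------------------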
113    
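# The server executes this program itself at startup, i.e. with the privileges
# it starts with (normally root, since it binds port 443). It must therefore be
# owned by root and writable by nobody else: a program that www-data can modify
# and root executes turns any web-application compromise into root. www-data
# does not need to read it either -- the passphrase is collected before the
# server switches to its unprivileged User.
chown root:root /path/to/your_password_programm
chmod 0700 /path/to/your_password_programm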
116    
117    
118     But again: this is no more secure than storing the key unencrypted. Anyone who can read
       the program gets the key, and anyone who can modify it gets to run code as whoever starts
       the server (normally root) -- so protecting this file is exactly as important as
       protecting the key itself.
119    
120    
121    
122 jonen 1.1
123     ##################################################
124     # modify apache init script to start with ssl
125     # ('apachectl startssl' does not work on Debian testing for some reason, so pass -DSSL via the init script instead)
126     #
127    
128     - edit /etc/init.d/apache:
129    
130     replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
131    
132     with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL
133    
134     in the WHOLE script! (Everything after "--" is passed on to httpd. The define needs its
       leading dash, "-DSSL" -- this is what activates the <IfDefine SSL> section above; a bare
       "DSSL" is not an option httpd understands.)
135    
136    
137     ##################################################
138     # final start apache..
139     - run
140     /etc/init.d/apache start
141    
142     and you are in business... ;)
143    
144    
145     ##################################################
146     # Relative HTTP/HTTPS switching
147     #
148     Switch from HTTP to HTTPS and vice versa using only relative URLs.
149     Benefit: absolute URLs are avoided, which keeps the website flexible.
       Caveat: the toggle also lets a page link from HTTPS back to plain HTTP, so only use it
       for content that may be served unencrypted.
150    
#-------- sample httpd.conf snip -------------------------
RewriteEngine on
# Already on HTTPS: a ":scheme=toggle" suffix sends the client back to plain
# HTTP. NOTE(review): this is a deliberate downgrade to unencrypted HTTP --
# only use the toggle for content that may be served in the clear.
RewriteCond %{HTTPS} =on
RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
# On plain HTTP: toggle to HTTPS.
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
# Explicit ":scheme=http" / ":scheme=https" suffix. All three rules rebuild the
# URL from %{SERVER_NAME} on the default ports (80/443); non-default ports are
# not carried over. NOTE(review): with UseCanonicalName Off, SERVER_NAME is
# taken from the client's Host header, so the redirect target would follow
# whatever host the client sent -- keep UseCanonicalName On (the default) so
# it comes from ServerName.
RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
#------------- end snip -------------------------------------
159    
160     #-------- sample page.html snip -------------------------
161     <a href="page.html:scheme=toggle">
162     <a href="page.html:scheme=https">
163     <a href="page.html:scheme=http">
164     #------------- end snip -------------------------------------
165    
166    
167     ##################################################
168     # Resources (read for further configurations):
169     #
170    
171     Security Solutions with SSL http://www.modssl.org/docs/apachecon2001/
172    
173     Apache.org http://www.apache.org
174    
175     modssl.org http://www.modssl.org
176 jonen 1.2
177     Das SSL-Apache Handbuch http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html
178 jonen 1.1
