/[cvs]/nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.txt

Contents of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.txt



Revision 1.3 - (show annotations)
Sat Jan 25 08:32:51 2003 UTC (21 years, 7 months ago) by jonen
Branch: MAIN
CVS Tags: HEAD
Changes since 1.2: +4 -1 lines
File MIME type: text/plain
FILE REMOVED
+ moved to perlpod format

1 ##################################################
2 # $Id: howto-setup-apache_mod-ssl.txt,v 1.2 2003/01/22 18:37:22 jonen Exp $
3 #
4 ##################################################
5 #
6 # howto configure apache + mod_ssl
7 #
8 # by jonen@netfrag.org
9 ##################################################
10 #
11 # $Log: howto-setup-apache_mod-ssl.txt,v $
12 # Revision 1.2 2003/01/22 18:37:22 jonen
13 # + added docu and references
14 #
15 # Revision 1.1 2003/01/22 17:47:49 jonen
16 # + first init
17 #
18 #
19 ##################################################
20
21
22 ##################################################
23 # install (debian):
24
25 # Apache:
26 - apt-get install apache apache-common
27
28 # mod_ssl
29 - apt-get install libapache-mod-ssl
30
31
32 ##################################################
33 # make certificate
34 #
35 - run:
36
37 /usr/lib/apache/mkcert.sh
38
39
40
41 ##################################################
42 # configure httpd.conf
43 # (default Debian path: /etc/apache/httpd.conf)
44 #
45
46 #################
47 # Basics:
48
49 # add/uncomment:
50
51 LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
52
53 # add:
54
55 <IfDefine SSL>
56 Listen 80
57 Listen 443
58
59 SSLMutex file:/var/log/apache/ssl_mutex
60 SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
61 SSLRandomSeed startup builtin
62
63 SSLLog /var/log/apache/ssl.log
64 SSLLogLevel warn
65
66 <VirtualHost _default_:443>
67 SSLEngine on
68 SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
69 SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
# note: "+LOW:+EXP:+eNULL" also admits weak export-grade ciphers and eNULL (no encryption at all); remove them unless you really need them
70 SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
71 SSLVerifyClient none
72 </VirtualHost>
73 </IfDefine>
74
75
76 #################
77 # Optional:
78
79 # example VirtualHost entry:
80
81 <VirtualHost your.domain.com:443>
82 SSLEngine On
83 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
84 SSLCertificateKeyFile conf/ssl.key/server.key
85 SSLCertificateFile conf/ssl.crt/server.crt
86 ServerName your.domain.com
87 ServerAlias domain.com
88 DocumentRoot /var/lib/www/domain.com
89 CustomLog /var/log/apache/access_log.your.domain.com combined
90 ErrorLog /var/log/apache/error_log.your.domain.com
91 SetEnvIf User-Agent ".*MSIE.*" \
92 nokeepalive ssl-unclean-shutdown \
93 downgrade-1.0 force-response-1.0
94 <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
95 SSLOptions +StdEnvVars
96 </Files>
97 </VirtualHost>
98
99
100 # get the SSL passphrase from a file instead of being prompted for it
101
102 Every start of apache requires you to enter the password for the SSL key generated above.
103 This can be annoying if you plan some automatic restart of apache.
104 There is a way to give the password to apache automatically with the option:
105
106 SSLPassPhraseDialog exec:/path/to/your_password_programm
107
108 But it's up to you to write the password program, so be careful!!
109 Sometimes it is easier to simply protect an otherwise unprotected file than to write a program that hands out a password!!
110 The easiest way would be e.g.
111
112 #-----------your_password_programm ---------
113 #!/bin/sh
114 echo <your passphrase>
115 #------------------ end snip ----------------------
116
117 chmod 700 /path/to/your_password_programm
118 chown www-data.www-data /path/to/your_password_programm
119
120
121 But again, this would be very insecure!!! The passphrase is then only as well protected as the file that holds it, and every process running as its owner (here the www-data web server user) can read it.
122
123
124
125
126 ##################################################
127 # modify apache init script to start with ssl
128 # ('apachectl startssl' won't work on debian/testing for some reason....)
129 #
130
131 - edit /etc/init.d/apache:
132
133 replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
134
135 with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL
136
137 in the WHOLE script!
138
139
140 ##################################################
141 # final start apache..
142 - run
143 /etc/init.d/apache start
144
145 and you are in business... ;)
146
147
148 ##################################################
149 # Relative HTTP/HTTPS switching
150 #
151 Switch from HTTP to HTTPS and vice versa by using only relative URLs.
152 Benefit: absolute URLs are avoided, which makes the website more flexible
153
154 #-------- sample httpd.conf snip -------------------------
155 RewriteEngine on
156 RewriteCond %{HTTPS} =on
157 RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
158 RewriteCond %{HTTPS} !=on
159 RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
160 RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
161 #------------- end snip -------------------------------------
162
163 #-------- sample page.html snip -------------------------
164 <a href="page.html:scheme=toggle">
165 <a href="page.html:scheme=https">
166 <a href="page.html:scheme=http">
167 #------------- end snip -------------------------------------
168
169
170 ##################################################
171 # Resources (read for further configurations):
172 #
173
174 Security Solutions with SSL http://www.modssl.org/docs/apachecon2001/
175
176 Apache.org http://www.apache.org
177
178 modssl.org http://www.modssl.org
179
180 Das SSL-Apache Handbuch http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html
181
