
Annotation of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.txt



Revision 1.3 - (hide annotations)
Sat Jan 25 08:32:51 2003 UTC (21 years, 7 months ago) by jonen
Branch: MAIN
CVS Tags: HEAD
Changes since 1.2: +4 -1 lines
File MIME type: text/plain
FILE REMOVED
+ moved to perlpod format

1 jonen 1.1 ##################################################
2 jonen 1.3 # $Id: howto-setup-apache_mod-ssl.txt,v 1.2 2003/01/22 18:37:22 jonen Exp $
3 jonen 1.1 #
4     ##################################################
5     #
6     # howto configure apache + mod_ssl
7     #
8     # by jonen@netfrag.org
9     ##################################################
10     #
11 jonen 1.2 # $Log: howto-setup-apache_mod-ssl.txt,v $
12 jonen 1.3 # Revision 1.2 2003/01/22 18:37:22 jonen
13     # + added docu and references
14     #
15 jonen 1.2 # Revision 1.1 2003/01/22 17:47:49 jonen
16     # + first init
17     #
18 jonen 1.1 #
19     ##################################################
20    
21    
22     ##################################################
23     # install (debian):
24    
25     # Apache:
26     - apt-get install apache apache-common
27    
28     # mod_ssl
29     - apt-get install libapache-mod-ssl
30    
31    
32     ##################################################
33     # make certificate
34     #
35     - run:
36    
37     /usr/lib/apache/mkcert.sh
38    
39    
40    
41     ##################################################
42     # configure httpd.conf
43     # (default Debian path: /etc/apache/httpd.conf)
44     #
45    
46     #################
47     # Basics:
48    
49 jonen 1.2 # add/uncomment:
50 jonen 1.1
51     LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
52    
53 jonen 1.2 # add:
# NOTE: the SSLCipherSuite string below still allows eNULL (no encryption),
# EXP (export-grade) and LOW ciphers. Outside a pure test setup remove them,
# e.g.   SSLCipherSuite ALL:!ADH:!eNULL:!EXP:!LOW
# and keep server.key readable by root only.
54 jonen 1.1
55     <IfDefine SSL>
56     Listen 80
57     Listen 443
58    
59     SSLMutex file:/var/log/apache/ssl_mutex
60     SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
61     SSLRandomSeed startup builtin
62    
63     SSLLog /var/log/apache/ssl.log
64     SSLLogLevel warn
65    
66     <VirtualHost _default_:443>
67     SSLEngine on
68     SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
69     SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
70     SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
71     SSLVerifyClient none
72     </VirtualHost>
73     </IfDefine>
74    
75    
76     #################
77     # Optional:
78    
79 jonen 1.2 # example VirtualHost entry
# (NOTE: the SSLCipherSuite line below was cut off when this file was saved -
# it ends in "+eN$" and presumably continued "+eNULL"; it also re-enables
# SSLv2, RC4, LOW and EXP ciphers. Complete it, or better use a restrictive
# string such as ALL:!ADH:!eNULL:!EXP:!LOW:!SSLv2):
80 jonen 1.1
81     <VirtualHost your.domain.com:443>
82     SSLEngine On
83     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
84     SSLCertificateKeyFile conf/ssl.key/server.key
85     SSLCertificateFile conf/ssl.crt/server.crt
86     ServerName your.domain.com
87     ServerAlias domain.com
88     DocumentRoot /var/lib/www/domain.com
89     CustomLog /var/log/apache/access_log.your.domain.com combined
90     ErrorLog /var/log/apache/error_log.your.domain.com
91     SetEnvIf User-Agent ".*MSIE.*" \
92     nokeepalive ssl-unclean-shutdown \
93     downgrade-1.0 force-response-1.0
94     <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
95     SSLOptions +StdEnvVars
96     </Files>
97     </VirtualHost>
98    
99    
100 jonen 1.2 # supplying the SSL pass phrase from a program instead of a prompt
101    
102     Every start of Apache requires entering the pass phrase of the SSL key generated above.
103     This is a problem if you plan to restart Apache automatically (e.g. from cron or after a reboot).
104     mod_ssl can obtain the pass phrase from a program instead of asking for it, with the option:
105    
106     SSLPassPhraseDialog exec:/path/to/your_password_programm
107    
108     It is up to you to write that program, so be careful: whatever it prints to stdout is used as the pass phrase.
109     Often it is simpler to store the key unencrypted and rely on file permissions than to write a program that hands out the pass phrase; both leave the key effectively unprotected on disk, so the file permissions are what actually matters.
110     The simplest possible program would be e.g.
111    
112     #-----------your_password_programm ---------
113     #!/bin/sh
114     echo <your passphrase>
115     #------------------ end snip ----------------------
116    
117     chmod 700 /path/to/your_password_programm
118     chown www-data.www-data /path/to/your_password_programm
119    
120    
121     But again, this is very insecure: the pass phrase now sits in clear text on disk, protected only by the file mode, which is no better than an unencrypted key. If you do it anyway, keep the program owned by root with mode 0500 rather than www-data - it is run by the user who starts Apache (normally root), and the web server's own user has no need to read it.
122    
123    
124    
125 jonen 1.1
126     ##################################################
127     # modify apache init script to start with ssl
128     # ('apachectl startssl' did not work on Debian testing when this was written; the reason was not determined)
129     #
130    
131     - edit /etc/init.d/apache:
132    
133     replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
134    
135     with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL
136    
137     in the WHOLE script! (-DSSL defines the name SSL for httpd, which is what the <IfDefine SSL> section in httpd.conf tests for; without the leading dash httpd does not recognise the argument.)
138    
139    
140     ##################################################
141     # final start apache..
142     - run
143     /etc/init.d/apache start
144    
145     and you are in business... ;)
146    
147    
148     ##################################################
149     # Relative HTTP/HTTPS switching
150     #
151     Switch from HTTP to HTTPS and vice versa using only relative URLs.
152     Benefit: absolute URLs are avoided, so the pages never embed a host name and the site stays flexible. Caveat: a link that switches a visitor back to HTTP ends the protection - anything exchanged afterwards, including cookies not marked Secure, travels in clear text, so only offer the http/toggle variants on pages that never carry a session.
153    
154     #-------- sample httpd.conf snip -------------------------
155     RewriteEngine on
156     RewriteCond %{HTTPS} =on
157     RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
158     RewriteCond %{HTTPS} !=on
159     RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
160     RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
161     #------------- end snip -------------------------------------
162    
163     #-------- sample page.html snip -------------------------
164     <a href="page.html:scheme=toggle">
165     <a href="page.html:scheme=https">
166     <a href="page.html:scheme=http">
167     #------------- end snip -------------------------------------
168    
169    
170     ##################################################
171     # Resources (read for further configurations):
172     #
173    
174     Security Solutions with SSL http://www.modssl.org/docs/apachecon2001/
175    
176     Apache.org http://www.apache.org
177    
178     modssl.org http://www.modssl.org
179 jonen 1.2
180     Das SSL-Apache Handbuch http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html
181 jonen 1.1
