/[cvs]/nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.txt

Contents of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.txt



Revision 1.2 - (show annotations)
Wed Jan 22 18:37:22 2003 UTC (21 years, 8 months ago) by jonen
Branch: MAIN
Changes since 1.1: +35 -5 lines
File MIME type: text/plain
+ added docu and references

1 ##################################################
2 # $Id: howto-setup-apache_mod-ssl.txt,v 1.1 2003/01/22 17:47:49 jonen Exp $
3 #
4 ##################################################
5 #
6 # howto configure apache + mod_ssl
7 #
8 # by jonen@netfrag.org
9 ##################################################
10 #
11 # $Log: howto-setup-apache_mod-ssl.txt,v $
12 # Revision 1.1 2003/01/22 17:47:49 jonen
13 # + first init
14 #
15 #
16 ##################################################
17
18
19 ##################################################
20 # install (debian):
21
22 # Apache:
23 - apt-get install apache apache-common
24
25 # mod_ssl
26 - apt-get install libapache-mod-ssl
27
28
29 ##################################################
30 # make certificate
31 #
32 - run:
33
34 /usr/lib/apache/mkcert.sh
35
36
37
38 ##################################################
39 # configure httpd.conf
40 # (default Debian path: /etc/apache/httpd.conf)
41 #
42
43 #################
44 # Basics:
45
46 # add/uncomment:
47
48 LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
49
50 # add:
51
52 <IfDefine SSL>
53 Listen 80
54 Listen 443
55
56 SSLMutex file:/var/log/apache/ssl_mutex
57 SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
58 SSLRandomSeed startup builtin
59
60 SSLLog /var/log/apache/ssl.log
61 SSLLogLevel warn
62
63 <VirtualHost _default_:443>
64 SSLEngine on
65 SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
66 SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
67 SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
# note: +LOW, +EXP and +eNULL admit export-grade and unencrypted (NULL) cipher suites; tighten this list on an Internet-facing server
68 SSLVerifyClient none
69 </VirtualHost>
70 </IfDefine>
71
72
73 #################
74 # Optional:
75
76 # example VirtualHost entry:
77
78 <VirtualHost your.domain.com:443>
79 SSLEngine On
80 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# (line restored from a truncated original; +LOW, +SSLv2, +EXP and +eNULL admit weak, SSLv2 and unencrypted cipher suites, so restrict this list on a production server)
81 SSLCertificateKeyFile conf/ssl.key/server.key
82 SSLCertificateFile conf/ssl.crt/server.crt
83 ServerName your.domain.com
84 ServerAlias domain.com
85 DocumentRoot /var/lib/www/domain.com
86 CustomLog /var/log/apache/access_log.your.domain.com combined
87 ErrorLog /var/log/apache/error_log.your.domain.com
88 SetEnvIf User-Agent ".*MSIE.*" \
89 nokeepalive ssl-unclean-shutdown \
90 downgrade-1.0 force-response-1.0
91 <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
92 SSLOptions +StdEnvVars
93 </Files>
94 </VirtualHost>
95
96
97 # read the SSL passphrase from a program instead of prompting for it
98
99 Every start of Apache requires entering the passphrase of the SSL key generated above.
100 This is annoying if you plan automatic restarts of Apache.
101 The passphrase can be handed to Apache automatically with the option:
102
103 SSLPassPhraseDialog exec:/path/to/your_password_programm
104
105 But it is up to you to write the password program, so be careful!!
106 Sometimes it is easier to simply protect an unencrypted key file (root-only permissions) than to write a program that hands out the passphrase!!
107 The easiest way would be e.g.
108
109 #-----------your_password_programm ---------
110 #!/bin/sh
111 echo <your passphrase>
112 #------------------ end snip ----------------------
113
114 chmod 700 /path/to/your_password_programm
115 chown www-data.www-data /path/to/your_password_programm
116
117
118 But again, this is very insecure: whoever can read the script can read the passphrase, so the key is no better protected than an unencrypted key file with the same permissions!!!
119
120
121
122
123 ##################################################
124 # modify apache init script to start with ssl
125 # ('apachectl startssl' won't work on debian/testing for some reason....)
126 #
127
128 - edit /etc/init.d/apache:
129
130 replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
131
132 with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL
133
134 in the WHOLE script!
135
136
137 ##################################################
138 # final start apache..
139 - run
140 /etc/init.d/apache start
141
142 and you are in business... ;)
143
144
145 ##################################################
146 # Relative HTTP/HTTPS switching
147 #
148 Switch from HTTP to HTTPS and vice versa using only relative URLs.
149 Benefit: absolute URLs are avoided, so the website stays more flexible.
150
151 #-------- sample httpd.conf snip -------------------------
152 RewriteEngine on
153 RewriteCond %{HTTPS} =on
154 RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
155 RewriteCond %{HTTPS} !=on
156 RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
157 RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
158 #------------- end snip -------------------------------------
159
160 #-------- sample page.html snip -------------------------
161 <a href="page.html:scheme=toggle">
162 <a href="page.html:scheme=https">
163 <a href="page.html:scheme=http">
164 #------------- end snip -------------------------------------
165
166
167 ##################################################
168 # Resources (read for further configurations):
169 #
170
171 Security Solutions with SSL http://www.modssl.org/docs/apachecon2001/
172
173 Apache.org http://www.apache.org
174
175 modssl.org http://www.modssl.org
176
177 Das SSL-Apache Handbuch http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html
178
