##################################################
# $Id: howto-setup-apache_mod-ssl.pod,v 1.2 2003/01/27 09:21:51 jonen Exp $
#
##################################################
#
# $Log: howto-setup-apache_mod-ssl.pod,v $
# Revision 1.2  2003/01/27 09:21:51  jonen
# + updated
#
# Revision 1.1  2003/01/25 08:43:21  jonen
# + moved/convert to perlpod format
#
# Revision 1.2  2003/01/22 18:37:22  jonen
# + added docu and references
#
# Revision 1.1  2003/01/22 17:47:49  jonen
# + first init
#
#
##################################################

=pod

=head2 howto setup apache + mod_ssl

Sebastian Utz

Revision 1.2  2003/01/22 18:37:22  jonen
+ added docu and references

=head3 Description

Example of how to install and configure Apache 1.3 with mod_ssl on Debian.

=head4 install (debian)

=over

=item Apache

  apt-get install apache apache-common

=item mod_ssl

  apt-get install libapache-mod-ssl

=back

=head4 make certificate

Run the certificate script that ships with the Debian package:

  /usr/lib/apache/mkcert.sh

It produces a self-signed test certificate and the matching private key. The
key is protected by a passphrase, which Apache asks for on every start (see
below).

=head4 configure httpd.conf (default Debian path: /etc/apache/httpd.conf)

=head5 basic:

  LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

  Listen 80
  Listen 443

  SSLMutex file:/var/log/apache/ssl_mutex
  SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
  SSLRandomSeed startup builtin
  SSLLog /var/log/apache/ssl.log
  SSLLogLevel warn

  SSLEngine on
  SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
  SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
  SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
  SSLVerifyClient none

A word on SSLCipherSuite: C<+LOW> and C<+EXP> admit 40/56-bit export
ciphers, and C<+eNULL> admits cipher suites with no encryption at all (the
VirtualHost variant below additionally admits SSLv2, which is broken). On a
server reachable from an untrusted network, exclude those groups with C<!>
the way the line already excludes C<ADH>, and allow HIGH and MEDIUM only.
Also make sure the private key is readable by root only: Apache reads it
during start-up while still running as root, and the worker processes
(www-data) never need the file.

=head5 optional:

Example VirtualHost entry for the SSL port; the directives below belong
inside the VirtualHost container:

  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
  SSLCertificateKeyFile conf/ssl.key/server.key
  SSLCertificateFile conf/ssl.crt/server.crt
  ServerName your.domain.com
  ServerAlias domain.com
  DocumentRoot /var/lib/www/domain.com
  CustomLog /var/log/apache/access_log.your.domain.com combined
  ErrorLog /var/log/apache/error_log.your.domain.com
  SetEnvIf User-Agent ".*MSIE.*" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
  SSLOptions +StdEnvVars

The SetEnvIf line is mod_ssl's standard workaround for the SSL bugs of old
Internet Explorer versions (no keep-alive, unclean connection shutdown,
HTTP/1.0 responses only).

=head4 gets SSLPassPhrase by file instead of prompt

Every start of Apache requires entering the passphrase of the SSL key
generated above. That is a nuisance if you plan automatic restarts. The
option

  SSLPassPhraseDialog exec:/path/to/your_password_programm

makes Apache run a program of your choice and read the passphrase from its
standard output instead of prompting. Writing that program is up to you, so
be careful: it is started by the Apache parent process, which at that point
still runs as root. Often it is simpler to strip the passphrase from the key
(the openssl rsa command can rewrite a key without one) and protect the
unencrypted key by file permissions, root owned and mode 0400, than to write
a program that hands out the passphrase. The simplest possible program would
be

  #-----------your_password_programm ---------
  #!/bin/sh
  echo MyPassPhrase      # placeholder: the passphrase in clear text
  #------------------ end snip ----------------------

  chmod 700 /path/to/your_password_programm
  chown root.root /path/to/your_password_programm

But again, this is very insecure: the passphrase now sits in clear text on
disk, which defeats the purpose of encrypting the key in the first place.
Whatever you do, never make the program owned or writable by www-data: a
compromised worker process could then replace a script that root executes on
the next restart.

=head4 modify apache init script to start with ssl

(C<apachectl startssl> does not work on Debian testing for some reason.)
C<apachectl startssl> is only a shorthand for starting httpd with C<-DSSL>;
that flag defines the symbol SSL, so the IfDefine SSL sections of httpd.conf
are read. Pass the flag through the init script instead. Edit
/etc/init.d/apache and replace

  start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON

with

  start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL

in the WHOLE script (every occurrence, not just the one under start). The
C<--> ends start-stop-daemon's own options; everything after it is handed to
httpd.

=head4 finally start apache..

  /etc/init.d/apache start

and you are in business... ;)
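As an added example, not code from the original howto, the following script
puts the two safer options from this section into practice: it strips the
passphrase from the key and checks that key and certificate belong together
(option A), and it implements a SSLPassPhraseDialog exec: program that refuses
to hand out anything while its passphrase file is readable by group or other
(option B). The passphrase-file path /etc/apache/ssl.passphrases, its
one-listener-per-line layout and the install path
/usr/local/sbin/apache-passphrase are assumptions of this example; the
interface it implements (two arguments, servername:port and RSA or DSA, the
passphrase on stdout) is mod_ssl's own.

```shell
#!/bin/sh
# Added example, not part of the original howto. Two ways to get Apache past
# the key passphrase at start-up without a prompt, as alternatives to the
# clear-text `echo` program above:
#   A) strip the passphrase from the key once and rely on file permissions
#      (the "protect an unprotected file" approach);
#   B) keep the key encrypted and serve the passphrase from a root-only file
#      via  SSLPassPhraseDialog exec:/usr/local/sbin/apache-passphrase
# mod_ssl runs the exec: program with two arguments, "servername:port" and
# the key type (RSA or DSA), and reads the passphrase from its stdout.
# Assumptions of this example: the passphrase file location below and its
# line layout "servername:port passphrase" (the passphrase may contain spaces).

PASSFILE="${PASSFILE:-/etc/apache/ssl.passphrases}"

# --- A) strip the passphrase ------------------------------------------------
# strip_key_passphrase ENCRYPTED_KEY PASSPHRASE OUT_KEY
# The unencrypted copy is created under umask 077, so it is never readable by
# others even briefly, then locked down to mode 0400 (run this as root).
strip_key_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$2" -out "$3" >/dev/null 2>&1 ) || return 1
    chmod 400 "$3"
}

# key_matches_cert KEY CERT
# Succeeds only if the RSA modulus in the key equals the one in the
# certificate; a mismatched pair makes Apache refuse to start.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# --- B) passphrase program --------------------------------------------------
# passfile_is_private FILE
# True only if no group/other permission bits are set. The first field of
# `ls -ld` is the mode string (e.g. -rw-------), which is portable across
# GNU and BSD userlands, unlike the options of stat(1).
passfile_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# lookup_passphrase SERVERNAME:PORT FILE
# Prints the passphrase listed for that listener (everything after the first
# field); fails if the listener is not in the file.
lookup_passphrase() {
    awk -v key="$1" '
        $1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; found = 1; exit }
        END       { if (!found) exit 1 }' "$2"
}

# passphrase_dialog SERVERNAME:PORT KEYTYPE
# What mod_ssl calls. Refuses to hand out anything if the passphrase file is
# readable by group or other; KEYTYPE is accepted for the interface only.
passphrase_dialog() {
    passfile_is_private "$PASSFILE" || {
        echo "$0: refusing, $PASSFILE is readable by group/other" >&2
        return 1
    }
    lookup_passphrase "$1" "$PASSFILE"
}

# Act only when invoked the way mod_ssl does (two arguments); sourcing the
# file just defines the functions.
if [ $# -eq 2 ]; then
    passphrase_dialog "$1" "$2"
fi
```

Install the script root-owned with mode 0700 and the passphrase file
root-owned with mode 0600, then point SSLPassPhraseDialog at the script. The
permission check exists because a passphrase file that www-data can read is
no better than the clear-text echo above; a script or file that www-data can
write is worse, since root executes it on the next restart.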
=head4 Relative HTTP/HTTPS switching

Switch from HTTP to HTTPS and vice versa by using only relative URLs.

Benefit: absolute URLs are avoided, so the pages work unchanged under any
host name and the website stays flexible.

A link to C</page.html:scheme=toggle> redirects to the same path on the other
scheme; C</page.html:scheme=https> and C</page.html:scheme=http> force a
particular one. mod_rewrite has to be loaded for this to work. Because the
redirect target is built from C<%{SERVER_NAME}> (the configured ServerName,
with the default UseCanonicalName On) rather than from the client-supplied
Host header, the rules cannot be abused as an open redirect.

  #-------- sample httpd.conf snip -------------------------
  RewriteEngine on

  # already on https: toggle means go to http
  RewriteCond %{HTTPS} =on
  RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]

  # on plain http: toggle means go to https
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]

  # explicit scheme request
  RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
  #------------- end snip -------------------------------------

  #-------- sample page.html snip -------------------------
  #------------- end snip -------------------------------------

=head3 Resources (read for further configurations):

=over

=item Security Solutions with SSL

http://www.modssl.org/docs/apachecon2001/

=item Apache.org

http://www.apache.org

=item modssl.org

http://www.modssl.org

=item Das SSL-Apache Handbuch (the SSL-Apache handbook, in German)

http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html

=back

=head3 ToDo

  o explain installation from source
  o check out more config variations
  o check out more rewrite rules
  o read more docu
  o write more docu ;)

=cut