howto setup apache + mod_ssl
Sebastian Utz seut@netfrag.org
last changes
Revision 1.2 2003/01/22 18:37:22 jonen
+ added docu and references
Example on how to install and configure Apache with mod_ssl
- apt-get install apache apache-common
- apt-get install libapache-mod-ssl
- run: /usr/lib/apache/mkcert.sh
- edit httpd.conf (default Debian path: /etc/apache/httpd.conf) and add:
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

<IfDefine SSL>
    Listen 80
    Listen 443
    SSLMutex file:/var/log/apache/ssl_mutex
    SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
    SSLRandomSeed startup builtin
    SSLLog /var/log/apache/ssl.log
    SSLLogLevel warn
    <VirtualHost _default_:443>
        SSLEngine on
        SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
        SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
        SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
        SSLVerifyClient none
    </VirtualHost>
</IfDefine>
example VirtualHost entry:

<VirtualHost your.domain.com:443>
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateKeyFile conf/ssl.key/server.key
    SSLCertificateFile conf/ssl.crt/server.crt
    ServerName your.domain.com
    ServerAlias domain.com
    DocumentRoot /var/lib/www/domain.com
    CustomLog /var/log/apache/access_log.your.domain.com combined
    ErrorLog /var/log/apache/error_log.your.domain.com
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
        SSLOptions +StdEnvVars
    </Files>
</VirtualHost>
Every start of Apache requires entering the password for the SSL key generated above. This can be annoying if you plan automatic restarts of Apache. There is a way to give the password to Apache automatically with the option:

SSLPassPhraseDialog exec:/path/to/your_password_program

But it's up to you to write the password program, be careful!! Sometimes it is easier to simply protect a non-protected file than to write a program that gives out a password!! The easiest way would be e.g.

#-----------your_password_program ---------
#!/bin/sh
echo <your passphrase>
#------------------ end snip ----------------------

chmod 700 /path/to/your_password_program
chown www-data.www-data /path/to/your_password_program

But again, this would be very insecure!!!
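The "protect a non-protected file" route mentioned above, as an added example (this is my code, not the HOWTO's): the key is stored without a passphrase and readable by root only. Apache reads the key as root at startup, so www-data needs no access to it at all. The function names are my own, openssl is assumed to be installed for strip_passphrase, and the paths in the usage comment are the HOWTO's own key location plus a hypothetical server.nopass.key beside it.

```shell
#!/bin/sh
# Added example (not from the HOWTO): keep the server key in a root-only
# file instead of handing Apache a program that echoes the passphrase.

# strip_passphrase IN OUT: write an unencrypted copy of the PEM key IN to OUT.
# Prompts once for the passphrase. The subshell keeps umask 077 local, so the
# plaintext key is never created group- or world-readable, not even briefly.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -out "$2" ) || return 1
    chown root:root "$2"      # Apache reads the key as root at startup
    chmod 600 "$2"
}

# key_mode_ok FILE: succeed only if FILE exists and its mode is exactly 0600.
# Worth calling from the start script before Apache is handed the key.
key_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm 600 2>/dev/null)" ]
}

# Typical use (run as root), then point httpd.conf at the new file:
#   strip_passphrase /etc/apache/conf/ssl.key/server.key \
#                    /etc/apache/conf/ssl.key/server.nopass.key
#   key_mode_ok /etc/apache/conf/ssl.key/server.nopass.key || echo "fix perms"
#   SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.nopass.key
```

With the passphrase removed, SSLPassPhraseDialog can stay at its default and no password program exists on the box; the only thing to protect is the key file's mode and owner, which key_mode_ok checks.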
('apachectl startssl' won't work on debian/testing for some reason....)
- edit /etc/init.d/apache:
  replace  start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
  with     start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL
  in the WHOLE script!
- run /etc/init.d/apache start
and you are in business... ;)
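The init-script edit above, done with sed instead of by hand, as an added example (my code, not the HOWTO's): every "start-stop-daemon --start" line gets " -- -DSSL" appended, and a line that already carries -DSSL is left alone, so the edit can be re-run safely. The function names and the copy-to-a-new-file approach are my own choice; /etc/init.d/apache and the start-stop-daemon line are the HOWTO's.

```shell
#!/bin/sh
# Added example (not from the HOWTO): apply the -DSSL edit to an init script.

# add_ssl_define IN OUT: copy IN to OUT, appending " -- -DSSL" to each
# start-stop-daemon --start line that does not already contain -DSSL.
# Output goes to a separate file because "sed -i" differs between GNU and BSD sed.
add_ssl_define() {
    sed -e '/start-stop-daemon --start/{' \
        -e '/-DSSL/!s/$/ -- -DSSL/' \
        -e '}' "$1" > "$2"
}

# count_ssl_starts FILE: how many --start lines now pass -DSSL to apache.
# (grep -c prints 0 but exits 1 when nothing matches; "|| true" keeps set -e quiet)
count_ssl_starts() {
    grep -c 'start-stop-daemon --start.*-- -DSSL' "$1" || true
}

# Typical use (run as root); mv drops the mode, hence the chmod:
#   add_ssl_define /etc/init.d/apache /etc/init.d/apache.new \
#     && mv /etc/init.d/apache.new /etc/init.d/apache \
#     && chmod 755 /etc/init.d/apache
```

The -D flag is what makes the <IfDefine SSL> block in httpd.conf active, so a --start line that lacks it starts Apache without any of the SSL directives; count_ssl_starts is the quick way to confirm that no such line was missed.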
Switch from HTTP to HTTPS and vice versa by using only relative URLs
Benefit: absolute URLs are avoided and this way the website is more flexible
#-------- sample httpd.conf snip -------------------------
RewriteEngine on
RewriteCond %{HTTPS} =on
RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
#------------- end snip -------------------------------------
#-------- sample page.html snip -------------------------
<a href="page.html:scheme=toggle">
<a href="page.html:scheme=https">
<a href="page.html:scheme=http">
#------------- end snip -------------------------------------
references:
http://www.modssl.org/docs/apachecon2001/
http://www.apache.org
http://www.modssl.org
http://www.dfn-pca.de/certify/ssl/handbuch/sslapache1_3/ssla13.html

todo:
o explain installation from source
o check out more config variations
o check out more rewrite rules
o read more docu
o write more docu ;)