Configuring SSL for Apache 1.3

From Section6wiki

author: TBONIUS

SSL provides strong cryptography for the Apache webserver. This allows us to run services within our Apache webserver that require authentication without passing cleartext usernames and passwords over the network. This article covers a basic setup and configuration of OpenSSL. Though this article uses Debian Sarge GNU/Linux with Apache 1.3, the concepts will work with most GNU/Linux distributions, depending on the packages available for your distribution. The distribution(s) of choice here at Section6 happen to be

Installing Apache 1.3

This is a pretty straightforward process in Debian. If you are used to the package management system that Debian uses, then simply run:

root@host# apt-get install apache

This will install the Apache webserver and its common dependencies.

After installation we should have a working webserver with its HTML documents in /var/www and its configuration files in /etc/apache.

We can now move on to installing the SSL components.

Installing SSL

For SSL we will need a couple of packages and their dependencies. libapache-mod-ssl is an Apache webserver module that uses SSL-generated keys and certificates. The certificates and keys it uses are generated by another package, simply called openssl. We need to install these packages and their dependencies by running the following command:

root@host# apt-get install openssl libapache-mod-ssl

Afterwards we will start setting up our SSL key for the webserver to use.

SSL keys and certificates

A publicly accessible website that uses SSL services usually uses a public Certificate Authority. This Certificate Authority will verify whether or not the key being handed out to a client is in fact valid. Most web browsers come with a list of well-known Certificate Authorities that can perform verification for well-known sites such as Ebay or Yahoo. Using these public Certificate Authorities to verify keys costs money. So instead of using their services, for our example we will perform our own "Signing Request" for our certificates. If this sounds a little confusing, don't worry: the following commands will get you through this just fine.

Creating the Key

We first need to generate a Private Key for our SSL service to use for encryption. We need to create a directory where we want to keep this key:

root@host# mkdir /ssl-keys
root@host# cd /ssl-keys

We have now created the directory and changed to that directory so that we can generate the Private Key:

root@host# openssl genrsa -out www.website.com.key 1024

We need to make sure at this point that we replace www.website.com with the actual name of the site we are attempting to make SSL-enabled. Also, start by not using a passphrase. When we run the command it will prompt us for a passphrase, and we do not want Apache hanging on startup while it waits for us to enter a passphrase. Later on we can generate keys with passphrases and configure Apache to use them, but for now leave the passphrase blank.

Afterwards we should have a file in our /ssl-keys directory called www.website.com.key (or whatever you decided to call the key file name).

Creating the Certificate Signing Request

We now have to create the certificate signing request. As discussed earlier, we would usually use a public Certificate Authority who would generate a certificate signing request from the key we made. At this point we are just making a "test" SSL-enabled webserver, so there is no point in shelling out money for a properly signed certificate. Regardless, we still have to create the signing request from our key:

root@host# openssl req -new -key www.website.com.key -out www.website.com.csr

We will be asked a number of questions about the certificate. This process is quite painless, but it is important that we give valid information if we intend to use this certificate to run a real server. The one bit of information that is really important is the CN, or common name. This MUST match your domain name exactly or the browser will complain every time about the certificate it receives.

Once we have answered all the questions, we should have a certificate signing request called www.website.com.csr. It's worth pointing out that in a live scenario with a certificate signing request generated by a public Certificate Authority, we would want to make a back-up copy of our key file and certificate signing request. If we lose them then we would have to get a new request generated from a key, which costs money.

Self-signing the Certificate

We now have to take the signing request and self-sign it in order to generate a certificate that will be used by the clients:

root@host# openssl x509 -in www.website.com.csr -out www.website.com.crt -req -signkey www.website.com.key -days 365

This command should be run all on one line. After it is run, it should generate a file called www.website.com.crt. This will be our self-signed certificate.
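The key, signing request and self-signing steps above can also be run as one non-interactive script, together with the checks worth making before the files are referenced from the Apache configuration: that the key and certificate belong together, that the CN is the site name, and that the key is readable only by its owner. This is an added example, not part of the original article; the function names, the www.example.test site name and the 2048-bit key size (1024-bit RSA keys are no longer considered adequate) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Function names, the sample
# site name and the 2048-bit key size are assumptions.
# Usage: make_selfsigned www.example.test /ssl-keys

make_selfsigned() (
    # $1 = site name (becomes the CN), $2 = directory for key, csr and crt
    # Runs in a subshell so the umask does not leak into the caller.
    umask 077                     # new files and directory: owner only
    mkdir -p "$2" &&
    openssl genrsa -out "$2/$1.key" 2048 2>/dev/null &&
    # -subj answers the certificate questions up front; CN = site name
    openssl req -new -key "$2/$1.key" -subj "/CN=$1" -out "$2/$1.csr" &&
    openssl x509 -req -in "$2/$1.csr" -signkey "$2/$1.key" \
        -days 365 -out "$2/$1.crt" 2>/dev/null
)

key_matches_cert() {
    # $1 = key file, $2 = certificate file
    # True only when both files carry the same RSA modulus.
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_cn() {
    # $1 = certificate file; prints the CN from the subject
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

key_is_private() {
    # $1 = key file; true when group and other have no permissions at all
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Running key_matches_cert against the two paths given to SSLCertificateKeyFile and SSLCertificateFile catches a mismatched pair before Apache is restarted.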

Configuring Apache to use mod-ssl

Now we need to make sure our webserver is using the apache mod-ssl library. We need to edit the /etc/apache/modules.conf file and put in the following entry:

LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

Of course we would want to make sure this module actually exists in this path. If you followed the instructions above, and are using Apache 1.3, then you should be fine.

Next we want to make sure our module doesn't cause any Apache errors. We need to restart Apache and see if it spits out any errors.

root@host# /etc/init.d/apache stop
Stopping web server: apache.
root@host# /etc/init.d/apache start
Starting web server: apache.

This looks good. It's time to configure our website to use SSL and our generated SSL key and certificates.

Configuring individual websites

There are a couple of different approaches to configuring our site to use SSL: main server configuration and virtual host configuration.

Main Server Configuration

One method involves configuring the web server as a whole to use SSL. This means that we are only planning on running one website and we want it to use SSL. If that is the case, then we can simply add the following directives to the /etc/apache/httpd.conf file anywhere under the Main section:

SSLEngine  on
SSLCertificateFile /ssl-keys/www.website.com.crt
SSLCertificateKeyFile /ssl-keys/www.website.com.key

This will turn on the SSL directives for Apache to use. We also want to make sure that the website is listening on the correct port for SSL. HTTPS uses port 443, so we would add the Listen directive in the /etc/apache/httpd.conf file:

Listen 80
Listen 443

Once Apache is restarted, it will run with SSL as well as the usual port 80. If you wish for it to only run secured, then simply comment out Listen 80 and restart Apache.

Virtual Host Configuration

Let us assume that we wish to run a default web site that listens on port 80, but we would like to also run a Virtual Site that runs on SSL. We need to configure a Virtual Host directive that points to our web content and uses SSL. The following example defines a Virtual Host at the bottom of the /etc/apache/httpd.conf file:

<VirtualHost ssl.website.com:443>
       ServerAdmin webmaster@ssl.website.com
       DocumentRoot /path/to/html
       ServerName ssl.website.com
       ErrorLog /var/log/apache/error.log
       CustomLog /var/log/apache/ssl.log combined
       SSLEngine  on
       SSLCertificateFile /ssl-keys/www.website.com.crt
       SSLCertificateKeyFile /ssl-keys/www.website.com.key
       SSLLog /var/log/apache/website_ssl.log
       SSLLogLevel warn
</VirtualHost>

Of course you would want to change the Virtual Host name to reflect the name of the actual website you wish to run with SSL. Also, make sure you are pointing to the correct path for the SSL key and certificate.

From here you should be up and running with Apache 1.3 and SSL.
