Using Apache and OpenSSL you can create your own secure web server to keep authentication and other information private from prying eyes. Having a secure web server is a vital necessity if you are doing on-line administration, banking and/or e-commerce. You may also simply have personal information you need to access over the web and wish to keep secure. A secure web server is perfect for these uses.

Using Apache, mod_ssl and OpenSSL we can create a secure server quickly and easily. In the U.S. we also no longer have to worry about the RSA patent. Prior to Sept. 6, 2000 the RSA algorithm was fully patented by RSA. The patent officially expires on September 20, 2000, but RSA released it a little earlier. Because of this we no longer need to use the RSAREF package, which is still under license from RSA.
The first task in setting up our secure server will be to retrieve the software required to do it. We will need three vital packages: Apache, OpenSSL and mod_ssl.
You must have the following packages installed:
RPMs and Debian packages most certainly also exist; see your favorite mirror site for pre-built packages. Instead of mod_ssl you also have the option of using Apache-SSL. This document focuses on mod_ssl. mod_ssl was originally derived from Apache-SSL, but the code has been completely rewritten since then, and mod_ssl is known to run faster and be easier to configure than Apache-SSL.
Compile and Install OpenSSL First
Assuming you have Perl and a working compiler installed, decompress the three packages. Compile OpenSSL first (this takes a while):
$ ./config
$ make
$ make test
$ make install
Once this is all done, compile mod_ssl:
Note: 'ALL' means you MUST have the option and 'OPTIONAL' is optional.
$ cd mod_ssl-2.6.x-1.3.x ALL
$ ./configure \ ALL
--with-apache=../apache_1.3.x \ ALL
--with-ssl=../openssl-0.9.x \ ALL
--with-mm=../mm-1.1.x \ OPTIONAL
--with-crt=/path/to/your/server.crt \ OPTIONAL
--with-key=/path/to/your/server.key \ OPTIONAL
--prefix=/path/to/apache \ ALL
[--enable-shared=ssl] \ OPTIONAL
[--disable-rule=SSL_COMPAT] \ OPTIONAL
[--enable-rule=SSL_SDBM] \ OPTIONAL
[--enable-rule=SSL_EXPERIMENTAL] \ OPTIONAL
[--enable-rule=SSL_VENDOR] \ OPTIONAL
[...more APACHE options...] OPTIONAL
$ cd ../apache_1.3.x
$ make
$ make certificate
$ make install
For more information on compiling mod_ssl directly into Apache, read the INSTALL and README files included with the mod_ssl package. They provide the steps necessary to do this.
Configure httpd.conf for SSL Support
After Apache with mod_ssl is installed, you can configure your httpd.conf as you would for a normal site. You will, however, have to set up your SSL secure site through a VirtualHost. You will access it with https://my.site.com instead of http://my.site.com.
There are many configuration options and requirements for a VirtualHost in Apache. Since there is too much to cover here, I will only give you an example of a basic VirtualHost. A VirtualHost contains the server name, the system administrator's e-mail address, the path to the files and the path to the logs for the host. It ends up looking something like this:
ServerAdmin admin@mysite.com
DocumentRoot /home/httpd/mysite/
ErrorLog /var/log/httpd/mysite-errors_log
TransferLog /var/log/httpd/mysite-transfers_log
To add SSL support to your VirtualHost you must enable it and tell it where your certificate is and which key decrypts it. Add these lines before the closing </VirtualHost> tag:
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
These are the basic SSL options for a VirtualHost. There are many more than can be listed in this short document. When you install mod_ssl into Apache, the new httpd.conf will contain examples and descriptions of VirtualHosts and SSL options. You can also find numerous documents at www.apache.org and www.modssl.org.
Once configured, you are all set to start up the server. Start Apache
in SSL mode by typing the following:
[root@myhost #] /usr/sbin/httpd -startssl
read RSA key
Enter PEM pass phrase:
Notice that it asks you for a password: it needs the pass phrase to decrypt your key for the SSL encryption. This could keep Apache from coming up on startup. Here is a way around it, but it can be a security hazard. Go to where your httpd.conf is stored; in the ssl.key directory you should see server.key, which contains your encrypted key. What we are going to do here is decrypt the key permanently. The upside is that you will not have to enter a password anymore. The security risk is that if the key is compromised, someone can possibly decrypt the information you send across your once-secure connection.
Before you decrypt the key, make a backup first:
[root@myhost #] cp /path/to/apache-conf/ssl.key/server.key server.key.old
Now, using OpenSSL, decrypt the key:
[root@myhost #] /usr/sbin/openssl rsa -in server.key.old -out server.key
read RSA key
Enter PEM pass phrase:
It will prompt you for your password and decrypt your key. server.key now contains an unencrypted key. You must still start Apache with httpd -startssl or the start-up script included with your RPM or dpkg.
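Once the pass phrase has been stripped, the only thing protecting server.key is the file system, so a quick audit of every key named in httpd.conf is worth running. This is an added example, not part of the article: it reads the SSLCertificateKeyFile directives from a configuration file, tells an encrypted PEM key apart from a decrypted one by its headers, and flags any decrypted key readable by group or others. The demo() function writes a constructed httpd.conf and two placeholder key files (no real key material) into a temporary directory so it runs stand-alone.

```python
import os
import re
import tempfile

# mod_ssl directive as it appears in httpd.conf (case-insensitive, one per line).
KEY_DIRECTIVE = re.compile(r"^\s*SSLCertificateKeyFile\s+(\S+)", re.I | re.M)

def key_paths_from_conf(conf_text):
    """Return every SSLCertificateKeyFile path named in the configuration."""
    return KEY_DIRECTIVE.findall(conf_text)

def key_is_encrypted(pem_text):
    """True while the key still needs a pass phrase: `openssl rsa -out` strips
    the 'Proc-Type: 4,ENCRYPTED' header; PKCS#8 keys use their own BEGIN line."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text)

def audit_key(path):
    """Flag a key that is both decrypted and readable by group or others (mode bits 0o044)."""
    with open(path) as fh:
        encrypted = key_is_encrypted(fh.read())
    exposed = bool(os.stat(path).st_mode & 0o044)
    return {"path": path, "encrypted": encrypted,
            "exposed": exposed, "risky": (not encrypted) and exposed}

def audit_conf(conf_path):
    """Audit every key file that the given httpd.conf points at."""
    with open(conf_path) as fh:
        return [audit_key(p) for p in key_paths_from_conf(fh.read())]

# Constructed sample data: PEM headers only, no real key material.
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,00000000\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

def demo():
    """Write a throwaway httpd.conf plus the backup (still encrypted, mode 0600) and the
    decrypted server.key (mode 0644) from the article's procedure, then audit both."""
    d = tempfile.mkdtemp()
    enc, plain = os.path.join(d, "server.key.old"), os.path.join(d, "server.key")
    for path, text, mode in ((enc, ENCRYPTED_PEM, 0o600), (plain, PLAIN_PEM, 0o644)):
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    conf = os.path.join(d, "httpd.conf")
    with open(conf, "w") as fh:
        fh.write("SSLEngine on\nSSLCertificateKeyFile %s\nSSLCertificateKeyFile %s\n" % (enc, plain))
    return audit_conf(conf)
```

Running demo() reports the decrypted 0644 server.key as risky and the encrypted 0600 backup as fine; on a real server, point audit_conf() at the live httpd.conf and chmod 600 any key it flags.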
Resources