<?xml version='1.0'?>
<!-- dacarver, commit 637f2ee, 2008-12-05 16:00:53 +0000 -->
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.docbook.org/xml/4.5/docbookx.dtd">
<chapter id="SecuringYourApacheServer">
<title>Securing Your Apache Server with SSL</title>
<para>Test insert of some code.</para>
<section>
<title>Getting Started with SSL on Apache</title>
<para>There are three key ingredients you will need to secure your
Apache Web server: OpenSSL, mod_ssl, and root access to the
server.</para>
<para>OpenSSL is a command line toolkit for using Secure Sockets
Layer encryption on a server and can be acquired from
<ulink url="http://www.openssl.org">http://www.openssl.org</ulink>.
It works together with the Apache module mod_ssl to carry out
SSL-related tasks. Any modern Linux/Unix installation comes with
OpenSSL; if you are hosting your Apache server on Windows, you will
have to install OpenSSL yourself. Installing OpenSSL requires
root/admin privileges.</para>
<para>You must also ensure that mod_ssl is available on your
server. To list the modules compiled into the httpd binary, issue
the following command in a terminal as the root user on your
server.</para>
<screen>
# httpd -l
</screen>
<para>If you have a recent Linux distribution installed, Apache's
modules are most likely built as dynamically loadable modules, so
mod_ssl will not appear in that list; in that case edit your
httpd.conf file and check that the following line is
uncommented.</para>
<screen>
LoadModule ssl_module modules/libmodssl.so
</screen>
<para>Restarting Apache loads the module.</para>
<screen>
# service httpd restart
</screen>
<note>
<para>In recent Apache distributions, the httpd.conf file contains
an <emphasis>"IfDefine HAVE_SSL"</emphasis> section that is
intended to hold the <emphasis>"VirtualHost"</emphasis>
definitions for all your SSL Websites. By placing these
definitions within the <emphasis>"IfDefine"</emphasis> section,
you ensure that the sites are not made available unless SSL
support has been loaded successfully. This prevents a site that
is meant to be reachable only over SSL from being served in the
clear because SSL support failed to load.</para>
</note>
</section>
<section>
<title>Create a Local Key Pair</title>
<para>If you have not already done so, your first step should be to
create a local private/public key pair from which you can generate
certificate requests. These can then be used for self-signed
certificates, or when purchasing a certificate from a CA.</para>
<para>OpenSSL allows you to generate keys from the command line.
You have the option of encrypting the private key under a
passphrase, as shown below.</para>
<screen>
# cd /etc/ssl/apache/
# openssl genrsa -des3 -out domainname.com.key 2048
</screen>
<para>Typing the above on the command line creates a private key
encrypted with Triple DES; the final argument, 2048, is the length
of the key in bits. Shorter key lengths are possible, but they are
not recommended for servers that are reachable from the
Internet.</para>
<para>The key is created in the current directory.</para>
<para>Finally, you should modify the permissions to restrict access
to the new key.</para>
<screen>
# cd /etc/ssl/apache/
# chmod 400 domainname.com.key
# chown root:root domainname.com.key
</screen>
<para>This ensures that only the root user can read the file, and
the passphrase you chose when creating the key is still required
to use it.</para>
</section>
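<para>The following script is an added example, not part of the original chapter: it audits a private key file for the two properties the chmod/chown step above relies on, mode 400 owned by the expected user and passphrase protection, by reading the PEM headers directly, so it needs no openssl binary. GNU stat (as on Linux) is assumed, and the two sample key files written by make_samples are constructed placeholders rather than real key material.</para>

```shell
#!/bin/sh
# Added example, not part of the original chapter: an audit of the private key
# file after the chapter's chmod/chown step. It checks the two properties the
# chapter relies on, mode 400 owned by the expected user and passphrase
# protection (what genrsa -des3 produces), by reading the PEM headers, so no
# openssl binary is needed. GNU stat (Linux) is assumed; the sample key files
# written by make_samples are constructed stand-ins, not real keys.

# key_mode FILE: octal permission bits, e.g. 400.
key_mode() { stat -c '%a' "$1"; }

# key_owner FILE: owning user name.
key_owner() { stat -c '%U' "$1"; }

# key_is_encrypted FILE: 0 when the PEM carries an encryption header.
# Traditional format (openssl 1.x genrsa -des3) has "Proc-Type: 4,ENCRYPTED";
# PKCS#8 output (openssl 3.x) uses the ENCRYPTED PRIVATE KEY envelope instead.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# audit_key FILE [OWNER]: prints one line per finding (OWNER defaults to root)
# and returns 0 only when the file passes every check.
audit_key() {
    key=$1
    want_owner=${2:-root}
    rc=0
    if [ ! -f "$key" ]; then
        echo "MISSING $key"; return 1
    fi
    mode=$(key_mode "$key")
    if [ "$mode" != "400" ]; then
        echo "MODE $key is $mode, expected 400"; rc=1
    fi
    owner=$(key_owner "$key")
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER $key is owned by $owner, expected $want_owner"; rc=1
    fi
    if ! key_is_encrypted "$key"; then
        echo "PLAINTEXT $key is not passphrase protected"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK $key"
    fi
    return "$rc"
}

# make_samples: writes a good and a bad sample key into a scratch directory
# and prints the directory. The PEM bodies are placeholders, not key material.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' \
        'bm90IGEgcmVhbCBrZXksIGp1c3QgYSBwbGFjZWhvbGRlcg==' \
        '-----END RSA PRIVATE KEY-----' > "$d/good.key"
    chmod 400 "$d/good.key"
    # Unencrypted and world readable: both findings should be reported.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'bm90IGEgcmVhbCBrZXksIGp1c3QgYSBwbGFjZWhvbGRlcg==' \
        '-----END RSA PRIVATE KEY-----' > "$d/bad.key"
    chmod 644 "$d/bad.key"
    echo "$d"
}

# Usage on a real server: audit_key /etc/ssl/apache/domainname.com.key
```

<para>On a production host the call is simply audit_key /etc/ssl/apache/domainname.com.key; the default owner of root matches the chown in the chapter, and a non-zero exit makes the check usable from a cron job or a configuration management run.</para>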
<section>
<title>Generating a Certificate Signing Request</title>
<para>To purchase an SSL certificate from a CA, you first need to
generate what is called a Certificate Signing Request (CSR). This
is submitted to the CA of your choice, and is used to create the
official, signed SSL certificate that will be returned to you, and
with which you may secure your Web server.</para>
<screen>
# cd /etc/ssl/apache/
# openssl req -new -key domainname.com.key -out domainname.com.csr
</screen>
<para>This command creates the .csr file that is sent or uploaded
to a CA during the process of ordering an SSL certificate.</para>
</section>
<section>
<title>Receiving and Installing Your SSL Certificate</title>
<para>Generally, CAs provide detailed instructions for the
installation of their SSL certificates; however, I'll cover some
broad points here.</para>
<para>The CA from which you order a certificate will email you
either the certificate, or a link from which you can download it.
Follow the instructions provided precisely, especially with regard
to opening a certificate in a text editor. Do not use a word
processor or rich text editor, as the certificate code can become
corrupted. You should also take care that no leading or trailing
whitespace surrounds the beginning and end of the certificate
block, which looks like <xref linkend="examp_Emailed_Certificate"/>.</para>
<example id="examp_Emailed_Certificate">
<title>Sample Emailed Certificate</title>
<programlisting>
-----BEGIN CERTIFICATE-----
MIICzjCCAjegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBrDELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCFZpcmdpbmlhMRQwEgYDVQQHEwtTcHJpbmdmaWVsZDEYMBYGA1UE
ChMPSlJJIFdvcmxkLCBJbmMuMRAwDgYDVQQLEwdPbnRhcmlvMR0wGwYDVQQDExRv
bnRhcmlvLmpyaXdvcmxkLmNvbTEpMCcGCSqGSIb3DQEJARYaYmlsbGZAb250YXJp
by5qcml3b3JsZC5jb20wHhcNMDUwNDA3MjI0MTU3WhcNMDYwNDA3MjI0MTU3WjCB
rDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMRQwEgYDVQQHEwtTcHJp
bmdmaWxlZDEYMBYGA1UEChMPSlJJIFdvcmxkLCBJbmMuMRAwDgYDVQQLEwdPbnRh
cmlvMR0wGwYDVQQDExRPbnRhcmlvLmpyaXdvcmxkLmNvbTEpMCcGCSqGSIb3DQEJ
ARYaYmlsbGZAb250YXJpby5qcml3b3JsZC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAM81vIgjw0DWAfReVKthdvwe4YP4Z29UU2QZKx/cTt7pJYnW2vnD
pieGoIyiWr5qW+rmtEFRe1yqarZxU0oGyz2w/1ZlOrhU6vBvsa4JOY6DndSixiRq
jVpzspNk9iJUA5AcjKQVC7SCgDHeySLyHm/zzNKOlATRge3HMgge/qzbAgMBAAEw
DQYJKoZIhvcNAQEEBQADgYEAS6MTN6SWlXu24JhNBPjYpwNs/h0HJ+s4uZnQAq49
pPoRm8omMFx4ilEwuihIUnH0Q9rG6hViiThq6pxRj3gkY8UJ5UaKuXr9yLcfNGf5
r6iaPTHeiauHVqXeBfY+ZWTWlIl9FNePo8Sc9eYI8s/KuR+dn97iYmTAHC8kOzlY
gGg=
-----END CERTIFICATE-----
</programlisting>
</example>
<para>The signed certificate returned by the CA should be written
to domainname.com.crt in the /etc/ssl/apache directory.</para>
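<para>The script below is an added example, not code from the original chapter or from the Apache or OpenSSL projects. It walks the CSR step from the previous section and the certificate handling described above in a scratch directory, with a self-signed certificate standing in for the one a CA would return, and adds the two checks an administrator wants before copying a certificate into /etc/ssl/apache: that the PEM file is clean (exact BEGIN/END lines, no stray whitespace, and parseable) and that the certificate really belongs to the private key. It assumes the openssl command line tool is installed; the scratch paths, the subject fields and the passphrase "demo" are constructed for the demonstration.</para>

```shell
#!/bin/sh
# Added example, not part of the original chapter and not the project's own
# code. It walks the chapter's CSR and certificate steps in a scratch directory,
# with a self-signed certificate standing in for the one a CA would return, and
# adds two checks worth running before installing a certificate: the PEM file is
# clean (exact BEGIN/END lines, no stray whitespace, parses) and the certificate
# actually belongs to the private key. Assumes the openssl command line tool.
# Paths, the subject fields and the passphrase "demo" are constructed values.

# pem_is_clean FILE: 0 when the first and last lines are exactly the PEM
# markers (a trailing space, a CR left by a mail client or a blank line at the
# end all fail this test) and openssl can parse the certificate.
pem_is_clean() {
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    if [ "$first" != "-----BEGIN CERTIFICATE-----" ]; then
        echo "bad first line in $1: '$first'"; return 1
    fi
    if [ "$last" != "-----END CERTIFICATE-----" ]; then
        echo "bad last line in $1: '$last'"; return 1
    fi
    if ! openssl x509 -noout -in "$1" 2>/dev/null; then
        echo "openssl cannot parse $1"; return 1
    fi
    return 0
}

# cert_matches_key CRT KEY: 0 when both carry the same RSA modulus. The key
# passphrase, if any, is read from the KEYPASS environment variable so that it
# never appears on the command line or in the process list.
cert_matches_key() {
    cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    if [ -n "$KEYPASS" ]; then
        km=$(openssl rsa -noout -modulus -in "$2" -passin env:KEYPASS 2>/dev/null)
    else
        km=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    fi
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# run_demo: key -> CSR -> (self-signed stand-in for the CA-issued) certificate,
# then both checks, plus a deliberately damaged copy and an unrelated key that
# must both be rejected. Returns 0 when every step behaves as expected.
run_demo() {
    d=$(mktemp -d) || return 1
    KEYPASS=demo; export KEYPASS
    # Same as the chapter's genrsa -des3, but the passphrase comes from the
    # environment so the run is non-interactive.
    openssl genrsa -des3 -passout env:KEYPASS -out "$d/domainname.com.key" 2048 2>/dev/null || return 1
    chmod 400 "$d/domainname.com.key"
    # CSR: -subj replaces the interactive prompts, -batch suppresses the rest.
    openssl req -new -batch -key "$d/domainname.com.key" -passin env:KEYPASS \
        -subj "/C=US/ST=Virginia/L=Springfield/O=Example Org/CN=www.domainname.com" \
        -out "$d/domainname.com.csr" 2>/dev/null || return 1
    # Check the CSR's self-signature before sending it anywhere.
    openssl req -noout -verify -in "$d/domainname.com.csr" >/dev/null 2>&1 || return 1
    # Stand-in for the CA: sign the CSR with our own key.
    openssl x509 -req -days 30 -in "$d/domainname.com.csr" \
        -signkey "$d/domainname.com.key" -passin env:KEYPASS \
        -out "$d/domainname.com.crt" 2>/dev/null || return 1
    pem_is_clean "$d/domainname.com.crt" || return 1
    cert_matches_key "$d/domainname.com.crt" "$d/domainname.com.key" || return 1
    # A copy with a blank line appended, as a mail client might leave it.
    cp "$d/domainname.com.crt" "$d/damaged.crt"
    printf '\n' >> "$d/damaged.crt"
    if pem_is_clean "$d/damaged.crt" >/dev/null; then
        echo "damaged certificate was not detected"; return 1
    fi
    # A key that does not belong to this certificate must not match either
    # (it is unencrypted, so the KEYPASS value is simply ignored for it).
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    if cert_matches_key "$d/domainname.com.crt" "$d/other.key"; then
        echo "unrelated key reported as matching"; return 1
    fi
    rm -rf "$d"
    echo "all checks passed"
    return 0
}
```

<para>On a real server the two checks are run against the installed files, for example pem_is_clean /etc/ssl/apache/domainname.com.crt followed by cert_matches_key /etc/ssl/apache/domainname.com.crt /etc/ssl/apache/domainname.com.key with KEYPASS exported beforehand; a mismatch at that point is the usual cause of Apache refusing to start after a certificate renewal.</para>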
<para>Configuring Apache to enable SSL for the domain(s) you're
securing is done in httpd.conf or, on modern systems, in the file
this configuration has been moved to, such as
modules.d/40_mod_ssl.conf. To begin, make a backup of the file.
Then, open it in your favorite text editor.</para>
<para>You can add the virtual host for the domain you're securing
into the <emphasis>"IfDefine HAVE_SSL"</emphasis> section noted
above. A minimal example entry taken from a default httpd.conf
file is listed below for your reference. You should modify items
such as paths and IP addresses to fit your own environment. The SSL
port is 443 unless you specifically configure another port number.
This is depicted in <xref linkend="examp_SSL_Config"/>.</para>
<example id="examp_SSL_Config">
<title>Sample SSL Config</title>
<programlisting>
./modules.d/40_mod_ssl.conf contains:

<IfDefine HAVE_SSL>
<IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
</IfDefine>

<IfModule mod_ssl.c>
Listen 0.0.0.0:443
<IfModule mod_mime.c>

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

</IfModule>
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
</IfModule>

./conf/vhosts.d/99_domainname_com_ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName www.domainname.com
ServerAlias domainname.com
ServerAdmin admin@domainname.com
ErrorLog logs/ssl_error_domainname_com_log

<IfModule mod_log_config.c>
TransferLog logs/ssl_access_domainname_com_log
</IfModule>

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLProtocol all -SSLv2
SSLCertificateFile /etc/ssl/apache/domainname.com.crt
SSLCertificateKeyFile /etc/ssl/apache/domainname.com.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

DocumentRoot "/var/www/domainname_com/html"

<Directory "/var/www/domainname_com/html">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>

ScriptAlias /cgi-bin/ "/var/www/domainname_com/cgi-bin/"

<Directory "/var/www/domainname_com/cgi-bin">
SSLOptions +StdEnvVars
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

<IfModule mod_setenvif.c>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>

<IfModule mod_log_config.c>
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
</IfModule>

</VirtualHost>

</IfModule>
</programlisting>
</example>
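<para>The script below is an added example, not part of the original chapter or the Apache project: a small lint for the SSL directives in a configuration like the one above. It confirms that ssl_module is loaded by an uncommented LoadModule line (the check the first section asks you to make by hand) and that SSLEngine is on, then flags the settings that current practice treats as weak: SSLv2 or SSLv3 still allowed by SSLProtocol, and LOW, EXPORT, ADH, aNULL, eNULL or RC4 enabled in SSLCipherSuite. Run over the chapter's own 2008 directives it reports SSLv3 (which "all -SSLv2" leaves enabled), RC4 and LOW; the tightened sample passes. Both sample files written by write_samples are constructed for the demo, and the cipher check reads only explicit tokens without expanding ALL or DEFAULT, so "openssl ciphers -v 'STRING'" remains the authoritative list.</para>

```shell
#!/bin/sh
# Added example, not part of the original chapter: a small lint for the SSL
# parts of an Apache configuration, run over the kind of file the chapter
# shows. It confirms that ssl_module is loaded by an uncommented LoadModule
# line and that SSLEngine is on, then flags the settings that current practice
# treats as weak: SSLv2 or SSLv3 allowed by SSLProtocol, and LOW, EXPORT,
# ADH, aNULL, eNULL or RC4 enabled in SSLCipherSuite. The two sample
# configurations written by write_samples are constructed for the demo; the
# first repeats the chapter's 2008 directives, the second a tightened form.
# The cipher check reads only explicit tokens; it does not expand ALL or
# DEFAULT, so "openssl ciphers -v 'STRING'" remains the authoritative list.

# strip_comments FILE: remove leading whitespace, comment and blank lines.
strip_comments() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# lint_ssl_conf FILE: print one WARN line per finding; return 0 when clean.
lint_ssl_conf() {
    conf=$(strip_comments "$1")
    rc=0
    if ! printf '%s\n' "$conf" | grep -qiE '^LoadModule[[:space:]]+ssl_module[[:space:]]'; then
        echo "WARN no uncommented LoadModule ssl_module line"; rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -qiE '^SSLEngine[[:space:]]+on([[:space:]]|$)'; then
        echo "WARN SSLEngine on is not set"; rc=1
    fi
    # SSLProtocol: "all" enables SSLv2/SSLv3 unless each is explicitly removed.
    # Tokens are lowercased because Apache matches them case-insensitively.
    protos=$(printf '%s\n' "$conf" | awk 'tolower($1)=="sslprotocol"{$1=""; print tolower($0); exit}')
    if [ -z "$protos" ]; then
        echo "WARN SSLProtocol not set, server default applies"; rc=1
    else
        for v in sslv2 sslv3; do
            case " $protos " in
                *" -$v "*) ;;
                *" all "*|*" +$v "*|*" $v "*)
                    echo "WARN SSLProtocol allows $v"; rc=1 ;;
            esac
        done
    fi
    # SSLCipherSuite: tokens starting with "!" are removals; any other token
    # that names a weak group, alone or joined with "+", enables it.
    ciphers=$(printf '%s\n' "$conf" | awk 'tolower($1)=="sslciphersuite"{print $2; exit}')
    if [ -z "$ciphers" ]; then
        echo "WARN SSLCipherSuite not set, server default applies"; rc=1
    else
        old_ifs=$IFS
        IFS=:
        for tok in $ciphers; do
            case "$tok" in '!'*) continue ;; esac
            for weak in LOW EXPORT ADH aNULL eNULL RC4; do
                case "+$tok+" in
                    *"+$weak+"*) echo "WARN SSLCipherSuite enables $weak via '$tok'"; rc=1 ;;
                esac
            done
        done
        IFS=$old_ifs
    fi
    return "$rc"
}

# write_samples: write the two constructed configurations, print the directory.
write_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/chapter.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 0.0.0.0:443
<VirtualHost _default_:443>
    ServerName www.domainname.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/apache/domainname.com.crt
    SSLCertificateKeyFile /etc/ssl/apache/domainname.com.key
</VirtualHost>
EOF
    cat > "$d/tightened.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 0.0.0.0:443
<VirtualHost _default_:443>
    ServerName www.domainname.com
    SSLEngine on
    # Only strong suites; every weak group removed explicitly.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/ssl/apache/domainname.com.crt
    SSLCertificateKeyFile /etc/ssl/apache/domainname.com.key
</VirtualHost>
EOF
    echo "$d"
}
```

<para>Against a live server the call is lint_ssl_conf /etc/httpd/conf/httpd.conf (or whichever file carries the SSL vhost); because the lint only reads the file, it is safe to run before apachectl configtest and the restart that follows.</para>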
<important>
<title>Restart</title>
<para>To have these changes take effect, restart Apache.</para>
</important>
<para>Now, you must restart Apache to ensure that all your
modifications are enabled. On Red Hat based systems, type the
following:</para>
<screen>
# service httpd restart
</screen>
<para>On other systems, use the Apache control command by typing
the following:</para>
<screen>
# /usr/sbin/apachectl -k restart
</screen>
</section>
</chapter>