blob: 29bafc544cb338890e5126cdd7b4a41c8dfa5977 (blame: dacarver, 637f2ee, 2008-12-05 16:00:53 +0000)
<?xml version='1.0'?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "">
<chapter id="SecuringYourApacheServer">
 <title>Securing Your Apache Server with SSL</title>
 <para>Test insert of some code.</para>
 <section>
 <title>Getting Started with SSL on Apache</title>
 <para>There are a few key ingredients you will need to use with
 Apache to secure your Web server: OpenSSL, mod_ssl, and root access
 to the server.</para>
 <para>OpenSSL is a command line toolkit for using Secure Sockets
 Layer encryption on a server and can be acquired from
 <ulink url=""></ulink>
 . This tool works with the Apache module mod_ssl in carrying out
 SSL-related tasks. Any modern Linux/Unix installation comes
 with OpenSSL; you will need to install OpenSSL yourself if you are
 hosting your Apache server on Windows. You will need root/admin
 privileges to install OpenSSL.</para>
 <para>You must also ensure that mod_ssl is available on your
 server. To see which modules are active in Apache, issue the
 following command in a terminal as the root user on your server.</para>
 <screen>
# httpd -l
 </screen>
 <para>If you have a recent Linux distribution installed, it is
 likely that Apache's modules are compiled as dynamically loadable modules,
 in which case you will need to edit your httpd.conf file and check
 that the following line is uncommented.</para>
 <screen>
LoadModule ssl_module modules/
 </screen>
 <para>Restarting Apache will load the module into action.</para>
 <screen>
# service httpd restart
 </screen>
 <note>
 <para>Note that in recent Apache distributions, the httpd.conf
 file contains an <emphasis>&quot;IfDefine
 HAVE_SSL&quot;</emphasis> section that is intended to contain the
 <emphasis>&quot;VirtualHost&quot;</emphasis> definitions for all
 your SSL Websites. By placing these definitions within the
 <emphasis>&quot;IfDefine&quot;</emphasis> section, you can ensure
 that the sites will not be made available unless SSL support is
 successfully loaded on the server. This prevents problems in which
 the lack of SSL could expose your secure site.</para>
 </note>
 </section>
 <section>
 <title>Create a Local Key Pair</title>
 <para>If you have not already done so, your first step should be to
 create a local private/public key pair from which you can generate
 certificate requests. These can then be used for self-signed
 certificates, or when purchasing a certificate from a CA.</para>
 <para>OpenSSL allows us to use the command line to generate keys.
 You have the option of using strong encryption and a passphrase to
 secure your private key, as shown below.</para>
 <screen>
# cd /etc/ssl/apache/
# openssl genrsa -des3 -out 2048
 </screen>
 <para>Typing the above on the command line will create a private
 key encrypted with Triple DES, the final argument (2048 above) being
 the number of bits in the generated key. There are options for
 shorter key lengths; however, these are not recommended for servers
 that are accessible via the Internet.</para>
 <para>The key will be created in the directory you are in.</para>
 <para>Finally, you should modify the permissions to restrict access
 to the new key.</para>
 <screen>
# cd /etc/ssl/apache/
# chmod 400
# chown root:root
 </screen>
 <para>This ensures that only the root user has access to this file,
 and the passphrase you may have used when creating the key is
 still required in order to open it.</para>
 </section>
 <section>
 <title>Generating a Certificate Signing Request</title>
 <para>To purchase an SSL certificate from a CA, you first need to
 generate what is called a Certificate Signing Request (CSR). This
 is submitted to the CA of your choice, and is used to create the
 official, signed SSL certificate that will be returned to you,
 and with which you may secure your Web server.</para>
 <screen>
# cd /etc/ssl/apache/
# openssl req -new -key -out
 </screen>
 <para>This command creates the .csr file that is sent or uploaded
 to a CA during the process of ordering an SSL certificate.</para>
 </section>
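 <para>As an added example (not part of the original chapter), the following shell script performs the key-pair and CSR steps of the last two sections non-interactively and then checks its own work: the CSR's self-signature must verify and its public key must match the private key before anything is sent to a CA. It encrypts the key with AES-256 rather than the chapter's Triple DES, reads the passphrase from a file instead of a prompt, and the directory, file names, subject and passphrase file location are illustrative assumptions.</para>

```shell
#!/bin/sh
# Added example, not from the original chapter: generate a passphrase-protected
# RSA key, lock down its permissions, create a CSR non-interactively, and verify
# that the CSR really belongs to that key before it goes to a CA.
# Directory, file names, subject and passphrase file are illustrative.

# make_key_and_csr DIR NAME PASSFILE
#   DIR       directory to write into (the chapter uses /etc/ssl/apache)
#   NAME      base name: DIR/NAME.key and DIR/NAME.csr are produced
#   PASSFILE  file whose first line is the key passphrase (keep it mode 0600)
make_key_and_csr() {
    kc_dir=$1; kc_name=$2; kc_pass=$3
    kc_key="$kc_dir/$kc_name.key"
    kc_csr="$kc_dir/$kc_name.csr"

    # Create the key 0600 from the first byte: no window with a readable key.
    kc_old_umask=$(umask)
    umask 077

    # 2048-bit RSA, encrypted with AES-256 (the chapter's -des3 also works, but
    # Triple DES is the weaker cipher). -passout reads the passphrase from a
    # file so it never appears on the command line or in the process list.
    openssl genrsa -aes256 -passout "file:$kc_pass" -out "$kc_key" 2048 2>/dev/null ||
        { umask "$kc_old_umask"; return 1; }
    chmod 400 "$kc_key"

    # CSR with the subject given on the command line instead of interactively.
    openssl req -new -key "$kc_key" -passin "file:$kc_pass" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=www.example.com" \
        -out "$kc_csr" 2>/dev/null || { umask "$kc_old_umask"; return 1; }
    umask "$kc_old_umask"

    # Checks before submission: the CSR's self-signature must verify, and the
    # public key inside it must match the private key (same RSA modulus).
    openssl req -in "$kc_csr" -noout -verify >/dev/null 2>/dev/null || return 1
    kc_key_mod=$(openssl rsa -in "$kc_key" -passin "file:$kc_pass" -noout -modulus 2>/dev/null) || return 1
    kc_csr_mod=$(openssl req -in "$kc_csr" -noout -modulus 2>/dev/null) || return 1
    [ -n "$kc_key_mod" ] || return 1
    [ "$kc_key_mod" = "$kc_csr_mod" ]
}

# key_perms_ok FILE: true only if FILE is mode 0400 or 0600, i.e. unreadable
# by anyone but its owner (the chapter's chmod 400 step).
key_perms_ok() {
    kp_mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$kp_mode" = "400" ] || [ "$kp_mode" = "600" ]
}
```

 <para>Run it as root after creating the passphrase file under a restrictive umask, for example <literal>make_key_and_csr /etc/ssl/apache www_example_com /etc/ssl/apache/www_example_com.pass</literal>. Because the key is written 0600 under umask 077 and then tightened to 0400, there is never a moment when other users can read it, and the modulus comparison catches the common mistake of pairing a CSR with the wrong key.</para>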
 <section>
 <title>Receiving and Installing Your SSL Certificate</title>
 <para>Generally, CAs provide detailed instructions for the
 installation of their SSL certificates; however, I'll cover some
 broad points here.</para>
 <para>The CA from which you order a certificate will email you
 either the certificate, or a link at which you can download it.
 Follow the instructions provided precisely, especially with regard
 to opening a certificate in a text editor. Do not use a word
 processor or rich text editor, as the certificate code can become
 corrupted. You should also take care to ensure that there are no
 leading or trailing spaces around the beginning and end of the
 certificate code in <xref linkend="examp_Emailed_Certificate"/>.</para>
 <example id="examp_Emailed_Certificate">
 <title>Sample Emailed Certificate</title>
 <programlisting>
-----END CERTIFICATE-----
 </programlisting>
 </example>
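 <para>Because the corruption described above is easy to miss by eye, here is an added example (not part of the original chapter) of a small shell check to run on the emailed file before it is copied into /etc/ssl/apache. It inspects only the PEM framing and character set; validating the certificate itself is left to openssl x509 once the text is known to be clean. The file names and sample inputs are constructed for illustration.</para>

```shell
#!/bin/sh
# Added example, not from the original chapter: a textual sanity check for a
# certificate that arrived by e-mail, run before the file is copied to
# /etc/ssl/apache. It catches the damage the text warns about: stray leading or
# trailing whitespace, Windows line endings, and characters a word processor
# may have substituted (smart quotes, non-breaking spaces) that break PEM
# decoding. Returns 0 for clean PEM framing, 1 otherwise, and prints the reason.

check_pem_cert() {
    pc_file=$1
    [ -r "$pc_file" ] || { echo "$pc_file: not readable"; return 1; }

    # The boundary lines must be exact; an extra blank line at the end or a
    # trailing space is enough to make the last line differ.
    if [ "$(head -n 1 "$pc_file")" != "-----BEGIN CERTIFICATE-----" ]; then
        echo "$pc_file: first line is not the BEGIN CERTIFICATE marker"; return 1
    fi
    if [ "$(tail -n 1 "$pc_file")" != "-----END CERTIFICATE-----" ]; then
        echo "$pc_file: last line is not the END CERTIFICATE marker"; return 1
    fi
    # A carriage return means the file was saved with CRLF line endings.
    if grep -q "$(printf '\r')" "$pc_file"; then
        echo "$pc_file: CRLF line endings found"; return 1
    fi
    # Leading or trailing whitespace on any line, including the markers.
    if grep -q -E '^[[:space:]]|[[:space:]]$' "$pc_file"; then
        echo "$pc_file: leading or trailing whitespace found"; return 1
    fi
    # Everything between the markers must be base64: A-Z a-z 0-9 + / and = padding.
    if grep -v -E '^-----(BEGIN|END) CERTIFICATE-----$' "$pc_file" |
            grep -q -E '[^A-Za-z0-9+/=]'; then
        echo "$pc_file: non-base64 characters in the body (word-processor damage?)"; return 1
    fi
    echo "$pc_file: PEM framing looks clean"
    return 0
}
```

 <para>Run it as <literal>check_pem_cert www_example_com.crt</literal>; a non-zero exit means the file should be saved again from the CA's original text with a plain text editor rather than patched by hand.</para>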
 <para>The signed certificate returned by the CA should be saved
 in the /etc/ssl/apache directory.</para>
 <para>Configuring Apache to enable SSL for the domain(s) you are
 securing is done in httpd.conf; on modern systems this configuration
 may have been relocated to the modules.d/40_mod_ssl.conf file. To
 begin, make a backup of the file. Then, open it in your favorite text
 editor.</para>
 <para>You can add the virtual host for the domain you are securing into the
 <emphasis>&quot;IfDefine HAVE_SSL&quot;</emphasis> section noted
 above. A minimal example entry straight from a default httpd.conf
 file is listed below for your reference. You should modify items
 such as paths and IP addresses to fit your own environment. The SSL
 port is 443 unless you are specifically adjusting the port to
 another port number. This is depicted in
 <xref linkend="examp_SSL_Config"/>.</para>
 <example id="examp_SSL_Config">
 <title>Sample SSL Config</title>
 <programlisting>
./modules.d/40_mod_ssl.conf contains:

&lt;IfDefine HAVE_SSL&gt;
 &lt;IfModule !mod_ssl.c&gt;
 LoadModule ssl_module modules/
 &lt;/IfModule&gt;
&lt;/IfDefine&gt;

&lt;IfModule mod_ssl.c&gt;
 Listen
&lt;IfModule mod_mime.c&gt;
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
&lt;/IfModule&gt;

 SSLPassPhraseDialog builtin
 SSLSessionCache shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
 SSLSessionCacheTimeout 300
 SSLMutex default
 SSLRandomSeed startup /dev/urandom 256
 SSLRandomSeed connect builtin
 SSLCryptoDevice builtin
&lt;/IfModule&gt;

&lt;IfModule mod_ssl.c&gt;
 &lt;VirtualHost _default_:443&gt;
 ServerName
 ServerAlias
 ServerAdmin
 ErrorLog logs/ssl_error_domainname_com_log

 &lt;IfModule mod_log_config.c&gt;
 TransferLog logs/ssl_access_domainname_com_log
 &lt;/IfModule&gt;

 SSLEngine on

 SSLProtocol all -SSLv2
 SSLCertificateFile /etc/ssl/apache/
 SSLCertificateKeyFile /etc/ssl/apache/

 &lt;FilesMatch "\.(cgi|shtml|phtml|php)$"&gt;
 SSLOptions +StdEnvVars
 &lt;/FilesMatch&gt;

 DocumentRoot "/var/www/domainname_com/html"

 &lt;Directory "/var/www/domainname_com/html"&gt;
 Options Indexes FollowSymLinks MultiViews
 AllowOverride None
 Order allow,deny
 Allow from all
 &lt;/Directory&gt;

 ScriptAlias /cgi-bin/ "/var/www/domainname_com/cgi-bin/"

 &lt;Directory "/var/www/domainname_com/cgi-bin"&gt;
 SSLOptions +StdEnvVars
 AllowOverride None
 Options None
 Order allow,deny
 Allow from all
 &lt;/Directory&gt;

 &lt;IfModule mod_setenvif.c&gt;
 BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 &lt;/IfModule&gt;

 &lt;IfModule mod_log_config.c&gt;
 CustomLog logs/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 &lt;/IfModule&gt;

 &lt;IfModule mod_rewrite.c&gt;
 RewriteEngine On
 RewriteOptions inherit
 &lt;/IfModule&gt;

 &lt;/VirtualHost&gt;
&lt;/IfModule&gt;
 </programlisting>
 </example>
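 <para>As an added example (not part of the original chapter or of Apache's own tooling), the following shell function lints a vhost configuration like the one above before the restart described next. It checks the points in that listing that matter for security: SSLEngine is on, the SSLProtocol tokens leave SSLv2 disabled, the certificate and key files exist with the key locked to mode 400, and the VirtualHost address is the catch-all _default_ rather than a bare hostname. The ServerRoot default of /etc/httpd and all file paths are assumptions.</para>

```shell
#!/bin/sh
# Added example, not from the original chapter: a lint for the SSL VirtualHost
# configuration, run before Apache is restarted. It reads the config file in
# $1, resolves relative certificate paths against the ServerRoot in $2
# (assumed to be /etc/httpd), and reports the mistakes that most often leave
# a "secure" site either down or weaker than intended. Every finding is
# printed; the return value is the number of findings, so 0 means clean.

lint_ssl_vhost() {
    ls_cfg=$1
    ls_root=${2:-/etc/httpd}
    ls_fails=0

    # Drop comments and leading whitespace once so the checks below can anchor
    # on the directive name.
    ls_body=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$ls_cfg")

    # 1. The engine must actually be on inside the vhost.
    printf '%s\n' "$ls_body" | grep -q -i '^SSLEngine[[:space:]][[:space:]]*on$' ||
        { echo "SSLEngine is not 'on'"; ls_fails=$((ls_fails + 1)); }

    # 2. SSLv2 must end up disabled. mod_ssl applies the SSLProtocol tokens in
    #    order, so "all -SSLv2" is fine while "-SSLv2 all" re-enables it.
    ls_proto=$(printf '%s\n' "$ls_body" | grep -i '^SSLProtocol[[:space:]]' | head -n 1)
    if [ -z "$ls_proto" ]; then
        echo "no SSLProtocol directive; the default on this mod_ssl may allow SSLv2"
        ls_fails=$((ls_fails + 1))
    else
        ls_v2=0; ls_first=1
        for ls_tok in $ls_proto; do
            if [ "$ls_first" = 1 ]; then ls_first=0; continue; fi
            case $ls_tok in
                all|+all|SSLv2|+SSLv2) ls_v2=1 ;;
                -all|-SSLv2)           ls_v2=0 ;;
            esac
        done
        [ "$ls_v2" = 0 ] ||
            { echo "SSLProtocol leaves SSLv2 enabled: $ls_proto"; ls_fails=$((ls_fails + 1)); }
    fi

    # 3. Certificate and key files must exist, and the key must not be
    #    readable by anyone but its owner (the chapter's chmod 400 step).
    for ls_dir in SSLCertificateFile SSLCertificateKeyFile; do
        ls_path=$(printf '%s\n' "$ls_body" | grep -i "^$ls_dir[[:space:]]" | head -n 1 |
                  sed 's/^[^[:space:]]*[[:space:]]*//' | tr -d '"')
        if [ -z "$ls_path" ]; then
            echo "$ls_dir is missing"; ls_fails=$((ls_fails + 1)); continue
        fi
        case $ls_path in /*) ;; *) ls_path="$ls_root/$ls_path" ;; esac
        if [ ! -f "$ls_path" ]; then
            echo "$ls_dir points to a missing file: $ls_path"; ls_fails=$((ls_fails + 1)); continue
        fi
        if [ "$ls_dir" = SSLCertificateKeyFile ]; then
            ls_mode=$(stat -c '%a' "$ls_path" 2>/dev/null || stat -f '%Lp' "$ls_path" 2>/dev/null)
            case $ls_mode in
                400|600) ;;
                *) echo "private key $ls_path is mode $ls_mode; expected 400"; ls_fails=$((ls_fails + 1)) ;;
            esac
        fi
    done

    # 4. A bare word such as "default" in the VirtualHost address is treated as
    #    a hostname to resolve; the catch-all form is _default_:443.
    ls_vh=$(printf '%s\n' "$ls_body" | grep -i 'VirtualHost[[:space:]]' | head -n 1)
    case $ls_vh in
        *'VirtualHost default:'*)
            echo "VirtualHost address 'default' is a hostname; use _default_:443"
            ls_fails=$((ls_fails + 1)) ;;
    esac

    return "$ls_fails"
}
```

 <para>Run <literal>lint_ssl_vhost modules.d/40_mod_ssl.conf /etc/httpd</literal> from the ServerRoot and follow it with <literal>apachectl configtest</literal>: the lint covers only the SSL directives above, while configtest catches syntax errors anywhere in the configuration.</para>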
 <important>
 <title>Restart</title>
 <para>To have these changes take effect, restart Apache!</para>
 </important>
 <para>Now, you must restart Apache to ensure that all your
 modifications are enabled. On Red Hat based systems type the
 following:</para>
 <screen>
# service httpd restart
 </screen>
 <para>On other systems you can use the Apache control command by
 typing the following:</para>
 <screen>
# /usr/sbin/apachectl -k restart
 </screen>
 </section>