<?xml version='1.0'?>
<!-- blame: dacarver 637f2ee 2008-12-05 16:00:53 +0000 -->
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.docbook.org/xml/4.5/docbookx.dtd">
<chapter id="SecuringYourApacheServer">
  <title>Securing Your Apache Server with SSL</title>
  <section>
    <title>Getting Started with SSL on Apache</title>
    <para>There are a few key ingredients you will need to use with
    Apache to secure your Web server: OpenSSL, mod_ssl, and root access
    to the server.</para>
    <para>OpenSSL is a command line toolkit for working with SSL/TLS on
    a server and can be acquired from
    <ulink url="http://www.openssl.org">http://www.openssl.org</ulink>.
    Apache's mod_ssl module is built against it and uses it to carry out
    all SSL-related tasks. Any modern Linux/Unix installation comes with
    OpenSSL; if you are hosting your Apache server on Windows, you will
    need to install OpenSSL yourself. You will need root/admin
    privileges to install OpenSSL.</para>
    <para>You must also ensure that mod_ssl is available on your
    server. To see which modules were compiled into the Apache binary,
    issue the following command in a Terminal as the root user on your
    server and look for mod_ssl.c in the output.</para>
    <screen>
# httpd -l
    </screen>
    <para>If you have a recent Linux distribution installed, it is
    likely that Apache's modules are compiled as dynamically loadable
    modules and mod_ssl.c will not appear in that list. In that case
    you'll need to edit your httpd.conf file and check that the
    following line is uncommented (the module file name varies by
    distribution; mod_ssl.so is the most common).</para>
    <screen>
LoadModule ssl_module modules/mod_ssl.so
    </screen>
    <para>Restarting Apache will load the module.</para>
    <screen>
# service httpd restart
    </screen>
    <note>
      <para>Note that in recent Apache distributions, the httpd.conf
      file contains an <emphasis>&quot;IfDefine
      HAVE_SSL&quot;</emphasis> section that is intended to contain the
      <emphasis>&quot;VirtualHost&quot;</emphasis> definitions for all
      your SSL Websites. By placing these definitions within the
      <emphasis>&quot;IfDefine&quot;</emphasis> section, you ensure
      that those sites are not made available at all unless SSL support
      was successfully loaded on the server, so a site that is meant to
      be reached only over SSL is never served without it.</para>
    </note>
  </section>
  <section>
    <title>Create a Local Key Pair</title>
    <para>If you have not already done so, your first step should be to
    create a local RSA private key; the matching public key is derived
    from it and is what goes into a certificate request. The key can
    then be used for a self-signed certificate, or to obtain a
    certificate from a CA.</para>
    <para>OpenSSL allows us to use the command line to generate keys.
    You have the option of encrypting the private key under a
    passphrase, as shown below.</para>
    <screen>
# cd /etc/ssl/apache/
# openssl genrsa -des3 -out domainname.com.key 2048
    </screen>
    <para>Typing the above on the command line creates a 2048-bit RSA
    private key and encrypts it with Triple DES under the passphrase you
    are prompted for (recent OpenSSL releases also accept -aes256 in
    place of -des3). Shorter keys, such as 1024 bits, are accepted, but
    they are not recommended for servers that are accessible via the
    Internet.</para>
    <para>The key will be created in the directory you're in.</para>
    <para>Finally, you should modify the permissions to restrict access
    to the new key.</para>
    <screen>
# cd /etc/ssl/apache/
# chmod 400 domainname.com.key
# chown root:root domainname.com.key
    </screen>
    <para>This ensures that only the root user can read this file, and
    anyone who does obtain a copy still needs the passphrase you used
    to encrypt it. Apache reads the key while it is still running as
    root during startup, so these permissions do not interfere with
    it.</para>
  </section>
  <section>
    <title>Generating a Certificate Signing Request</title>
    <para>To purchase an SSL certificate from a CA, you first need to
    generate what is called a Certificate Signing Request (CSR). This
    is submitted to the CA of your choice, and is used to create the
    official, signed SSL certificate that will be returned to you, and
    with which you may secure your Web server. You will be asked for the
    key's passphrase and for the subject fields; the Common Name must be
    the fully qualified host name clients will type into their
    browsers.</para>
    <screen>
# cd /etc/ssl/apache/
# openssl req -new -key domainname.com.key -out domainname.com.csr
    </screen>
    <para>This command creates the .csr file that is sent or uploaded
    to a CA during the process of ordering an SSL certificate. The CSR
    contains only the public key and the subject information; the
    private key never leaves the server.</para>
  </section>
  <section>
    <title>Receiving and Installing Your SSL Certificate</title>
    <para>Generally, CAs provide detailed instructions for the
    installation of their SSL certificates; however, I'll cover some
    broad points here.</para>
    <para>The CA from which you order a certificate will email you
    either the certificate, or a link at which you can download it.
    Follow the instructions provided precisely, especially with regard
    to opening a certificate in a text editor. Do not use a word
    processor or rich text editor, as the certificate text can become
    corrupted. You should also take care to ensure that there are no
    leading or trailing spaces around the BEGIN and END lines of the
    certificate, as in <xref linkend="examp_Emailed_Certificate"/>.</para>
    <example id="examp_Emailed_Certificate">
      <title>Sample Emailed Certificate</title>
      <programlisting>
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----
      </programlisting>
    </example>
    <para>The signed certificate returned by the CA should be written
    to domainname.com.crt in the /etc/ssl/apache directory.</para>
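    <para>The key, CSR and certificate steps of the last three sections,
    collected into one script together with the checks an operator
    should run before pointing Apache at the files. This is an added
    example, not part of the original chapter or of OpenSSL's own
    documentation: the passphrase is taken from the KEY_PASS
    environment variable instead of being typed at a prompt, the
    subject fields and the domainname.com names are placeholders, and a
    self-signed certificate stands in for the one a CA would return, so
    the script runs offline. Comparing the RSA modulus is the standard
    way to confirm that a CSR, or the certificate that comes back, was
    made from the private key on disk; the parse check catches the
    whitespace and word-processor damage described above.</para>

```shell
#!/bin/sh
# Added example (not from the original chapter): key, CSR and certificate
# handling as functions, plus the consistency checks to run before the
# files go into httpd.conf. Passphrase comes from $KEY_PASS (assumption);
# subject fields are placeholders.
set -eu

# make_key_and_csr DIR NAME: writes DIR/NAME.key (owner-only, AES-256
# encrypted; the chapter's -des3 works too) and DIR/NAME.csr.
make_key_and_csr() {
    umask 077                                # files are private from the moment they exist
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/$2.key" 2048 2>/dev/null
    chmod 400 "$1/$2.key"
    openssl req -new -key "$1/$2.key" -passin env:KEY_PASS \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=www.$2" \
        -out "$1/$2.csr"
}

# self_sign DIR NAME DAYS: issues DIR/NAME.crt from the CSR with our own key.
# A CA does the same step with its key; here it stands in for the CA's reply.
self_sign() {
    openssl x509 -req -days "$3" -in "$1/$2.csr" -signkey "$1/$2.key" \
        -passin env:KEY_PASS -out "$1/$2.crt" 2>/dev/null
}

# modulus_fp FILE TYPE: SHA-256 of the RSA modulus found in a key, csr or
# crt file, so the three can be compared although the files differ.
modulus_fp() {
    {
        case "$2" in
            key) openssl rsa  -noout -modulus -passin env:KEY_PASS -in "$1" ;;
            csr) openssl req  -noout -modulus -in "$1" ;;
            crt) openssl x509 -noout -modulus -in "$1" ;;
        esac
    } | openssl dgst -sha256 | awk '{ print $NF }'
}

# Return 0 when the public key in the second file belongs to the private
# key in the first; anything else means the wrong file was installed.
csr_matches_key()  { [ "$(modulus_fp "$1" key)" = "$(modulus_fp "$2" csr)" ]; }
cert_matches_key() { [ "$(modulus_fp "$1" key)" = "$(modulus_fp "$2" crt)" ]; }

# cert_is_parseable CRT: 0 when OpenSSL can read the PEM at all, which
# fails for the truncated or whitespace-damaged paste the chapter warns about.
cert_is_parseable() { openssl x509 -noout -in "$1" 2>/dev/null; }

# cert_common_name CRT: the CN the certificate was issued for; it must be
# the host name clients connect to.
cert_common_name() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Constructed usage: KEY_PASS=secret sh ssl-files.sh /etc/ssl/apache domainname.com
if [ "$#" -eq 2 ]; then
    make_key_and_csr "$1" "$2"
    self_sign "$1" "$2" 365
    if csr_matches_key "$1/$2.key" "$1/$2.csr"; then
        if cert_matches_key "$1/$2.key" "$1/$2.crt"; then
            echo "key, CSR and certificate agree; CN=$(cert_common_name "$1/$2.crt")"
        fi
    fi
fi
```

    <para>When the real certificate arrives from the CA, drop it in
    place of the self-signed one and run cert_matches_key and
    cert_is_parseable against it before restarting Apache; a mismatch
    or a parse failure is far easier to diagnose here than from a
    server that refuses to start.</para>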
    <para>Configuring Apache to enable SSL for the domain(s) you're
    securing is done in httpd.conf, or, on modern systems where the
    configuration is split into several files, in a file such as
    modules.d/40_mod_ssl.conf. To begin, make a backup of the file.
    Then, open it in your favorite text editor.</para>
    <para>You can add the virtual host for the domain you're securing
    to the <emphasis>&quot;IfDefine HAVE_SSL&quot;</emphasis> section
    noted above. A minimal example entry, taken from a default
    httpd.conf file, is listed below for your reference. You should
    modify items such as paths and IP addresses to fit your own
    environment. The SSL port is 443 unless you're specifically
    adjusting the port to another port number. Note that the
    SSLProtocol and SSLCipherSuite lines in this default reflect what
    shipped at the time: they still allow SSLv3 as well as RC4 and
    low-grade ciphers, which should be disabled on any Internet-facing
    server. This is depicted in <xref linkend="examp_SSL_Config"/>.</para>
    <example id="examp_SSL_Config">
      <title>Sample SSL Config</title>
      <programlisting>
./modules.d/40_mod_ssl.conf contains:

&lt;IfDefine HAVE_SSL&gt;
    &lt;IfModule !mod_ssl.c&gt;
        LoadModule ssl_module modules/mod_ssl.so
    &lt;/IfModule&gt;
&lt;/IfDefine&gt;

&lt;IfModule mod_ssl.c&gt;
    Listen 0.0.0.0:443
    &lt;IfModule mod_mime.c&gt;
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl
    &lt;/IfModule&gt;
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLRandomSeed startup /dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
&lt;/IfModule&gt;

./conf/vhosts.d/99_domainname_com_ssl.conf:

&lt;IfModule mod_ssl.c&gt;
    &lt;VirtualHost _default_:443&gt;
        ServerName www.domainname.com
        ServerAlias domainname.com
        ServerAdmin admin@domainname.com
        ErrorLog logs/ssl_error_domainname_com_log

        &lt;IfModule mod_log_config.c&gt;
            TransferLog logs/ssl_access_domainname_com_log
        &lt;/IfModule&gt;

        SSLEngine on
        # Defaults of the time: still allow SSLv3 and RC4/low-grade ciphers;
        # tighten both lines on any Internet-facing server
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLProtocol all -SSLv2
        SSLCertificateFile /etc/ssl/apache/domainname.com.crt
        SSLCertificateKeyFile /etc/ssl/apache/domainname.com.key

        &lt;FilesMatch "\.(cgi|shtml|phtml|php)$"&gt;
            SSLOptions +StdEnvVars
        &lt;/FilesMatch&gt;

        DocumentRoot "/var/www/domainname_com/html"

        &lt;Directory "/var/www/domainname_com/html"&gt;
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            Allow from all
        &lt;/Directory&gt;

        ScriptAlias /cgi-bin/ "/var/www/domainname_com/cgi-bin/"

        &lt;Directory "/var/www/domainname_com/cgi-bin"&gt;
            SSLOptions +StdEnvVars
            AllowOverride None
            Options None
            Order allow,deny
            Allow from all
        &lt;/Directory&gt;

        &lt;IfModule mod_setenvif.c&gt;
            BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        &lt;/IfModule&gt;

        &lt;IfModule mod_log_config.c&gt;
            CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        &lt;/IfModule&gt;

        &lt;IfModule mod_rewrite.c&gt;
            RewriteEngine On
            RewriteOptions inherit
        &lt;/IfModule&gt;
    &lt;/VirtualHost&gt;
&lt;/IfModule&gt;
      </programlisting>
    </example>
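    <para>The SSLProtocol and SSLCipherSuite lines in the sample above
    date from 2008 and would fail a present-day review. What follows is
    an added example, not part of the original chapter or of the Apache
    distribution: a small POSIX sh/awk lint that reads an Apache SSL
    configuration file and reports protocol versions and cipher tokens
    that should no longer be enabled, run here against the sample's own
    three SSL lines (the weak case) and against a hardened rewrite of
    them constructed for this example. The TLSv1.1 and TLSv1.2 protocol
    names are only understood by Apache builds linked against OpenSSL
    1.0.1 or later, so check your version before copying the hardened
    lines.</para>

```shell
#!/bin/sh
# Added example (not from the original chapter): lint an Apache mod_ssl
# configuration for legacy protocol and cipher settings.
#
# audit_ssl_conf FILE prints one finding per line and nothing when the file
# is clean. It inspects the directive text only; what the server really
# negotiates still has to be verified against the running port 443.
audit_ssl_conf() {
    awk '
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }      # drop comments and blank lines
    tolower($1) == "sslprotocol" {
        # mod_ssl applies the words left to right: "all"/"X"/"+X" enable, "-X" disables
        ssl3 = 0; tls10 = 0; tls11 = 0
        for (i = 2; i <= NF; i++) {
            t = $i; on = 1
            if (t ~ /^[+-]/) { on = (substr(t, 1, 1) == "+"); t = substr(t, 2) }
            if (t == "all")          { ssl3 = on; tls10 = on; tls11 = on }
            else if (t == "SSLv3")   ssl3 = on
            else if (t == "TLSv1")   tls10 = on
            else if (t == "TLSv1.1") tls11 = on
        }
        if (ssl3)           print FILENAME ":" NR ": SSLv3 still enabled (add -SSLv3)"
        if (tls10 || tls11) print FILENAME ":" NR ": TLS 1.0/1.1 still enabled (add -TLSv1 -TLSv1.1)"
    }
    tolower($1) == "sslciphersuite" {
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t ~ /^!/) continue                     # "!X" removes X, which is what we want
            sub(/^\+/, "", t)
            if (t ~ /(^|\+)(RC4|LOW|EXPORT|NULL|aNULL|eNULL|MD5|DES|3DES|ADH)(\+|$)/)
                print FILENAME ":" NR ": weak cipher token " tok[i]
        }
    }
    tolower($1) == "sslhonorcipherorder" && tolower($2) == "on" { honor = 1 }
    END { if (!honor) print FILENAME ": SSLHonorCipherOrder on is missing" }
    ' "$1"
}

# The three SSL lines of the chapter sample, copied as constructed test input.
weak_ssl_sample() {
    printf '%s\n' \
        '    SSLEngine on' \
        '    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW' \
        '    SSLProtocol all -SSLv2'
}

# A hardened rewrite of the same lines (constructed for this example).
hardened_ssl_sample() {
    printf '%s\n' \
        '    SSLEngine on' \
        '    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' \
        '    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES' \
        '    SSLHonorCipherOrder on'
}

# Constructed usage: sh ssl-lint.sh /etc/httpd/conf/vhosts.d/99_domainname_com_ssl.conf
if [ "$#" -eq 1 ]; then
    audit_ssl_conf "$1"
fi
```

    <para>Against the chapter's three lines the lint reports five
    findings (SSLv3 and TLS 1.0/1.1 left enabled, the RC4+RSA and +LOW
    tokens, and the missing SSLHonorCipherOrder); the hardened block
    reports none. Run it before apachectl configtest, and remember that
    SSLHonorCipherOrder only matters when the server's list is in
    strongest-first order.</para>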
    <important>
      <title>Restart</title>
      <para>None of these changes take effect until Apache is
      restarted.</para>
    </important>
    <para>Restart Apache to enable all your modifications. Because the
    sample uses SSLPassPhraseDialog builtin, you will be prompted on the
    console for the key's passphrase at startup, which also means an
    unattended reboot will stall until someone types it. On Red Hat
    based systems, type the following:</para>
    <screen>
# service httpd restart
    </screen>
    <para>On other systems you can use the Apache control command by
    typing the following:</para>
    <screen>
# /usr/sbin/apachectl -k restart
    </screen>
  </section>
</chapter>