Apache with SSL, Building and Configuration

Apache with ssl support should be the basic platform for providing web services... There are several different implementations to choose from, some commercial (stronghold) and some open source (apache+ssl, apache+modssl). We've choseen to work with apache+ssl because the creators emphasize stability over new features (modssl).

As with squid, you can use the FreeBSD ports copy of apache, or build your own. Much of how you install and configure Apache will depend on how the server will be used.

Will the server host lots of user websites, (the UO 20,0000) , or just a few web-sites?

Is the machine to be a dedicated webserver

Is the webserver an interface to other applications

Building apache today

We're going to build apache with two optional componets

ssl support
suexec

What is suexec? suexec is an Apache module which allows cgi programs to run as the user who put them in place rather than as the uid of the webserver (in this case nobody) This fixes some security problems and creates others.

Files

For this build therefore, we need three components

openssl-0.9.6a.tar.gz
apache_1.3.19.tar.gz
apache_1.3.19+ssl_1.42.tar.gz
Get them from noc.ws.afnog.org (from above) and drop them in /u/src/
Also Grab the example-simple-ssl-httpd.conf

Building OpenSSL

tar -zxvf openssl-0.9.6a.tar.gz
cd openssl-0.9.6a/
Take a look at the README and INSTALL files.
./config
make
make test
make install

 
  Uncompressing Apache and adding the SSL patch

tar -zxvf apache_1.3.19.tar.gz
mv apache_1.3.19+ssl_1.42.tar.gz apache_1.3.19/.
cd apache_1.3.19
tar -zxvf apache_1.3.19+ssl_1.42.tar.gz
take a look at README.SSL
./FixPatch
Say "no" to OpenSSL patch
Say "yes" to patching Apache

 
  Configuring and building Apache
   
  

     ./configure --prefix=/usr/local/apache --enable-suexec --suexec-caller=nobody 
       
    
 make 
       
    
 make install 
       
  
  This is the hairy bit(making a certificate)
   
  

     cd /usr/local/ssl/certs 
       
    
 Create the key and request /usr/local/ssl/bin/openssl 
      req -new > new.cert.csr

      [Prepare to create a passphrase] 
       
    
 Remove the passphrase from the key openssl rsa 
      -in privkey.pem -out new.cert.key

      [You'll need the passphrase from above] 
       
    
 Convert request into signed cert openssl x509 
      -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365 
       
    
 So what do you have as a result of this? An ssl certificate file 
      called /usr/local/ssl/certs/new.cert.cert and 
      a certificate keyfile called /usr/local/ssl/certs/new.cert.key 
  
  Configuring Apache
   
  

     Here's an example server config 
       
      
     
    
 
    using ssl means you're running two virtual servers 
    
       one on port 80 (the regular server) 
         
      
 one on port 443 (the ssl server) 
         
    
    
 You have more directories to keep track of because of your keys 
       
    
 the key that was generated is valid for only one hostname 
       
    
 So, a key per virtual host is a good idea if you're doing virtual hosts 
      with ssl servers as well 
       
    
 Unsigned keys are fine for things like running your webmail services 
      through ssl, for ecommerce type applications having a key signed by a reliable 
      CA (certificate authority) is considered normal. 
    
 CA's include Verisign (USA), Thawte (South Africa) and others 
       
    
 http.conf example a generic 
      config for ssl 
     
  
   
  The last couple steps
   
   
  

     
     cp /u/src/example-simple-ssl-httpd.conf /usr/local/apache/conf/ 
       
    
 Lets edit /usr/local/apache/conf/example-simple-ssl-httpd.conf 
       
     There are a couple of values we'll have to change in order to 
      localize it to the local host 
       
     
    
 Ok, from the config file we know we need 
      to create a directory in order to store the ssl cache file mkdir 
      /usr/local/apache/cache and create the file itself 
      touch /usr/local/apache/cache/file 
       
      
     
    
 So now lets test our config file for errors /usr/local/apache/bin/httpsd 
      -t -f /usr/local/apache/conf/example-simple-ssl-httpd.conf 
       
    
 If all is well... Run it. /usr/local/apache/bin/httpsd 
      -f /usr/local/apache/conf/example-simple-ssl-httpd.conf 
       
    
 now to connect to your webserver on ports 80 
      and 443 
     
  
   
   
  

    DONE
  
   
  
References
   Apache HTTP server 
  
 Apache-SSL.org 
  
 OpenSSL.org 
  
 
  

  
    Last modified: 
  Sun May 6 09:40:54 PDT 2001