This article outlines the steps to install the Apache Web Server with SSL support, using the latest SSL technology.
Installation of Apache and SSL (requires OpenSSL openssl-0.9.5a or better, from www.openssl.com).
- Download the latest Apache Webserver from http://httpd.apache.org/dist/httpd/apache_1.3.19.tar.gz
- tar zxvf apache_1.3.19.tar.gz
- Download the latest Apache-SSL source from ftp://opensores.thebunker.net/pub/mirrors/apachessl/apache_1.3.9+ssl_1.42.tar.gz
- mv apache_1.3.9+ssl_1.42.tar.gz apache_1.3.19
- cd apache_1.3.19 ; tar zxvf apache_1.3.9+ssl_1.42.tar.gz (the Apache-SSL patches must be unpacked inside the Apache source tree, which is why the tarball was moved there)
- Run the executable: ./FixPatch
- ./configure --prefix=/usr/local/apache (run ./configure --help to see the other configure-time options as needed)
- make
- su -
- make install
- ln -s /usr/local/apache/conf/httpsd.conf /usr/local/apache/conf/httpd.conf
- cd /usr/local/apache ; mkdir certs
- cd certs
- openssl genrsa -des3 -out ssl.key 1024
Remember the PEM passphrase you choose! This command creates ssl.key. (genrsa does not accept a -days option; the certificate lifetime is set with -days 365 on the openssl req command below, which means you will have to do the key and certificate steps, this one and the openssl req step, again in 365 days.)
- At this point, you are going to create a self-signed Certificate for your site. If you will be using a CA (Certifying Authority) Certificate, please review http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO-3.html#ss3.2
What is very important to remember in creating the ssl.crt file is deciding "what is the URL people enter to come to my web site?". For example, if you own blah.com and you define blah.com when creating the ssl.crt certificate, then people who access your site via www.blah.com will get a "Certificate Name Check" that might scare people away because it contains an ominous warning. People who access your site via http://blah.com will not get this warning. However you choose to name your server, that is how you must define ServerName in the <VirtualHost> section below.
- openssl req -new -key ssl.key -x509 -days 365 -out ssl.crt
Enter your PEM passphrase; this will create ssl.crt.
This is the information you will be presented with when issuing this command:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:South Carolina
Locality Name (eg, city) []:West Columbia
Organization Name (eg,company) [Internet Widgits Pty Ltd]:Michael Sharp
Organizational Unit Name (eg, section) []:Secure Web Server
Common Name (eg, your name or your server's hostname) []:reality.dynip.com
Email Address []:msharp@medmail.com
The Common Name portion is where you define the site name I was talking about in the previous step.
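The "Certificate Name Check" warning described above is the result of the hostname check a browser performs against the certificate it receives. The following Python script is an added example (not part of the original article) that reproduces that check offline: it shows why a certificate whose Common Name is blah.com is accepted for https://blah.com but rejected for https://www.blah.com, goes one step beyond the article by also honouring subjectAltName entries and left-most-label wildcards the way modern browsers do, and computes the days left until the certificate created with -days 365 must be renewed. The certificate dictionaries, the names in them and the "current time" are constructed samples in the shape Python's ssl.SSLSocket.getpeercert() returns; no network access or OpenSSL binary is required.

```python
"""Hostname check that a browser applies to a server certificate.

Added example, not part of the original article. It models the
"Certificate Name Check" warning discussed above: a certificate whose
Common Name is blah.com passes for https://blah.com but fails for
https://www.blah.com. The certificate dictionaries are constructed
samples in the shape returned by ssl.SSLSocket.getpeercert(); no
network access or OpenSSL binary is needed.
"""
import ssl
import time


def dns_names(cert):
    """Collect the DNS names a certificate claims to be valid for.

    Browsers honour subjectAltName entries; when the certificate has none
    (as with the article's openssl req -x509 command, which sets only a
    Common Name), fall back to the subject commonName.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.

    A wildcard is honoured only as the entire left-most label (*.blah.com)
    and covers exactly one label, so *.blah.com matches www.blah.com but
    neither blah.com nor a.b.blah.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True if any DNS name in the certificate matches the hostname typed."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def days_until_expiry(cert, now=None):
    """Days left before notAfter (negative once expired).

    notAfter uses the getpeercert() format, e.g. 'Jan  1 00:00:00 2003 GMT'.
    """
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


# Constructed sample: the article's self-signed certificate, which carries
# only a Common Name and no subjectAltName extension, valid for 365 days.
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Michael Sharp"),),
                (("commonName", "blah.com"),)),
    "notBefore": "Jan  1 00:00:00 2002 GMT",
    "notAfter": "Jan  1 00:00:00 2003 GMT",
}

# Constructed sample: a certificate whose subjectAltName lists both names,
# which is how to avoid the warning for www.blah.com and blah.com alike.
SAN_CERT = {
    "subject": ((("commonName", "blah.com"),),),
    "subjectAltName": (("DNS", "blah.com"), ("DNS", "www.blah.com")),
    "notBefore": "Jan  1 00:00:00 2002 GMT",
    "notAfter": "Jan  1 00:00:00 2003 GMT",
}

# Constructed "current time" for a reproducible expiry calculation.
CHECK_TIME = ssl.cert_time_to_seconds("Jan  1 00:00:00 2002 GMT")

if __name__ == "__main__":
    for host in ("blah.com", "www.blah.com"):
        print(f"{host:14} CN-only cert: {cert_matches_hostname(CN_ONLY_CERT, host)}"
              f"  SAN cert: {cert_matches_hostname(SAN_CERT, host)}")
    print("days until CN-only cert expires:", days_until_expiry(CN_ONLY_CERT, CHECK_TIME))
```

Running the script prints True for blah.com and False for www.blah.com against the CN-only certificate, True for both against the certificate with subjectAltName entries, and 365 days until expiry at the constructed check time. The practical lesson matches the article: pick the Common Name users actually type, or list every name the server answers to, or visitors will see the warning.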
- Edit /usr/local/apache/conf/httpsd.conf and at the bottom, under <VirtualHost>, add this (the <VirtualHost> line takes your IP address or domain name followed by :443; 192.168.1.3 below is an example):
SSLDisable
<VirtualHost 192.168.1.3:443>
SSLCacheServerPort logs/gcache_port
SSLCacheServerPath bin/gcache
SSLSessionCacheTimeout 10
SSLVerifyClient 0
SSLVerifyDepth 10
SSLCacheServerRunDir /tmp
SSLFakeBasicAuth
SSLRandomFile /dev/random 1024
DocumentRoot /usr/local/apache/htdocs
ServerName www.CHANGE-THIS.com
ServerAdmin SOMEONE@SOMEWHERE.COM
ErrorLog /usr/local/apache/logs/httpsd_error.log
TransferLog /usr/local/apache/logs/httpsd_access.log
SSLEnable
SSLCertificateFile /usr/local/apache/certs/ssl.crt
SSLCertificateKeyFile /usr/local/apache/certs/ssl.key
</VirtualHost>
You must also comment out DocumentRoot, ServerName, ServerAdmin, ErrorLog, and TransferLog in the Main Server configuration:
#DocumentRoot
#ServerName
#ErrorLog
#ServerAdmin
#TransferLog
Where you see:
# Port: The port to which the standalone server listens. For
# ports < 1023, you will need httpd to be run as root initially.
#
Port 8080
change 8080 to 443.
Add any other configuration variables to the httpsd.conf file per your needs.
- Start the server:
/usr/local/apache/bin/httpsdctl start
You will have to enter your PEM passphrase to start the web server! Don't panic if it doesn't start immediately; give it a few moments.
- Check out https://YOUR-WEB-SITE to see whether you were successful.
- Now add your content to /usr/local/apache/htdocs
You're done!
Michael Sharp. PGP key at https://reality.dynip.com/michael-sharp.pgp.
Employed with Providence Heart Institute in Columbia, SC. Heavily involved in Linux Advocacy and Linux Security.