
Apache ssl


zareh

Presentation Transcript


  1. Apache ssl
     • Objectives
       • Setup Apache + ssl
     • Contents
       • Recompile Apache for mod_ssl
       • Generating Certificates
       • Self signed certificate
       • SSL Virtualhost
     • Practical
       • Setup Apache with SSL
     • Summary

  2. Apache needs module ssl
     • Go to the Apache 2 source tree
     • Configure Apache2 for SSL support
     • Make Apache2
     • Install Apache2 binaries and modules plus configuration

         # cd /usr/local/src/apache-2.2.0
         # ./configure --enable-layout=SuSE --libexecdir=/usr/lib/httpd/modules --enable-mods-shared=all --enable-ssl
         # make
         # make install

     • Add ssl_module to /etc/httpd/httpd.conf
       • After the last LoadModule add:

         LoadModule ssl_module lib/httpd/modules/mod_ssl.so

     • Include /etc/httpd/extra/httpd-ssl.conf in httpd.conf

         Include /etc/httpd/extra/httpd-ssl.conf

  3. Generating a Private Key and CSR
     • Create a storage directory for certificates and keys
     • Create your RSA private key (1024-bit RSA, encrypted with Triple-DES)
     • Remove the pass-phrase
       • Unless you want to enter it every time Apache2 is started or the machine is rebooted

         # cd /etc/httpd ; mkdir certs
         # openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
         # openssl rsa -in server.key -out server.pem

  4. Make Certificate Signing Request (CSR)
     • CSR generation session
     • You are about to be asked to enter information that will be incorporated into your certificate request.
     • What you are about to enter is what is called a Distinguished Name or a DN.

         # openssl req -new -key server.pem -out server.csr
         Country Name (2 letter code) [AU]:SE
         State or Province Name (full name) [Some-State]:Stockholm
         Locality Name (eg, city) []:Stockholm
         Organization Name (eg, company) [Internet Widgits Pty Ltd]:My-Site, AB.
         Organizational Unit Name (eg, section) []:.
         Common Name (eg, YOUR name) []:www.my-site.com
         Email Address []:webmaster@my-site.com

         Please enter the following 'extra' attributes
         to be sent with your certificate request
         A challenge password []:
         An optional company name []:

  5. Generating a Self-Signed Certificate
     • To generate a temporary certificate which is good for 60 days, issue the following command
     • Here you sign server.csr with your own key to prove that you are you. There is nothing wrong with that, and the connection is encrypted just as strongly as with a certificate signed by anyone else. The only difference is that some applications (browsers) will complain that the page / server is not signed by a trusted party.

         # openssl x509 -req -days 60 -in server.csr -signkey server.pem -out server.crt

  6. Installing the Private Key and Certificate
     • Configuring SSL Enabled Virtual Hosts

         <IfDefine SSL>
         <VirtualHost _default_:443>
             ServerAdmin webmaster@my-site.com
             DocumentRoot /usr/local/httpd/securedocs
             ServerName www.my-site.com
             #ScriptAlias /cgi-bin/ /usr/local/httpd/cgi-bin/
             SSLEngine on
             SSLCertificateFile /etc/httpd/server.crt
             SSLCertificateKeyFile /etc/httpd/server.pem
             #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
             CustomLog /var/log/httpd/ssl_request_log \
                 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
             <Directory />
                 AllowOverride FileInfo AuthConfig Limit
                 Options Indexes MultiViews Includes ExecCGI FollowSymLinks
                 <Limit GET POST OPTIONS PROPFIND>
                     Order allow,deny
                     Allow from all
                 </Limit>
                 <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
                     Order deny,allow
                     Deny from all
                 </Limit>
             </Directory>
         </VirtualHost>
         </IfDefine>
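Before Apache is restarted with this key and certificate, it is worth checking that the pair actually belongs together and that the unencrypted key is protected. The script below is an added example, not part of the original slides; the function name `check_tls_pair`, the 2048-bit threshold and the 14-day expiry window are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the slides): pre-restart checks for a key/cert pair.
# Prints one line per finding; the return status is the number of findings.
check_tls_pair() {
    key=$1; crt=$2; min_bits=${3:-2048}; findings=0

    # 1. The certificate must carry the public half of this private key.
    #    "-passin pass:" makes a still-encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "MISMATCH: $crt does not belong to $key (or key is unreadable)"
        findings=$((findings + 1))
    fi

    # 2. Key length. A 1024-bit key, as generated on slide 3, is reported
    #    under the 2048-bit default (the threshold is this example's choice).
    bits=$(openssl pkey -in "$key" -passin pass: -noout -text 2>/dev/null |
           sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "WEAK: key is ${bits:-unknown} bits, expected >= $min_bits"
        findings=$((findings + 1))
    fi

    # 3. A key without a pass-phrase is protected only by file permissions:
    #    group and other must have no access at all.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $key is accessible to group/other; chmod 600 it"
        findings=$((findings + 1))
    fi

    # 4. Short-lived certificates (60 days on slide 5) expire quietly.
    if ! openssl x509 -in "$crt" -noout -checkend $((14 * 86400)) >/dev/null 2>&1; then
        echo "EXPIRY: $crt expires within 14 days or is unreadable"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh check_tls_pair.sh /etc/httpd/server.pem /etc/httpd/server.crt
if [ "$#" -ge 2 ]; then check_tls_pair "$@"; fi
```

Run against the files from the slides, the 1024-bit key is reported as WEAK until it is regenerated with a larger size.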

  7. Restarting Apache2 and test ssl
     • Make the virtualhost DocumentRoot
     • Add a "testpage" to your secure DocumentRoot
     • Stop and start Apache2
     • Check the Apache2 error log
       • You should be able to see that mod_ssl is loaded and configured

         # mkdir /usr/local/httpd/securedocs
         # echo 'Not yet, soon now!' > /usr/local/httpd/securedocs/index.html
         # apachectl stop ; apachectl start
         # tail /var/log/httpd/error_log
         [Tue Feb 21 20:29:39 2006] [notice] caught SIGTERM, shutting down
         [Tue Feb 21 20:29:40 2006] [notice] Digest: generating secret for digest authentication ...
         [Tue Feb 21 20:29:40 2006] [notice] Digest: done
         [Tue Feb 21 20:29:41 2006] [notice] Apache/2.2.0 (Unix) DAV/2 PHP/5.1.2 mod_ssl/2.2.0 OpenSSL/0.9.7e configured -- resuming normal operations

     • Open your secure page in a web browser

         https://www.my-site.com
         https://192.168.1.1
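Once the virtual host is serving requests, the ssl_request_log defined by the CustomLog line on slide 6 records the negotiated protocol and cipher for every request, which makes it a ready source for spotting clients that still negotiate legacy TLS. The script below is an added example, not part of the original slides; the function names, the list of protocols and cipher keywords treated as weak, and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): summarise legacy handshakes from a log
# written with the slide's CustomLog format:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# Output: one "count client protocol cipher" line per weak combination.
weak_tls_clients() {
    awk '
    # %t expands to "[dd/Mon/yyyy:hh:mm:ss +zone]", which is two
    # whitespace-separated fields, so client, protocol and cipher
    # are fields 3, 4 and 5.
    NF >= 5 {
        client = $3; proto = $4; cipher = $5
        if (proto == "-") next            # request was not made over SSL
        # What counts as weak is this example policy, adjust as needed.
        weak = (proto ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) ||
               (cipher ~ /(RC4|DES|EXP|NULL|MD5)/)
        if (weak) seen[client " " proto " " cipher]++
    }
    END { for (k in seen) print seen[k], k }
    ' "${1:--}" | sort -k1,1nr -k2
}

# Constructed sample lines (not real traffic) in the format above.
sample_ssl_request_log() {
    cat <<'EOF'
[21/Feb/2006:20:31:02 +0100] 192.168.1.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 19
[21/Feb/2006:20:31:05 +0100] 192.168.1.23 SSLv3 DES-CBC3-SHA "GET / HTTP/1.0" 19
[21/Feb/2006:20:31:09 +0100] 192.168.1.23 SSLv3 DES-CBC3-SHA "GET /index.html HTTP/1.0" 19
[21/Feb/2006:20:31:12 +0100] 192.168.1.40 TLSv1.2 RC4-SHA "GET / HTTP/1.1" 19
EOF
}

# Demo on the constructed sample; on a server, pass the real log instead:
#   weak_tls_clients /var/log/httpd/ssl_request_log
sample_ssl_request_log | weak_tls_clients
```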
