Bureaucrats, confirmed, Administrators
4,558
edits
Changes
initial writeup
== Docs ==
In addition to the extensive [http://httpd.apache.org online documentation of the Apache project], you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar
== Secure Server ==
These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache
For Debian-based distros, the apache binary is '''apache2''' rather than httpd, so for finding out what modules are built-in or enabled you would type
<source lang="bash">
sudo apache2 -l
</source>
If mod_ssl.so is not listed in the output, it can be easily enabled by using the [[a2enmod]] command
<source lang="bash">
sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
</source>
A script for generating randomness (to help in creating a more cryptographically secure SSL key)
<source lang="python">
#! /usr/bin/env python
import string
from random import Random
import sys
for x in range(1, 10000): sys.stdout.write(
Random().sample(string.letters +
string.digits, 1)[0])
</source>
<source lang="bash">
./randomness.py > file1
./randomness.py > file2
./randomness.py > file3
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
</source>
Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)
<source lang="bash">
sudo openssl rsa -in server.key -out server.pem
</source>
Generate the signed certificate
<source lang="bash">
sudo openssl req -new -key server.pem -out server.csr
sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
</source>
Copy certificate over to the configuration directory
<source lang="bash">
sudo cp server.pem server.crt /etc/apache2/
sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
</source>
{{Messagebox
| type = success
| text = Because Debian-based systems use "mods-available" and "mods-enabled" through a convention of symbolic links which get included by wildcard in the main apache2.conf; and also because the default "load" configuration file for the module (ssl.conf.load) is already present on the system, you don't have to do anything more than the previous "a2enmod" command to get the module, and it's configuration file read into apache
}}
Modify the (default) configuration file (only if you want to change the available ciphers used)
<source lang="bash">
sudo vi /etc/apache2/mods-available/ssl.conf
</source>
My ubuntu system comes pre-configured to allow medium to highly secure ciphers
<code> SSLCipherSuite HIGH:MEDIUM:!ADH </code>
Now configure our directory paths, and permissions in an Apache configuration file
<source lang="bash">
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
sudo vi /etc/apache2/sites-available/mysite-ssl
</source>
In addition to setting Document Root, I modified these two directives:
<pre>
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.pem
</pre>
<source lang="bash">
# enable the site
sudo a2ensite mysite-ssl
# test the configuration syntax
sudo apache2ctl configtest
# restart the server
sudo apache2ctl graceful
</source>
[[Category:Howto]]
[[Category:Apache]]
[[Category:System Administration]]
In addition to the extensive [http://httpd.apache.org online documentation of the Apache project], you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar
== Secure Server ==
These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache
For Debian-based distros, the apache binary is '''apache2''' rather than httpd, so for finding out what modules are built-in or enabled you would type
<source lang="bash">
sudo apache2 -l
</source>
If mod_ssl.so is not listed in the output, it can be easily enabled by using the [[a2enmod]] command
<source lang="bash">
sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
</source>
A script for generating randomness (to help in creating a more cryptographically secure SSL key)
<source lang="python">
#! /usr/bin/env python
import string
from random import Random
import sys
for x in range(1, 10000): sys.stdout.write(
Random().sample(string.letters +
string.digits, 1)[0])
</source>
<source lang="bash">
./randomness.py > file1
./randomness.py > file2
./randomness.py > file3
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
</source>
Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)
<source lang="bash">
sudo openssl rsa -in server.key -out server.pem
</source>
Generate the signed certificate
<source lang="bash">
sudo openssl req -new -key server.pem -out server.csr
sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
</source>
Copy certificate over to the configuration directory
<source lang="bash">
sudo cp server.pem server.crt /etc/apache2/
sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
</source>
{{Messagebox
| type = success
| text = Because Debian-based systems use "mods-available" and "mods-enabled" through a convention of symbolic links which get included by wildcard in the main apache2.conf; and also because the default "load" configuration file for the module (ssl.conf.load) is already present on the system, you don't have to do anything more than the previous "a2enmod" command to get the module, and it's configuration file read into apache
}}
Modify the (default) configuration file (only if you want to change the available ciphers used)
<source lang="bash">
sudo vi /etc/apache2/mods-available/ssl.conf
</source>
My ubuntu system comes pre-configured to allow medium to highly secure ciphers
<code> SSLCipherSuite HIGH:MEDIUM:!ADH </code>
Now configure our directory paths, and permissions in an Apache configuration file
<source lang="bash">
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
sudo vi /etc/apache2/sites-available/mysite-ssl
</source>
In addition to setting Document Root, I modified these two directives:
<pre>
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.pem
</pre>
<source lang="bash">
# enable the site
sudo a2ensite mysite-ssl
# test the configuration syntax
sudo apache2ctl configtest
# restart the server
sudo apache2ctl graceful
</source>
[[Category:Howto]]
[[Category:Apache]]
[[Category:System Administration]]