A.3. Installing Apache to Use SSL
This
section describes how to install a secure version of the Apache web
server. There are three major differences encountered when installing
Apache to use SSL versus installing Apache normally:
- Secure Sockets Layer software is required. There are several sources of Secure Sockets Layer software; the OpenSSL library is probably the most commonly used with Apache, and it is the one used in these instructions.
- SSL patches must be applied to the Apache code before it is configured and compiled. Unlike installing other Apache modules, SSL installation requires that the core Apache source code be modified or patched. Normal Apache modules, such as the PHP module, interact with Apache through a defined application programming interface, or API. The Apache API provides functions that hide the details of dealing with HTTP from module developers. However, the code that implements SSL must encrypt and decrypt the HTTP requests and responses themselves, below the level at which the API operates, so patches to the Apache source are needed. There are several open source and commercial SSL extensions and patches for Apache. ApacheSSL (http://www.apache-ssl.org) and mod_ssl (http://www.modssl.org) are both open source and easy to install. We describe the installation of ApacheSSL in this section.
- A site certificate needs to be obtained and configured. A self-signed certificate can be created, but it needs to be replaced with a certificate purchased from a Certification Authority before an application goes live, because browsers warn users about certificates whose issuer they do not recognize. There are dozens of organizations that can provide trusted certificates, including companies such as VeriSign and Thawte.
A.3.1. Installing OpenSSL
1. Get the latest version of OpenSSL from http://www.openssl.org/source/. Download the Unix tar-ed and gzip-ed file under the heading "Tarball"; for example, download the file openssl-0.9.6a.tar.gz. The OpenSSL project publishes a PGP signature (a .asc file) alongside each tarball; verify it before building, so that a tampered download cannot become the web server's cryptographic library.
2. Put the distribution file in a directory that can be used to build the OpenSSL libraries. In our installation instructions, we use /usr/local/. The default installation process installs OpenSSL in /usr/local/ssl. To write to /usr/local/, log in as the root user of the Linux installation; in any case, root access is required in Step 5 to install in the default location.
3. Uncompress and un-tar the distribution file in the installation directory using gzip and tar. If the version downloaded was 0.9.6a, the commands are:
% gzip -d openssl-0.9.6a.tar.gz
% tar xvf openssl-0.9.6a.tar
The distribution files are listed as they are extracted from the tar file.
4. Change to the openssl source directory, run the config script, and then make and test the build. Assuming the version downloaded is 0.9.6a, the commands are:
% cd openssl-0.9.6a
% ./config
% make
% make test
Do not skip make test: it runs the library's self-tests, and a build that fails them should not be installed. To install OpenSSL in a directory other than /usr/local/ssl, run config with the --openssldir=<directory-path> option.
5. Install the OpenSSL libraries and binaries. To do this, log in as the root user, and then run the make install target:
% make install
This creates an installation of OpenSSL in the directory /usr/local/ssl.
A.3.2. Installing Apache and ApacheSSL
Both Apache and ApacheSSL need to be installed together, and the ApacheSSL version must match the Apache version exactly, because ApacheSSL is a patch against a specific Apache source tree. ApacheSSL may not always be available for the latest version of Apache, so it is worth checking the latest ApacheSSL version first. At the time of writing, the current version of ApacheSSL applies to Apache 1.3.19.
1. Get the latest version of ApacheSSL by selecting a download site from http://www.apache-ssl.org/. Download the tar-ed and gzip-ed distribution file; for example, apache_1.3.19+ssl_1.44.tar.gz.
2. Get the matching version of the Apache web server source code, which also ends with .tar.gz, from http://www.apache.org/dist/httpd/. For example, if the ApacheSSL version downloaded in Step 1 was apache_1.3.19+ssl_1.44.tar.gz, retrieve apache_1.3.19.tar.gz. As with OpenSSL, check the distribution's signature or checksum against the one published on the download site before unpacking it.
3. Put the Apache distribution file in the base directory where the installation is to be performed. For these instructions, use /usr/local/, as in the Apache installation instructions earlier in this appendix.
4. Unpack the Apache package first by running gzip -d <filename> and tar xvf <filename>. With Apache Version 1.3.19:
% cd /usr/local
% gzip -d apache_1.3.19.tar.gz
% tar xvf apache_1.3.19.tar
This creates an apache_1.3.19 source directory. Record the directory name that was created for use in the next steps. It's assumed from here on that the version is 1.3.19 and the directory is apache_1.3.19.
5. Copy the ApacheSSL distribution into the directory created in Step 4 that already contains the Apache source:
% cp apache_1.3.19+ssl_1.44.tar.gz /usr/local/apache_1.3.19
6. Unpack the ApacheSSL distribution:
% cd /usr/local/apache_1.3.19
% gzip -d apache_1.3.19+ssl_1.44.tar.gz
% tar xvf apache_1.3.19+ssl_1.44.tar
7. Apply the patches using the FixPatch script that comes with ApacheSSL. The script takes the OpenSSL installation directory as its argument, rewrites the Apache-SSL patch so that it refers to that location, and then offers to apply the patch:
% ./FixPatch /usr/local/ssl
8. Type yes when prompted:
Do you want me to apply the fixed-up Apache-SSL patch for you? [n] yes
9. You've now applied the patches to Apache and can continue with the normal installation by following Steps 6 to 10 in the Apache installation instructions earlier in this appendix.
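The following script is an added example, not code from the book or from the OpenSSL or Apache-SSL distributions. It wraps Steps 1 to 5 of A.3.1 and Steps 3 to 6 of A.3.2 with the check the procedure leaves to the reader: no archive is unpacked until its SHA-256 digest matches the digest taken from the project's published checksum or signature file, make install is attempted only after make test has passed and only as root, and the interactive FixPatch step is left to be run by hand. The tarball names, the paths under /usr/local, and the OPENSSL_SHA256, APACHE_SHA256 and APACHESSL_SHA256 variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): build helper for the OpenSSL and
# Apache-SSL steps above.  Assumed layout: the three tarballs already sit
# in $SRC_BASE (default /usr/local) and are given by absolute path, and
# OPENSSL_SHA256, APACHE_SHA256 and APACHESSL_SHA256 hold the digests
# published for them.
set -eu

SRC_BASE=${SRC_BASE:-/usr/local}
SSL_DIR=${SSL_DIR:-/usr/local/ssl}
OPENSSL_VER=${OPENSSL_VER:-0.9.6a}
APACHE_VER=${APACHE_VER:-1.3.19}
APACHESSL_VER=${APACHESSL_VER:-1.44}

# Print the SHA-256 of a file; use sha256sum when available, else the openssl tool.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    fi
}

# Succeed only if the file exists and its digest equals the expected one
# (hex digits compared case-insensitively).
verify_tarball() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# The gzip -d plus tar xvf of the text, as one pipeline, but only after the
# digest check passes.  Nothing is extracted from an unverified archive.
unpack_verified() {
    file=$1; expected=$2; dest=$3
    verify_tarball "$file" "$expected" || {
        echo "digest mismatch for $file; refusing to unpack" >&2; return 1; }
    mkdir -p "$dest"
    gzip -dc "$file" | (cd "$dest" && tar xf -)
}

# Steps 4 and 5 of A.3.1.  make test must pass before anything is installed,
# and make install is attempted only when running as root.
build_openssl() {
    srcdir=$1
    (cd "$srcdir" && ./config --openssldir="$SSL_DIR" && make && make test)
    [ "$(id -u)" -eq 0 ] || { echo "re-run 'make install' in $srcdir as root" >&2; return 1; }
    (cd "$srcdir" && make install)
}

# Steps 3 to 6 of A.3.2: unpack Apache, then unpack Apache-SSL inside it.
# Step 7 (./FixPatch "$SSL_DIR") is interactive and is run by hand afterwards.
stage_apache_ssl() {
    apache_dir="$SRC_BASE/apache_$APACHE_VER"
    unpack_verified "$SRC_BASE/apache_$APACHE_VER.tar.gz" "$APACHE_SHA256" "$SRC_BASE"
    cp "$SRC_BASE/apache_$APACHE_VER+ssl_$APACHESSL_VER.tar.gz" "$apache_dir"
    unpack_verified "$apache_dir/apache_$APACHE_VER+ssl_$APACHESSL_VER.tar.gz" \
        "$APACHESSL_SHA256" "$apache_dir"
    echo "now run: cd $apache_dir && ./FixPatch $SSL_DIR"
}

# Run the whole sequence only when invoked as 'sh build-ssl.sh build';
# sourcing the file merely defines the functions.
if [ "${1:-}" = build ]; then
    unpack_verified "$SRC_BASE/openssl-$OPENSSL_VER.tar.gz" "$OPENSSL_SHA256" "$SRC_BASE"
    build_openssl "$SRC_BASE/openssl-$OPENSSL_VER"
    stage_apache_ssl
fi
```

The digest is compared against a value you copy from the project's published checksum or signature file, never from the same mirror that served the tarball; a mirror that can alter the archive can alter a checksum stored beside it just as easily, which is why the PGP signature is the stronger check.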
A.3.3. Creating a Key and Certificate
For ApacheSSL to operate, it
needs to be configured with a private key and a certificate.
ApacheSSL comes with a script that runs the
openssl utility to create a key and a self-signed
certificate. This is the easiest way to get started. Once the key and
certificate have been created, they need to be configured into
Apache. Again, the version of Apache and the patch applied are
assumed to be Version 1.3.19; if a different version is used, the
following steps need to be changed to include the correct directories
based on the version number.
1. Create the key and self-signed certificate:
% cd /usr/local/apache_1.3.19/src
% make certificate
2. The make certificate script asks for several fields, including country, state, organization name, and the machine hostname, that are encoded into the certificate. The hostname must be the name browsers will use to reach the server; otherwise they warn about a name mismatch as well as the unknown issuer. The script produces a file that contains both the private key and the self-signed certificate:
/usr/local/apache_1.3.19/SSLconf/conf/httpsd.pem
3. After logging in as the root user, copy the key and certificate file into the Apache installation:
% cd /usr/local/apache_1.3.19/SSLconf/conf
% cp httpsd.pem /usr/local/apache/conf/default.pem
Because this file contains the private key, it must be owned by root and readable by no one else (mode 600). Apache reads it as root when it starts, so the web server's unprivileged user does not need access, and any user who can read the key can impersonate the server.
4. Modify the httpsd.conf file with a text editor so that PHP files are processed by the PHP scripting engine. The configuration file is found in the directory /usr/local/apache/conf/. Remove the initial # character from the following line:
AddType application/x-httpd-php .php
5. Modify the httpsd.conf file by changing the Port from 80 to the secure web server port 443:
Port 443
6. Add the following lines to the end of the httpsd.conf file:
#
# SSL Parameters
#
SSLCACertificateFile /usr/local/apache/conf/default.pem
SSLCertificateFile /usr/local/apache/conf/default.pem
SSLCacheServerPath /usr/local/apache/bin/gcache
SSLCacheServerPort 18698
SSLSessionCacheTimeout 3600
SSLCertificateFile names the file holding the server's key and certificate. With a self-signed certificate, the server is its own issuer, so the same file also serves as the CA certificate file; when a certificate from a Certification Authority is installed later, SSLCACertificateFile should point at that authority's certificate instead. The two cache directives tell Apache-SSL where its gcache session-cache daemon is and which port it listens on, and SSLSessionCacheTimeout is the lifetime of cached sessions in seconds.
7. Start Apache. Unlike a normal Apache installation, ApacheSSL creates an httpsdctl script:
% /usr/local/apache/bin/httpsdctl start
In some cases, this doesn't correctly start Apache. If this happens, use the following alternative commands to explicitly specify the configuration file to use with the secure Apache:
% cd /usr/local/apache/
% bin/httpsd -f conf/httpsd.conf
8. A secure Apache is now running and serving requests on port 443, the default HTTPS port, with SSL. This can be tested by requesting the resource https://localhost/ with a web browser. The installation process is now complete.
When a resource such as https://localhost/ is requested with a browser, the browser warns the user that the certificate was issued by an unknown authority. To obtain a certificate that will be trusted by users, the openssl utility needs to be run to create a private key and a certificate request. The certificate request is then sent to a Certification Authority to be signed with their authoritative certificate; there is a fee for this service. While the Apache configuration allows both the key and the certificate to be placed in one file, only the certificate request leaves the server: the private key should not be sent to anyone, not even the Certification Authority. The certificate the authority returns is then combined with the locally held key in the same way that httpsd.pem combines the two.
If a trusted certificate is required, consult the
OpenSSL documentation that describes how
to create keys and Certificate Signing Requests. This documentation
can be found at http://www.openssl.org/docs/apps/openssl.html.
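The script below is an added example, not the book's code and not part of OpenSSL or Apache-SSL. It performs the key and certificate request procedure just described with the openssl utility, keeps the private key on the server with mode 600, checks that the request file contains no key material, and goes a step beyond the text: it can self-sign the request to produce a default.pem of the same key-plus-certificate form that make certificate writes in A.3.3, and it includes a check of what a running server actually presents on port 443. The hostname www.example.com, the subject fields, the 2048-bit key size, the 365-day validity and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): create a private key and a Certificate
# Signing Request for a Certification Authority, keeping the key on the
# server; optionally self-sign the request for local testing.  The hostname,
# subject fields, key size and validity period below are placeholders.
set -eu

# Generate a 2048-bit RSA key under a restrictive umask so the file is never
# created world-readable, tighten it to mode 600, and sanity-check the key.
make_key() {
    dir=$1
    (umask 077 && openssl genrsa -out "$dir/httpsd.key" 2048 2>/dev/null)
    chmod 600 "$dir/httpsd.key"
    openssl rsa -in "$dir/httpsd.key" -check -noout >/dev/null 2>&1
}

# Build the CSR.  CN must be the hostname browsers will use for the site;
# the other fields are the ones 'make certificate' asks for interactively.
make_csr() {
    dir=$1; host=$2
    openssl req -new -key "$dir/httpsd.key" -out "$dir/httpsd.csr" \
        -subj "/C=AU/ST=Victoria/L=Melbourne/O=Example Winestore/CN=$host" 2>/dev/null
    # The request is signed with the key but must not contain it: this is the
    # only file that goes to the Certification Authority.
    openssl req -in "$dir/httpsd.csr" -noout -verify >/dev/null 2>&1
    ! grep -q 'PRIVATE KEY' "$dir/httpsd.csr"
}

# Print the subject of the CSR, to confirm what is about to be sent to the CA.
csr_subject() {
    openssl req -in "$1/httpsd.csr" -noout -subject
}

# For testing before the CA's certificate arrives: self-sign the CSR and
# concatenate key and certificate into default.pem as in Step 3 of A.3.3.
# The same concatenation is used with the CA-issued certificate later.
self_sign_bundle() {
    dir=$1
    openssl x509 -req -days 365 -in "$dir/httpsd.csr" -signkey "$dir/httpsd.key" \
        -out "$dir/httpsd.crt" 2>/dev/null
    (umask 077 && cat "$dir/httpsd.key" "$dir/httpsd.crt" > "$dir/default.pem")
    chmod 600 "$dir/default.pem"
    # The certificate must carry the public half of the key that signed it.
    [ "$(openssl x509 -in "$dir/httpsd.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$dir/httpsd.key" -noout -modulus 2>/dev/null)" ]
}

# Once httpsd is running, show the subject, issuer and validity of the
# certificate the server really presents (not run automatically; needs the
# server from A.3.3 to be up).
check_server() {
    echo | openssl s_client -connect "${1:-localhost:443}" 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Usage: sh make-csr.sh /usr/local/apache/conf www.example.com
# Sourcing the file without arguments only defines the functions.
if [ $# -eq 2 ]; then
    make_key "$1" && make_csr "$1" "$2" && csr_subject "$1"
fi
```

Send only httpsd.csr to the Certification Authority. When their certificate comes back, replace httpsd.crt with it and rebuild default.pem from the unchanged key; then point SSLCACertificateFile at the authority's certificate rather than at default.pem, and run check_server against the live port to confirm that the issuer shown is the authority and not the server itself.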
Copyright © 2003 O'Reilly & Associates. All rights reserved.