You need to place the files server.crt and server.key in your conf directory:

[root@merc root]# cp server.crt server.key /usr/local/apache2/conf/

For simplicity’s sake, I will place all the SSL directives in a different file. Normally, they would reside in the main httpd.conf file, inside <VirtualHost> directives. In this example, I will place an include directive in the httpd.conf file:

Include conf/ssl.conf

You can now set your ssl.conf file. Here is an example:

# Some mime types
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl        .crl

# Server-wide options
Listen 443

SSLPassPhraseDialog builti n
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
  DocumentRoot "/usr/local/apache2/htdocs"
  ServerName new.host.name:443 

ServerAdmin you@your.address
ErrorLog logs/error_log
TransferLog logs/access_log

# Enable SSL with specific encryption methods
SSLEngine on
SSLCipherSuite ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:
+LOW:+SSLv2:+EXP: +eNULL

# Set the server's key and certificate
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key

# Set specific options
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

# Ugly hack
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# ssl logging
CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

You can choose a different server key and certificate for each virtual server you manage. Also, note that Apache will ask you to key in the server.key’s pass-phrase every time it starts.

Remember that this is only a basic configuration, and shouldn’t be used in a production server. For more detailed information about configuring mod_ssl, please read Chapter 3 of the official documentation at http://www.modssl.org/docs/2.8/ssl_reference.html. In this section I explained briefly how to install and configure mod_ssl. I didn’t get into details mainly because the available documentation is excellent.

• Obtain the Apache package from a secure source (such as http://httpd.apache.org), or your distribution’s FTP site or CD-ROM.

• Check the integrity of the package you obtain (using GnuPG, MD5, or using the tools provided by your distribution).

• Be aware of exactly what each directive does, and what possible consequences the directives have for your server’s security. You should configure Apache so that httpd.conf contains only the directives you actually need.

• Apply all the basic security checks on your configuration: file permissions, protection of root’s home page, deletion of any default files, disabling of any extra information on your server, and disabling of the TRACE method.

• Make sure that you have protected important files (such as .htaccess) using mod_access; and make sure that you need to make minimal modifications to your httpd.conf file (uncomment specific, prewritten lines) to block a particular IP address.

• Learn a little about mod_rewrite, and use it to prevent people from using your web site’s images.

• Install and configure SSL (when required) using the latest SSL implementation available; obtain a valid certificate from a Certificate Authority.

• Test your installation’s strength using an automatic auditing program (such as Nikto, Nessus, SAINT, or SARA).  

This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.