
Secure Installation and Configuration
By: Apress Publishing
    2004-08-17

    Table of Contents:
  • Secure Installation and Configuration
  • Asymmetric Encryption and GnuPG
  • GnuPG and Apache Signatures
  • Checking and Installing Apache
  • Running Apache and Testing it with Nikto
  • Secure Configuration
  • File Permissions
  • Don’t Give Extra Information Away
  • Apache and SSL
  • Generate Certificates
  • Configuration


    Secure Installation and Configuration - Apache and SSL
    (Page 9 of 11 )

    At the beginning of this chapter I introduced cryptography as a means of checking that the Apache package I downloaded was correct (digital signatures).

    SSL (Secure Sockets Layer) is a protocol used by a web browser (and therefore Apache) to establish an encrypted connection. It is common to see SSL on sites that accept confidential information from their clients (for example, credit card numbers or personal details). In this section, I will explain how to compile Apache with mod_ssl, generate the relevant certificate, and have it signed.

    To understand SSL in general, you can (and should) read the documentation for mod_ssl at http://www.modssl.org/docs/2.8/. The second chapter, http://www.modssl.org/docs/2.8/ssl_intro.html, is an excellent article based on Frederick Hirsch’s paper “Introducing SSL and Certificates using SSLeay.” Remember that this documentation is valid for mod_ssl as a stand-alone third-party module, and therefore it may not be perfectly applicable to the mod_ssl bundled with Apache 2.x.

    Installation for Apache 1.3.x

    You will first need to download mod_ssl from http://www.modssl.org/, making sure that you select the right package for your version of Apache (in my case, mod_ssl-2.8.14-1.3.29.tar.gz for Apache 1.3.29).

    You should then read the INSTALL file, which comes with the package and details all the installation options. I would recommend following the instructions marked as “The flexible APACI-only way,” which show you how to install any third-party modules in Apache (as well as SSL).

    Here is the transcript of my installation, which should have exactly the same result as the one I showed at the beginning of the chapter (in this case, OpenSSL was already installed on the target system):

    [root@merc apache_source]# tar xvzf apache_1.3.29.tar.gz
    apache_1.3.29/
    apache_1.3.29/cgi-bin/
    apache_1.3.29/cgi-bin/printenv
    [...]
    apache_1.3.29/src/support/suexec.c
    apache_1.3.29/src/support/suexec.h
    apache_1.3.29/src/Configuration
    [root@merc apache_source]#
    [root@merc apache_source]# tar xvzf mod_ssl-2.8.14-1.3.29.tar.gz
    mod_ssl-2.8.14-1.3.29/ANNOUNCE
    mod_ssl-2.8.14-1.3.29/CHANGES
    mod_ssl-2.8.14-1.3.29/CREDITS
    mod_ssl-2.8.14-1.3.29/INSTALL
    [...]
    mod_ssl-2.8.14-1.3.29/pkg.sslsup/mkcert.sh
    mod_ssl-2.8.14-1.3.29/pkg.sslsup/sslsup.patch
    [root@merc apache_source]#
    [root@merc apache_source]# cd mod_ssl-2.8.14-1.3.29/
    [root@merc mod_ssl-2.8.14-1.3.29]# ./configure --with-apache=../apache_1.3.29
    Configuring mod_ssl/2.8.14 for Apache/1.3.29
    + Apache location: ../apache_1.3.29 (Version 1.3.29)
    [...]
    [root@merc mod_ssl-2.8.14-1.3.29]# cd ..
    [root@merc apache_source]# cd apache_1.3.29
    [root@merc apache_1.3.29]# SSL_BASE=/usr ./configure --enable-module=ssl \
        --prefix=/usr/local/apache1 --enable-module=most --enable-shared=max

    [...]
    Creating Makefile in src/modules/extra
    Creating Makefile in src/modules/proxy
    Creating Makefile in src/modules/ssl
    [root@merc apache_1.3.29]# make
    ===> src
    make[1]: Entering directory `/root/apache_source/apache_1.3.29'
    make[2]: Entering directory `/root/apache_source/apache_1.3.29/src'
    ===> src/regex
    [...]
    +--------------------------------------------------------+
    make[1]: Leaving directory `/root/apache_source/apache_1.3.29'
    <=== src
    [root@merc apache_1.3.29]# make install
    make[1]: Entering directory `/root/apache_source/apache_1.3.29'
    ===> [mktree: Creating Apache installation tree]
    ./src/helpers/mkdir.sh /usr/local/apache1/bin
    mkdir /usr/local/apache1
    mkdir /usr/local/apache1/bin
    ./src/helpers/mkdir.sh /usr/local/apache1/bin
    ./src/helpers/mkdir.sh /usr/local/apache1/libexec
    [...]
    | Thanks for using Apache.       The Apache Group        |
    |                                http://www.apache.org/  |
    +--------------------------------------------------------+
    [root@merc apache_1.3.29]#

    Your Apache installation should now be ready to go.

    Installation for Apache 2.x

    mod_ssl is included in Apache 2.x; this makes its installation very simple. All you have to do is add two options to the ./configure script: --enable-ssl (to enable SSL) and --with-ssl=/openssl_directory (to specify OpenSSL’s base directory).

    Here is the installation transcript:

    [root@merc httpd-2.0.48]# ./configure --prefix=/usr/local/apache2 \
        --enable-mods-shared=most --enable-ssl --with-ssl=/usr
    checking for chosen layout... Apache
    checking for working mkdir -p... yes
    checking build system type... i686-pc-linux-gnu
    checking host system type... i686-pc-linux-gnu
    checking target system type... i686-pc-linux-gnu

    Configuring Apache Portable Runtime library ...

    checking for APR... reconfig
    [...]
    checking for SSL/TLS toolkit base... /usr
    checking for SSL/TLS toolkit version... OpenSSL 0.9.7a Feb 19 2003
    checking for SSL/TLS toolkit includes... /usr/include
    checking for SSL/TLS toolkit libraries... /usr/lib
      adding "-I/usr/include/openssl" to INCLUDES
      setting LIBS to "-lssl -lcrypto"
    checking for SSL_set_state... no
    checking for SSL_set_cert_store... no
    checking whether to enable mod_ssl... shared (most)
    [...]
    config.status: executing default commands
    [root@merc httpd-2.0.48]# make
    Making all in srclib
    make[1]: Entering directory `/root/apache_source/httpd-2.0.48/srclib'
    Making all in apr
    [...]
    make[2]: Leaving directory `/root/apache_source/httpd-2.0.48/support'
    make[1]: Leaving directory `/root/apache_source/httpd-2.0.48'
    [root@merc httpd-2.0.48]# make install
    Making install in srclib
    make[1]: Entering directory `/root/apache_source/httpd-2.0.48/srclib'
    Making install in apr
    make[2]: Entering directory `/root/apache_source/httpd-2.0.48/srclib/apr'
    Making all in strings
    Installing build system files
    make[1]: Leaving directory `/root/apache_source/httpd-2.0.48'
    [...]
    [root@merc httpd-2.0.48]#
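
A check worth running after ./configure, as an added example that is not from the book: configure does not abort on a mistyped --enable-* option, so this script reads saved configure output and confirms that mod_ssl was enabled and that an SSL/TLS toolkit was found. The function names and the saved-log workflow are assumptions; the sample lines are the SSL-related lines of the Apache 2.x transcript above.

```shell
#!/bin/sh
# Added example (not from the book): audit saved ./configure output for SSL results.

# ssl_field LOG LABEL: print what configure reported after "checking LABEL... "
ssl_field() {
    sed -n "s|^[[:space:]]*checking $2\.\.\. ||p" "$1" | tail -n 1
}

# check_ssl_configure LOG: returns 0 when mod_ssl is enabled and OpenSSL was found,
# 1 when mod_ssl is disabled or the toolkit is missing, 2 when SSL was never evaluated.
check_ssl_configure() {
    base=$(ssl_field "$1" "for SSL/TLS toolkit base")
    version=$(ssl_field "$1" "for SSL/TLS toolkit version")
    modssl=$(ssl_field "$1" "whether to enable mod_ssl")
    if [ -z "$modssl" ]; then
        echo "FAIL: configure never evaluated mod_ssl"
        return 2
    fi
    case $modssl in
        no*) echo "FAIL: mod_ssl not enabled ($modssl)"; return 1 ;;
    esac
    if [ -z "$base" ] || [ -z "$version" ]; then
        echo "FAIL: mod_ssl=$modssl but no SSL/TLS toolkit was detected"
        return 1
    fi
    echo "OK: mod_ssl=$modssl; toolkit=$version; base=$base"
}

# Sample input: SSL-related lines copied from the Apache 2.x transcript above.
sample_configure_log() {
    cat <<'EOF'
checking for SSL/TLS toolkit base... /usr
checking for SSL/TLS toolkit version... OpenSSL 0.9.7a Feb 19 2003
checking for SSL/TLS toolkit libraries... /usr/lib
checking whether to enable mod_ssl... shared (most)
EOF
}

# Demo run on the sample; in practice save real output with: ./configure ... | tee configure.out
log=$(mktemp)
sample_configure_log > "$log"
check_ssl_configure "$log"
rm -f "$log"
```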

    This chapter is from Hardening Apache, by Tony Mobily (Apress, 2004, ISBN: 1590593782).
