
Apache and SSL - Apache

This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)

TABLE OF CONTENTS:
  1. Secure Installation and Configuration
  2. Asymmetric Encryption and GnuPG
  3. GnuPG and Apache Signatures
  4. Checking and Installing Apache
  5. Running Apache and Testing it with Nikto
  6. Secure Configuration
  7. File Permissions
  8. Don’t Give Extra Information Away
  9. Apache and SSL
  10. Generate Certificates
  11. Configuration
By: Apress Publishing
August 17, 2004

At the beginning of this chapter I introduced cryptography as a means of checking that the Apache package I downloaded was correct (digital signatures).

SSL (Secure Sockets Layer) is a protocol used by a web browser (and therefore Apache) to establish an encrypted connection. It is common to see SSL on sites that accept confidential information from their clients (for example, credit card numbers or personal details). In this section, I will explain how to compile Apache with mod_ssl, generate the relevant certificate, and have it signed.

To understand SSL in general, you can (and should) read the documentation for mod_ssl at http://www.modssl.org/docs/2.8/. The second chapter, http://www.modssl.org/docs/2.8/ssl_intro.html, is an excellent article based on Frederick Hirsch’s paper “Introducing SSL and Certificates using SSLeay.” Remember that this documentation is valid for mod_ssl as a stand-alone third-party module, and therefore it may not be perfectly applicable to the mod_ssl bundled with Apache 2.x.

Installation for Apache 1.3.x

You will first need to download mod_ssl from http://www.modssl.org/, making sure that you select the right package for your version of Apache (in my case, mod_ssl-2.8.14-1.3.29.tar.gz for Apache 1.3.29).

You should then read the INSTALL file, which comes with the package and details all the installation options. I would recommend following the instructions marked as “The flexible APACI-only way,” which show you how to install any third-party modules in Apache (as well as SSL).

Here is the transcript of my installation, which should have exactly the same result as the one I showed at the beginning of the chapter (in this case, OpenSSL was already installed on the target system):

[root@merc apache_source]# tar xvzf apache_1.3.29.tar.gz
apache_1.3.29/
apache_1.3.29/cgi-bin/
apache_1.3.29/cgi-bin/printenv
[...]
apache_1.3.29/src/support/suexec.c
apache_1.3.29/src/support/suexec.h
apache_1.3.29/src/Configuration
[root@merc apache_source]#
[root@merc apache_source]# tar xvzf mod_ssl-2.8.14-1.3.29.tar.gz
mod_ssl-2.8.14-1.3.29/ANNOUNCE
mod_ssl-2.8.14-1.3.29/CHANGES
mod_ssl-2.8.14-1.3.29/CREDITS
mod_ssl-2.8.14-1.3.29/INSTALL
[...]
mod_ssl-2.8.14-1.3.29/pkg.sslsup/mkcert.sh
mod_ssl-2.8.14-1.3.29/pkg.sslsup/sslsup.patch
[root@merc apache_source]#
[root@merc apache_source]# cd mod_ssl-2.8.14-1.3.29/
[root@merc mod_ssl-2.8.14-1.3.29]# ./configure --with-apache=../apache_1.3.29
Configuring mod_ssl/2.8.14 for Apache/1.3.29
+ Apache location: ../apache_1.3.29 (Version 1.3.29)
[...]
[root@merc mod_ssl-2.8.14-1.3.29]# cd ..
[root@merc apache_source]# cd apache_1.3.29
[root@merc apache_1.3.29]# SSL_BASE=/usr ./configure --enable-module=ssl --prefix=/usr/local/apache1 --enable-module=most --enable-shared=max
[...]
Creating Makefile in src/modules/extra
Creating Makefile in src/modules/proxy
Creating Makefile in src/modules/ssl
[root@merc apache_1.3.29]# make
===> src
make[1]: Entering directory `/root/apache_source/apache_1.3.29'
make[2]: Entering directory `/root/apache_source/apache_1.3.29/src'
===> src/regex
[...]
+--------------------------------------------------------+
make[1]: Leaving directory `/root/apache_source/apache_1.3.29'
<=== src
[root@merc apache_1.3.29]# make install
make[1]: Entering directory `/root/apache_source/apache_1.3.29'
===> [mktree: Creating Apache installation tree]
./src/helpers/mkdir.sh /usr/local/apache1/bin
mkdir /usr/local/apache1
mkdir /usr/local/apache1/bin
./src/helpers/mkdir.sh /usr/local/apache1/bin
./src/helpers/mkdir.sh /usr/local/apache1/libexec
[...]
| Thanks for using Apache.       The Apache Group        |
|                                http://www.apache.org/  |
+--------------------------------------------------------+
[root@merc apache_1.3.29]#

Your Apache installation should now be ready to go.

Installation for Apache 2.x

mod_ssl is included in Apache 2.x; this makes its installation very simple. All you have to do is add two options to the ./configure script: --enable-ssl (to enable SSL) and --with-ssl=/openssl_directory (to specify OpenSSL’s base directory).

Here is the installation transcript:

[root@merc httpd-2.0.48]# ./configure --prefix=/usr/local/apache2 --enable-mods-shared=most --enable-ssl --with-ssl=/usr
checking for chosen layout... Apache
checking for working mkdir -p... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu

Configuring Apache Portable Runtime library ...

checking for APR... reconfig
[...]
checking for SSL/TLS toolkit base... /usr
checking for SSL/TLS toolkit version... OpenSSL 0.9.7a Feb 19 2003
checking for SSL/TLS toolkit includes... /usr/include
checking for SSL/TLS toolkit libraries... /usr/lib
  adding "-I/usr/include/openssl" to INCLUDES
  setting LIBS to "-lssl -lcrypto"
checking for SSL_set_state... no
checking for SSL_set_cert_store... no
checking whether to enable mod_ssl... shared (most)
[...]
config.status: executing default commands
[root@merc httpd-2.0.48]# make
Making all in srclib
make[1]: Entering directory `/root/apache_source/httpd-2.0.48/srclib'
Making all in apr
[...]
make[2]: Leaving directory `/root/apache_source/httpd-2.0.48/support'
make[1]: Leaving directory `/root/apache_source/httpd-2.0.48'
[root@merc httpd-2.0.48]# make install
Making install in srclib
make[1]: Entering directory `/root/apache_source/httpd-2.0.48/srclib'
Making install in apr
make[2]: Entering directory `/root/apache_source/httpd-2.0.48/srclib/apr'
Making all in strings
Installing build system files
make[1]: Leaving directory `/root/apache_source/httpd-2.0.48'
[...]
[root@merc httpd-2.0.48]#
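
The configure output above is the first place to confirm that mod_ssl was actually enabled and which OpenSSL tree the build picked up. The following check is an added example, not part of the book: it assumes the ./configure output was saved to a file (for instance with tee), and the function names check_ssl_configure and sample_log are hypothetical.

```shell
#!/bin/sh
# Added example (not from the book): audit saved ./configure output of an
# Apache 2.x build. Function names and the log-file convention are assumptions.

# check_ssl_configure LOGFILE EXPECTED_BASE
# Prints "base=<dir> version=<ver> mod_ssl=<mode>" and returns:
#   0  mod_ssl enabled and OpenSSL found under EXPECTED_BASE
#   1  mod_ssl line missing, or configure answered "no"
#   2  OpenSSL was picked up from a base directory other than EXPECTED_BASE
check_ssl_configure() {
    log=$1
    expected=$2
    # Each value follows the "... " separator on its "checking" line.
    base=$(sed -n 's/^checking for SSL\/TLS toolkit base\.\.\. *//p' "$log" | tail -n 1)
    version=$(sed -n 's/^checking for SSL\/TLS toolkit version\.\.\. *//p' "$log" | tail -n 1)
    mode=$(sed -n 's/^checking whether to enable mod_ssl\.\.\. *//p' "$log" | tail -n 1)

    echo "base=${base:-none} version=${version:-none} mod_ssl=${mode:-none}"

    case $mode in
        ''|no*) return 1 ;;   # module will not be built
    esac
    [ "$base" = "$expected" ] || return 2
    return 0
}

# Constructed sample: the SSL-related lines of the transcript above.
sample_log() {
    cat <<'EOF'
checking for chosen layout... Apache
checking for SSL/TLS toolkit base... /usr
checking for SSL/TLS toolkit version... OpenSSL 0.9.7a Feb 19 2003
checking for SSL/TLS toolkit libraries... /usr/lib
checking whether to enable mod_ssl... shared (most)
EOF
}

# Stand-alone use: sh check_ssl.sh configure.log /usr
if [ $# -eq 2 ]; then
    check_ssl_configure "$1" "$2"
fi
```

A return code of 2 means the build found OpenSSL somewhere other than the directory passed to --with-ssl, which is worth resolving before running make.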

This chapter is from Hardening Apache, by Tony Mobily (Apress, 2004, ISBN: 1590593782).



 
 