Apache Page 9 - Secure Installation and Configuration
Apache and SSL
This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)
At the beginning of this chapter I introduced cryptography as a means of checking that the Apache package I downloaded was correct (digital signatures).
SSL (Secure Sockets Layer) is a protocol used by a web browser (and therefore Apache) to establish an encrypted connection. It is common to see SSL on sites that accept confidential information from their clients (for example, credit card numbers or personal details). In this section, I will explain how to compile Apache with mod_ssl, generate the relevant certificate, and have it signed.
To understand SSL in general, you can (and should) read the documentation for mod_ssl at http://www.modssl.org/docs/2.8/. The second chapter, http://www.modssl.org/docs/2.8/ssl_intro.html, is an excellent article based on Frederick Hirsch’s paper “Introducing SSL and Certificates using SSLeay.” Remember that this documentation is valid for mod_ssl as a stand-alone third-party module, and therefore it may not be perfectly applicable to the mod_ssl bundled with Apache 2.x.
Installation for Apache 1.3.x
You will first need to download mod_ssl from http://www.modssl.org/, making sure that you select the right package for your version of Apache (in my case, mod_ssl-2.8.14-1.3.29.tar.gz for Apache 1.3.29).
You should then read the INSTALL file, which comes with the package and details all the installation options. I would recommend following the instructions marked as “The flexible APACI-only way,” which show you how to install any third-party modules in Apache (as well as SSL).
Here is the transcript of my installation, which should have exactly the same result as the one I showed at the beginning of the chapter (in this case, OpenSSL was already installed on the target system):
[root@merc apache_source]# tar xvzf apache_1.3.29.tar.gz
apache_1.3.29/
apache_1.3.29/cgi-bin/
apache_1.3.29/cgi-bin/printenv
[...]
apache_1.3.29/src/support/suexec.c
apache_1.3.29/src/support/suexec.h
apache_1.3.29/src/Configuration
[root@merc apache_source]#
[root@merc apache_source]# tar xvzf mod_ssl-2.8.14-1.3.29.tar.gz
mod_ssl-2.8.14-1.3.29/ANNOUNCE
mod_ssl-2.8.14-1.3.29/CHANGES
mod_ssl-2.8.14-1.3.29/CREDITS
mod_ssl-2.8.14-1.3.29/INSTALL
[...]
mod_ssl-2.8.14-1.3.29/pkg.sslsup/mkcert.sh
mod_ssl-2.8.14-1.3.29/pkg.sslsup/sslsup.patch
[root@merc apache_source]#
[root@merc apache_source]# cd mod_ssl-2.8.14-1.3.29/
[root@merc mod_ssl-2.8.14-1.3.29]# ./configure --with-apache=../apache_1.3.29
Configuring mod_ssl/2.8.14 for Apache/1.3.29
 + Apache location: ../apache_1.3.29 (Version 1.3.29)
[...]
[root@merc mod_ssl-2.8.14-1.3.29]# cd ..
[root@merc apache_source]# cd apache_1.3.29
[root@merc apache_1.3.29]# SSL_BASE=/usr ./configure --enable-module=ssl --prefix=/usr/local/apache1 --enable-module=most --enable-shared=max
[...]
Creating Makefile in src/modules/extra
Creating Makefile in src/modules/proxy
Creating Makefile in src/modules/ssl
[root@merc apache_1.3.29]# make
===> src
make[1]: Entering directory `/root/apache_source/apache_1.3.29'
make[2]: Entering directory `/root/apache_source/apache_1.3.29/src'
===> src/regex
[...]
+--------------------------------------------------------+
make[1]: Leaving directory `/root/apache_source/apache_1.3.29'
<=== src
[root@merc apache_1.3.29]# make install
make[1]: Entering directory `/root/apache_source/apache_1.3.29'
===> [mktree: Creating Apache installation tree]
./src/helpers/mkdir.sh /usr/local/apache1/bin
mkdir /usr/local/apache1
mkdir /usr/local/apache1/bin
./src/helpers/mkdir.sh /usr/local/apache1/bin
./src/helpers/mkdir.sh /usr/local/apache1/libexec
[...]
| Thanks for using Apache.                 The Apache Group |
|                                    http://www.apache.org/ |
+--------------------------------------------------------+
[root@merc apache_1.3.29]#
Your Apache installation should now be ready to go.
Installation for Apache 2.x
mod_ssl is included in Apache 2.x; this makes its installation very simple. All you have to do is add two options to the ./configure script: --enable-ssl (to enable SSL) and --with-ssl=/openssl_directory (to specify OpenSSL’s base directory).
Here is the installation transcript:
[root@merc httpd-2.0.48]# ./configure --prefix=/usr/local/apache2 --enable-mods-shared=most --enable-ssl --with-ssl=/usr
checking for chosen layout... Apache
checking for working mkdir -p... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu

Configuring Apache Portable Runtime library ...

checking for APR... reconfig
[...]
checking for SSL/TLS toolkit base... /usr
checking for SSL/TLS toolkit version... OpenSSL 0.9.7a Feb 19 2003
checking for SSL/TLS toolkit includes... /usr/include
checking for SSL/TLS toolkit libraries... /usr/lib
  adding "-I/usr/include/openssl" to INCLUDES
  setting LIBS to "-lssl -lcrypto"
checking for SSL_set_state... no
checking for SSL_set_cert_store... no
checking whether to enable mod_ssl... shared (most)
[...]
config.status: executing default commands
[root@merc httpd-2.0.48]# make
Making all in srclib
make[1]: Entering directory `/root/apache_source/httpd-2.0.48/srclib'
Making all in apr
[...]
make[2]: Leaving directory `/root/apache_source/httpd-2.0.48/support'
make[1]: Leaving directory `/root/apache_source/httpd-2.0.48'
[root@merc httpd-2.0.48]# make install
Making install in srclib
make[1]: Entering directory `/root/apache_source/httpd-2.0.48/srclib'
Making install in apr
make[2]: Entering directory `/root/apache_source/httpd-2.0.48/srclib/apr'
Making all in strings
Installing build system files
make[1]: Leaving directory `/root/apache_source/httpd-2.0.48'
[...]
[root@merc httpd-2.0.48]#
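A pre-flight and post-install check for the two builds above (Apache 1.3 with SSL_BASE and --enable-module=ssl, Apache 2.x with --enable-ssl and --with-ssl), written as an added example that is not from the book: it verifies that the OpenSSL base directory contains what configure's "SSL/TLS toolkit" probes look for, emits the matching configure line, and confirms after make install that the shared SSL module landed in the install tree. The module file names (libexec/libssl.so for 1.3, modules/mod_ssl.so for 2.x) and the lib/lib64 search are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the book): pre-flight and post-install checks for
# an Apache + mod_ssl source build. File names below are assumptions.

# Return 0 if DIR looks like an OpenSSL base directory, i.e. it has the
# header tree and a libssl library; this mirrors what configure's
# "checking for SSL/TLS toolkit base/includes/libraries" probes need.
ssl_base_ok() {
    dir=$1
    [ -f "$dir/include/openssl/ssl.h" ] || return 1
    for lib in "$dir"/lib/libssl.so "$dir"/lib/libssl.a \
               "$dir"/lib/libssl.dylib "$dir"/lib64/libssl.so; do
        [ -e "$lib" ] && return 0
    done
    return 1
}

# Print the configure command for a given Apache major version. Apache 1.3
# takes the OpenSSL location through the SSL_BASE environment variable and
# enables mod_ssl as a module; Apache 2.x ships mod_ssl in tree and uses
# --enable-ssl / --with-ssl. Fails early if SSLDIR holds no OpenSSL.
configure_cmd() {
    major=$1 prefix=$2 ssldir=$3
    ssl_base_ok "$ssldir" || { echo "no OpenSSL under $ssldir" >&2; return 1; }
    case $major in
        1) printf 'SSL_BASE=%s ./configure --enable-module=ssl --prefix=%s --enable-module=most --enable-shared=max\n' "$ssldir" "$prefix" ;;
        2) printf './configure --prefix=%s --enable-mods-shared=most --enable-ssl --with-ssl=%s\n' "$prefix" "$ssldir" ;;
        *) echo "unsupported Apache major version: $major" >&2; return 1 ;;
    esac
}

# After 'make install', confirm the shared SSL module is in the install tree:
# libexec/libssl.so for a 1.3 build with --enable-shared=max (assumed name),
# modules/mod_ssl.so for a 2.x build with --enable-mods-shared (assumed name).
mod_ssl_installed() {
    major=$1 prefix=$2
    case $major in
        1) [ -f "$prefix/libexec/libssl.so" ] ;;
        2) [ -f "$prefix/modules/mod_ssl.so" ] ;;
        *) return 1 ;;
    esac
}
```

Run configure_cmd before the build to catch a wrong --with-ssl or SSL_BASE path, and mod_ssl_installed after make install before editing httpd.conf to load the module.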