Apache HTTP Server
From KevinWiki
(→Generate A Key for the CSR) |
|||
(6 intermediate revisions not shown) | |||
Line 1: | Line 1: | ||
- | [[Category:Network]] | + | [[Category:Network]][[Category:Server]] |
==Apache HTTP Server== | ==Apache HTTP Server== | ||
Line 94: | Line 94: | ||
CustomLog /var/log/apache2/access.log combined | CustomLog /var/log/apache2/access.log combined | ||
- | ServerSignature | + | '''ServerSignature Off''' |
Alias /doc/ "/usr/share/doc/" | Alias /doc/ "/usr/share/doc/" | ||
Line 106: | Line 106: | ||
</VirtualHost> | </VirtualHost> | ||
+ | '''ServerTokens Prod''' | ||
<div style="font-weight: bolder;"> | <div style="font-weight: bolder;"> | ||
Line 161: | Line 162: | ||
CustomLog /var/log/apache2/access.log combined | CustomLog /var/log/apache2/access.log combined | ||
- | ServerSignature | + | '''ServerSignature Off''' |
Alias /doc/ "/usr/share/doc/" | Alias /doc/ "/usr/share/doc/" | ||
Line 207: | Line 208: | ||
CustomLog /var/log/apache2/access.log combined | CustomLog /var/log/apache2/access.log combined | ||
- | ServerSignature | + | '''ServerSignature Off''' |
Alias /doc/ "/usr/share/doc/" | Alias /doc/ "/usr/share/doc/" | ||
Line 235: | Line 236: | ||
ServerName blog.yoursite.com | ServerName blog.yoursite.com | ||
</VirtualHost> | </VirtualHost> | ||
+ | '''ServerTokens Prod''' | ||
-<code>NameVirtualHost *:443</code> is not necessary if there is only one virtual host using 443 port. | -<code>NameVirtualHost *:443</code> is not necessary if there is only one virtual host using 443 port. | ||
Line 242: | Line 244: | ||
<VirtualHost *:80> | <VirtualHost *:80> | ||
ServerAdmin webmaster@localhost | ServerAdmin webmaster@localhost | ||
- | |||
- | |||
+ | ServerName your-domain.com | ||
+ | DocumentRoot /var/www/ | ||
<Directory /> | <Directory /> | ||
Options FollowSymLinks | Options FollowSymLinks | ||
Line 272: | Line 274: | ||
CustomLog /var/log/apache2/access.log combined | CustomLog /var/log/apache2/access.log combined | ||
+ | '''ServerSignature Off''' | ||
Alias /doc/ "/usr/share/doc/" | Alias /doc/ "/usr/share/doc/" | ||
Line 283: | Line 286: | ||
</VirtualHost> | </VirtualHost> | ||
+ | '''ServerTokens Prod''' | ||
- | + | -Copy <code>default-ssl</code> to <code>mysite-ssl</code> and add the key file info. | |
- | - | + | <IfModule mod_ssl.c> |
<VirtualHost *:443> | <VirtualHost *:443> | ||
- | + | ServerAdmin webmaster@localhost | |
- | + | ||
- | + | ServerName your-domain.com | |
+ | DocumentRoot /var/www/ | ||
+ | <Directory /> | ||
+ | Options FollowSymLinks | ||
+ | AllowOverride None | ||
+ | </Directory> | ||
+ | <Directory /var/www/> | ||
+ | # Options Indexes FollowSymLinks MultiViews | ||
+ | Options FollowSymLinks MultiViews | ||
+ | AllowOverride None | ||
+ | Order allow,deny | ||
+ | allow from all | ||
+ | </Directory> | ||
- | + | ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ | |
+ | <Directory "/usr/lib/cgi-bin"> | ||
+ | AllowOverride None | ||
+ | Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch | ||
+ | Order allow,deny | ||
+ | Allow from all | ||
+ | </Directory> | ||
- | + | ErrorLog /var/log/apache2/error.log | |
- | + | # Possible values include: debug, info, notice, warn, error, crit, | |
- | + | # alert, emerg. | |
+ | LogLevel warn | ||
- | + | CustomLog /var/log/apache2/ssl_access.log combined | |
- | + | '''ServerSignature Off''' | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | Alias /doc/ "/usr/share/doc/" | |
- | + | <Directory "/usr/share/doc/"> | |
- | + | Options Indexes MultiViews FollowSymLinks | |
- | + | AllowOverride None | |
- | + | Order deny,allow | |
- | + | Deny from all | |
- | + | Allow from 127.0.0.0/255.0.0.0 ::1/128 | |
+ | </Directory> | ||
- | + | # SSL Engine Switch: | |
+ | # Enable/Disable SSL for this virtual host. | ||
+ | SSLEngine on | ||
- | + | # A self-signed (snakeoil) certificate can be created by installing | |
- | + | # the ssl-cert package. See | |
- | + | # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. | |
+ | # If both key and certificate are stored in the same file, only the | ||
+ | # SSLCertificateFile directive is needed. | ||
+ | # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | ||
+ | # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | ||
+ | '''SSLCertificateFile /etc/ssl/certs/server.crt''' | ||
+ | '''SSLCertificateKeyFile /etc/ssl/private/server.key''' | ||
- | + | # Server Certificate Chain: | |
+ | # Point SSLCertificateChainFile at a file containing the | ||
+ | # concatenation of PEM encoded CA certificates which form the | ||
+ | # certificate chain for the server certificate. Alternatively | ||
+ | # the referenced file can be the same as SSLCertificateFile | ||
+ | # when the CA certificates are directly appended to the server | ||
+ | # certificate for convinience. | ||
+ | #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt | ||
- | + | # Certificate Authority (CA): | |
- | + | # Set the CA certificate verification path where to find CA | |
- | + | # certificates for client authentication or alternatively one | |
- | + | # huge file containing all of them (file must be PEM encoded) | |
- | + | # Note: Inside SSLCACertificatePath you need hash symlinks | |
- | + | # to point to the certificate files. Use the provided | |
- | + | # Makefile to update the hash symlinks after changes. | |
- | + | #SSLCACertificatePath /etc/ssl/certs/ | |
+ | #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt | ||
+ | |||
+ | # Certificate Revocation Lists (CRL): | ||
+ | # Set the CA revocation path where to find CA CRLs for client | ||
+ | # authentication or alternatively one huge file containing all | ||
+ | # of them (file must be PEM encoded) | ||
+ | # Note: Inside SSLCARevocationPath you need hash symlinks | ||
+ | # to point to the certificate files. Use the provided | ||
+ | # Makefile to update the hash symlinks after changes. | ||
+ | #SSLCARevocationPath /etc/apache2/ssl.crl/ | ||
+ | #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl | ||
+ | |||
+ | # Client Authentication (Type): | ||
+ | # Client certificate verification type and depth. Types are | ||
+ | # none, optional, require and optional_no_ca. Depth is a | ||
+ | # number which specifies how deeply to verify the certificate | ||
+ | # issuer chain before deciding the certificate is not valid. | ||
+ | #SSLVerifyClient require | ||
+ | #SSLVerifyDepth 10 | ||
+ | |||
+ | # Access Control: | ||
+ | # With SSLRequire you can do per-directory access control based | ||
+ | # on arbitrary complex boolean expressions containing server | ||
+ | # variable checks and other lookup directives. The syntax is a | ||
+ | # mixture between C and Perl. See the mod_ssl documentation | ||
+ | # for more details. | ||
+ | #<Location /> | ||
+ | #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ | ||
+ | # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ | ||
+ | # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ | ||
+ | # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ | ||
+ | # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ | ||
+ | # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ | ||
+ | #</Location> | ||
+ | |||
+ | # SSL Engine Options: | ||
+ | # Set various options for the SSL engine. | ||
+ | # o FakeBasicAuth: | ||
+ | # Translate the client X.509 into a Basic Authorisation. This means that | ||
+ | # the standard Auth/DBMAuth methods can be used for access control. The | ||
+ | # user name is the `one line' version of the client's X.509 certificate. | ||
+ | # Note that no password is obtained from the user. Every entry in the user | ||
+ | # file needs this password: `xxj31ZMTZzkVA'. | ||
+ | # o ExportCertData: | ||
+ | # This exports two additional environment variables: SSL_CLIENT_CERT and | ||
+ | # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the | ||
+ | # server (always existing) and the client (only existing when client | ||
+ | # authentication is used). This can be used to import the certificates | ||
+ | # into CGI scripts. | ||
+ | # o StdEnvVars: | ||
+ | # This exports the standard SSL/TLS related `SSL_*' environment variables. | ||
+ | # Per default this exportation is switched off for performance reasons, | ||
+ | # because the extraction step is an expensive operation and is usually | ||
+ | # useless for serving static content. So one usually enables the | ||
+ | # exportation for CGI and SSI requests only. | ||
+ | # o StrictRequire: | ||
+ | # This denies access when "SSLRequireSSL" or "SSLRequire" applied even | ||
+ | # under a "Satisfy any" situation, i.e. when it applies access is denied | ||
+ | # and no other module can change it. | ||
+ | # o OptRenegotiate: | ||
+ | # This enables optimized SSL connection renegotiation handling when SSL | ||
+ | # directives are used in per-directory context. | ||
+ | #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire | ||
+ | <FilesMatch "\.(cgi|shtml|phtml|php)$"> | ||
+ | SSLOptions +StdEnvVars | ||
+ | </FilesMatch> | ||
+ | <Directory /usr/lib/cgi-bin> | ||
+ | SSLOptions +StdEnvVars | ||
+ | </Directory> | ||
+ | |||
+ | # SSL Protocol Adjustments: | ||
+ | # The safe and default but still SSL/TLS standard compliant shutdown | ||
+ | # approach is that mod_ssl sends the close notify alert but doesn't wait for | ||
+ | # the close notify alert from client. When you need a different shutdown | ||
+ | # approach you can use one of the following variables: | ||
+ | # o ssl-unclean-shutdown: | ||
+ | # This forces an unclean shutdown when the connection is closed, i.e. no | ||
+ | # SSL close notify alert is send or allowed to received. This violates | ||
+ | # the SSL/TLS standard but is needed for some brain-dead browsers. Use | ||
+ | # this when you receive I/O errors because of the standard approach where | ||
+ | # mod_ssl sends the close notify alert. | ||
+ | # o ssl-accurate-shutdown: | ||
+ | # This forces an accurate shutdown when the connection is closed, i.e. a | ||
+ | # SSL close notify alert is send and mod_ssl waits for the close notify | ||
+ | # alert of the client. This is 100% SSL/TLS standard compliant, but in | ||
+ | # practice often causes hanging connections with brain-dead browsers. Use | ||
+ | # this only for browsers where you know that their SSL implementation | ||
+ | # works correctly. | ||
+ | # Notice: Most problems of broken clients are also related to the HTTP | ||
+ | # keep-alive facility, so you usually additionally want to disable | ||
+ | # keep-alive for those clients, too. Use variable "nokeepalive" for this. | ||
+ | # Similarly, one has to force some clients to use HTTP/1.0 to workaround | ||
+ | # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and | ||
+ | # "force-response-1.0" for this. | ||
+ | BrowserMatch ".*MSIE.*" \ | ||
+ | nokeepalive ssl-unclean-shutdown \ | ||
+ | downgrade-1.0 force-response-1.0 | ||
</VirtualHost> | </VirtualHost> | ||
+ | |||
+ | </IfModule> | ||
+ | |||
+ | |||
+ | |||
+ | *Although Apache does not support SSL name based virtual hosts, it might be required that more than one sub-domain has to be accessed through SSL only. There is a simple workaround that is added <code>NameVirtualHost *:443</code> to the <code>ports.conf</code> file. So it may look like | ||
+ | |||
+ | # If you just change the port or add more ports here, you will likely also | ||
+ | # have to change the VirtualHost statement in | ||
+ | # /etc/apache2/sites-enabled/000-default | ||
+ | |||
+ | NameVirtualHost *:80 | ||
+ | Listen 80 | ||
+ | |||
+ | <IfModule mod_ssl.c> | ||
+ | # SSL name based virtual hosts are not yet supported, therefore no | ||
+ | # NameVirtualHost statement here | ||
+ | '''NameVirtualHost *:443''' | ||
+ | Listen 443 | ||
+ | </IfModule> | ||
Line 382: | Line 529: | ||
-To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt: | -To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt: | ||
- | $ openssl genrsa -des3 -out server.key | + | $ openssl genrsa -des3 -out server.key 2048 |
- | Generating RSA private key, | + | Generating RSA private key, 2048 bit long modulus |
.......................++++++ | .......................++++++ | ||
.++++++ | .++++++ | ||
Line 391: | Line 538: | ||
Verifying - Enter pass phrase for server.key:'''your confirm passphrase''' | Verifying - Enter pass phrase for server.key:'''your confirm passphrase''' | ||
+ | * '''**Or use the following command to generate both key and csr files.**''' | ||
+ | <pre> | ||
+ | $ openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr | ||
+ | </pre> | ||
-To See the details of the RSA private key. | -To See the details of the RSA private key. | ||
<pre> | <pre> | ||
- | $ openssl rsa -noout -text -in server.key | + | $ openssl rsa -noout -text -in server.key |
</pre> | </pre> | ||
- | |||
====Remove Passphrase from Key File==== | ====Remove Passphrase from Key File==== | ||
Line 402: | Line 552: | ||
-Make backup file first | -Make backup file first | ||
<pre> | <pre> | ||
- | $ cp server.key server.key.original | + | $ cp server.key server.key.original |
</pre> | </pre> | ||
-Remove the encryption from the RSA private key. | -Remove the encryption from the RSA private key. | ||
<pre> | <pre> | ||
- | $ openssl rsa -in server.key.original -out server.key | + | $ openssl rsa -in server.key.original -out server.key |
</pre> | </pre> | ||
-Make sure the server.key file is only readable by root: | -Make sure the server.key file is only readable by root: | ||
<pre> | <pre> | ||
- | $ chmod 400 server.key | + | $ chmod 400 server.key |
</pre> | </pre> | ||
Line 430: | Line 580: | ||
State or Province Name (full name) [Some-State]:'''State''' | State or Province Name (full name) [Some-State]:'''State''' | ||
Locality Name (eg, city) []:'''City''' | Locality Name (eg, city) []:'''City''' | ||
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Company''' | + | Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Company or Organisation Name''' |
Organizational Unit Name (eg, section) []:'''Section''' | Organizational Unit Name (eg, section) []:'''Section''' | ||
- | Common Name (eg, YOUR name) []:''' | + | Common Name (eg, YOUR name) []:'''your-domain.com''' |
Email Address []:'''email@address''' | Email Address []:'''email@address''' | ||
Line 442: | Line 592: | ||
-To see the details of this CSR | -To see the details of this CSR | ||
<pre> | <pre> | ||
- | $ openssl req -noout -text -in server.csr | + | $ openssl req -noout -text -in server.csr |
</pre> | </pre> | ||
Line 457: | Line 607: | ||
-To see the details of this certificate | -To see the details of this certificate | ||
<pre> | <pre> | ||
- | $ openssl x509 -noout -text -in server.crt | + | $ openssl x509 -noout -text -in server.crt |
</pre> | </pre> | ||
Latest revision as of 10:24, 29 July 2013
Contents |
Apache HTTP Server
Modules
UserDir
UserDir module allows users on the server have a web site in their home directory.
Configuration
-Check if the module is available in the directory /etc/apache2/mods-available/
-Open the conf file, /etc/apache2/mods-available/userdir.conf
.
$ gksudo gedit /etc/apache2/mods-available/userdir.conf &
<IfModule mod_userdir.c> UserDir public_html UserDir disabled root UserDir disabled UserDir enabled username <Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit # Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Options MultiViews SymLinksIfOwnerMatch IncludesNoExec </Directory> </IfModule>
-To prevent the files and directories from being listed when there are no index files such as index.html, index.htm and so on, remove Indexes from the following line
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
So it would be like this
Options MultiViews SymLinksIfOwnerMatch IncludesNoExec
It is already commented out from the above example.
-Enable the module.
$ cd cd /etc/apache2/mods-enabled/ $ sudo ln -s ../mods-available/userdir.load userdir.load $ sudo ln -s ../mods-available/userdir.conf userdir.conf
-Restart the Apache server
$ sudo /etc/init.d/apache2 restart
References
http://httpd.apache.org/docs/2.0/en/mod/mod_userdir.html
Virtual Hosts
-make a copy of the default virtual host configuration to have your own.
$ sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mysite
-e.g. Ubuntu Linux 8.04 Hardy
NameVirtualHost * <VirtualHost *> ServerAdmin kevin@localhost DocumentRoot /var/www/ <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> # Options Indexes FollowSymLinks MultiViews Options FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined ServerSignature Off Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost> ServerTokens Prod
<VirtualHost *> ServerAdmin kevin@localhost DocumentRoot /home/kevin/public_html ServerName kevin.kevin-home ErrorLog /home/kevin/logs/error_log TransferLog /home/kevin/logs/access_log </VirtualHost>
-Many virtual hosts with http & https,
NameVirtualHost *:80 NameVirtualHost *:443 <VirtualHost *:443> ServerAdmin kevin@yoursite.com SSLEngine on SSLOptions +StrictRequire SSLCertificateFile /etc/ssl/certs/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key DocumentRoot /var/www/ ServerName yoursite.com <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> # Options Indexes FollowSymLinks MultiViews Options FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined ServerSignature Off Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost> <VirtualHost *:80> ServerAdmin kevin@yoursite.com DocumentRoot /var/www/ ServerName yoursite.com <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> # Options Indexes FollowSymLinks MultiViews Options FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined ServerSignature Off Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost> #<VirtualHost *:80> # ServerAdmin kevin@yoursite.com # # DocumentRoot /home/kevin/public_html # ServerName kevin.yoursite.com # ErrorLog /home/kevin/logs/error_log # TransferLog /home/kevin/logs/access_log #</VirtualHost> <VirtualHost *:80> ServerAdmin kevin@yoursite.com DocumentRoot /var/www/blog ServerName blog.yoursite.com </VirtualHost> ServerTokens Prod
-NameVirtualHost *:443
is not necessary if there is only one virtual host using 443 port.
-Ubuntu Linux 8.10 Intrepid
<VirtualHost *:80> ServerAdmin webmaster@localhost ServerName your-domain.com DocumentRoot /var/www/ <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> # Options Indexes FollowSymLinks MultiViews Options FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined ServerSignature Off Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost> ServerTokens Prod
-Copy default-ssl
to mysite-ssl
and add the key file info.
<IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin webmaster@localhost ServerName your-domain.com DocumentRoot /var/www/ <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> # Options Indexes FollowSymLinks MultiViews Options FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/ssl_access.log combined ServerSignature Off Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key SSLCertificateFile /etc/ssl/certs/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath /etc/ssl/certs/ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath /etc/apache2/ssl.crl/ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. #SSLVerifyClient require #SSLVerifyDepth 10 # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_ssl documentation # for more details. #<Location /> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location> # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> # SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn't wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no # SSL close notify alert is send or allowed to received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is send and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost> </IfModule>
- Although Apache does not support SSL name based virtual hosts, it might be required that more than one sub-domain has to be accessed through SSL only. There is a simple workaround that is added
NameVirtualHost *:443
to theports.conf
file. So it may look like
# If you just change the port or add more ports here, you will likely also # have to change the VirtualHost statement in # /etc/apache2/sites-enabled/000-default NameVirtualHost *:80 Listen 80 <IfModule mod_ssl.c> # SSL name based virtual hosts are not yet supported, therefore no # NameVirtualHost statement here NameVirtualHost *:443 Listen 443 </IfModule>
Enable .htaccess
-Change AllowOverride None
e.g) <Directory /> Options FollowSymLinks AllowOverride None </Directory>
to
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
-make changes as you wish then disable the default one and enable yours.
$ sudo a2dissite default && sudo a2ensite mysite
-To check the virtual host setting
$ apache2 -S
-If it displays an error message like this
apache2: bad user name ${APACHE_RUN_USER}
-Try this
$ apache2ctl -S
Using SSL
Generating a Certificate Signing Request (CSR)
Generate A Key for the CSR
-To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt:
$ openssl genrsa -des3 -out server.key 2048 Generating RSA private key, 2048 bit long modulus .......................++++++ .++++++ e is 65537 (0x10001) Enter pass phrase for server.key:your passphrase Verifying - Enter pass phrase for server.key:your confirm passphrase
- **Or use the following command to generate both key and csr files.**
$ openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr
-To See the details of the RSA private key.
$ openssl rsa -noout -text -in server.key
Remove Passphrase from Key File
If there is a problem with starting apache when the computer is booted, remove passphrase from the key file can be used to solve it. -Make backup file first
$ cp server.key server.key.original
-Remove the encryption from the RSA private key.
$ openssl rsa -in server.key.original -out server.key
-Make sure the server.key file is only readable by root:
$ chmod 400 server.key
Create the CSR
-To create the CSR, run the following command at a terminal prompt:
$ openssl req -new -key server.key -out server.csr Enter pass phrase for server.key:your passphrase You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:Country State or Province Name (full name) [Some-State]:State Locality Name (eg, city) []:City Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company or Organisation Name Organizational Unit Name (eg, section) []:Section Common Name (eg, YOUR name) []:your-domain.com Email Address []:email@address Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:(e.g. a74mf94ns62kjdf8e) An optional company name []:
-To see the details of this CSR
$ openssl req -noout -text -in server.csr
Creating a Self-Signed Certificate
-To create the self-signed certificate, run the following command at a terminal prompt:
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=**/ST=***/L=******/O=**********/OU=******/CN=*********/emailAddress=*********** Getting Private key Enter pass phrase for server.key:your passphrase
-To see the details of this certificate
$ openssl x509 -noout -text -in server.crt
Installing the Certificate
$ sudo cp server.crt /etc/ssl/certs/ $ sudo cp server.key /etc/ssl/private/
Enable Module SSL
$ sudo a2enmod ssl Module ssl installed; run /etc/init.d/apache2 force-reload to enable.
$ sudo /etc/init.d/apache2 force-reload * Reloading web server config apache2 [ OK ]
Edit Site Enabled
-Add the following in the VirtualHost section under the DocumentRoot
SSLEngine on SSLOptions +StrictRequire SSLCertificateFile /etc/ssl/certs/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key
So it should look like:
<VirtualHost *> ServerAdmin blade2@localhost SSLEngine on SSLOptions +StrictRequire SSLCertificateFile /etc/ssl/certs/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key ...blah blah </VirtualHost>
-Restart the Apache server
$ sudo /etc/init.d/apache2 restart * Restarting web server apache2Apache/2.2.8 mod_ssl/2.2.8 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide the pass phrases. Server blade2-home:443 (RSA) Enter pass phrase: type your passphrase OK: Pass Phrase Dialog successful.
Reference
https://help.ubuntu.com/8.04/serverguide/C/certificates-and-security.html
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
http://www.apache-ssl.org/httpd.conf.example