A.3 Installing Apache to Use SSL

A.3 Installing Apache to Use SSL

This section describes how to install a secure version of the Apache web server. There are three major differences encountered when installing Apache to use SSL versus installing Apache normally:

Secure Sockets Layer software is required.

There are several sources of Secure Sockets Layer software. The OpenSSL is probably the most-commonly used with Apache

SSL patches must be applied to the Apache code before it is configured and compiled.

Unlike installing other Apache modules, SSL installation requires that the core Apache source code be modified or patched. Normal Apache modules such as the PHP module interact with Apache using a defined application programming interface or API. The Apache API provides functions that hide the details of dealing with HTTP from Apache module developers.

However, the code that implements SSL needs to encrypt and decrypt HTTP requests and responses. The Apache API is aimed at the wrong level, and SSL patches need to be applied to Apache. There are several open source and commercial SSL extensions and patches to Apache available. ApacheSSL (http://www.apache-ssl.org ) and mod_ssl (http://www.modssl.org) are both open source and easy to install. We describe the installation of ApacheSSL in this section.

A site certificate needs to be obtained and configured.

A self-signed certificate can be created, but it needs to replaced with a purchased certificate from a Certification Authority when an application goes live. There are dozens of organizations that can provide authoritative certificates, including companies such as Verisign and Thawte.

A.3.1 Installing OpenSSL

1. Get the latest version of the OpenSSL from http://www.openssl.org/source/. Download the Unix tar-ed and gzip-ed file under the heading "Tarball." For example, download the file openssl-0.9.6a.tar.gz.

2. Put the distribution file in a directory that can be used to build the OpenSSL libraries. In our installation instructions, we use /usr/local/. The default installation process installs OpenSSL in /usr/local/ssl. To use /usr/local/, log in as the root user of the Linux installation; in any case, root access is required in Step 5 to install in the default location.

3. Uncompress and un-tar the distribution file in the new installation directory using gzip and tar. If the version downloaded was 0.9.6a, the commands are:

   % gzip -d openssl-0.9.6a.tar.gz % tar xvf openssl-0.9.6a.tar

   The distribution files are listed as they are extracted from the tar file.

4. Change the directory to the openssl source directory, run the config script, and then make the installation. Assuming the version downloaded is 0.9.6a, the commands are:

   % cd openssl-0.9.6a % ./config % make % make test

   To install OpenSSL in a directory other than /usr/local/ssl, run config with the openssldir=<directory-path> directive.

5. Build the install binaries of SSL. To do this, log in as the root user, and then run the make install script:

   % make install

   This creates an installation of SSL in the directory /usr/local/ssl.

A.3.2 Installing Apache and ApacheSSL

Both Apache and ApacheSSL need to be installed together, and the ApacheSSL version must match the Apache version. ApacheSSL may not always be available for the latest version of Apache, so it is worth checking out the latest ApacheSSL version first. The current version of ApacheSSL is applied to Apache 1.3.19.

1. Get the latest version of ApacheSSL by selecting a download site from http://www.apache-ssl.org/ Download the tar-ed and gzip-ed distribution file. For example, apache_1.3.19+ssl_1.44.tar.gz.

2. Get the matching version of the Apache web server source code that also ends with .tar.gz from http://www.apache.org/dist/httpd/. For example, if the ApacheSSL version downloaded in Step 1 was apache_1.3.19+ssl_1.44.tar.gz, retrieve apache_1.3.19.tar.gz.

3. Put the Apache distribution file in the base directory where the installation is to be performed. For these instructions, use /usr/local/ as in the Apache installation instructions earlier in this appendix.

4. Unpack the Apache package first by running gzip -d <filename> and tar xvf <filename>. With Apache Version 1.3.19:

   % cd /usr/local % gzip -d apache_1.3.19.tar.gz % tar xvf apache_1.3.19.tar

   This creates an apache_1.3.19 source directory. Record the directory name that was created to use in the next steps. It's assumed from here on that the version is 1.3.19, and the directory is apache_1.3.19.

5. Copy the ApacheSSL distribution into the directory created in Step 4 that already contains the Apache source:

   % cp apache_1.3.19+ssl_1.44.tar.gz /usr/local/apache_1.3.19

6. Unpack the ApacheSSL distribution:

   % cd /usr/local/apache_1.3.19 % gzip -d apache_1.3.19+ssl_1.44.tar.gz % tar xvf apache_1.3.19+ssl_1.44.tar

7. Apply the patches using the FixPatch script that comes with ApacheSSL. This script copies the appropriate files from the OpenSSL installation:

   % ./FixPatch /usr/local/ssl

8. Type yes when prompted:

   Do you want me to apply the fixed-up Apache-SSL patch for you? [n] yes

9. You've now applied the patches to Apache and can continue with the normal installation by following Steps 6 to 10 in the Apache installation instructions earlier in this appendix.

A.3.3 Creating a Key and Certificate

For ApacheSSL to operate, it needs to be configured with a private key and a certificate. ApacheSSL comes with a script that runs the openssl utility to create a key and a self-signed certificate. This is the easiest way to get started. Once the key and certificate have been created, they need to be configured into Apache. Again, the version of Apache and the patch applied are assumed to be Version 1.3.19; if a different version is used, the following steps need to be changed to include the correct directories based on the version number.

1. Create the key and signed certificate.

   % cd /usr/local/apache_1.3.19/src % make certificate

2. The make certificate script asks for several fields including country, state, organization name, and the machine hostname encoded into the certificate. The script produces a file that contains both the private key and the signed certificate:

   /usr/local/apache_1.3.19/SSLconf/conf/httpsd.pem

3. After logging in as the root user, copy the key and certificate file into the Apache installation:

   % cd /usr/local/apache_1.3.19/SSLconf/conf % cp httpsd.pem /usr/local/apache/conf/default.pem

4. Modify the httpsd.conf file with a text editor so that PHP files are processed by the PHP scripting engine. The configuration file is found in the directory /usr/local/apache/conf/. Remove the initial # character from the following line:

   AddType application/x-httpd-php .php

5. Modify the httpsd.conf file by changing the Port from 80 to the secure web server port 443:

   Port 443

6. Add the following lines to the end of the httpsd.conf file:

   # # SSL Parameters # SSLCACertificateFile /usr/local/apache/conf/default.pem SSLCertificateFile /usr/local/apache/conf/default.pem SSLCacheServerPath /usr/local/apache/bin/gcache SSLCacheServerPort 18698 SSLSessionCacheTimeout 3600

7. Start Apache. Unlike a normal Apache installation, ApacheSSL creates an httpsdctl script:

   % /usr/local/apache/bin/httpsdctl start

   In some cases, this doesn't correctly start Apache. If this happens, use the following alternative commands to explicitly specify the configuration file to use with the secure Apache:

   % cd /usr/local/apache/ % bin/httpsd -f conf/httpsd.conf

8. A secure Apache is now running and serving requests on port 443 the default HTTPS port with SSL. This can be tested by requesting the resource https://localhost/ with a web browser. The installation process is now complete.

When a resource such as https://localhost/ is requested with a browser, the browser alerts the user to an unknown certificate. To obtain a certificate that will be trusted by users, the openssl utility needs to be run to create a private key and a certificate request. The certificate request is then sent to a Certification Authority to be signed using their authoritative certificates. There is a fee for this service. While the Apache configuration allows both the key and the certificate to be placed in the one file, the private key should not be sent to anyone, not even the Certification Authority.

If a trusted certificate is required, consult the OpenSSL documentation that describes how to create keys and Certificate Signing Requests. This documentation can be found at http://www.openssl.org/docs/apps/openssl.html.