One feature that's often used in conjunction with scripting is encryption. More precisely, the Secure Sockets Layer (SSL) is an encryption protocol that can be used to encrypt data that pass between the Web server and Web browser to protect the data from prying eyes. SSL is frequently used on e-commerce sites and others that handle sensitive data. Apache is capable of handling SSL encryption, but only with the addition of supplemental software. There are various implementations of SSL for Apache, such as the Apache-SSL project (http://www.apache-ssl.org), mod_ssl (http://www.modssl.org), and various commercial sources.

Understanding SSL

SSL is a form of encryption technology that's similar to that used in the Secure Shell (SSH) remote login protocol. (In fact, the popular OpenSSH package relies on the OpenSSL package, which is also used by some SSL-enabled Apache implementations.) In terms of Web transfers, SSL was designed to solve two problems:
NOTE
SSL encryption isn't normally done on the usual HTTP port (80). The default port for secure HTTP (or HTTPS) transfers is 443. You can tell a Web browser to use this port by using https:// at the start of the URL rather than http://. When you configure Apache to use SSL, you'll have to either run one server that binds to both ports and treats them differently, or run two servers, one for each port. The former is usually the simpler approach, but if for some reason you want to run two different types of servers (such as Apache for secure requests and thttpd for normal requests), you can do so.

Configuring SSL

The first step in using SSL with Apache is to install and configure an SSL package. There are two SSL packages in common use in Linux:
OpenSSL is rapidly becoming the standard in Linux. (OpenSSL is actually derived from SSLeay, but SSLeay remains available as a separate package.) It's included in many Linux distributions, including Debian, Mandrake, Red Hat, and SuSE. SSLeay and OpenSSL are logically equivalent; they function in the same way, although different packages sometimes place configuration files in different locations, and their main binaries are named differently (ssleay and openssl, respectively). Once OpenSSL is installed, you need to obtain a certificate for it. For a public site, you should obtain your certificate through a CA, so that your users know you are who you claim to be. For testing purposes or to run a private site, though, you can use a certificate that you generate yourself. In fact, some Apache SSL installation scripts, like the one that ships with Debian, create such a certificate automatically. If yours doesn't, you can use a command like the following to do the job:

    # openssl req $@ -new -x509 -nodes \
        -config /usr/share/doc/apache-ssl/examples/ssleay.cnf \
        -out /etc/apache-ssl/apache.pem \
        -keyout /etc/apache-ssl/apache.pem

NOTE
When you type this command, openssl prompts for some information, such as your location and computer name. This information will be encoded in the certificate, which will reside in the /etc/apache-ssl/apache.pem file. If you obtain a certificate from a CA, you should replace your self-generated certificate file with whatever file your CA gives you. This should eliminate the warning message that users will see if they try to access a site that uses a self-generated certificate. Figure 20.2 shows one such warning message, as displayed by Opera in Linux; other browsers may format the information differently or present it across multiple dialog boxes.

Figure 20.2. If you use a self-generated certificate, users who access your site will see a warning that the certificate has expired or is not recognized.
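An added example (not from the book) that scripts the self-signed certificate step above non-interactively and then checks the result: it writes the private key followed by the certificate into one PEM file, the single-file layout the Debian apache.pem command produces, and confirms that the key belongs to the certificate and that the certificate has not yet expired. The output path, subject fields and host name are constructed for the demo; only the openssl binary is required.

```shell
#!/bin/sh
# Added example (not from the book): non-interactive self-signed certificate
# for an Apache SSL test setup, plus sanity checks on the resulting file.
# Output path, subject fields and host name are constructed for this demo.
set -eu

# make_self_signed OUTFILE DAYS HOSTNAME
# Writes private key followed by certificate into OUTFILE, the single-file
# layout the book's apache.pem command produces. Key and certificate are
# written separately and then concatenated so the result does not depend on
# how a given openssl version handles -out and -keyout naming the same file.
make_self_signed() {
    out=$1; days=$2; host=$3
    # -nodes: unencrypted key, so Apache can start without a passphrase prompt
    # -subj: supplies the answers the interactive command would prompt for
    openssl req -new -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=US/ST=Demo/L=Demo/O=Example Lab/CN=$host" \
        -keyout "$out.key" -out "$out.crt" 2>/dev/null
    cat "$out.key" "$out.crt" > "$out"
    rm -f "$out.key" "$out.crt"
    chmod 600 "$out"   # the file holds the private key; keep others out
}

# cert_cn FILE: print the Common Name embedded in the certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_cert FILE: succeed only if the private key in FILE belongs to
# the certificate in FILE (a mismatch is a classic reason Apache won't start)
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_valid_now FILE: succeed if the certificate has not expired; an expired
# certificate is one reason browsers show the warning in Figure 20.2
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}
```

Source the file and call, for example, make_self_signed /etc/apache-ssl/apache.pem 365 www.example.test, then key_matches_cert and cert_valid_now on the same path before pointing Apache at it.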
Enabling SSL in Apache

In principle, Apache can be configured to use SSL through an add-on module. In practice, though, the SSL module requires a few changes to the Apache server, so some SSL-enabled Apache packages provide a rebuilt Apache server along with the SSL extensions. Other distributions release an Apache package that was built with the SSL hooks, and provide an SSL extension package that works with the standard Apache package. If you try to mix and match regular Apache and SSL-enabled Apache packages, the combination might or might not work. Many SSL packages use a separate configuration file for the SSL-enabled server than for the standard server. For instance, Debian's SSL-enabled Apache configuration files reside in /etc/apache-ssl, whereas the standard Debian Apache files are in /etc/apache. The configuration files are largely the same as those for Apache without SSL support, so you should set details like the Web site directories in the same way. Some specific options you might need to change compared to a regular installation include the following:
There are several other SSL-related directives you can set. Consult the comments in the configuration file, your SSL-enabled Apache's documentation, or a book that covers SSL Apache configuration for details. Once you've configured SSL and Apache, you can start the SSL-enabled Apache server. You should then be able to reach the server by typing https:// rather than http:// in a URL for the server. If you've generated your own certificate, you'll probably see a warning like the one in Figure 20.2. You can accept the certificate (some browsers give you several options for the conditions in which they'll accept this certificate in the future) to continue testing the Web site.

WARNING