Apache HTTP Secure Server Configuration


This section provides basic information on the Apache HTTP server with the mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components, provided with Red Hat Linux, will be referred to in this chapter as the secure Web server or just the secure server.

The mod_ssl module is a security module for the Apache HTTP server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP server — the ability to encrypt communications. In contrast, using regular HTTP, communications between a browser and a Web server are sent in plaintext, which could be intercepted and read by someone along the route between the browser and the server.

This section is not meant to be complete and exclusive documentation for any of these programs. When possible, we’ll point you to appropriate places where you can find more in-depth documentation on particular subjects. This section will show you how to install these programs. You will also learn the steps necessary to generate a private key and a certificate request, how to generate your own self-signed certificate, and how to install a certificate to use with your secure Web server.

The configuration for mod_ssl has moved from /etc/httpd/conf/httpd.conf to /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in /etc/httpd/conf/httpd.conf.

An Overview of Security-Related Packages

To enable the secure server, you need to have the following packages installed at a minimum.

httpd

The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP server modules, man pages, and other files used by the Apache HTTP server.

mod_ssl

The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

openssl

The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols and also includes a general-purpose cryptography library.

Additionally, the following software packages included with Red Hat Linux can provide certain security functionalities (but are not required by the secure server to function).

httpd-devel

The httpd-devel package contains the Apache HTTP server include files, header files, and the APXS utility. You will need all of these if you intend to load any extra modules, other than the modules provided with this product. If you do not intend to load other modules onto your Apache server, you do not need to install this package.

httpd-manual

The httpd-manual package contains the Apache Project’s Apache User’s Guide in HTML format. This manual is also available on the Web at http://httpd.apache.org/docs-2.0/.

OpenSSH packages

The OpenSSH packages provide the OpenSSH set of network connectivity tools for logging in to and executing commands on a remote machine. OpenSSH tools encrypt all traffic (including passwords), so you can avoid eavesdropping, connection hijacking, and other attacks on communications between your machine and the remote machine.

  • The openssh package includes core files needed by both the OpenSSH client programs and the OpenSSH server. The openssh package also contains scp, a secure replacement for rcp (for copying files between machines), and ftp (for transferring files between machines).

  • The openssh-askpass package supports the display of a dialog box that prompts for a password during use of the OpenSSH agent with RSA authentication.

  • The openssh-askpass-gnome package contains a GNOME GUI desktop environment dialog box that is displayed when OpenSSH programs prompt for a password. If you are running GNOME and using OpenSSH utilities, you should install this package.

  • The openssh-server package contains the sshd secure shell daemon and related files. The secure shell daemon is the server side of the OpenSSH suite and must be installed on your host if you want to allow SSH clients to connect to your host.

  • The openssh-clients package contains the client programs needed to make encrypted connections to SSH servers, including the following: ssh, a secure replacement for rsh; and slogin, a secure replacement for rlogin (for remote login) and telnet (for communicating with another host via the Telnet protocol).

    Tip

    For more information about OpenSSH, see the OpenSSH website, http://www.openssh.com.

openssl-devel

The openssl-devel package contains the static libraries and the include file needed to compile applications with support for various cryptographic algorithms and protocols. You need to install this package only if you are developing applications that include SSL support — you do not need this package to use SSL.

stunnel

The stunnel package provides the Stunnel SSL wrapper. Stunnel supports the SSL encryption of TCP connections, so it can provide encryption for non–SSL aware daemons and protocols (such as POP, IMAP, and LDAP) without requiring any changes to the daemon’s code.

Table 19-1 displays the location of the secure server packages and additional security-related packages within the package groups provided by Red Hat Linux. This table also tells you whether each package is optional or not for the installation of a secure Web server.

Table 19-1: Security packages

Package name            Located in group              Optional?
----------------------  ----------------------------  ---------
httpd                   System Environment/Daemons    no
mod_ssl                 System Environment/Daemons    no
openssl                 System Environment/Libraries  no
httpd-devel             Development/Libraries         yes
httpd-manual            Documentation                 yes
openssh                 Applications/Internet         yes
openssh-askpass         Applications/Internet         yes
openssh-askpass-gnome   Applications/Internet         yes
openssh-clients         Applications/Internet         yes
openssh-server          System Environment/Daemons    yes
openssl-devel           Development/Libraries         yes
stunnel                 Applications/Internet         yes

An Overview of Certificates and Security

Your secure Web server provides security using a combination of the Secure Sockets Layer (SSL) protocol and (in most cases) a digital certificate from a Certificate Authority (CA). SSL handles the encrypted communications and the mutual authentication between browsers and your secure Web server. The CA-approved digital certificate provides authentication for your secure Web server (the CA puts its reputation behind its certification of your organization’s identity). When your browser is communicating using SSL encryption, you will see the https:// prefix at the beginning of the Uniform Resource Locator (URL) in the navigation bar.

Encryption depends upon the use of keys (think of them as secret encoder/decoder rings in data format). In conventional or symmetric cryptography, both ends of the transaction have the same key, which they use to decode each other’s transmissions. In public-key or asymmetric cryptography, two keys coexist: a public key and a private key. A person or an organization keeps their private key a secret, and publishes their public key. Data encoded with the public key can be decoded only with the private key; data encoded with the private key can be decoded only with the public key.

To set up your secure server, you will use public-key cryptography to create a public and private key pair. In most cases, you will send your certificate request (including your public key), proof of your company’s identity, and payment to the CA. The CA will verify the certificate request and your identity and then send back a certificate for your secure Web server.

A secure server uses a certificate to identify itself to Web browsers. You can generate your own certificate (called a “self-signed” certificate) or you can get a certificate from a Certificate Authority or CA. A certificate from a reputable CA guarantees that a website is associated with a particular company or organization. Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates will not be automatically accepted by a user’s browser — the user will be asked by the browser if he or she wants to accept the certificate and create the secure connection. See the “Types of Certificates” section of this chapter for more information on the differences between self-signed and CA-signed certificates. Once you have a self-signed certificate or a signed certificate from the CA of your choice, you will need to install it on your secure Web server.
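The key-pair, certificate-request and self-signed-certificate steps described in the two paragraphs above, as an added shell example using the openssl command-line tool (this is not the guide's own script). It assumes openssl is installed; the directory, subject fields and host name are constructed placeholders. The last two functions are the checks an administrator wants before installing the files: that the CSR's signature verifies, and that the certificate really belongs to the private key.

```shell
#!/bin/sh
# Added example: generate a private key, a certificate signing request (CSR)
# and a self-signed certificate, then verify that they belong together.
# Assumptions: openssl is on PATH; paths and subject values are placeholders.
set -eu

# Create a 2048-bit RSA key, a CSR for it and a self-signed cert in $1.
make_selfsigned() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"                    # private key must never be world-readable
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # The CSR carries the public key and identity; this is what a CA signs.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Example Org/CN=www.example.com" 2>/dev/null
    # Self-signed: the same key signs its own certificate instead of a CA.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Succeed (exit 0) if the CSR's signature verifies under its embedded public key.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Succeed if key and certificate share the same RSA modulus, i.e. one key pair.
# Comparing md5 of the modulus lines avoids diffing very long hex strings.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the certificate subject (the CN is what a browser compares to the host).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone run: DEMO=1 sh this_script.sh
if [ "${DEMO:-0}" = 1 ]; then
    make_selfsigned ./tls-demo
    csr_is_valid ./tls-demo/server.csr && echo "CSR signature OK"
    key_matches_cert ./tls-demo/server.key ./tls-demo/server.crt \
        && echo "key and certificate match"
    cert_subject ./tls-demo/server.crt
fi
```

The resulting server.key and server.crt are the files the chapter later tells you to install under the secure server's configuration directory; a browser will still prompt on the self-signed certificate, exactly as the text describes.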




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
