Linux Security
    Linux Security
    Linux Security

    Building a secure web server using Apache and OpenSSL

    Date
    24683
    Posted By
    Using apache and OpenSSL you can create your own secure web server to keep authentication and other information private from prying eyes. Having a secure web server is a vital necessity if you are doing on-line administration, banking and/or e-commerce. You may just have personal information you need to access over the web and wish to make secure. Using a secure web server is perfect for these implementations.

    Using Apache, mod-ssl and OpenSSL we can create a secure server quickly and easily. We also no longer have to worry in the U.S. about the RSA encryption. Prior to Sept. 6, 2000 the RSA algorithm was fully patended by RSA. The patent officially expires on September 20, 2000, but RSA lifted the patent a little earlier. Because of this we no longer need to use the RSAREF package, which is still under license from RSA.

    The first task in setting up our secure server will be to retreive the software required to do it. We will need three vital packages, Apache, OpenSSL and mod-ssl.

    You must have the following packages installed:

    RPMs and Debian packages most certainly also exist. See your favorite mirror site for pre-built packages. Instead of using mod-ssl you also have the option to use Apache-SSL. This document will instead focus on using mod-ssl instead. Mod_SSL was derived from Apache-SSL originally. The code has been completely rewritten since then. Mod_SSL has been known to run faster and be easier to configure than Apache-SSL.

    Compile and Install OpenSSL First

    Assuming you have perl and a working compiler installed, decompress the three packages. Compile OpenSSL first (this takes a while):
    $ ./config
    $ make
    $ make test
    $ make install
    
    
    Once this is all done compile mod-ssl:
    Note: 'ALL' means you MUST have the option and 'optional' is optional.
    $ cd
    mod_ssl-2.6.x-1.3.x                             ALL
    $ ./configure \                                 ALL
          --with-apache=../apache_1.3.x \           ALL
          --with-ssl=../openssl-0.9.x \             ALL
          --with-mm=../mm-1.1.x \                   OPTIONAL
          --with-crt=/path/to/your/server.crt \     OPTIONAL
          --with-key=/path/to/your/server.key \     OPTIONAL
          --prefix=/path/to/apache \                ALL
         [--enable-shared=ssl] \                    OPTIONAL
         [--disable-rule=SSL_COMPAT] \              OPTIONAL
         [--enable-rule=SSL_SDBM] \                 OPTIONAL
         [--enable-rule=SSL_EXPERIMENTAL] \         OPTIONAL
         [--enable-rule=SSL_VENDOR] \               OPTIONAL
         [...more APACHE options...]                OPTIONAL
    $ cd ../apache_1.3.x
    $ make
    $ make certificate                                           
    $ make install                                                    
    

    For more information on compiling mod-ssl directly into Apache read the mod-ssl INSTALL and README files included with the package. They will provide you with the steps necessary to do this.

    Configure httpd.conf for SSL Support

    After Apache mod-ssl is installed, you can configure your httpd.conf like you would for a normal site. You will, however, have to setup your SSL secure site through a VirtualHost. You will access with https://my.site.com instead of https://my.site.com.

    There are many configuration options and requirements for a VirtualHost in Apache. Since there is too much to talk about here I will only give you an example of a basic VirtualHost. A VirtualHost contains the server name, system administrators e-mail address, the path to the files and a path to the logs for the host. It turns out looking something like this:
    
    ServerAdmin This email address is being protected from spambots. You need JavaScript enabled to view it.
    DocumentRoot /home/httpd/mysite/
    ErrorLog /var/log/httpd/mysite-errors_log
    TransferLog /var/log/httpd/mysite-transfers_log
    
    
    To add SSL support to your VirtualHost you must enable it and tell it where you have your certificate and key to decrypt it with. Add these lines before the '' tag:
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    

    These are basic SSL options for VirtualHosts. There are many more than can be listed in this short document. When you install mod_SSL into Apache the new httpd.conf will have examples and descriptions of VirtualHosts and SSL options. You can also find numerous documents at www.apache.org and www.modssl.org.

    Once configured, you are all set to start up the server. Start Apache in SSL mode by typing the following:

    [[email protected] #] /usr/sbin/httpd -startssl
    read RSA key
    Enter PEM pass phrase:
    

    Notice it asks you for a password. It will require a password to decrypt your key for the SSL encryption. This could prevent apache from working on startup. Here is a way around it, but it can be a security hazard.

    Go to where your stored httpd.conf and in the ssl.key directory you should see server.key. This contains your encrypted key. What we are going to do here is decrypt the key permently. The upside is you won't have to enter a password anymore. The security risk is that if the key is compromissed someone can possibly decrypt the information you send across your once secure connection.

    Before you decrypt the key make a backup first:

    [[email protected] #] cp /path/to/apache-conf/ssl.key/server.key server.key.old
    

    Now, using OpenSSL, decrypt the key:

    [[email protected] #] /usr/sbin/openssl rsa -in server.key.old -out server.key
    read RSA key
    Enter PEM pass phrase:
    

    It will prompt you for your password and decrypt your key. server.key now contains an unencrypted key. You must still start apache with httpd --startssl or the start-up file included with your RPM or dpkg.

    Resources

    Advisories

    LinuxSecurity Poll

    How are you contributing to Open Source?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 4 answer(s).
    /main-polls/37-how-are-you-contributing-to-open-source?task=poll.vote&format=json
    37
    radio
    [{"id":"127","title":"I'm involved with the development of an open-source project(s).","votes":"1","type":"x","order":"1","pct":100,"resources":[]},{"id":"128","title":"I've reported vulnerabilities I've discovered in open-source code.","votes":"0","type":"x","order":"2","pct":0,"resources":[]},{"id":"129","title":"I've provided developers with feedback on their projects.","votes":"0","type":"x","order":"3","pct":0,"resources":[]},{"id":"130","title":"I've helped another community member get started contributing to Open Source.","votes":"0","type":"x","order":"4","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.