
Configuring Apache 2 Server with SSL Support


Emre Celebi 06/08/2005



Introduction



This HOWTO is a step-by-step guide for configuring the Apache web server with SSL support. It covers installing, configuring and troubleshooting the Apache 2.0 web server with SSL support. It also explains how to create a local Certification Authority (CA) and an SSL certificate with the open-source OpenSSL library for use with the web server.

Apache is a free, robust web server (http://httpd.apache.org/) released under an open-source license. Because it supports many different operating systems (including Linux, Solaris, HPUX, FreeBSD, IRIX, AIX, Windows) and is considered more secure and reliable than other available commercial web servers, it is now used by millions of Web sites around the world.

SSL stands for Secure Sockets Layer, a protocol developed by Netscape (www.netscape.com). It is the most widely known and used protocol for providing privacy and reliability in client-server communication. It uses cryptographic algorithms to create encrypted tunnels for other protocols such as HTTP, IMAP and NNTP. This mini HOW-TO does not cover the details of how SSL provides confidentiality, integrity and authentication using cryptographic algorithms; it covers how to benefit from it. You are highly encouraged to visit the official SSL homepage, www.ssl.org, for more information about the SSL protocol.

By default, the Apache server does not have SSL support; it must be explicitly configured and compiled with it. The following sections cover the technical details of installing and configuring Apache with SSL support.


Before You Start



Since we will install and configure the Apache server with SSL support from scratch, we need to obtain the latest version of the Apache 2.0 server from http://httpd.apache.org/ before going further. We have chosen Apache 2.0 for this HOW-TO; however, most of the configuration and examples should also work for Apache 1.3.x versions.

For the installation platform we use the Fedora Core 3 Linux operating system. The instructions should also be valid for any Linux-like operating system, provided that the GNU C Compiler, GCC (www.gcc.gnu.org), and OpenSSL (www.openssl.org) packages are installed on it.

This HOW-TO will cover the following topics:
This HOW-TO will NOT cover the following topics:

For the example installation and configuration we will use the www.learnsecurityonline.com domain name with the 128.20.8.144 IP address; you need to change these values according to your network configuration.


Configuring and Installing Apache 2 Server



After downloading the latest source code from the Apache home page, the first step is to unzip and untar it on the server, as shown in Figure 1.

Figure 1: Unzipping/untarring the server source code


When you extract the source code with the tar command, a new directory named httpd-X.Y.Z is created on the server, where X.Y.Z is the version number of Apache that you downloaded. In the above example, untarring the source creates a directory named httpd-2.0.53.

After extracting the source code, enter the newly created directory and run the command shown in Figure 2 to configure the Apache source code with SSL support.

Figure 2: Configuring the Apache source code with SSL support


Note that the --prefix parameter in the above command selects /var/apache as the main installation directory. You can change this to any directory on your server; in that case, remember to adjust the directory names used in the rest of this HOW-TO to match your main installation directory.

When the configure script finishes, the source code is ready for compilation, and you can run the make and make install commands to compile and install the Apache web server on your system.

If compilation succeeds, the server is installed on your system and we can start the web server to test whether it is installed correctly. To perform this test:

Figure 3: Starting the Apache server


Since we didn’t state the server’s fully qualified domain name (FQDN), such as www.learnsecurityonline.com, in the main Apache configuration file, the warning shown just after the execution of the apachectl command is normal and you can safely ignore it for the moment.

After starting the web server, try to connect to it with any web browser on a client that you know has network access to the newly installed web server. Supply the IP address of your server in the URL as shown below. If the connection is successful, you should see the following web page in your browser.

Figure 4: Apache installation test page


The web content shown in Figure 4 is the test page for the Apache installation; if you can see it after installing the Apache web server, the installation was successful.

At this point our web server installation is complete and we can move on to the SSL certificate part. If you encounter any problems with either the compilation or the testing phase, follow the error messages to correct them. You can read the detailed manuals on the www.apache.org web site for more information about troubleshooting.


Creating Self-Signed SSL Certificates



To enable SSL support for our web server, we need to create private key and certificate files for it. Normally, a production web server certificate needs to be signed by a well-known Certificate Authority (CA) such as VeriSign (www.verisign.com). If a CA has signed a certificate, that entity vouches for the certificate's authenticity (i.e. the CA has proven to its own satisfaction that the site holding the certificate really is what it claims to be). However, you can also create self-signed certificates for testing and intranet usage. Self-signed certificates are generated without any outside authority to verify that the server presenting the certificate is what it claims to be. We will create a self-signed certificate for our SSL configuration, since it is faster and cheaper (it actually costs nothing) than the official certificate issuing methods.

Before creating the key and certificate files for our web server, we need to create some directories to hold them. Use the commands shown in Figure 5 to create these directories.

Figure 5: Creating directories for keys and certificates


After that, use the openssl command on your web server to create a self-signed certificate. Issue the command shown below to create the site certificate.

Figure 6: Creating the self-signed site certificate


Note that the above command uses some predefined values for our certificate, such as a 90-day expiration period. You are highly encouraged to obtain more information about the openssl command and its usage.

When you execute the above command, openssl will ask you for a PEM pass phrase. This pass phrase is used to access your key, and you are advised to choose a strong one.

After successful execution, the above command creates the necessary key and certificate files under the specified directories.
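
The steps in this section, as an added example that is not the HOWTO's own command from Figure 6: it creates a pass-phrase-protected key and a 90-day self-signed certificate in the ssl.key/ssl.crt layout, then checks that the two files belong together. The temporary directory, the RSA 2048-bit key size, the KEY_PASS environment variable and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the HOWTO's own commands. Files follow the HOWTO's
# ssl.key/ and ssl.crt/ layout, but under a temporary directory.
# Assumptions: RSA 2048-bit key, pass phrase read from $KEY_PASS.

# make_cert CONF_DIR COMMON_NAME DAYS: key pair plus self-signed certificate.
make_cert() {
    mkdir -p "$1/ssl.key" "$1/ssl.crt" && chmod 700 "$1/ssl.key" || return 1
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days "$3" \
        -subj "/CN=$2" -passout env:KEY_PASS \
        -keyout "$1/ssl.key/server.key" \
        -out "$1/ssl.crt/server.crt" 2>/dev/null || return 1
    chmod 600 "$1/ssl.key/server.key"
}

# The key file must be pass-phrase protected (its PEM header says ENCRYPTED).
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# key_matches_cert KEY CERT: the certificate carries this key's public half.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# Self-signed certificates have identical issuer and subject names
# (compared here through their name hashes).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# expires_between CERT MIN MAX: expiry lies MIN..MAX days from now.
expires_between() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null
}

KEY_PASS='constructed-demo-pass-phrase'; export KEY_PASS   # demo value only
CONF=$(mktemp -d)/conf
make_cert "$CONF" www.learnsecurityonline.com 90 &&
    key_is_encrypted "$CONF/ssl.key/server.key" &&
    key_matches_cert "$CONF/ssl.key/server.key" "$CONF/ssl.crt/server.crt" &&
    is_self_signed "$CONF/ssl.crt/server.crt" &&
    expires_between "$CONF/ssl.crt/server.crt" 89 91 &&
    echo "key and certificate are consistent; expiry is about 90 days out"
```

The same check functions can be pointed at the files under /var/apache/conf once KEY_PASS holds the real pass phrase.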


Configuring Apache 2 with SSL Support



After generating our server key and certificate files, we need to configure our web server to use them. For this purpose we will modify the ssl.conf file, which normally resides under the conf directory of the main Apache installation directory (for our installation it is /var/apache/conf).

You can edit the ssl.conf file with any text editor. Locate the parameters shown in Table 1 and adjust them to the values shown in the same table.

Parameter               Value
Listen                  443
SSLEngine               On
SSLPassPhraseDialog     Builtin
SSLCertificateFile      /var/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile   /var/apache/conf/ssl.key/server.key
SSLVerifyClient         none
SSLProxyEngine          off
ServerName              www.learnsecurityonline.com:443


You can leave the other parameters at their default values. Do not change any parameter-value combination unless you know what it means.
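
One way to check an edited ssl.conf against the Table 1 values, as an added example that is not part of the original HOWTO. The function names, the MISSING/MISMATCH output format and the sample file are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the HOWTO): audit an ssl.conf against Table 1.

# Print the value of directive $2 in file $1. Directive names are matched
# case-insensitively, as Apache does; surrounding quotes are stripped. A
# commented-out directive never matches: its first field starts with "#".
directive_value() {
    awk -v want="$2" 'tolower($1) == tolower(want) {
        v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print one line per deviation from Table 1; return 1 if any were found.
audit_ssl_conf() {
    conf=$1; bad=0
    while read -r name expected; do
        actual=$(directive_value "$conf" "$name")
        case $expected in
            /*) ;;   # file paths are compared exactly
            *)  actual=$(lower "$actual"); expected=$(lower "$expected") ;;
        esac
        if [ -z "$actual" ]; then
            echo "MISSING $name"; bad=1
        elif [ "$actual" != "$expected" ]; then
            echo "MISMATCH $name: found $actual, expected $expected"; bad=1
        fi
    done <<'EOF'
Listen 443
SSLEngine On
SSLPassPhraseDialog Builtin
SSLCertificateFile /var/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /var/apache/conf/ssl.key/server.key
SSLVerifyClient none
SSLProxyEngine off
ServerName www.learnsecurityonline.com:443
EOF
    return $bad
}

# Constructed sample: SSLEngine is off and SSLProxyEngine is absent.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Listen 443
<VirtualHost _default_:443>
  #SSLEngine on
  sslengine off
  SSLPassPhraseDialog builtin
  SSLCertificateFile "/var/apache/conf/ssl.crt/server.crt"
  SSLCertificateKeyFile /var/apache/conf/ssl.key/server.key
  SSLVerifyClient none
  ServerName www.learnsecurityonline.com:443
</VirtualHost>
EOF
audit_ssl_conf "$SAMPLE" || echo "ssl.conf deviates from Table 1"
```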

Once you have adjusted the ssl.conf file as shown above, we are ready to test our SSL-enabled Apache web server. The following section tests the configuration.


Testing the Configuration



To test the configuration, we first need to start the Apache server with SSL support. Run the following command from your main Apache installation directory to start the Apache server with SSL enabled.

Figure 7: Starting the Apache server with SSL enabled


While this command runs, you will need to supply the pass phrase that you chose during the key creation process. After you supply the pass phrase, the Apache server should start with SSL enabled.

To test whether your SSL-enabled web server started correctly, try to connect to the server over SSL by typing the https://server_ip_address URL into your client’s web browser. Note that you should use your own web server's IP address in this URL. For example, in our case we can test the server with the URL https://128.20.68.144. When you try to reach this URL, a window similar to Figure 8 should pop up. This is a normal warning message from the web browser, since our server certificate is not signed by a well-known CA.

Figure 8: Warning message from the web browser for an unknown CA


You can ignore this warning message and accept the server certificate. When you do so, a new page with detailed certificate information appears. On this page you can view the details of the server certificate to confirm that they are what you expect. When you choose the “Examine certificate” option, you will see information about the server certificate as shown in Figure 9.

Figure 9: Server certificate details


In this “Certificate Viewer” window, you can see that the details of this certificate exactly match the one we created, such as the 90-day validity period.

When you choose the “accept this certificate” option, the actual web page is loaded as shown in Figure 10. The yellow sign at the bottom right of your web browser means that this page is SSL enabled.

Figure 10: SSL-protected web page


If you can see this yellow sign at the bottom right of your web browser and can reach your server with a URL that starts with https, then your SSL-enabled Apache server is working correctly!


Further Notes and Reading

Learn Security Online (LSO) would be delighted for you to send any corrections or comments you may have to emre AT learnsecurityonline DOT com . If you also really need help with the configuration mentioned in this document, LSO technicians would be delighted to help you.












