Originally Posted by sadique
How can we enable Apache with SSL support so that we can host sites with both http and https prefixes? Is it possible on the same IP with name-based virtual hosting?
Dear sadique,
Salam,
Apache-SSL Guide
"Apache-SSL is a secure Webserver, based on Apache and SSLeay/ OpenSSL. It is licensed under a BSD-style licence, which means, in short, that you are free to use it for commercial or non-commercial purposes (although you are advised to read the SSLeay Is this legal? FAQ before deploying a server), so long as you retain the copyright notices. This is the same licence as used by Apache from version 0.8.15."
Apache-SSL has the same purpose as mod-ssl; however, the configuration of apache-ssl tends to be a lot harder. On the other hand, an apache-ssl installation is more easily expandable than mod-ssl as for adding php, mysql, etc.
First grab the Apache 1.3.12 source from http://www.apache.org/dist/, then get the apache_1.3.12+ssl patch from here (get the latest) and finally you will need openssl-0.9.5a which can be found at http://www.openssl.org/source/.
Next you will need to move the apache and OpenSSL files into /usr/local and untar them by running the following commands:
tar -zxvf openssl-0.9.5a.tar.gz
tar -zxvf apache_1.3.12.tar.gz
Now, untar the ApacheSSL patch in the Apache source directory that was created when you untar'ed the files. (/usr/local/apache_1.3.12)
Move into the apache src directory (/usr/local/apache_1.3.12) and execute the apachessl patch script by running:
cd /usr/local/apache_1.3.12
./FixPatch
Configure and compile apache as you normally would and make a test certificate.
./configure --prefix=/usr/local/apachessl --enable-shared=max
make
cd src
make certificate (follow prompts from here)
make install
Now you need to copy a few files:
Cd to /usr/local/apache_1.3.12 and copy the directory "src" to /usr/local/apachessl
Cd to /usr/local/apache_1.3.12/SSLconf/conf and copy "httpd.conf" to /usr/local/apachessl/conf/httpsd.conf
Cd to /usr/local/apache_1.3.12/SSLconf/conf and copy "httpsd.pem" to /usr/local/apachessl/conf/httpsd.pem
Edit /usr/local/apachessl/conf/httpsd.conf (get comfortable, this is gonna take a while)
Change the following to match your box:
-User root to User nobody (it's bad for apache to run as root)
-Group root to Group nobody
-Uncomment the LoadModules and change their paths to match your box
-CA list sending is uncommented for testing purposes only; comment it out once your server is a production box
-Comment SSLRandomFile /dev/urandom 1024
-Look for a batch of lines that read
Port 8888
Listen 8887
Listen 888*
Change this to:
Port 443
Listen 443
#Listen 80 (use only if you want to run an ssl/non-ssl server)
-DocumentRoot /usr/local/apachessl/htdocs
-SSLCacheServer path to match /usr/local/apachessl/src/modules/ssl/gcache
-SSLCACertificatePath to match the path to your certificates.
-SSLCertificateFile
Apache-ssl doesn't support CustomLog or TransferLog, so you must disable them. If you want to log you must use "SSLLogFile /logfilepath"
-Comment out CustomLog (put a hashmark - # in front of the line)
-Comment out TransferLog
To start/stop apache-ssl run the following:
/usr/local/apachessl/bin/httpsdctl start
to stop it run:
/usr/local/apachessl/bin/httpsdctl stop
Notes:
Make certificate is just a test thing; refer to the mod_ssl guide on how to make your certificates and keys.
When starting apache for the first time, you should tail /usr/local/apachessl/logs/error_log and httpsd_error_log to see if there are any errors.
Having trouble? Got questions? Require further assistance? If so please feel free to contact me !!
Best Regards.
Färrükh Ähmëd
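A check for the httpsd.conf edits listed in the post above, as an added example that is not part of the original post or of Apache-SSL. The function names and the sample config are constructed here, and the check assumes one directive per line.

```shell
#!/bin/sh
# Lint an Apache-SSL httpsd.conf against the edit checklist in the post:
# User/Group not root, Port/Listen moved to 443, CustomLog/TransferLog disabled.
# Prints one finding per line and returns 1 if anything is left to fix.
check_httpsd_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        { key = tolower($1) }                  # directive names are case-insensitive
        key == "user"  && $2 == "root" { print "User is still root";  bad = 1 }
        key == "group" && $2 == "root" { print "Group is still root"; bad = 1 }
        key == "port"  && $2 != "443"  { print "Port is " $2 ", expected 443"; bad = 1 }
        key == "listen" {
            p = $2; sub(/^.*:/, "", p)         # accept "Listen ip:port" as well
            if (p == "443") have443 = 1
            else if (p != "80") { print "Listen " $2 " is not 443 or 80"; bad = 1 }
        }
        key == "customlog" || key == "transferlog" { print $1 " is still active"; bad = 1 }
        END {
            if (!have443) { print "no Listen 443 line"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample resembling an unedited config (not a real distribution file).
sample_conf() {
cat <<'EOF'
User root
Group nobody
Port 8888
Listen 8887
#Listen 80
CustomLog logs/access_log common
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
check_httpsd_conf "$tmp" || true               # print findings for the sample
rm -f "$tmp"
```

Run it as `check_httpsd_conf /usr/local/apachessl/conf/httpsd.conf` before the first `httpsdctl start`.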