Securing Apache2

From Unconscious

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

-- ScottHerman - 15 Sep 2007

The above procedure generated a certificate that is good for about a month. Here's something a little better, from the Ubuntu 7.04 release documentation...

HTTPS Configuration

The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.

The mod_ssl module is available in the apache2-common package. If you have installed this package, you can run the following command from a terminal prompt to enable the mod_ssl module:

sudo a2enmod ssl


Certificates and Security

To set up your secure server, use public key cryptography to create a public and private key pair. In most cases, you send your certificate request (including your public key), proof of your company's identity, and payment to a Certificate Authority (CA). The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.

Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates are not automatically accepted by a user's browser. Users are prompted by the browser to accept the certificate and create the secure connection.

Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.

Types of Certificates

You need a key and a certificate to operate your secure server, which means that you can either generate a self-signed certificate or purchase a CA-signed certificate. A CA-signed certificate provides two important capabilities for your server:

  • Browsers (usually) automatically recognize the certificate and allow a secure connection to be made without prompting the user.
  • When a CA issues a signed certificate, it is guaranteeing the identity of the organization that is providing the web pages to the browser.

Most Web browsers that support SSL have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection.

You can generate a self-signed certificate for your secure server, but be aware that a self-signed certificate does not provide the same functionality as a CA-signed certificate. A self-signed certificate is not automatically recognized by most Web browsers, and a self-signed certificate does not provide any guarantee concerning the identity of the organization that is providing the website. A CA-signed certificate provides both of these important capabilities for a secure server. The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:

  1. Create a private and public encryption key pair.
  2. Create a certificate request based on the public key. The certificate request contains information about your server and the company hosting it.
  3. Send the certificate request, along with documents proving your identity, to a CA. We cannot tell you which certificate authority to choose. Your decision may be based on your past experiences, or on the experiences of your friends or colleagues, or purely on monetary factors.

    Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.
  4. When the CA is satisfied that you are indeed who you claim to be, they send you a digital certificate.
  5. Install this certificate on your secure server, and begin handling secure transactions.

Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key.

Generating a Certificate Signing Request (CSR)

To generate the Certificate Signing Request (CSR), you should create your own key. You can run the following command from a terminal prompt to create the key:

openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.....................++++++
.................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:

You can now enter your passphrase. For best security, it should contain at least eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or punctuation and not be a word in a dictionary. Also remember that your passphrase is case-sensitive.

Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in server.key file.

Warning

You can also run your secure web server without a passphrase. This is convenient because you will not need to enter the passphrase every time you start your secure web server. But it is highly insecure and a compromise of the key means a compromise of the server as well.

In any case, you can choose to run your secure web server without a passphrase by leaving out the -des3 switch in the generation phase or by issuing the following command at a terminal prompt:

openssl rsa -in server.key -out server.key.insecure

Once you run the above command, the insecure key will be stored in the server.key.insecure file. You can use this file to generate the CSR without passphrase.

To create the CSR, run the following command at a terminal prompt:

openssl req -new -key server.key -out server.csr

It will prompt you to enter the passphrase. If you enter the correct passphrase, it will prompt you to enter the Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and stored in the server.csr file. You can submit this CSR file to a CA for processing. The CA will use this CSR file to issue the certificate. Alternatively, you can create a self-signed certificate using this CSR.

Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


The above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the server.crt file.
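As an added example (not from the Ubuntu documentation or this wiki), the key, CSR and self-signed certificate steps above as one non-interactive shell script, followed by the checks worth running before installing the result: that the certificate's public key really is the one in server.key, what CN it carries, and how long it stays valid. It assumes openssl is on PATH; the directory, host name and subject fields are placeholders.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate, non-interactively,
# plus sanity checks. Not the page's own commands; openssl assumed on PATH.
set -eu

# Build server.key, server.csr and server.crt under $1 for host $2.
# Omitting -des3 (as the text describes) leaves the key unencrypted, so the
# file mode is the only thing protecting it. -subj supplies the fields that
# "openssl req" would otherwise prompt for (placeholder values).
gen_self_signed() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"              # never world-readable
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Example Org/CN=$host" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# A certificate only belongs with a key if the SubjectPublicKeyInfo in
# both is identical; compare the PEM public keys and return 0 on a match.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the subject CN (the name a browser compares against the host).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Return 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```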

Warning

If your secure server is to be used in a production environment, you probably need a CA-signed certificate. It is not recommended to use a self-signed certificate.

Installing the Certificate

You can install the key file server.key and the certificate file server.crt (or the certificate file issued by your CA) by running the following commands at a terminal prompt:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

You should add the following four lines to the /etc/apache2/sites-available/default file or the configuration file for your secure virtual host. You should place them in the VirtualHost section. They should be placed under the DocumentRoot line:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

I have my https configuration in /etc/apache2/sites-enabled/ssl. Here's what it looks like.

NameVirtualHost *:443
<VirtualHost *:443>
    ServerName unconxio.us
    ServerAdmin unconscious@unconxio.us

    SSLEngine On
    # SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    DocumentRoot /var/www/secured/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/secured/>
        Options Indexes FollowSymLinks MultiViews
        # AllowOverride None
        # Order allow,deny
        AuthType Basic
        AuthName "UnconsciousOnes"
        AuthUserFile /var/local/HTSecurity/HTPassWd
        Require valid-user
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        #RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/secured/
    <Directory "/usr/lib/cgi-bin/secured/">
        AllowOverride None
        # Options must be all relative (+/-) or all absolute; Apache refuses
        # to start on a mix, so ExecCGI carries a + here
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        # Order allow,deny
        AuthType Basic
        AuthName "UnconsciousOnes"
        AuthUserFile /var/local/HTSecurity/HTPassWd
        Require valid-user
    </Directory>

    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
</VirtualHost>
# Must sit outside the VirtualHost section (see Pass Phrase Dialogue below)
SSLPassPhraseDialog exec:/some/private/executable/passphrase/script

-- ScottHerman - 21 Dec 2007

Pass Phrase Dialogue

When I first set this up and got it all working, it would run fine for a while. However, when apache2 went down and the init daemon would attempt to restart it, it would fail because it was waiting with an interactive prompt, on the console, for the pass phrase. Since it did not happen often, I thought it anomalous and did not try to address it. After it happened a few times, however, I decided that enough was enough.

I did some investigation, and discovered the SSLPassPhraseDialog directive. This directive specifies an executable script which writes the pass phrase to stdout. The directive may not be specified within the VirtualHost section of the configuration. An example dialog file is given below. In the actual file "the correct passphrase" is replaced by the actual passphrase.

#!/bin/sh
echo "the correct passphrase"
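An added example (not the author's script above) of the same SSLPassPhraseDialog exec handler, with the passphrase kept in a separate file that must be mode 0400 rather than in the script body, so the script itself holds no secret. It relies on Apache 2.2 mod_ssl calling the program with servername:port and RSA or DSA as its two arguments; the directory layout under /etc/apache2/ssl/passphrases is this example's own assumption. The key is still only as protected as that file's permissions, which is the same as an unencrypted server.key kept at mode 0400.

```shell
#!/bin/sh
# Added example, not the wiki author's script. Apache runs it as
#   script servername:port RSA|DSA
# and reads the passphrase from stdout. Files are looked up as
#   $PASSDIR/<servername:port>.<RSA|DSA>   (this example's own convention)
set -u

PASSDIR=${PASSDIR:-/etc/apache2/ssl/passphrases}   # assumed location

# Return 0 only for a regular file with no group/other permission bits
# (ls -l columns 5-10 all "-"), i.e. readable by its owner alone.
owner_only() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print the passphrase for key type $2 of virtual host $1, looked up
# under directory $3. Prints nothing and returns 1 if the file is missing
# or too open, so a misconfiguration fails the Apache start loudly instead
# of serving a passphrase from a readable file.
print_passphrase() {
    f="$3/$1.$2"
    if ! owner_only "$f"; then
        echo "refusing $f: missing or not mode 0400" >&2
        return 1
    fi
    head -n 1 "$f"          # the file holds exactly one line
}

# Entry point used by Apache; does nothing when sourced without arguments.
if [ "${1:-}" != "" ]; then
    print_passphrase "$1" "${2:-RSA}" "$PASSDIR"
fi
```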

-- ScottHerman - 09 Jan 2008
