Solved

sssl on apache

Posted on 2000-03-22
1
297 Views
Last Modified: 2013-12-26
i have a unix server with apache
and id like to use ssl
how can i make my site secure?

thanks
0
Comment
Question by:boofulls
1 Comment
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 2644483
Is your Apache built with SSL support? You can easily tell by looking at it's config file. If there are no "<IfDefine SSL>"  or other mentions of SSL* directive in the file then it wasn't and you'll have to build one that is SSL enabled.

Below is a "recipe" that can be used to build an SSL enabled Apache on Linux or Solaris. It's somewhat generic and you might not need the PhP stuff and If you are not on sparc/ultra Solaris or Linix thing will need to be changed...

Standard server is built with SSL & Php/database/ldap/imap support.
Everything is built with gcc-2.95.2, earlier versions are suspect on
Solaris 7/8. The following describes the packages & dependencies
as of 8 Mar 00:

Apache 1.3.12             - http://www.apache.org/dist/
Mod SSL 2.6.2-1.3.12      - http://www.modssl.org/
  OpenSSL 0.9.5           - http://www.openssl.org/source/
  Mm 1.0.12               - http://www.engelschall.com/sw/mm/
Php 3.0.15                - http://www.php.net/
  Openldap-1.2.9          - http://www.openldap.org/
    db-2.7.7 (BerkeleyDB) - http://www.sleepycat.com/
  Imap (c-client)         - http://www.washington.edu/imap/
  Postgres 6.5.3          - http://www.postgresql.org
   --and/or--
  MySQL-3.22.32           - http://www.mysql.org

1. Configure, build & install openssl

   > cd openssl-0.9.5
   > ./Configure solaris-sparcv[8|9]-gcc \   # Solaris Sparc/Ultra
   > ./Configure linux-elf \                 # Linux i386
   > ./Configure linux-sparcv[8|9] \         # Linux Sparc/Ultra
   > --prefix=/opt/Openssl -DSSL_FORBID_ENUL
   > make
   > make test
   > make install

2. Configure & build Mm

   > cd mm-1.0.12
   > ./configure --disable-shared
   > make

4. Configure mod-ssl

   > cd ../mod_ssl-2.6.2-1.3.12/
   > ./configure --with-apache=../apache_1.3.12

5. Now configure, build, and install Apache

   > cd apache_1.3.12
   > SSL_BASE=../openssl-0.9.5 EAPI_MM=../mm-1.0.12 \
   > ./configure --prefix=/opt/Apache \
   > --enable-module=most --enable-shared=max \
   > --enable-module=ssl --enable-shared=ssl --enable-rule=SSL_SDBM
   > make
   > make install
   >
   
6. (optional) Configure and Build c-client IMAP libs

   > cd imap-4.7b
   > make gso       # Gcc Solaris - see Makefile
   > make lnp       # Linux w/PAM - see Makefile
   > cd c-client
   > mkdir include
   > cp *.h include
   > mkdir lib
   > cd lib
   > ln -s ../c-client.a libc-client.a

7. (optional) And the LDAP libs (we get everything, but only use the libs)
   and I assume that BerkeleyDB is installed.

   > cd openldap-1.2.9
   > CPPFLAGS=-I/usr/local/BerkeleyDB/include \ # Solaris
   > LDFLAGS=-L/usr/local/BerkeleyDB/lib \      # Solaris
   > LIBS="-lpthread -lposix4" \                # Solaris
   > ./configure --prefix=/opt/Ldap
   > make depend
   > make
   > make install

8. Now we can build Php. The assumption is that the database is already built
   and installed. I put 'em in /opt.

   > cd php-3.0.15
   > ./configure --with-apxs=/opt/Apache/bin/apxs --without-gd \
   > --with-mysql=/opt/Mysql \           # Optional MySQL
   > --with-pgsql=/opt/Postgres \        # Optional Postrgres
   > --with-ldap=/opt/Ldap \             # Optional LDAP
   > --with-imap=../imap-4.7b/c-client \ # Optional IMAP
   > --with-config-file-path=/opt/Apache/conf
   > make
   > make install
   > cp php3.ini-dist /opt/Apache/conf/php3.ini

   On Solaris watch out for the LDAP library search path (-L/opt/Ldap/lib)
   getting placed after the libraries (-lldap -llber), configure can
   botch it. Fix by re-arrainging in the top-level Makefile.

9. Check where the php modules are in the Apache conf file. They will wind
   up in an SSL conditional and should be at the global level.

10.Create a certificate. I use a temp dir in the Apache conf dir.
   After I create the certificate I move it to the ssl.* dirs
   using the real or virtual server name, e.g., chaos.domain.com=>chaos.*
   This is a locally signed certificate. For a real server you'll need
   to get a real certificate from a "Certificate Authority", like Verisign.

   > cd /opt/Apache/conf
   > mkdir ssl.tmp
   > cd ssl.tmp
   > /opt/Openssl/bin/openssl req -new >host.csr
   > /opt/Openssl/bin/openssl rsa -in privkey.pem -out host.key
   > /opt/Openssl/bin/openssl x509 -in host.csr -out host.cert -req \
   > -signkey host.key -days 365
   > mv host.cert ../ssl.crt/chaos.crt
   > mv host.csr ../ssl.csr/chaos.csr
   > mv host.key ../ssl.key/chaos.key
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction: Dialogs (1) modal - maintaining the database. Continuing from the ninth article about sudoku.   You might have heard of modal and modeless dialogs.  Here with this Sudoku application will we use one of each type: a modal dialog …
Introduction: Dialogs (2) modeless dialog and a worker thread.  Handling data shared between threads.  Recursive functions. Continuing from the tenth article about sudoku.   Last article we worked with a modal dialog to help maintain informat…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now