Solved

SSL on Apache

Posted on 2000-03-22
Last Modified: 2013-12-26
I have a Unix server with Apache
and I'd like to use SSL.
How can I make my site secure?

thanks
Question by:boofulls

Accepted Solution

by:
jlevie earned 50 total points
ID: 2644483
Is your Apache built with SSL support? You can easily tell by looking at its config file. If there are no "<IfDefine SSL>" or other mentions of SSL* directives in the file then it wasn't and you'll have to build one that is SSL enabled.

Below is a "recipe" that can be used to build an SSL enabled Apache on Linux or Solaris. It's somewhat generic and you might not need the PHP stuff, and if you are not on sparc/ultra Solaris or Linux things will need to be changed...

Standard server is built with SSL & Php/database/ldap/imap support.
Everything is built with gcc-2.95.2, earlier versions are suspect on
Solaris 7/8. The following describes the packages & dependencies
as of 8 Mar 00:

Apache 1.3.12             - http://www.apache.org/dist/
Mod SSL 2.6.2-1.3.12      - http://www.modssl.org/
  OpenSSL 0.9.5           - http://www.openssl.org/source/
  Mm 1.0.12               - http://www.engelschall.com/sw/mm/
Php 3.0.15                - http://www.php.net/
  Openldap-1.2.9          - http://www.openldap.org/
    db-2.7.7 (BerkeleyDB) - http://www.sleepycat.com/
  Imap (c-client)         - http://www.washington.edu/imap/
  Postgres 6.5.3          - http://www.postgresql.org
   --and/or--
  MySQL-3.22.32           - http://www.mysql.org

1. Configure, build & install openssl

   > cd openssl-0.9.5
   > # Pass exactly one platform target to Configure:
   > #   solaris-sparcv[8|9]-gcc   Solaris Sparc/Ultra
   > #   linux-elf                 Linux i386 (used below)
   > #   linux-sparcv[8|9]         Linux Sparc/Ultra
   > # -DSSL_FORBID_ENULL disables the null-encryption (eNULL) ciphers
   > ./Configure linux-elf \
   > --prefix=/opt/Openssl -DSSL_FORBID_ENULL
   > make
   > make test
   > make install

2. Configure & build Mm

   > cd mm-1.0.12
   > ./configure --disable-shared
   > make

4. Configure mod-ssl

   > cd ../mod_ssl-2.6.2-1.3.12/
   > ./configure --with-apache=../apache_1.3.12

5. Now configure, build, and install Apache

   > cd apache_1.3.12
   > SSL_BASE=../openssl-0.9.5 EAPI_MM=../mm-1.0.12 \
   > ./configure --prefix=/opt/Apache \
   > --enable-module=most --enable-shared=max \
   > --enable-module=ssl --enable-shared=ssl --enable-rule=SSL_SDBM
   > make
   > make install
   
6. (optional) Configure and Build c-client IMAP libs

   > cd imap-4.7b
   > # Run only the make target for your platform (see Makefile):
   > make gso       # Gcc Solaris
   > make lnp       # Linux w/PAM
   > cd c-client
   > mkdir include
   > cp *.h include
   > mkdir lib
   > cd lib
   > ln -s ../c-client.a libc-client.a

7. (optional) And the LDAP libs (we get everything, but only use the libs)
   and I assume that BerkeleyDB is installed.

   > cd openldap-1.2.9
   > # The three variable assignments below are for Solaris only
   > CPPFLAGS=-I/usr/local/BerkeleyDB/include \
   > LDFLAGS=-L/usr/local/BerkeleyDB/lib \
   > LIBS="-lpthread -lposix4" \
   > ./configure --prefix=/opt/Ldap
   > make depend
   > make
   > make install

8. Now we can build Php. The assumption is that the database is already built
   and installed. I put 'em in /opt.

   > cd php-3.0.15
   > # --with-mysql, --with-pgsql, --with-ldap and --with-imap are each
   > # optional (MySQL, Postgres, LDAP, IMAP); drop the ones you don't need
   > ./configure --with-apxs=/opt/Apache/bin/apxs --without-gd \
   > --with-mysql=/opt/Mysql \
   > --with-pgsql=/opt/Postgres \
   > --with-ldap=/opt/Ldap \
   > --with-imap=../imap-4.7b/c-client \
   > --with-config-file-path=/opt/Apache/conf
   > make
   > make install
   > cp php3.ini-dist /opt/Apache/conf/php3.ini

   On Solaris watch out for the LDAP library search path (-L/opt/Ldap/lib)
   getting placed after the libraries (-lldap -llber), configure can
   botch it. Fix by rearranging in the top-level Makefile.

9. Check where the php modules are in the Apache conf file. They will wind
   up in an SSL conditional and should be at the global level.

10. Create a certificate. I use a temp dir in the Apache conf dir.
   After I create the certificate I move it to the ssl.* dirs
   using the real or virtual server name, e.g., chaos.domain.com=>chaos.*
   This is a locally signed certificate. For a real server you'll need
   to get a real certificate from a "Certificate Authority", like Verisign.

   > cd /opt/Apache/conf
   > mkdir ssl.tmp
   > cd ssl.tmp
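   > # req prompts for a passphrase, writes the new key to privkey.pem
   > # and sends the certificate request to stdout
   > /opt/Openssl/bin/openssl req -new >host.csr
   > # rsa writes a copy of the key without the passphrase
   > /opt/Openssl/bin/openssl rsa -in privkey.pem -out host.key
   > # x509 -req -signkey self-signs the request, valid for 365 days
   > /opt/Openssl/bin/openssl x509 -in host.csr -out host.cert -req \
   > -signkey host.key -days 365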
   > mv host.cert ../ssl.crt/chaos.crt
   > mv host.csr ../ssl.csr/chaos.csr
   > mv host.key ../ssl.key/chaos.key
0
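
The two config-file checks from the answer (does httpd.conf mention SSL at all, and step 9's check that the PHP module lines have not ended up inside an `<IfDefine SSL>` block) can be scripted. This is an added example, not part of jlevie's recipe; the function names and the sample Apache 1.3 config are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample config are constructed.

# True if the config has <IfDefine SSL> or any SSL* directive.
has_ssl_config() {
    grep -Eiq '^[[:space:]]*(<IfDefine[[:space:]]+SSL>|SSL[A-Za-z]+([[:space:]]|$))' "$1"
}

# Print "lineno: text" for each PHP LoadModule/AddModule line that is
# nested inside an <IfDefine SSL> block (step 9: move these to global level).
php_inside_ssl_block() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); l = tolower(line) }
        l ~ /^<ifdefine[ \t]/ {            # push: remember if this block is SSL
            is_ssl[++n] = (l ~ /^<ifdefine[ \t]+ssl>/); ssl += is_ssl[n]; next
        }
        l ~ /^<\/ifdefine>/ {              # pop the innermost block
            if (n > 0) { ssl -= is_ssl[n]; n-- }
            next
        }
        ssl > 0 && l ~ /^(loadmodule|addmodule)[ \t].*php/ { print NR ": " line }
    ' "$1"
}

# Constructed httpd.conf fragment in the state step 9 warns about.
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule rewrite_module libexec/mod_rewrite.so
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
LoadModule php3_module libexec/libphp3.so
</IfDefine>
ClearModuleList
<IfDefine SSL>
AddModule mod_ssl.c
AddModule mod_php3.c
</IfDefine>
<IfDefine SSL>
Listen 443
SSLSessionCache dbm:logs/ssl_scache
</IfDefine>
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
has_ssl_config "$conf" && echo "SSL directives found"
php_inside_ssl_block "$conf"
rm -f "$conf"
```

Any line the second function prints is loaded only when the server is started with SSL defined, so PHP would be missing on a plain start.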
