Solved

sssl on apache

Posted on 2000-03-22
1
294 Views
Last Modified: 2013-12-26
i have a unix server with apache
and id like to use ssl
how can i make my site secure?

thanks
0
Comment
Question by:boofulls
1 Comment
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 2644483
Is your Apache built with SSL support? You can easily tell by looking at it's config file. If there are no "<IfDefine SSL>"  or other mentions of SSL* directive in the file then it wasn't and you'll have to build one that is SSL enabled.

Below is a "recipe" that can be used to build an SSL enabled Apache on Linux or Solaris. It's somewhat generic and you might not need the PhP stuff and If you are not on sparc/ultra Solaris or Linix thing will need to be changed...

Standard server is built with SSL & Php/database/ldap/imap support.
Everything is built with gcc-2.95.2, earlier versions are suspect on
Solaris 7/8. The following describes the packages & dependencies
as of 8 Mar 00:

Apache 1.3.12             - http://www.apache.org/dist/
Mod SSL 2.6.2-1.3.12      - http://www.modssl.org/
  OpenSSL 0.9.5           - http://www.openssl.org/source/
  Mm 1.0.12               - http://www.engelschall.com/sw/mm/
Php 3.0.15                - http://www.php.net/
  Openldap-1.2.9          - http://www.openldap.org/
    db-2.7.7 (BerkeleyDB) - http://www.sleepycat.com/
  Imap (c-client)         - http://www.washington.edu/imap/
  Postgres 6.5.3          - http://www.postgresql.org
   --and/or--
  MySQL-3.22.32           - http://www.mysql.org

1. Configure, build & install openssl

   > cd openssl-0.9.5
   > ./Configure solaris-sparcv[8|9]-gcc \   # Solaris Sparc/Ultra
   > ./Configure linux-elf \                 # Linux i386
   > ./Configure linux-sparcv[8|9] \         # Linux Sparc/Ultra
   > --prefix=/opt/Openssl -DSSL_FORBID_ENUL
   > make
   > make test
   > make install

2. Configure & build Mm

   > cd mm-1.0.12
   > ./configure --disable-shared
   > make

4. Configure mod-ssl

   > cd ../mod_ssl-2.6.2-1.3.12/
   > ./configure --with-apache=../apache_1.3.12

5. Now configure, build, and install Apache

   > cd apache_1.3.12
   > SSL_BASE=../openssl-0.9.5 EAPI_MM=../mm-1.0.12 \
   > ./configure --prefix=/opt/Apache \
   > --enable-module=most --enable-shared=max \
   > --enable-module=ssl --enable-shared=ssl --enable-rule=SSL_SDBM
   > make
   > make install
   >
   
6. (optional) Configure and Build c-client IMAP libs

   > cd imap-4.7b
   > make gso       # Gcc Solaris - see Makefile
   > make lnp       # Linux w/PAM - see Makefile
   > cd c-client
   > mkdir include
   > cp *.h include
   > mkdir lib
   > cd lib
   > ln -s ../c-client.a libc-client.a

7. (optional) And the LDAP libs (we get everything, but only use the libs)
   and I assume that BerkeleyDB is installed.

   > cd openldap-1.2.9
   > CPPFLAGS=-I/usr/local/BerkeleyDB/include \ # Solaris
   > LDFLAGS=-L/usr/local/BerkeleyDB/lib \      # Solaris
   > LIBS="-lpthread -lposix4" \                # Solaris
   > ./configure --prefix=/opt/Ldap
   > make depend
   > make
   > make install

8. Now we can build Php. The assumption is that the database is already built
   and installed. I put 'em in /opt.

   > cd php-3.0.15
   > ./configure --with-apxs=/opt/Apache/bin/apxs --without-gd \
   > --with-mysql=/opt/Mysql \           # Optional MySQL
   > --with-pgsql=/opt/Postgres \        # Optional Postrgres
   > --with-ldap=/opt/Ldap \             # Optional LDAP
   > --with-imap=../imap-4.7b/c-client \ # Optional IMAP
   > --with-config-file-path=/opt/Apache/conf
   > make
   > make install
   > cp php3.ini-dist /opt/Apache/conf/php3.ini

   On Solaris watch out for the LDAP library search path (-L/opt/Ldap/lib)
   getting placed after the libraries (-lldap -llber), configure can
   botch it. Fix by re-arrainging in the top-level Makefile.

9. Check where the php modules are in the Apache conf file. They will wind
   up in an SSL conditional and should be at the global level.

10.Create a certificate. I use a temp dir in the Apache conf dir.
   After I create the certificate I move it to the ssl.* dirs
   using the real or virtual server name, e.g., chaos.domain.com=>chaos.*
   This is a locally signed certificate. For a real server you'll need
   to get a real certificate from a "Certificate Authority", like Verisign.

   > cd /opt/Apache/conf
   > mkdir ssl.tmp
   > cd ssl.tmp
   > /opt/Openssl/bin/openssl req -new >host.csr
   > /opt/Openssl/bin/openssl rsa -in privkey.pem -out host.key
   > /opt/Openssl/bin/openssl x509 -in host.csr -out host.cert -req \
   > -signkey host.key -days 365
   > mv host.cert ../ssl.crt/chaos.crt
   > mv host.csr ../ssl.csr/chaos.csr
   > mv host.key ../ssl.key/chaos.key
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
unable to delete all specified values regedit 38 285
CRON statement to run every 3 minutes except on Monday morning 12am to 2am 7 89
WinWaitActive parameters 12 31
sum28 challenge 31 107
Introduction: Hints for the grid button.  Nested classes, templated collections.  Squash that darned bug! Continuing from the sixth article about sudoku.   Open the project in visual studio. First we will finish with the SUD_SETVALUE messa…
Introduction: Dialogs (2) modeless dialog and a worker thread.  Handling data shared between threads.  Recursive functions. Continuing from the tenth article about sudoku.   Last article we worked with a modal dialog to help maintain informat…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now