Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

sssl on apache

Posted on 2000-03-22
1
Medium Priority
?
315 Views
Last Modified: 2013-12-26
i have a unix server with apache
and id like to use ssl
how can i make my site secure?

thanks
0
Comment
Question by:boofulls
1 Comment
 
LVL 40

Accepted Solution

by:
jlevie earned 200 total points
ID: 2644483
Is your Apache built with SSL support? You can easily tell by looking at it's config file. If there are no "<IfDefine SSL>"  or other mentions of SSL* directive in the file then it wasn't and you'll have to build one that is SSL enabled.

Below is a "recipe" that can be used to build an SSL enabled Apache on Linux or Solaris. It's somewhat generic and you might not need the PhP stuff and If you are not on sparc/ultra Solaris or Linix thing will need to be changed...

Standard server is built with SSL & Php/database/ldap/imap support.
Everything is built with gcc-2.95.2, earlier versions are suspect on
Solaris 7/8. The following describes the packages & dependencies
as of 8 Mar 00:

Apache 1.3.12             - http://www.apache.org/dist/
Mod SSL 2.6.2-1.3.12      - http://www.modssl.org/
  OpenSSL 0.9.5           - http://www.openssl.org/source/
  Mm 1.0.12               - http://www.engelschall.com/sw/mm/
Php 3.0.15                - http://www.php.net/
  Openldap-1.2.9          - http://www.openldap.org/
    db-2.7.7 (BerkeleyDB) - http://www.sleepycat.com/
  Imap (c-client)         - http://www.washington.edu/imap/
  Postgres 6.5.3          - http://www.postgresql.org
   --and/or--
  MySQL-3.22.32           - http://www.mysql.org

1. Configure, build & install openssl

   > cd openssl-0.9.5
   > ./Configure solaris-sparcv[8|9]-gcc \   # Solaris Sparc/Ultra
   > ./Configure linux-elf \                 # Linux i386
   > ./Configure linux-sparcv[8|9] \         # Linux Sparc/Ultra
   > --prefix=/opt/Openssl -DSSL_FORBID_ENUL
   > make
   > make test
   > make install

2. Configure & build Mm

   > cd mm-1.0.12
   > ./configure --disable-shared
   > make

4. Configure mod-ssl

   > cd ../mod_ssl-2.6.2-1.3.12/
   > ./configure --with-apache=../apache_1.3.12

5. Now configure, build, and install Apache

   > cd apache_1.3.12
   > SSL_BASE=../openssl-0.9.5 EAPI_MM=../mm-1.0.12 \
   > ./configure --prefix=/opt/Apache \
   > --enable-module=most --enable-shared=max \
   > --enable-module=ssl --enable-shared=ssl --enable-rule=SSL_SDBM
   > make
   > make install
   >
   
6. (optional) Configure and Build c-client IMAP libs

   > cd imap-4.7b
   > make gso       # Gcc Solaris - see Makefile
   > make lnp       # Linux w/PAM - see Makefile
   > cd c-client
   > mkdir include
   > cp *.h include
   > mkdir lib
   > cd lib
   > ln -s ../c-client.a libc-client.a

7. (optional) And the LDAP libs (we get everything, but only use the libs)
   and I assume that BerkeleyDB is installed.

   > cd openldap-1.2.9
   > CPPFLAGS=-I/usr/local/BerkeleyDB/include \ # Solaris
   > LDFLAGS=-L/usr/local/BerkeleyDB/lib \      # Solaris
   > LIBS="-lpthread -lposix4" \                # Solaris
   > ./configure --prefix=/opt/Ldap
   > make depend
   > make
   > make install

8. Now we can build Php. The assumption is that the database is already built
   and installed. I put 'em in /opt.

   > cd php-3.0.15
   > ./configure --with-apxs=/opt/Apache/bin/apxs --without-gd \
   > --with-mysql=/opt/Mysql \           # Optional MySQL
   > --with-pgsql=/opt/Postgres \        # Optional Postrgres
   > --with-ldap=/opt/Ldap \             # Optional LDAP
   > --with-imap=../imap-4.7b/c-client \ # Optional IMAP
   > --with-config-file-path=/opt/Apache/conf
   > make
   > make install
   > cp php3.ini-dist /opt/Apache/conf/php3.ini

   On Solaris watch out for the LDAP library search path (-L/opt/Ldap/lib)
   getting placed after the libraries (-lldap -llber), configure can
   botch it. Fix by re-arrainging in the top-level Makefile.

9. Check where the php modules are in the Apache conf file. They will wind
   up in an SSL conditional and should be at the global level.

10.Create a certificate. I use a temp dir in the Apache conf dir.
   After I create the certificate I move it to the ssl.* dirs
   using the real or virtual server name, e.g., chaos.domain.com=>chaos.*
   This is a locally signed certificate. For a real server you'll need
   to get a real certificate from a "Certificate Authority", like Verisign.

   > cd /opt/Apache/conf
   > mkdir ssl.tmp
   > cd ssl.tmp
   > /opt/Openssl/bin/openssl req -new >host.csr
   > /opt/Openssl/bin/openssl rsa -in privkey.pem -out host.key
   > /opt/Openssl/bin/openssl x509 -in host.csr -out host.cert -req \
   > -signkey host.key -days 365
   > mv host.cert ../ssl.crt/chaos.crt
   > mv host.csr ../ssl.csr/chaos.csr
   > mv host.key ../ssl.key/chaos.key
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here is how to use MFC's automatic Radio Button handling in your dialog boxes and forms.  Beginner programmers usually start with a OnClick handler for each radio button and that's just not the right way to go.  MFC has a very cool system for handli…
Introduction: Dialogs (2) modeless dialog and a worker thread.  Handling data shared between threads.  Recursive functions. Continuing from the tenth article about sudoku.   Last article we worked with a modal dialog to help maintain informat…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question