Solved

Configuring Apache to use SSL

Posted on 2006-07-10
555 Views
Last Modified: 2008-02-01
Configuration:
OS: Windows Server 2003
Web Server: Apache 2.0.58
Listens to Port 8078. Ports 80, 8080, and 8079 are used by IIS.

Tell me, from scratch, how to configure the server to use SSL.

What directives do I need to add to httpd.conf?
Where should I put certain files that I may need to download?
How do I test it?
And I need to use a port other than 443.

thanks
Question by:jhshukla
9 Comments
 
LVL 9

Author Comment

by:jhshukla
ID: 17076103
I tried following instructions on http://www.apache-ssl.org/#FAQ and http://raibledesigns.com/wiki/Wiki.jsp?page=ApacheSSL but to no avail. I get:

D:\Program Files\GnuWin32\bin>openssl req -new > new.cert.csr
Unable to load config info
Loading 'screen' into random state - done
Generating a 512 bit RSA private key
.......++++++++++++
...++++++++++++
writing new private key to stdout
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
10992:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:325:
 
LVL 9

Author Comment

by:jhshukla
ID: 17076607
update: I followed instructions on http://www.devx.com/opensource/Article/20085/1763/page/2
now it is taking forever to serve the request.
 
LVL 23

Assisted Solution

by:rama_krishna580
rama_krishna580 earned 62 total points
ID: 17081978
Hi,

Setting up SSL Certificates on Apache
http://www.flatmtn.com/computer/Linux-SSLCertificatesApache.html

R.K
 
LVL 9

Author Comment

by:jhshukla
ID: 17094927
flush previous discussions out of your mind.

<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  exec:spit_passwd.bat
SSLSessionCache        none
SSLMutex  default
#SSLEngine on ######################################

<VirtualHost 00.000.00.0:111>
#        ServerName 00.000.00.0
        DocumentRoot C:/WEB_ROOT
        ErrorLog C:/WEB_ROOT/logs/error.log
        CustomLog C:/WEB_ROOT/logs/access.log common
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile C:/WEB_ROOT/certs/server.crt
SSLCertificateKeyFile C:/WEB_ROOT/certs/server.key
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/WEB_ROOT">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog C:/WEB_ROOT/logs/ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfModule>

The moment I uncomment the SSLEngine On directive and try to restart, it craps out on me. With the line commented out, it could (possibly) be the happiest server on earth.
 
LVL 9

Author Comment

by:jhshukla
ID: 17095082
Do you want me to post all relevant parts of *.conf?
 
LVL 9

Author Comment

by:jhshukla
ID: 17095189
here it is:
ServerRoot "C:/Program Files/Apache Group/Apache2"
PidFile logs/httpd.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild  0
</IfModule>
Listen 80
Listen 8080
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule php5_module c:/php/php5apache2.dll
PHPIniDir "C:/php"
ServerAdmin dumbledore@hogwarts.edu
ServerName NearlyNamelessServer:80
UseCanonicalName Off
DocumentRoot "C:/WEB_ROOT"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "C:/WEB_ROOT">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    RewriteEngine On
    RewriteRule ^([^/]+)\.html?(.*)$ index.php?_html_url=$1$2 [L,QSA]
    RewriteRule .+\.pdf(.*)$ index.php?page=convert_to_pdf&cmd=download$1 [L,QSA]
</Directory>
DirectoryIndex index.php index.html index.html.var
AccessFileName .htaccess
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
TypesConfig conf/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>
HostnameLookups Off
ErrorLog logs/error.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access.log common
ServerTokens Full
ServerSignature On
Alias /icons/ "C:/Program Files/Apache Group/Apache2/icons/"
<Directory "C:/Program Files/Apache Group/Apache2/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
# (the opening <Directory ...> line for this block is missing from the posted config)
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    <Files *.html>
        SetHandler type-map
    </Files>
</Directory>
ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache2/cgi-bin/"
<Directory "C:/Program Files/Apache Group/Apache2/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
IndexOptions FancyIndexing VersionSort
ReadmeName README.html
HeaderName HEADER.html
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-httpd-php .php
AddType application/x-httpd-php .phtml
AddType application/x-httpd-php-source .phps
AddHandler type-map var
<IfModule mod_ssl.c>
      SSLRandomSeed startup builtin
      SSLRandomSeed connect builtin
      Listen 443
      AddType application/x-x509-ca-cert .crt
      AddType application/x-pkcs7-crl    .crl
      SSLPassPhraseDialog  exec:spit_passwd.bat
      SSLSessionCache        none
      SSLMutex  default
      <VirtualHost ip.ad.re.ss:443>
              ServerName ip.ad.re.ss
              DocumentRoot C:/WEB_ROOT
              ErrorLog C:/WEB_ROOT/logs/error.log
              CustomLog C:/WEB_ROOT/logs/access.log common
            SSLEngine on
            SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
            SSLCertificateFile C:/WEB_ROOT/certs/server.crt
            SSLCertificateKeyFile C:/WEB_ROOT/certs/server.key
            <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
                  SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory "C:/WEB_ROOT">
                  SSLOptions +StdEnvVars
            </Directory>
            SetEnvIf User-Agent ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
            CustomLog C:/WEB_ROOT/logs/ssl_request.log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
      </VirtualHost>
</IfModule>

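The two configurations posted above share the same problems, and a small lint run before restarting catches all of them. The script below is an added example, not code from the thread or from Apache; it runs over a constructed sample assembled from the thread: the first <IfModule mod_ssl.c> block with SSLEngine on uncommented (the state that would not start) and its VirtualHost on port 111 while only 443 is listened on, plus the Listen, ServerTokens, ServerSignature and Options lines of the full httpd.conf. It reports SSLEngine on in the main server scope (the main server then becomes SSL-enabled with no certificate, which mod_ssl refuses at startup), a VirtualHost port with no matching Listen, cipher tokens that re-enable export, LOW, SSLv2, RC4 and null-encryption suites, a passphrase handed over by an exec: script, a private key stored under the DocumentRoot where the plain-HTTP site could serve it, and the version-banner and directory-listing settings. A hardened equivalent in Apache 2.0 syntax follows the sample and lints clean; its port numbers, paths and SSLProtocol/SSLCipherSuite values are this example's choices, not the thread's.

```python
"""Lint an Apache 2.0 httpd.conf for the mod_ssl and disclosure problems
visible in the posted configuration. Added example; not part of the thread."""
import re

# Constructed sample, assembled from the thread: the first <IfModule mod_ssl.c>
# block with SSLEngine on uncommented, plus the Listen/ServerTokens/
# ServerSignature/Options lines of the full httpd.conf.
POSTED = """\
Listen 80
Listen 8080
ServerTokens Full
ServerSignature On
<Directory "C:/WEB_ROOT">
    Options Indexes FollowSymLinks
</Directory>
<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
Listen 443
SSLPassPhraseDialog exec:spit_passwd.bat
SSLEngine on
<VirtualHost 00.000.00.0:111>
    DocumentRoot C:/WEB_ROOT
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile C:/WEB_ROOT/certs/server.crt
    SSLCertificateKeyFile C:/WEB_ROOT/certs/server.key
</VirtualHost>
</IfModule>
"""

# Hardened equivalent in Apache 2.0 syntax (ports, paths and cipher list are
# this example's choices): SSL only inside the vhost, the vhost port listened
# on, no export/LOW/SSLv2/RC4/null suites, key outside any DocumentRoot,
# version banners off, no directory listing.
FIXED = """\
Listen 8078
ServerTokens Prod
ServerSignature Off
<Directory "C:/WEB_ROOT">
    Options FollowSymLinks
</Directory>
<IfModule mod_ssl.c>
Listen 8443
<VirtualHost _default_:8443>
    DocumentRoot C:/WEB_ROOT_SECURE
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5
    SSLCertificateFile C:/Apache2/conf/ssl/server.crt
    SSLCertificateKeyFile C:/Apache2/conf/ssl/server.key
</VirtualHost>
</IfModule>
"""

WEAK = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "eNULL", "NULL",
        "aNULL", "ADH", "SSLv2", "RC4", "MD5", "DES"}
OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</(\w+)>$")


def weak_ciphers(spec):
    """Return the weak tokens an OpenSSL cipher spec enables ('!'/'-' tokens exclude)."""
    weak = []
    for token in spec.split(":"):
        if token.startswith(("!", "-")):
            continue
        weak += [p for p in token.lstrip("+").split("+") if p in WEAK]
    return weak


def lint(config):
    """Return sorted (line, message) findings for the config text."""
    findings, stack = [], []
    listen, vhosts, docroots, keyfiles = set(), [], [], []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if CLOSE.match(line):
            stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            if stack[-1] == "virtualhost":
                vhosts.append((n, m.group(2).rsplit(":", 1)[-1]))
            continue
        name, _, arg = line.partition(" ")
        name, arg = name.lower(), arg.strip()
        if name == "listen":
            listen.add(arg.rsplit(":", 1)[-1])
        elif name == "documentroot":
            docroots.append(arg.strip('"').rstrip("/").lower())
        elif name == "sslcertificatekeyfile":
            keyfiles.append((n, arg.strip('"').lower()))
        elif name == "sslengine" and arg.lower() == "on" and "virtualhost" not in stack:
            findings.append((n, "SSLEngine on outside <VirtualHost>: the main server "
                                "becomes SSL-enabled with no certificate, so startup fails"))
        elif name == "sslciphersuite":
            weak = weak_ciphers(arg)
            if weak:
                findings.append((n, "SSLCipherSuite enables weak suites: " + ", ".join(weak)))
        elif name == "sslpassphrasedialog" and arg.lower().startswith("exec:"):
            findings.append((n, "SSLPassPhraseDialog exec: puts the key passphrase in a script "
                                "beside the key; an unencrypted key with a tight ACL is no weaker"))
        elif name == "servertokens" and arg.lower() == "full":
            findings.append((n, "ServerTokens Full discloses exact Apache and module versions"))
        elif name == "serversignature" and arg.lower() == "on":
            findings.append((n, "ServerSignature On discloses the version on error pages"))
        elif name == "options" and "indexes" in arg.lower().split():
            findings.append((n, "Options Indexes enables directory listing"))
    for n, port in vhosts:
        if port not in listen:
            findings.append((n, f"<VirtualHost> on port {port} but no Listen {port}"))
    for n, key in keyfiles:
        if any(key.startswith(root + "/") for root in docroots):
            findings.append((n, "private key lives under a DocumentRoot and may be served over HTTP"))
    return sorted(findings)


if __name__ == "__main__":
    for n, msg in lint(POSTED):
        print(f"posted line {n}: {msg}")
    print("fixed config findings:", lint(FIXED))
```

The parser is deliberately simple (one directive per line, containers opened and closed on their own lines), which is enough for httpd.conf files in the shape posted here; point `lint()` at the real file's text to check it before a restart.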
 
LVL 10

Accepted Solution

by:PSSUser
PSSUser earned 63 total points
ID: 17245552
I've not used some of the SSL-related directives you've got there. I've only recently started dealing with Apache myself and spent some time understanding the basics that I needed and removing the rest.

For the bare-bones SSL part of the config you may want to take a look at my answer to
http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21907117.html
You could probably do away with most of the stuff you have in your
<IfModule mod_ssl.c> section in favour of what I've detailed there (I would suggest copying your config first, just to be on the safe side).

Just bear in mind that, as you want a port other than 443, you will have to alter the Listen and VirtualHost directives. I'd suggest you use 8443 instead.

The files you may need to download should go in whatever folder is set as your document root. Looking at your config, this would be C:/WEB_ROOT. One thing to bear in mind: if you want the server to run in both HTTP and HTTPS, you may want a different document root for the secure site; otherwise the content could be accessible via HTTP (unless other factors, such as permission settings within the VirtualHost container, restrict it).

How to test it: set it up with a self-signed certificate as described in the answer I've pointed you to above. Then restart the server and visit https://00.000.00.0:1111/
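The openssl failure in the first comment ("unable to find 'distinguished_name' in config", "no conf or environment variable") means the GnuWin32 build found no openssl.cnf at all, so `req` does not know which subject fields to collect; passing `-config` (or setting `OPENSSL_CONF`) fixes it. The script below is an added example, not code from the thread or from either linked guide, and it covers both that error and the "self-signed certificate, then visit https://host:port/" test step of the accepted answer: it writes a minimal openssl.cnf, generates a 2048-bit self-signed certificate (the 512-bit default shown in the posted output is far below any current minimum) with an unencrypted key so that no spit_passwd.bat is needed, starts a throwaway TLS listener on a free non-443 port that stands in for the Apache vhost on 8443, and then probes it with verification pinned to that certificate, which is how a self-signed deployment should be checked from a script: verify against the known certificate rather than accept anything. Hostname, subject fields and paths are constructed for the example; it needs the openssl binary on PATH and returns None otherwise.

```python
"""Create a self-signed certificate with an explicit openssl.cnf, start a
one-shot TLS listener on a non-443 port, and probe it with verification
pinned to that certificate. Added example; not part of the thread."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Minimal openssl.cnf. The posted "unable to find 'distinguished_name' in
# config" error means openssl had no config file at all; a file like this,
# named via -config or OPENSSL_CONF, is what it was missing.
# Subject and SAN values are constructed for this example.
OPENSSL_CNF = """\
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_server
[req_distinguished_name]
CN = localhost
O = Example Org
[v3_server]
subjectAltName = DNS:localhost
subjectKeyIdentifier = hash
"""


def make_self_signed(workdir, hostname="localhost", days=365):
    """Write openssl.cnf and create server.key/server.crt (unencrypted key via
    -nodes, so no passphrase script is needed). Returns (crt, key) paths, or
    None when the openssl binary is not on PATH."""
    if shutil.which("openssl") is None:
        return None
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF.replace("localhost", hostname))
    crt = os.path.join(workdir, "server.crt")
    key = os.path.join(workdir, "server.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", str(days), "-config", cnf, "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key


def start_tls_listener(crt, key):
    """One-shot HTTPS responder on 127.0.0.1 and a free port, standing in for
    the Apache vhost. Returns the port it listens on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    lsock = socket.create_server(("127.0.0.1", 0))
    port = lsock.getsockname()[1]

    def serve_one():
        conn, _ = lsock.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(4096)
                tls.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except ssl.SSLError:
            pass
        finally:
            lsock.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def probe_https(host, port, cafile, server_hostname):
    """Connect with certificate and hostname verification on, trusting only
    cafile (the self-signed certificate itself). Returns the negotiated
    protocol and cipher, the certificate subject CN and the HTTP status."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\nHost: " + server_hostname.encode() + b"\r\n\r\n")
            reply = tls.recv(4096)
            subject = dict(pair for rdn in tls.getpeercert()["subject"] for pair in rdn)
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "subject_cn": subject["commonName"],
                    "status": reply.split(b" ", 2)[1].decode()}


def run_demo():
    """End to end: certificate, listener, verified probe. None if no openssl."""
    with tempfile.TemporaryDirectory() as workdir:
        made = make_self_signed(workdir)
        if made is None:
            return None
        crt, key = made
        port = start_tls_listener(crt, key)
        return probe_https("127.0.0.1", port, crt, "localhost")


if __name__ == "__main__":
    print(run_demo())
```

On the Windows box in question the same fix is `set OPENSSL_CONF=C:\path\to\openssl.cnf` before running `openssl req`, and the resulting server.crt/server.key should be placed where SSLCertificateFile and SSLCertificateKeyFile point, in a directory that is not under any DocumentRoot. To probe the real vhost, call `probe_https("00.000.00.0", 8443, "server.crt", "<the CN you put in the cert>")`; a hostname mismatch or an unexpected certificate raises `ssl.SSLCertVerificationError` instead of silently connecting.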
 
LVL 9

Author Comment

by:jhshukla
ID: 17417087
pardon the delay in closing the question; the project kept getting postponed and is now sorta abandoned.
