wiki:apache

Apache Web

Apache httpd with ViewVC

In the book, the apache user is created with the home directory /dev/null. This default setting works perfectly, until ViewVC is installed. ViewVC tests whether the home directory exists. If so it looks for it, and not finding it makes the program fail.

A quick fix is to change the home directory of user apache to anything non-existant, however an empty directory also works.

Note that a directory named .subversion will be created under the home directory. Make sure the home directory is writable for user apache.


Apache with LDAP (and SSL) support

Of course, OpenSSL and OpenLDAP must be on your system. You can follow the instructions on BLFS book.

patch -Np1 -i ../httpd-2.2.4-config-1.patch &&
./configure --enable-layout=FHS \
            --enable-mods-shared=all \
            --enable-authnz-ldap \
            --enable-ssl \
            --with-ssl=/etc/ssl \
            --with-ldap \
            --enable-ldap &&
sed -i -e "s%EXTRA_INCLUDES = -I.%EXTRA_INCLUDES = -I/usr/include -I.%g" \
    build/config_vars.mk &&
make &&
make install &&
chown -v root:root /usr/lib/apache/httpd.exp \
    /usr/sbin/{apxs,apachectl,dbmmanage,envvars{,-std}} \
    /usr/share/man/man1/{dbmmanage,ht{dbm,digest,passwd}}.1 \
    /usr/share/man/man8/{ab,apachectl,apxs,htcacheclean,httpd}.8 \
    /usr/share/man/man8/{logresolve,rotatelogs,suexec}.8 &&
chown -v -R apache:apache /srv/www

During the build, the "/usr/include" directory isn't included, the "sed" command is a small workaround.


Multiple SSL Certificates, one IP and port vi SNI

Yes, contrary to what you've read, it is possible, but only if the client supports it. Fortunately, Firefox-2.x, Opera-7.6+, and IE-7 and 8 (on Vista only) do support SNI, or Server Name Indication. This allows the client to send, in addition to the negotiation, the name of the target server during the initial handshake. OpenSSL added the TLS extensions in OpenSSL-0.9.8f and must be enabled by the Configure switch 'enable-tlsext'. Apache has supported SNI by default for some time, so no changes are necessary to your existing httpd config apart from supplying the correct certs under the virtual hosts entries instead of top level.


Setting up SSL with Apache httpd

I get sick of searching for this information every time I build a new server, so I thought a good write-up would be useful here.

First, create a private RSA signing key:

openssl genrsa -des3 -out <host>.<domain>.<tld>.private.key 2048

Next, you'll need an unsecured key for use by Apache HTTPD. If you elect not to create an unsecured key, then you'll have to enter the private key password every time you start httpd.

openssl rsa -in host.domain.tld.private.key -out <host>.<domain>.<tld>.unsecured.key

Finally, create the certificate signing request, to submit to your ssl provider.

openssl req -new -key <host>.<domain>.<tld>.private.key -out <host>.<domain>.<tld>.csr

Use the following guidelines:

        Country Name (2 letter code) [AU]:<AnyTwoLetterCountryCode>
        State or Province Name (full name) [Some-State]:<SomeStateOrProvinceSpelledOut>
        Locality Name (eg, city) []:<AnyCity>
        Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Your Full Company Name>
        Organizational Unit Name (eg, section) []:<FreeFormOUName>
        Common Name (eg, YOUR name) []:<host>.<domain>.<tld> (should match the FQDN of the host)
        Email Address []:<{h,p}ostmaster>@<domain>.<tld>

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []: <leave blank>
        An optional company name []: <leave blank>

Submit the CSR to your signing authority, and copy the contents of the generated certificate to <host>.<domain>.<tld>.crt. and place all needed files into the /etc/apache/certs directory. (You can also divide up the certs directory into further sites if needs be).

I use StartComLTD for free signed certificates. You will have to get their sub.class1 server certificate and use it in the key chain as well. All current browsers support StartComLTD's top level certificate and also support SNI (Server Name Indication) which will allow you to run multiple websites, with separate certificates, with only one IP. To use the free certificates, simply add the following to your httpd configuration for the virtual host (or at the top level if only one https site).

<VirtualHost *:443>
    ServerAdmin <hostmaster>@<domain>.<tld>
    DocumentRoot /srv/www/<host>/
    ServerName <host>.<domain>.<tld>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/apache/certs/<host>.<domain>.<tld>.crt
    SSLCertificateKeyFile /etc/apache/certs/<host>.<domain>.<tld>.unsecured.key
    SSLCertificateChainFile /etc/apache/certs/sub.class1.server.ca.crt
    SSLCACertificateFile /etc/apache/certs/ca.crt
    <insert directory security and logging entries here>
</VirtualHost>

The ca.crt should no longer be necessary, however, browsers that do not include StartComLTD's CA in their distributed certificate chain will fuss without it. I don't know of any browsers left that do not. You can download the certificates from StartCom's site. From the Tool Box, click on "StartCom CA Certificates" and grab the "StartCom Root CA (PEM encoded)" and the "Class 1 Intermediate Server CA" certificates and save them in your certs directory.

Another thing...I usually divide up the certificates and use separate RSA's for each host (as do the commands above). This is not necessary, so you could omit 'host.' from the first two commands and from the first entry in the 3rd command if you like. If your RSA key is ever compromised (very unlikely), you would need to generate new certificates for all of your sites if you did it that way, hence the extra security level of generating RSA signing keys for each host. Some will say it is overkill, but when it comes to security, I prefer to err to the side of caution.

Up
Top

Last modified 13 years ago Last modified on 10/31/2009 07:25:50 AM
Note: See TracWiki for help on using the wiki.