Gentoo Forums
APACHE using SSL
KraziKid
Tux's lil' helper


Joined: 26 Dec 2002
Posts: 128

Posted: Sun Feb 02, 2003 1:44 am    Post subject: APACHE using SSL

I just set up apache using ssl and php following the directions in the Desktop Doc, and had a few questions. How do I make it so a webpage is only accessible through SSL, using https://, and not both http:// and https://? Also, how do I make it so a webpage requires a log in? I know these are n00b web questions, but I'm used to programming in High Level languages, and not Markup languages. So if anyone can help, it would be appreciated.
kashani
Advocate


Joined: 02 Sep 2002
Posts: 2032
Location: San Francisco

Posted: Sun Feb 02, 2003 5:14 am    Post subject: SSL only pages

Step 1: Edit your /etc/apache/conf/apache.conf file and comment out the following lines.

Port 80
Listen 80

Step 2: Create a password file and a username.

htpasswd -c /path/to/htpasswd/file username_to_add

to add additional users it's

htpasswd /path/to/htpasswd/file username

You'll want to put this in a folder that isn't available to users via the web. I put mine in a file I created, /home/httpd/private/admins

Just don't put it anywhere inside your htdocs dir.

Step 3: create the .htaccess file in the dir you want to protect.

cd /home/httpd/htdocs/
vi .htaccess and write the following lines

AuthType Basic
AuthName ByPassword
AuthUserFile /path/to/htpasswd/file
require valid-user

Step 4: Create a better SSL cert. Some browsers don't like the default cert, best to fix that off the bat.

cd /etc/apache/conf/ssl

a. create the key using a pass phrase
openssl genrsa -des3 -out secure.key 1024

b. make an unsecure copy of your key
openssl rsa -noout -text -in unsecure.key

c. decide whether you want to use a secure or unsecure key. The unsecure will load without any problems. The secure key will require your key phrase or ssl won't load. I recommend using the clear text key especially if self generating a crt.

cp unsecure.key server.key

or

cp secure.key server.key
rm unsecure.key

d. generate a cert
openssl req -new -x509 -days 365 -key server.key -out server.crt

Step 5
You must stop and then start apache for this to take effect.

This is a pretty bare bones installation, not overly secure, but it'll work and be good enough for most situations.

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
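A check for the setup in Steps 1 to 3, added here as an example and not part of kashani's post: it flags a Basic-auth `.htaccess` that lacks mod_ssl's `SSLRequireSSL` (relevant when port 80 stays enabled for other pages) and an `AuthUserFile` that resolves inside the document root. The function names and the sample layout are constructed for illustration, and an absolute `AuthUserFile` path is assumed.

```shell
#!/bin/sh
# Added example: audit a Basic-auth .htaccess such as the one in Step 3.
# Assumes AuthUserFile is given as an absolute path.

# Physical path of a directory (symlinks resolved); fails if it does not exist.
real_dir() { ( cd "$1" 2>/dev/null && pwd -P ); }

# directive_value FILE NAME -> value of the first matching directive, quotes stripped
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) {
        $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); print; exit }' "$1"
}

# audit_htaccess HTACCESS DOCROOT -> one finding per line; returns 1 if any
audit_htaccess() {
    docroot=$(real_dir "$2") || { echo "docroot-not-found"; return 1; }
    findings=0
    authtype=$(directive_value "$1" AuthType | tr 'A-Z' 'a-z')
    userfile=$(directive_value "$1" AuthUserFile)

    # Basic auth sends the password merely base64-encoded, so refuse plain HTTP.
    if [ "$authtype" = basic ] && ! grep -qi '^[[:space:]]*SSLRequireSSL' "$1"; then
        echo "basic-auth-without-SSLRequireSSL"; findings=1
    fi
    # The password file must not sit where the server would hand it out as a URL.
    if [ -n "$userfile" ]; then
        userdir=$(real_dir "$(dirname "$userfile")") || userdir=
        case "$userdir/" in
            "$docroot"/*) echo "htpasswd-inside-docroot"; findings=1 ;;
        esac
    fi
    return $findings
}

# make_sample_site DIR -> constructed layout: Step 3's .htaccess, password file misplaced
make_sample_site() {
    mkdir -p "$1/htdocs" "$1/private"
    : > "$1/htdocs/admins"
    printf '%s\n' 'AuthType Basic' 'AuthName ByPassword' \
        "AuthUserFile $1/htdocs/admins" 'require valid-user' > "$1/htdocs/.htaccess"
}

if [ $# -eq 2 ]; then audit_htaccess "$1" "$2"; fi
```

Run it as `sh audit.sh /home/httpd/htdocs/.htaccess /home/httpd/htdocs`; no output and exit status 0 mean neither problem was found.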
KraziKid
Tux's lil' helper


Joined: 26 Dec 2002
Posts: 128

Posted: Sun Feb 02, 2003 5:41 am

Thanks, that worked perfectly. One thing didn't work though, I could not create an unsecure certificate, but I don't mind because I want it to be secure. But thanks again. Also, do I always have to enter the passphrase on apache startup? I usually try to keep my server up as long as possible, but was wondering if when rebooted, does it ask me for the passphrase, or just load? And, is there a way to bypass that so I do not have to enter the password on apache startup, or is that a security feature?

Edit: Nevermind, I figured out what you meant on how when you use an unsecure test key, apache does not ask for the pass to start up. But one thing, I needed to modify your unsecure key generator to say:
Code:

openssl rsa -text -in secure.key -out unsecure.key

I hope I did this right, but it works. So, thanks again.
kashani
Advocate


Joined: 02 Sep 2002
Posts: 2032
Location: San Francisco

Posted: Sun Feb 02, 2003 6:09 am

KraziKid wrote:
I usually try to keep my server up as long as possible, but was wondering if when rebooted, does it ask me for the passphrase, or just load? And, is there a way to bypass that so I do not have to enter the password on apache startup, or is that a security feature?


SSL will not load without the key. There are three ways to deal with the above.

1. use the clear text key and apache will load automatically. You can lock down the permissions of the files so only root can read them.

2. Put the password in manually when you start the server.

3. Create a script and change the... uh... SSHdialog something or another directive in /etc/apache/conf/addon-modules/mod_ssl.conf. Of course the key phrase will be in your script somewhere so this isn't much better than 1 without some heavy scripting.

Since you're using an unverified certificate (you didn't pay verisign) or anything it's probably not a big deal to go with method number 1. The only reason to go after a crt is to spoof your box to the rest of the internet, which someone could just create on their own unless you get a real crt.

Can you tell what I spent a large part of the week working on? :-)

kashani
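The trade-off between options 1 and 2 above, as an added example that is not from the thread: it tells a passphrase-protected PEM key from a clear-text one by its header and checks that the file is readable by its owner only. Function names and the sample key files are constructed; the key bodies are dummy data.

```shell
#!/bin/sh
# Added example: is a PEM private key passphrase-protected, and who can read it?

# key_protection FILE -> prints encrypted | cleartext | unknown
key_protection() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 encrypted container
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional PEM, as written by "genrsa -des3"
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo cleartext      # also matches when "rsa -text" put a dump above the PEM
    else
        echo unknown
    fi
}

# owner_only FILE -> succeeds when group and other have no permission bits set
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_key FILE -> prints "<protection> <access>";
# fails unless the key is encrypted or readable by its owner only
audit_key() {
    kind=$(key_protection "$1")
    if owner_only "$1"; then access=owner-only; else access=shared; fi
    echo "$kind $access"
    [ "$kind" = encrypted ] || [ "$access" = owner-only ]
}

# make_sample_keys DIR -> constructed files: PEM armor is real, key bodies are dummies
make_sample_keys() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/secure.key"
    printf '%s\n' 'Private-Key: (1024 bit)' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1/unsecure.key"
    chmod 644 "$1/secure.key" "$1/unsecure.key"
}

if [ $# -eq 1 ]; then audit_key "$1"; fi
```

A clear-text `server.key` that prints `cleartext shared` is the case option 1 warns about; `chmod 600` on a root-owned file turns it into `cleartext owner-only`.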
KraziKid
Tux's lil' helper


Joined: 26 Dec 2002
Posts: 128

Posted: Sun Feb 02, 2003 6:17 am

kashani wrote:

Can you tell what I spent a large part of the week working on? :-)

kashani


Yeah, LOL. Thanks again. One more quick thing though. Did I edit your code properly to create the unsecure plain text key?

Here's what I made it to:
Code:

openssl rsa -text -in secure.key -out unsecure.key

and here is what you said:
Code:

openssl rsa -noout -text -in unsecure.key

Yours did not work, so I decided to play around, and the way I did it produced results. So I was wondering if what I did was what you meant?
kashani
Advocate


Joined: 02 Sep 2002
Posts: 2032
Location: San Francisco

Posted: Sun Feb 02, 2003 6:28 am    Post subject: sslstuff

I stole all my info from this site which has much more info on this.

http://www.iu.hio.no/~mark/WebCourse/node25.html

kashani
rizzo
Retired Dev


Joined: 30 Apr 2002
Posts: 1067
Location: Manitowoc, WI, USA

Posted: Wed Mar 26, 2003 2:10 pm

A friend has directed me to the script at /usr/lib/ssl/mod_ssl/gentestcrt.sh. It generated the two files needed and is working great for me (once I remembered to forward port 443 to my webserver :p)