Difference between revisions of "Apache"
m (Reverted edits by JasonAnderson (talk) to last revision by PhilippeTeuwen) |
|||
(9 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
===Activate ssl module=== |
===Activate ssl module=== |
||
a2enmod ssl |
a2enmod ssl |
||
+ | ====New==== |
||
⚫ | |||
+ | * Generate certificates, new method (from ssl-cert package): |
||
+ | make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem |
||
+ | Little problem: by default the certificate is valid only 30 days, see [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821 bugreport], you've to edit make-ssl-cert script and add "-days" options, e.g: |
||
+ | openssl req -days 1024 ... |
||
+ | * Verify generated certificate |
||
+ | openssl x509 -text -in /etc/apache2/ssl/apache.pem |
||
+ | * Add apache2 config |
||
+ | zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz > /etc/apache2/sites-available/default-ssl |
||
+ | Edit default-ssl... |
||
+ | ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/ |
||
+ | |||
+ | To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines: |
||
+ | SSLCipherSuite HIGH:MEDIUM:!ADH |
||
+ | SSLProtocol all -SSLv2 |
||
+ | cf http://httpd.apache.org/docs/2.0/mod/mod_ssl.html |
||
+ | ====[[CAcert]]==== |
||
+ | To add those certificates you also need to add the chain certificates from CAcert and to add to your config: |
||
+ | SSLCertificateChainFile /etc/apache2/ssl/CAcert_chain.pem |
||
+ | cf details in [[CAcert]] |
||
+ | |||
+ | ====Old==== |
||
⚫ | |||
openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr |
openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr |
||
openssl rsa -in privkey.pem -out mydomain.key |
openssl rsa -in privkey.pem -out mydomain.key |
||
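Review bot: In the added ssl.conf lines, `SSLProtocol all -SSLv2` removes only SSLv2, so the setting introduced as "activate only the secure ciphers" still leaves SSLv3 enabled, and `SSLCipherSuite HIGH:MEDIUM:!ADH` still admits the MEDIUM group and excludes only anonymous DH rather than all unauthenticated suites. Suggest `SSLProtocol all -SSLv2 -SSLv3` and a cipher string without MEDIUM that uses `!aNULL`, or rewording the sentence so it does not promise "only the secure ciphers". Also, the `cf` link points at the 2.0 mod_ssl documentation while the zcat path is under apache2.2-common; link the documentation for the version the section configures.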
Line 20: | Line 42: | ||
ln -s /etc/apache2/sites-available/mydomain_ssl /etc/apache2/sites-enabled |
ln -s /etc/apache2/sites-available/mydomain_ssl /etc/apache2/sites-enabled |
||
+ | |||
+ | For multiple canonical names, see these [http://www.stunnel.org/examples/mult_cannonical.html Notes on generating certificates with multiple canonical names] |
||
===Enable reverse-proxy=== |
===Enable reverse-proxy=== |
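Review bot: The added link on multiple canonical names sits at the end of the ====Old==== section, directly after the `ln -s` line, with nothing saying whether it also applies to the make-ssl-cert method under ====New====. State which method it is meant for, and add one line summarising what has to change in the certificate request so the section stays usable if the external page disappears.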
Latest revision as of 16:02, 2 March 2016
Apache2
Activate ssl module
a2enmod ssl
New
- Generate certificates, new method (from ssl-cert package):
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
One small problem: by default the certificate is valid for only 30 days (see the bug report at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821), so you have to edit the make-ssl-cert script and add a "-days" option, e.g.:
openssl req -days 1024 ...
- Verify generated certificate
openssl x509 -text -in /etc/apache2/ssl/apache.pem
- Add apache2 config
zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz > /etc/apache2/sites-available/default-ssl
Edit default-ssl...
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/
To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment these lines:
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2
cf http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
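A way to check what those two directives actually leave enabled, as an added example (not part of the original page, nor Apache or Debian code). The function name audit_ssl_conf and the sample file are constructed for illustration, and "all" is read with its Apache 2.2-era meaning, which includes SSLv2 and SSLv3.

```shell
#!/bin/sh
# audit_ssl_conf FILE: print one finding per line for weak mod_ssl settings.
# Assumption: "all" has its Apache 2.2-era meaning (includes SSLv2 and SSLv3).
audit_ssl_conf() {
    awk '
    $1 ~ /^#/ { next }                        # still commented out: inactive
    tolower($1) == "sslprotocol" {            # last active directive wins
        proto = 1; v2 = 0; v3 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            on = (t !~ /^-/)                  # "-X" disables, "X" or "+X" enables
            sub(/^[+-]/, "", t)
            if (t == "all" || t == "sslv2") v2 = on
            if (t == "all" || t == "sslv3") v3 = on
        }
    }
    tolower($1) == "sslciphersuite" {
        suite = 1; split("", banned); split("", allowed)
        n = split($2, c, ":")
        for (i = 1; i <= n; i++) {
            if (c[i] ~ /^!/) banned[substr(c[i], 2)] = 1   # "!X" removes X for good
            else allowed[c[i]] = 1
        }
    }
    END {
        if (!proto) print "SSLProtocol: no active directive"
        if (v2)     print "SSLProtocol: SSLv2 enabled"
        if (v3)     print "SSLProtocol: SSLv3 enabled"
        if (!suite) { print "SSLCipherSuite: no active directive"; exit }
        ng = split("MEDIUM LOW EXP", g, " ")
        for (i = 1; i <= ng; i++)
            if ((g[i] in allowed) && !(g[i] in banned))
                print "SSLCipherSuite: " g[i] " group allowed"
        # !ADH drops anonymous DH only; !aNULL covers every unauthenticated suite
        if (!("aNULL" in banned))
            print "SSLCipherSuite: no !aNULL exclusion"
    }' "$1"
}

# Constructed sample: the two lines the page says to uncomment.
sample=$(mktemp)
printf '%s\n' 'SSLCipherSuite HIGH:MEDIUM:!ADH' 'SSLProtocol all -SSLv2' > "$sample"
audit_ssl_conf "$sample"
rm -f "$sample"
```

A file in which both lines are still commented out is reported as having no active directive, which catches the case where the uncomment step was skipped.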
CAcert
To use certificates issued by CAcert, you also need to install the CAcert chain certificates and add this line to your config:
SSLCertificateChainFile /etc/apache2/ssl/CAcert_chain.pem
cf details in CAcert
Old
- Generate certificates, manual method:
openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr
openssl rsa -in privkey.pem -out mydomain.key
openssl x509 -in mydomain.csr -out mydomain.crt -req -signkey mydomain.key -days 3650
openssl x509 -in mydomain.crt -out mydomain.der.crt -outform DER
- Install mydomain.crt and mydomain.key in /etc/apache2/ssl/
cp /usr/share/doc/apache2/examples/ssl.conf.gz /etc/apache2/sites-available
cd /etc/apache2/sites-available
gunzip ssl.conf.gz
mv ssl.conf mydomain_ssl
strip it... TODO
SSLCertificateFile /etc/apache2/ssl/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
<VirtualHost my_ip:443>
- /etc/apache2/ports.conf:
Listen <my_ip>:443
ln -s /etc/apache2/sites-available/mydomain_ssl /etc/apache2/sites-enabled
For multiple canonical names, see these Notes on generating certificates with multiple canonical names
Enable reverse-proxy
a2enmod rewrite
a2enmod proxy
a2enmod proxy_http
Personally, I created /etc/apache2/proxy-available and proxy-enabled directories, with an inclusion rule from the :443 VirtualHost:
Include /etc/apache2/proxy-enabled/
The first file to create initializes rewrite and proxy, e.g. /etc/apache2/proxy-enabled/000init -> /etc/apache2/proxy-available/init
RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
Example of rules:
# Rules for https://foo.yobi.be
# Here this was a service that had to be called with the index.htm explicitly, so we redirect the browser
# (dots in the host pattern are escaped so they match only a literal ".")
RewriteCond %{HTTP_HOST} ^foo\.yobi\.be:?[0-9]*$
RewriteCond %{REQUEST_URI} ^/?$
RewriteRule ^/? /index.htm [R]
# Then the real rule:
RewriteCond %{HTTP_HOST} ^foo\.yobi\.be:?[0-9]*$
RewriteRule ^/(.*) http://twilight.zone/$1 [P]
ProxyPassReverse / http://twilight.zone/

# Rules for https://www.yobi.be/foo
# Here this was a service that had to be called with the index.htm explicitly, so we redirect the browser
RewriteCond %{REQUEST_URI} ^/foo/?$
RewriteRule ^/foo/? /foo/index.htm [R]
# Then the real rule:
RewriteCond %{REQUEST_URI} ^/foo.*
RewriteRule ^/foo/(.*) http://twilight.zone/$1 [P]
ProxyPassReverse / http://twilight.zone/
To understand RewriteCond, see the mod_rewrite documentation
Older notes
Activate a module
- Find the module name, try
ls /usr/lib/apache/1.3/*.info|sed 's/^[^_]*_\(.*\)\.info/\1/'
- apache-modconf apache enable module name
E.g. apache-modconf apache enable libproxy
Setup proxy HTTP1.1 with Apache 2
- libapache2-mod-proxy-html
These are very old notes
HTTPS
cf LM53 p68
cd /opt/httpd/httpd/conf
# RSA key:
mkdir ssl.key
cd ssl.key
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
mv server.key server.key.encrypted
mv server.key.unsecure server.key
cd ..
# certificate request (CSR):
mkdir ssl.csr
cd ssl.csr
openssl req -new -key ../ssl.key/server.key.encrypted -out server.csr
# ! CommonName = the exact server name following https://
cd ..
# RSA key of the CA:
cd ssl.key
openssl genrsa -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key ca.key.encrypted
mv ca.key.unsecure ca.key
cd ..
# certificate x.509
mkdir ssl.crt
cd ssl.crt
openssl req -new -x509 -days 2002 -key ../ssl.key/ca.key.encrypted -out ca.crt
# ! CommonName = another name than yours
cd ..
# signature of certificate
mkdir tmp
cd tmp
cp ../ssl.key/*key .
cp ../ssl.crt/ca.crt .
cp ../ssl.csr/server.csr .
sh sign.sh server.csr
mv server.crt ../ssl.crt/
cd ..
rm -rf tmp
cd ssl.crt
chmod 600 *
sign.sh: see the mod_ssl sources, directory pkg.contrib
/usr/share/doc/libapache-mod-ssl/examples/sign.sh
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) Ralf S. Engelschall, All Rights Reserved.
##

# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
    * ) CERT="$CSR.crt" ;;
esac

# make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

# create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0