Difference between revisions of "Apache"

From YobiWiki
Jump to navigation Jump to search
m (Reverted edits by JasonAnderson (talk) to last revision by PhilippeTeuwen)
 
(6 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
===Activate ssl module===
 
===Activate ssl module===
 
a2enmod ssl
 
a2enmod ssl
  +
====New====
 
 
* Generate certificates, new method (from ssl-cert package):
 
* Generate certificates, new method (from ssl-cert package):
 
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
 
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Little problem: by default the certificate is valid only 30 days, see [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821 bugreport], you've to edit make-ssl-cert script
+
Little problem: by default the certificate is valid only 30 days, see [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821 bugreport], you've to edit make-ssl-cert script and add "-days" options, e.g:
  +
openssl req -days 1024 ...
 
* Verify generated certificate
 
* Verify generated certificate
 
openssl x509 -text -in /etc/apache2/ssl/apache.pem
 
openssl x509 -text -in /etc/apache2/ssl/apache.pem
  +
* Add apache2 config
  +
zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz > /etc/apache2/sites-available/default-ssl
  +
Edit default-ssl...
  +
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/
  +
  +
To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines:
  +
SSLCipherSuite HIGH:MEDIUM:!ADH
  +
SSLProtocol all -SSLv2
  +
cf http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
  +
====[[CAcert]]====
  +
To add those certificates you also need to add the chain certificates from CAcert and to add to your config:
  +
SSLCertificateChainFile /etc/apache2/ssl/CAcert_chain.pem
  +
cf details in [[CAcert]]
  +
  +
====Old====
 
* Generate certificates, manual method:
 
* Generate certificates, manual method:
 
openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr
 
openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr

Latest revision as of 16:02, 2 March 2016

Apache2

Activate ssl module

a2enmod ssl

New

  • Generate certificates, new method (from ssl-cert package):
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Little problem: by default the certificate is valid only 30 days, see bugreport, you've to edit make-ssl-cert script and add "-days" options, e.g:

openssl req -days 1024 ...
  • Verify generated certificate
openssl x509 -text -in /etc/apache2/ssl/apache.pem
  • Add apache2 config
zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz > /etc/apache2/sites-available/default-ssl

Edit default-ssl...

ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/

To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines:

SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2

cf http://httpd.apache.org/docs/2.0/mod/mod_ssl.html

CAcert

To add those certificates you also need to add the chain certificates from CAcert and to add to your config:

SSLCertificateChainFile /etc/apache2/ssl/CAcert_chain.pem

cf details in CAcert

Old

  • Generate certificates, manual method:
openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr
openssl rsa -in privkey.pem -out mydomain.key
openssl x509 -in mydomain.csr -out mydomain.crt -req -signkey mydomain.key -days 3650
openssl x509 -in mydomain.crt -out mydomain.der.crt -outform DER
  • Install mydomain.crt and mydomain.key in /etc/apache2/ssl/
cp /usr/share/doc/apache2/examples/ssl.conf.gz /etc/apache2/sites-available
gunzip ssl.conf.gz
mv ssl.conf mydomain_ssl
strip it... TODO
SSLCertificateFile /etc/apache2/ssl/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
<VirtualHost my_ip:443>
  • /etc/apache2/ports.conf:
Listen <my_ip>:443
ln -s /etc/apache2/sites-available/mydomain_ssl /etc/apache2/sites-enabled

For multiple canonical names, see these Notes on generating certificates with multiple canonical names

Enable reverse-proxy

a2enmod rewrite                                                                     
a2enmod proxy                                                                       
a2enmod proxy_http                                                                  

Personally I created a /etc/apache2/proxy-available and proxy-enabled directories with from the :443 VirtualHost an inclusion rule:

Include /etc/apache2/proxy-enabled/

First file to create is to initialize rewrite and proxy, e.g. /etc/apache2/proxy-enabled/000init -> /etc/apache2/proxy-available/init

RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
<Proxy *>
 Order deny,allow
 Allow from all
</Proxy>

Example of rules:

# Rules for https://foo.yobi.be

# Here this was a service that had to be called with the index.htm explicitely so we redirect the browser
RewriteCond %{HTTP_HOST} ^foo.yobi.be:?[0-9]*$
RewriteCond %{REQUEST_URI} ^/?$
RewriteRule ^/? /index.htm [R]
# Then the real rule:
RewriteCond %{HTTP_HOST} ^foo.yobi.be:?[0-9]*$
RewriteRule ^/(.*) http://twilight.zone/$1 [P]
ProxyPassReverse / http://twilight.zone/
# Rules for https://www.yobi.be/foo

# Here this was a service that had to be called with the index.htm explicitely so we redirect the browser
RewriteCond %{REQUEST_URI} ^/foo/?$
RewriteRule ^/foo/? /foo/index.htm [R]
# Then the real rule:
RewriteCond %{REQUEST_URI} ^/foo.*
RewriteRule ^/foo/(.*) http://twilight.zone/$1 [P]
ProxyPassReverse / http://twilight.zone/

To understand RewriteCond, see the mod_rewrite documentation

Older notes

Activate a module

  • Find the module name, try
ls /usr/lib/apache/1.3/*.info|sed 's/^[^_]*_\(.*\)\.info/\1/'
  • apache-modconf apache enable module name


E.g. apache-modconf apache enable libproxy

Setup proxy HTTP1.1 with Apache 2

  • libapache2-mod-proxy-html


These are very old notes

HTTPS

cf LM53 p68

cd /opt/httpd/httpd/conf
# clef RSA:
mkdir ssl.key
cd ssl.key
openssl gensra -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
mv server.key server.key.encrypted
mv server.key.unsecure server.key
cd ..
# certificat (CSR):
mkdir ssl.csr
cd ssl.csr
openssl req -new -key ../ssl.key/server.key.encrypted -out server.csr
# ! CommonName = the exact name server following https://
cd ..
# clef RSA de la CA:
cd ssl.key
openssl gensra -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key ca.key.encrypted
mv ca.key.unsecure ca.key
cd ..
# certificate x.509
mkdir ssl.crt
cd ssl.crt
openssl req -new -x509 -days 2002 -key ../ssl.key/ca.key.encrypted -out ca.crt
# ! CommonName = another name than yours
cd ..
# signature of certificate
mkdir tmp
cd tmp
cp ../ssl.key/*key .
cp ../ssl.crt/ca.crt .
cp ../ssl.csr/server.csr .
sh sign.sh server.csr
mv server.crt ../ssl.crt/

rm -rf tmp
cd ssl.crt
chmod 600 *

sign.sh: cf sources de mod_ssl, rep pkg.contrib
/usr/share/doc/libapache-mod-ssl/examples/sign.sh

#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0