Build a secure Apache with SSL

I. Introduction

This article describes how to install and configure Apache together with SSL (Secure Socket Layer). As we all know, transmitting sensitive information in plain text over the network is quite insecure. SSL adds an encryption layer beneath the upper-layer protocols, so that when a user transmits data over HTTP it is difficult for anyone on the path to read it. Of course, the encryption only covers the transmission, and it is completely transparent to users.
  
Let's get started.
  
II. Preparations
  
If you are installing the system from scratch, we recommend setting aside a partition named /chroot to run Apache in. Its size is up to you; for a typical website, 40 MB is generally enough. If your system has already been running Apache for a long time, you can create another partition, or skip the separate partition and simply create a directory under the root.
  
In addition, I assume that your system has passed a security audit before you install Apache (if the host itself has vulnerabilities, what can you expect of the Apache running on it?). That audit should at least include, but is not limited to, removing insecure SUID programs, upgrading some daemon processes, and removing unnecessary services. It is also assumed that your web server runs TCP/IP and has its own address.
  
III. Platform
  
The following tests are performed on the following platforms:
  
1. Slackware 4.x distribution using gcc 2.7.2.3 and Perl v5.005_02
  
2. Solaris 7 on iSCSI using gcc v2.8.1 and Perl v5.005_03
  
IV. Obtaining the required software
  
Because SSL support is not included in the Apache distribution, we must first download the components needed to serve encrypted web pages:
  
1. Apache Web Server - http://www.apache.org/dist/
  
Needless to say, we need the web server itself. The current version is 1.3.11, and Apache is the most widely used web server in the world.
  
2. mod_ssl - http://www.modssl.org
  
This is a software module that provides strong encryption for the Apache 1.3.x web server. It uses the SSL v2 and v3 protocols as well as TLS (Transport Layer Security) v1. The package is developed under a BSD license, and for non-commercial use you can use it freely. Choosing the right mod_ssl version is easy: the version number has the form <mod_ssl version>-<Apache version>. That is, if you use Apache 1.3.11, you should use mod_ssl 2.5.0-1.3.11.
  
3. mod_perl - http://perl.apache.org/dist/
  
4. OpenSSL - http://www.openssl.org
  
This package provides the cryptographic implementation of the SSL v2/v3 (Secure Sockets Layer) and TLS v1 (Transport Layer Security) protocols.
  
5. RSAref - search for "rsaref20.tar.Z" using a search engine.
  
We will install these programs under /usr/local and add functional modules to give Apache more capabilities. If you need more modules, you can obtain and load them yourself; for example, the mod_php module is also popular now, and with it Apache can support PHP scripts.
  
V. Installing the software packages
  
Before the actual installation, we need to decide on the environment the web server will run in. If your security requirements are high, you can install the server and its software in a chroot environment. chroot changes the apparent root directory, and the process can then only execute programs under that directory. This provides a small, self-contained environment: even if an intruder gains access to the system through a CGI program or some other path via port 80, they can only act inside this restricted environment. From a security standpoint this is of course the best option, but it is more work for the system administrator, since the necessary libraries, Perl and related tools must also be moved into the chroot. So decide for yourself; here we describe the installation under chroot.
  
Expand these software packages:
  
# gzip -d -c apache_1.3.11.tar.gz | tar xvf -
  
# gzip -d -c mod_ssl-2.5.0-1.3.11.tar.gz | tar xvf -
  
# gzip -d -c openssl-0.9.4.tar.gz | tar xvf -
  
# gzip -d -c mod_perl-1.21.tar.gz | tar xvf -
  
Expand and compile RSAref:
  
# mkdir rsaref
  
# cd rsaref
  
# gzip -d -c ../rsaref20.tar.Z | tar xvf -
  
# tar xvf rsaref.tar
  
# cp -rp install/unix temp
  
# cd temp
  
# make
  
# mv rsaref.a librsaref.a
  
# cd ../../
  
Compile OpenSSL:
  
# cd openssl-0.9.4
  
# perl util/perlpath.pl /usr/bin/perl (replace /usr/bin/perl with the path to your Perl)
  
# ./config -L`pwd`/../rsaref/temp/
  
# make
  
# make test
  
# cd ..
  
Add mod_perl to the Apache compilation options:
  
# cd mod_perl-1.21
  
# perl Makefile.PL APACHE_PREFIX=/usr/local/apache \
    APACHE_SRC=../apache_1.3.11/src \
    USE_APACI=1
  
You will get the following prompt:
  
Configure mod_perl with ../apache_1.3.11/src? [y]
  
Press Enter to accept the default, which is yes.
  
Makefile.PL will then ask whether you want to build httpd now. Answer n, since httpd will be built later together with mod_ssl.
  
# make
  
# make install
  
# cd ..
  
Add mod_ssl to Apache:
  
# cd mod_ssl-2.5.0-1.3.11
  
# ./configure --with-apache=../apache_1.3.11 \
    --prefix=/usr/local/apache \
    --with-ssl=../openssl-0.9.4 \
    --with-rsa=../rsaref/temp \
    --activate-module=src/modules/perl/libperl.a
  
# cd ..
  
Compile Apache:
  
# cd apache_1.3.11
  
Before compiling, we can do one more thing: edit the header file that contains the HTTP server version string, so that an attacker scanning for a particular server version cannot identify it from the banner.
  
src/include/httpd.h
  
Find the following line (around line 454) and change the server name and version number; you can change it to whatever you like.
  
#define SERVER_BASEVERSION "Apache/1.3.11"
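The banner edit above is easy to get wrong by hand and hard to confirm after the fact. As an added example, not part of the original article, the following POSIX shell helpers back up httpd.h, rewrite the SERVER_BASEVERSION define to the string you pass in, and read the value back so you can check it before running make. The header path and the banner text are arguments you supply; "WebServer/1.0" in the usage comment is a made-up value. The rewrite matches whatever follows the macro name, so it works whether the define holds a literal string as shown above or is composed from other macros, while get_server_banner only reports a literal string value.

```shell
#!/bin/sh
# Added example (not from the original article): set and verify the Apache 1.3
# server banner in src/include/httpd.h before compiling.
#
# Usage: set_server_banner src/include/httpd.h "WebServer/1.0"

# get_server_banner FILE : print the literal string assigned to SERVER_BASEVERSION,
# or nothing if the define is absent or not a plain string.
get_server_banner() {
    sed -n 's/^#define SERVER_BASEVERSION[[:space:]]*"\(.*\)".*/\1/p' "$1"
}

# set_server_banner FILE BANNER : back up FILE to FILE.orig and replace the
# whole SERVER_BASEVERSION define with a literal BANNER string. Returns 1 if
# the define is not present, so a typo in the path does not pass silently.
set_server_banner() {
    hdr=$1
    banner=$2
    if ! grep -q '^#define SERVER_BASEVERSION[[:space:]]' "$hdr"; then
        echo "set_server_banner: no SERVER_BASEVERSION define in $hdr" >&2
        return 1
    fi
    cp -p "$hdr" "$hdr.orig"
    # '|' is used as the sed delimiter because banners usually contain '/'.
    sed "s|^#define SERVER_BASEVERSION[[:space:]].*|#define SERVER_BASEVERSION \"$banner\"|" \
        "$hdr" > "$hdr.tmp" && mv "$hdr.tmp" "$hdr"
    echo "SERVER_BASEVERSION is now: $(get_server_banner "$hdr")"
}
```

Run it from the top of the Apache source tree before make; the .orig copy lets you diff the change or restore the original header.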
  
Now you can compile Apache:
  
# make
  
Now you can generate the server certificate:
  
# make certificate
  
Follow the prompts to create and install the certificate.
  
# make install
  
This installs Apache in /usr/local/apache.
  
Test whether the web server runs normally without SSL first. Start the web server:
  
# /usr/local/apache/bin/apachectl start
  
Once the web server is running, use lynx or any other browser to connect to port 80. If you see the Apache welcome page, it is working.
  
Stop the server:
  
# /usr/local/apache/bin/apachectl stop
  
Test the web server with SSL enabled. Start the web server with SSL:
  
# /usr/local/apache/bin/apachectl startssl
  
Once the server is running, use Netscape or another SSL-capable browser to open https://your.ip.here/. Do you see the welcome page?
  
To stop the server:
  
# /usr/local/apache/bin/apachectl stop
  
VI. Apache configuration
  
Now let's look at Apache's configuration files. Remember that changes to them do not take effect until the httpd daemon is restarted. Go to the /usr/local/apache/conf directory to examine them.
  
httpd.conf -
  
This is Apache's main configuration file. It sets the basic environment for starting the server, such as the startup mode, the port number and the maximum number of connections allowed. The comments in this file are very detailed, so it should be clear without further explanation.
  
access.conf -
  
This file sets the access modes and environment, but these can now be set in httpd.conf, so we recommend leaving it empty.
  
srm.conf -
  
This file is mainly responsible for resource settings. You can also leave it empty and set the related items in httpd.conf.
  
Restart the web server for the changes to take effect:
  
# /usr/local/apache/bin/apachectl restart
  
VII. Setting up Apache in the chroot environment
  
Now let's move what we have built into the chroot environment, including the Apache server and all required library files. As mentioned above, this part is optional; if you want to avoid the trouble you can skip it, but after the move your web server has more reliable protection.
  
Create the /chroot directory:
  
# mkdir /chroot
  
Create the required subdirectories:
  
# mkdir /chroot/dev
  
# mkdir /chroot/lib
  
# mkdir /chroot/etc
  
# mkdir /chroot/bin
  
# mkdir /chroot/usr
  
# mkdir /chroot/usr/local
  
Create /dev/null inside our chroot:
  
# mknod -m 666 /chroot/dev/null c 1 3
  
Copy Apache into the /chroot directory:
  
# cp -rp /usr/local/apache/ /chroot/usr/local
  
Copy the required binaries:
  
# cp /bin/sh /chroot/bin
  
Determine which libraries are required; this depends on which modules you built in:
  
# ldd /usr/local/apache/bin/httpd
  
Copy the required libraries into the chroot directory:
  
# cp /lib/libm.* /chroot/lib/
  
# cp /lib/libgdbm.* /chroot/lib
  
# cp /lib/libdb.* /chroot/lib
  
# cp /lib/libdl.* /chroot/lib
  
# cp /lib/libc.* /chroot/lib
  
Copy the libraries required for network connections:
  
# cp /lib/libnss* /chroot/lib
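The cp lines above hand-pick the libraries that ldd reported for one particular build. As an added example, not part of the original article, the following POSIX shell functions generalise that step: they parse ldd(1) output, skip the virtual vdso entry and "not found" lines, and copy every resolved library into the chroot at the same path it has on the host, which is where the dynamic loader inside the chroot will look for it. The chroot directory and the binaries are arguments you supply; the function names and the sample ldd lines in the test are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): populate a chroot with the
# shared libraries that a set of binaries needs, as reported by ldd(1).
#
# Usage: populate_chroot /chroot /usr/local/apache/bin/httpd /bin/sh

# parse_ldd : read ldd-style output on stdin and print one absolute library
# path per line. Handles "libc.so.6 => /lib/libc.so.6 (0x...)" entries and the
# bare loader line "/lib/ld-linux.so.2 (0x...)"; drops "linux-vdso.so.1 => (0x...)"
# (no file on disk) and any "=> not found" entry.
parse_ldd() {
    awk '
        /not found/ { next }
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# copy_libs CHROOT : read ldd output on stdin and copy each library into CHROOT,
# preserving its host path (/lib/libc.so.6 -> CHROOT/lib/libc.so.6).
# Missing files are reported on stderr rather than aborting the whole copy.
copy_libs() {
    chroot_dir=$1
    parse_ldd | while IFS= read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "copy_libs: $lib listed by ldd but not found on disk" >&2
            continue
        fi
        mkdir -p "$chroot_dir$(dirname "$lib")"
        cp -p "$lib" "$chroot_dir$lib"
    done
}

# populate_chroot CHROOT BINARY... : resolve the dependencies of each binary
# with ldd and copy them into CHROOT.
populate_chroot() {
    chroot_dir=$1
    shift
    for bin in "$@"; do
        ldd "$bin" | copy_libs "$chroot_dir"
    done
}
```

Because the copies keep their host paths (for example /lib/x86_64-linux-gnu/ on a multiarch system), the loader inside the chroot finds them without any ld.so configuration; rerun populate_chroot whenever you rebuild httpd with a different module set, since ldd's list changes with the modules linked in.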
