O'Reilly Book
Excerpts: Apache: The Definitive Guide, 2nd Edition
Securing Your Apache Server
by Ben Laurie and Peter Laurie
An excerpt from Chapter 3, "Security," of
Apache: The Definitive Guide, 2nd Edition.
Enable Apache to communicate securely over Secure Sockets Layer (SSL). Covers building,
configuring, and securing an SSL-enabled Apache server under Unix.
Secure Sockets Layer: How to do it
The object of what follows is to make a version of Apache that handles
the HTTPS (HTTP over SSL) protocol. Currently this is only available in
Unix versions, and given the many concerns that exist over the security
of Win32, there seems little point in trying to implement SSL in the
Win32 version of Apache.
The first step is to get hold of the appropriate version of Apache; see
Chapter 1, Getting Started, and the Apache-SSL home page for
current information. Download the source code and expand the files in
some suitable directory. An src subdirectory will appear. So
far, so good.
The next, and easiest step of all, is to decide whether you are in the
United States and Canada or the rest of the world. Then follow these
guidelines:
- In the United States and Canada: You have two choices. You can get a
commercial SSL-enabled web server, or you can do what the rest of the
world does (see below), noting only that you need to get a license to
use RSA's patents if you want to make money out of your SSL-enabled
Apache.
- In the rest of the world: If your deliberations lead you to believe
that you live in the rest of the world, proceed as described in the
following sections.
Get SSLeay
The first thing to do is to get SSLeay. SSLeay is a freely available
library, written by the Australian Eric Young, which does pretty much
everything cryptological that the most secretive heart could desire. We
went to
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/ (which seems to
belong to the psychology department of the University of Queensland,
Australia, and why should we quibble?), downloaded
SSLeay-0_9_0b_tar.gz since it looked the freshest, and put it
into /usr/local/etc/SSL. We uncompressed it with:
% gzip -d SSLeay-0_9_0b_tar.gz
% tar xvf SSLeay-0_9_0b_tar
producing a surprising amount of stuff in a subdirectory
SSLeay-0.9.0b. Go there. First, read INSTALL, which describes
a configuration process not unlike that for Apache, but somewhat
rougher. Things will go more smoothly if you have already liberated Perl
and it is in /usr/local/bin. The script will put SSL in
/usr/local/bin; if you don't like this, you can change its home.
You are told to run ./Configure <system type> but, slightly
alarmingly, INSTALL doesn't tell you what the possible system types are.
However, we remember that if anything goes wrong, we can just go back to
the top directory, run tar again to start over, and boldly type:
% ./Configure
A list of systems appears, among which is FreeBSD and, we hope, yours.
We ran ./Configure again:
% ./Configure FreeBSD
This sets up a number of system variables and reports them to the
screen. As long as there is not an obvious error, we don't really care
what it says. INSTALL then tells us to tidy up the place, make SSL, make
the test certificate, and test the result by using these four commands:
% make clean
% make
% make rehash
% make test
Again, a lot of prattle outputs to the screen that is probably really
interesting if you are Eric Young, and less fascinating otherwise. The
output ends with a printout of your signed certificate,
newcert.pem.
And then we perform the final step recommended in INSTALL:
% make install
It turned out that ssleay hadn't been installed in
/usr/local/bin as promised, but was in
/usr/local/ssl/bin. This may have been fixed by the time you do
all this, but if not, add the new directory to your path. Just how you
do this depends on the shell you are running, so we won't confuse you
with advice that may be inappropriate. See your administrator in case of
difficulty.
Get the Apache-SSL Patch
It is important that, if you have already built Apache, you delete
the whole directory with:
% rm -R <apache directory>
To answer a FAQ:
No, Apache-SSL cannot be a pure module; the Apache API is not powerful
enough to permit that.
Reexpand the original Apache .tar file to create a complete
directory (see the section Making Apache Under Unix, in Chapter
1) and download the Apache-SSL patch file from Oxford University:
ftp://ftp.ox.ac.uk/pub/crypto/SSL/ or one of the mirror
sites. It is important that the file you download is as new as you can
get and matches the Apache version you have just expanded. The reason
you should reexpand Apache is that Apache-SSL has to patch the source of
Apache, so it must be "as-new." *
In our case we got apache_1_3_1+ssl_1_22_tar.gz, copied it into
the .../apache/apache_1.3.1 subdirectory (not the .../src
subdirectory, as in the previous edition), and expanded it with:
% gzip -d apache_1_3_1+ssl_1_22_tar.gz
% tar xvf apache_1_3_1+ssl_1_22_tar
You find a number of *.SSL files. The immediately interesting
one is README.SSL, written by one of the authors of this book
(BL), which you should, of course, read.
Make the Patch
The next step is to do as instructed in README.SSL:
% ./FixPatch
Note: Some operating systems (notably Solaris) come with an exceedingly
out-of-date version of patch, which doesn't work properly with
Apache-SSL's patch files. The current version of patch at the time of
writing is 2.5.
You will be asked if you want the patch applied, to which you reply y. A
good deal of chat ensues on the screen, but as long as it does not stop
with an error, all is well.*
patch is a Unix utility. If you get the message:
Looks like a new style context diff
File to patch:
and not much else, you may have an out-of-date version of patch. You can
get the version number by typing:
% patch --version
If you have a version earlier than 2.1, you need to upgrade. If you have
2.5 and you still have problems, you may find that applying the patch by
hand, with the leading path component stripped:
% patch -p1 < SSLpatch
will work.
A useful site, which has FAQs about Apache-SSL, is
http://www.apache-ssl.org.
Rebuild Apache
You then have to rebuild Apache. Since you have replaced all the files,
including the original Configuration, you may want to copy the version
you saved in the top directory (see Configuration Settings and
Rules, in Chapter 1) back down. Check that this line in this file
has been correctly altered:
SSL_BASE=<current location of SSL>
This should be the directory where SSLeay has unpacked itself -- in our
case /usr/local/etc/SSL/SSLeay-0.9.0b.
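Two things go wrong most often at this point: the patch in your path is too old for Apache-SSL's patch files (the "Looks like a new style context diff" symptom described above), and SSL_BASE in Configuration points somewhere the build cannot find the SSLeay headers and libraries. The script below is an added example, written for this page rather than taken from the book, Apache-SSL or SSLeay, that checks both before you run ./Configure. It assumes (the book does not say so) that a usable patch prints its version on the first line of `patch --version` output, as "patch 2.5" or "GNU patch 2.7.6", and that SSL_BASE should contain include/ssl.h together with libssl.a and libcrypto.a either at the top level (an SSLeay source tree after `make`) or under lib/ (an installed tree, as after `make install` into /usr/local/ssl). The version comparison is done component by component so that 2.10 is correctly newer than 2.9.

```shell
#!/bin/sh
# preflight.sh: sanity checks before ./FixPatch and ./Configure.
# Added example, not from the book or from the Apache-SSL/SSLeay sources.
# Assumptions (not stated by the book): `patch --version` puts the version on
# its first line; SSL_BASE holds include/ssl.h plus libssl.a and libcrypto.a
# at the top (SSLeay source tree after `make`) or under lib/ (installed tree).

# Print the first dotted version number found on the first line of a banner,
# so "patch 2.5" -> 2.5 and "GNU patch 2.7.6" -> 2.7.6; prints nothing if none.
patch_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing numeric components in turn;
# missing components count as 0, so 2.1 equals 2.1.0 and 2.10 beats 2.9.
version_ge() {
    vg_a=$1 vg_b=$2
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        case $vg_a in *.*) vg_ai=${vg_a%%.*}; vg_a=${vg_a#*.} ;; *) vg_ai=$vg_a; vg_a='' ;; esac
        case $vg_b in *.*) vg_bi=${vg_b%%.*}; vg_b=${vg_b#*.} ;; *) vg_bi=$vg_b; vg_b='' ;; esac
        [ "${vg_ai:-0}" -gt "${vg_bi:-0}" ] && return 0
        [ "${vg_ai:-0}" -lt "${vg_bi:-0}" ] && return 1
    done
    return 0
}

# Check that the patch found in PATH is at least 2.1, the minimum the book
# names for Apache-SSL's patch files.
check_patch() {
    if ! command -v patch >/dev/null 2>&1; then
        echo "patch: not found in PATH" >&2
        return 1
    fi
    cp_banner=$(patch --version 2>&1 | sed 1q)
    cp_ver=$(patch_version_from_banner "$cp_banner")
    if [ -z "$cp_ver" ]; then
        echo "patch: cannot read a version from '$cp_banner'; treat it as too old" >&2
        return 1
    fi
    if version_ge "$cp_ver" 2.1; then
        echo "patch $cp_ver: ok"
    else
        echo "patch $cp_ver: older than 2.1, upgrade before running ./FixPatch" >&2
        return 1
    fi
}

# Check that the directory you are about to put in SSL_BASE has the SSLeay
# header and the two static libraries the Apache-SSL link step needs.
check_ssl_base() {
    csb_base=$1
    if [ ! -d "$csb_base" ]; then
        echo "SSL_BASE=$csb_base: not a directory" >&2
        return 1
    fi
    if [ ! -f "$csb_base/include/ssl.h" ]; then
        echo "SSL_BASE=$csb_base: include/ssl.h missing (did make finish?)" >&2
        return 1
    fi
    for csb_lib in libssl.a libcrypto.a; do
        if [ ! -f "$csb_base/$csb_lib" ] && [ ! -f "$csb_base/lib/$csb_lib" ]; then
            echo "SSL_BASE=$csb_base: $csb_lib not at top level or under lib/" >&2
            return 1
        fi
    done
    echo "SSL_BASE=$csb_base: ok"
}

# Run both checks; exit status is non-zero if either fails.
run_preflight() {
    rp_rc=0
    check_patch || rp_rc=1
    check_ssl_base "$1" || rp_rc=1
    return $rp_rc
}

# Usage: sh preflight.sh /usr/local/etc/SSL/SSLeay-0.9.0b
if [ $# -eq 1 ]; then
    run_preflight "$1"
fi
```

Run it with the directory you intend to write into SSL_BASE; if it complains about the libraries, either `make` in the SSLeay tree did not finish or you are pointing at the wrong tree (the installed one under /usr/local/ssl and the source tree are both acceptable, but not the parent directory you unpacked into).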
Run ./Configure to remake the Makefile, and then
make to compile the code. The end result, if all has gone well,
is an executable: httpsd. Copy it into /usr/local/bin
next to httpd.