6.3 OpenSSL and Apache (Cont.) - Page 5
June 28, 2002
6.3.5 Configure and test
If you let make install create an httpd.conf file, open it and restore your
changes to the original for mod_perl and CGI. mod_ssl also will add a new port
number section such as:
<IfDefine SSL>
    Listen 80
    Listen 443
</IfDefine>
The Listen directive tells Apache to open additional ports for requests. Port 443 is
the standard port for HTTPS (secure HTTP), just as port 80 is the standard for regular
HTTP traffic. If your server is listening on some other port for HTTPS, you'll need
to specify the port number as part of the URL.
There should also be a new section in the virtual host configuration that looks
something like this:
<VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/usr/local/apache/htdocs"
    ServerName secure.example.site
    ServerAdmin theo@example.site
    ErrorLog /usr/local/apache/logs/error_log
    TransferLog /usr/local/apache/logs/access_log
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
</VirtualHost>
Apache's VirtualHost sections create a sort of server within a server; the parameters
to the directive tell Apache when incoming requests are intended for the virtual
host. This is typically done by IP address, but can be managed by host name or by
port number as shown here. mod_ssl uses a virtual host section to contain directives
that apply only to secure HTTP.
A virtual host can have its own document root and log files, and directives placed
in this section will apply only to requests for that host. Thus in this case requests that
are sent to port 443 will share the usual log files with those sent to port 80, but any
error messages will identify the server as secure.example.site. Most importantly, the
directive SSLEngine turns on SSL communications for port 443.
You can use this section to configure rules that apply only to secure requests.
This is a good way to set up applications that require SSL, or to direct users to different
applications depending on how they connect. Later we'll use this trick to
have one URL display two different pages depending on whether the user makes a
secure connection.
After checking and changing your configuration, you are ready to restart Apache.
First bring it up in nonsecure mode:
/usr/local/apache/bin/apachectl start
You should be able to browse the default Apache splash page with your browser. If you
have reconfigured your mod_perl and CGI scripts they should work as they did before.
Now shut down Apache and restart it with SSL enabled:
/usr/local/apache/bin/apachectl startssl
If you encrypted your temporary certificate during the installation, apachectl will
prompt you for your pass phrase when you start the server. That's great for security
but not practical for a server that needs to be started from a script at boot time. To
decrypt your certificate, use the openssl utility that was built as part of OpenSSL:
cd /usr/local/apache/conf/ssl.key
cp server.key server.key.crypt
/usr/local/openssl-0.9.5a/apps/openssl rsa -in server.key.crypt -out server.key
Apache will now start without asking for the pass phrase. Make sure that
server.key is owned by root and that only root can read it.
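An added example (not from the book) that wraps the decryption step above in a POSIX shell script and then checks what the text asks for: that server.key is no longer pass-phrase protected and that nobody but its owner can read it. The paths and the openssl location are the ones from the text; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: decrypt the mod_ssl server key as the
# text describes, then verify the outcome. Paths follow the text; the
# function names are assumptions.
# 0 if the PEM file still carries a pass phrase (OpenSSL marks it ENCRYPTED).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
key_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# 0 only when the group and other bits are clear (e.g. 600 or 400).
key_is_private() {
    case "$(key_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# The decryption step from the text, with umask set first so the clear-text
# key is never world-readable, then ownership and mode fixed as the text asks.
decrypt_server_key() {
    dir=/usr/local/apache/conf/ssl.key
    umask 077
    cp "$dir/server.key" "$dir/server.key.crypt" || return 1
    /usr/local/openssl-0.9.5a/apps/openssl rsa \
        -in "$dir/server.key.crypt" -out "$dir/server.key" || return 1
    chown root "$dir/server.key" && chmod 600 "$dir/server.key"
}

# Report the state of a key file; 0 only if it is in the clear and private.
check_server_key() {
    if key_is_encrypted "$1"; then
        echo "$1: still encrypted; apachectl will prompt for the pass phrase"
        return 1
    fi
    if ! key_is_private "$1"; then
        echo "$1: mode $(key_mode "$1") lets other users read the key"
        return 1
    fi
    echo "$1: decrypted, mode $(key_mode "$1")"
}
```

Run check_server_key /usr/local/apache/conf/ssl.key/server.key after decryption (and again from a boot-time script) to catch a key that was left encrypted or made group- or world-readable.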
When Apache starts correctly with SSL enabled you have a secure server. Tell your
browser to open https://www.example.site/ to see the default page. Note that URLs
beginning with https are directed to port 443 automatically; if you have Apache listening
on a different port, you'll need to include the port number in the URL.
The rest of your applications should work fine. Your code can check the HTTPS
environment variable to determine if it is running in a secure session:
if ($ENV{'HTTPS'}) {
    print 'SSL session';
}
else {
    print 'Not secure';
}
But we're getting ahead of ourselves. We want a secure channel so we can handle sensitive
information, which nearly always means we want to handle user data (as
defined in the last chapter). We'll start by identifying the users.
Web Development with Apache and Perl