Web Server Management: Securing Access to Web Servers
Chapter 4. Configuring Apache to support TLS
We can convert the basic configuration into one that supports an HTTPS site. We do this by listening on port 443 in place of port 80, loading the ssl_module, and amending the virtual host definition.
User wwwrun
Group www

# Load the modules needed for this file
LoadModule mime_module /usr/lib/apache2/mod_mime.so
LoadModule dir_module /usr/lib/apache2/mod_dir.so
LoadModule setenvif_module /usr/lib/apache2/mod_setenvif.so
LoadModule log_config_module /usr/lib/apache2/mod_log_config.so

Options None

# Set up MIME content type recognition
TypesConfig /etc/mime.types

# Enable default documents for directory queries
DirectoryIndex index.html

# Setup Logging
LogFormat "%h %l %u %t \"%r\" %>s %b" clf

# Listen on port 443 (default https)
Listen 443

# Include the SSL module
LoadModule ssl_module /usr/lib/apache2-prefork/mod_ssl.so

<VirtualHost *:443>
    ServerName www.dept.cam.ac.uk
    DocumentRoot /srv/www/WWW-SECURE
    CustomLog /var/log/apache2/www.log clf

    # Minimal SSL configuration
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl.crt/WWW.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/WWW.key
</VirtualHost>
We will need to install this new configuration file, and to ensure that the certificate and key files are in place.
However, as things stand there will be a problem: Apache will be unable to read the key, since doing so requires the pass phrase. Apache can prompt for the pass phrase if it needs it, but this assumes a human operator will always be available when Apache starts up, which can be inconvenient, for example after a power failure. There are various solutions to this problem (see the SSLPassPhraseDialog directive), but they all involve storing a copy of the pass phrase somewhere. An alternative is to make a single copy of the key without its protecting pass phrase directly in the server's configuration directory. Under Unix this file only needs to be readable by root, because Apache reads the key at startup while it is still running as root, before switching to the User and Group given in the configuration, and this may represent sufficient protection for many applications. To do this we use openssl's rsa sub-command again.
# cp WWW.crt /etc/apache2/ssl.crt/
# (umask 077; openssl rsa -in WWW.key -out /etc/apache2/ssl.key/WWW.key)
Enter pass phrase for WWW.key:password
After a further restart, we can now access the new secure site.
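As an added check that is not part of the course's own material, the following Python audits the key files an Apache configuration names (the configuration text, key contents and paths it is fed are constructed inputs): it reports any key still protected by a pass phrase, any key readable by group or other, and any key not owned by the expected uid, and it shows how to write the stripped copy with the owner-only mode that umask 077 produces.

```python
import os
import re
import stat

# Added example, not the course's own code: once the pass phrase is stripped
# from WWW.key, the filesystem is the only protection, so audit mode and owner
# of every key the configuration points at.

KEY_DIRECTIVE = re.compile(r'^\s*SSLCertificateKeyFile\s+(\S+)', re.MULTILINE)

def key_paths(config_text):
    """Every path named by an SSLCertificateKeyFile directive."""
    return KEY_DIRECTIVE.findall(config_text)

def is_encrypted_pem(pem_text):
    """True if the PEM key still carries a pass phrase."""
    return ('Proc-Type: 4,ENCRYPTED' in pem_text
            or 'BEGIN ENCRYPTED PRIVATE KEY' in pem_text)

def install_key_copy(pem_text, dest):
    """Write a key copy readable by its owner only (what umask 077 achieves)."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(pem_text)
    os.chmod(dest, 0o600)  # the file may have pre-existed with a wider mode

def audit_key(path, owner_uid=0):
    """Return findings for one key file; an empty list means it is acceptable."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    with open(path) as f:
        encrypted = is_encrypted_pem(f.read())
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        kind = 'pass-phrase protected key' if encrypted else 'UNENCRYPTED key'
        findings.append('%s has mode %04o: group/other access' % (kind, mode))
    if st.st_uid != owner_uid:
        findings.append('owner uid %d is not uid %d' % (st.st_uid, owner_uid))
    if encrypted:
        findings.append('key still needs a pass phrase: Apache will prompt at startup')
    return findings

def audit_config(config_text, owner_uid=0):
    """Map each configured key path to its findings."""
    return {p: audit_key(p, owner_uid) for p in key_paths(config_text)}
```

Run it as root against the live configuration with owner_uid left at 0; the default matches the "readable only by root" arrangement described above.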