Setting up Secure HTTP (HTTPS) with Apache and Apache-SSL
By Ed, 8-1-99 updated 12-23-99
www.narced.com/linux

Apache comes pre-installed in practically every Linux distribution, but Apache-SSL (a.k.a. https) does not. I wrote this help file because the documentation on the net at the time of this writing is almost non-existent. There are no step-by-step directions anywhere! So, if you want to know how to set it up, read on... Also be sure to see my apache+mod_ssl help file.

-=[ Files Needed ]=-

First thing to do is DOWNLOAD. You will need the latest version of:

Apache - because you're going to have to recompile/reinstall it, even if you already have it. As of this writing, the latest version is 1.3.9, and you can get it from www.apache.org. The file will be called something like: apache_1.3.9.tar.gz

Apache-SSL - available at www.apache-ssl.org or one of its many mirrors. Get apache_1.3.9+ssl_1.37 (current as of this writing). The Apache-SSL release has to match the Apache release you downloaded: it is a set of patches against that exact source tree, not a stand-alone server.

OpenSSL - available at www.openssl.org (this also has many mirrors). This is what actually does the encryption, and it is free. It is based on SSLeay (www.ssleay.org) and will do 40-128 bit encryption. The latest version is 0.9.4 and the filename is: openssl-0.9.4.tar.gz. OpenSSL is what I used.

-=[ Installation ]=-

STEP 1: Installing OpenSSL

First thing to set up is OpenSSL (or its equivalent). It is fairly straightforward. Save openssl-0.9.4.tar.gz to a directory (like /stuff, or something) and then extract the archive. If you have GNU tar (I haven't come across any Linux that doesn't have it), simply type:

tar -xzvf openssl-0.9.4.tar.gz

This will create an openssl-0.9.4 directory inside your current directory. You can then type 'cd openssl-0.9.4' ('pwd' will show something like /stuff/openssl-0.9.4 once you're in the directory). I recommend you read through the README and INSTALL files, but if you're like me, you don't want to. You just want to install the thing and play with it.
Here are the commands that you can type, and it will probably work [while in the /stuff/openssl-0.9.4 directory]:

./config
make
make test
make install

Assuming no errors, that should do it: OpenSSL should be installed. ('make install' has to run as root, since by default it writes under /usr/local/ssl.)

STEP 2: Extracting Apache

Once you have downloaded and saved Apache, you next need to untar it. Type:

tar -xzvf apache_1.3.9.tar.gz

This will create an apache_1.3.9 directory inside of /stuff. Type 'cd apache_1.3.9' - now you should be in the /stuff/apache_1.3.9 directory (you can type 'pwd' to verify this). Since we're installing Apache-SSL and not simply installing/reinstalling Apache, there is an extra step:

STEP 3: Extracting Apache-SSL

Copy or move the apache_1.3.9+ssl_1.37 file into the directory that apache_1.3.9.tar.gz was untarred into (if you're following my directory examples, it would be: 'cp apache_1.3.9+ssl_1.37 /stuff/apache_1.3.9'). Now, untar the Apache-SSL file (it is a gzipped tar archive despite the name) by typing:

tar -xzvf apache_1.3.9+ssl_1.37

This will extract a few extra files/directories into the untarred Apache directory. Now, you just have to run a quick patch. There is a script included that worked great for me. Just type (from the /stuff/apache_1.3.9 directory):

./FixPatch

This tiny script patches a few files so that when Apache compiles, it will include the SSL stuff. Watch its output for rejected hunks: they almost always mean the Apache-SSL and Apache versions don't match, and the build that follows will not produce a working httpsd.

STEP 4: Compiling Apache

This part is fairly easy. Just run the following commands (again, from within the /stuff/apache_1.3.9 directory if you're following my example):

./configure --prefix=/some/directory
make
make install

Note the "--prefix=/some/directory" on the first line (lowercase; configure does not recognize --PREFIX). This just tells it where to install Apache. Distributions differ on the location: /var/www is common on some UNIX systems, while some Linux distributions use /var/lib/apache. TIP: Install it into a directory that includes the version number in the name. Something like /var/apache-1.3.9+SSL seems like a good idea; it also keeps the SSL build apart from whatever Apache your distribution already installed.
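The certificate step that comes next uses Apache-SSL's own 'make certificate' target, which produces a self-signed test certificate with whatever defaults the build picks. As an added example (this is not code from the original page or from Apache-SSL), here is the same httpsd.pem built directly with the openssl tool installed in STEP 1, so you choose the host name and key size, and the file holding the private key is never readable by anyone but its owner. The host name, the 2048-bit RSA key, the 365-day validity and the output directory are my assumptions, passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original page or from Apache-SSL): build the
# httpsd.pem file that Apache-SSL wants, using the openssl tool from STEP 1
# instead of 'make certificate'. The host name, 2048-bit RSA key, 365-day
# validity and output directory are assumptions passed in as arguments.
set -eu

# make_httpsd_pem HOSTNAME OUTDIR
# Writes OUTDIR/httpsd.pem = private key followed by a self-signed certificate,
# the single-file layout SSLCertificateFile expects when no separate
# SSLCertificateKeyFile is given. The file ends up owner-read/write only.
make_httpsd_pem() {
    host=$1
    outdir=$2
    mkdir -p "$outdir"
    old_umask=$(umask)
    umask 077                      # everything created below is owner-only

    # One RSA key plus a certificate signed with that same key (-x509).
    # -nodes leaves the key unencrypted so httpsd starts without a
    # passphrase prompt; the file permissions are what protect it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" \
        -keyout "$outdir/httpsd.key" \
        -out "$outdir/httpsd.crt" 2>/dev/null

    cat "$outdir/httpsd.key" "$outdir/httpsd.crt" > "$outdir/httpsd.pem"
    rm -f "$outdir/httpsd.key" "$outdir/httpsd.crt"
    chmod 600 "$outdir/httpsd.pem"
    umask "$old_umask"

    # The key and the certificate in the combined file must belong together;
    # compare the RSA modulus as seen from each side.
    key_mod=$(openssl rsa  -in "$outdir/httpsd.pem" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$outdir/httpsd.pem" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ]
}

# pem_subject FILE: the subject of the first certificate in FILE.
pem_subject() {
    openssl x509 -in "$1" -noout -subject
}

# pem_is_private FILE: true only if FILE is mode 600 (what httpsd.pem needs).
pem_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh mkcert.sh www.example.com /var/www/SSLconf/conf
if [ $# -eq 2 ]; then
    make_httpsd_pem "$1" "$2"
    pem_subject "$2/httpsd.pem"
fi
```

Run it as root so the resulting file is root-owned, then point SSLCertificateFile at it. Because the certificate is self-signed, browsers will still warn about it exactly as they do for the one from 'make certificate'; the difference is only that you control what is in it and how it is protected.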
Before you go on to the Configuration section, you may as well create your own certificate and copy it to the correct directory. Here's how:

cd src          ('pwd' will show /stuff/apache_1.3.9/src)
./Configure
make
make certificate

This will create an 'httpsd.pem' file in some subdirectory (probably something like /stuff/apache_1.3.9/SSLconf/conf/httpsd.pem -- one directory UP from the 'src' directory). That file holds both the private key and a self-signed certificate, so treat it like a password: make it owned by root with mode 600 ('chmod 600 httpsd.pem'). httpsd reads it as root at startup, before it switches to the User/Group from the config, so nothing else on the box needs to read it. Find it and copy it over to where you have Apache installed (like /var/www/SSLconf/conf/httpsd.pem). Remember where you put it - you'll have to refer to it later. Also keep in mind that 'make certificate' gives you a self-signed certificate: fine for testing, but browsers will warn about it until you replace it with one signed by a CA they trust.

-=[ Configuration ]=-

Here comes the hard part.

TIP: when something doesn't work and you get no error message, look at the error logs. These will be in some directory like /var/log, or maybe /var/www/logs. The files to look at are access_log, error_log, httpsd_access_log and httpsd_error_log.

The httpsd.conf file that comes with Apache/Apache-SSL is useless. There is a bunch of stuff you have to add into the httpsd.conf file, and I've put that below. Aside from the SSL stuff, the httpsd.conf file looks exactly like the httpd.conf file. If you have configured your own httpd.conf file to do anything special, you may just want to copy that over to httpsd.conf and edit that (type: 'cp httpd.conf httpsd.conf').

######### Add these lines to the httpsd.conf file
# standard port for SSL
Port 443
Listen 443
# Certificate stuff that had to be copied over
SSLCACertificatePath /var/www/SSLconf/conf
SSLCACertificateFile /var/www/SSLconf/conf/httpsd.pem
SSLCertificateFile /var/www/SSLconf/conf/httpsd.pem
SSLVerifyClient 0
SSLVerifyDepth 10
SSLFakeBasicAuth
SSLCacheServerPath /var/www/bin/gcache
SSLCacheServerPort /var/www/logs/gcache_port
SSLCacheServerRunDir /tmp
SSLSessionCacheTimeout 15
################# end

A few notes on those directives. SSLCertificateFile is the key-plus-certificate file from the previous step, which is why it must be unreadable to anyone but root. SSLCACertificateFile only points at the same file because the certificate is self-signed; once you have a CA-signed certificate, point it at the CA's certificate instead. SSLVerifyClient 0 means clients are never asked for a certificate, which is what you want for a public site. It also means SSLFakeBasicAuth (which turns a verified client certificate into a basic-auth user name) has nothing to act on, so you can leave that line out.

-=[ Running Apache ]=-

Now, you're ready to run the httpd and httpsd daemons. This part is fairly easy.
Get into Apache's bin directory (it was /var/www/bin on my system) and type:

./apachectl start       <-- starts httpd
./httpsdctl start       <-- starts httpsd

-- or --

./apachectl restart     <-- restarts httpd
./httpsdctl restart     <-- restarts httpsd

To see if it's running, type 'ps aux | grep http'. You should see a few instances of "httpd" and "httpsd" (one parent for each running as root, plus the children running as the User from the config). To test it, fire up Netscape and go to http://your.domain.or.ip.address and then https://your.domain.or.ip.address. The second time, Netscape will start talking about accepting new certificates. That means it's working! The warning appears because the certificate from 'make certificate' is self-signed, so the browser has no way to check who it belongs to. For a production site get a certificate signed by a CA the browsers already trust, rather than teaching your users to click through that warning.

-=[ Extras ]=-

Since Apache 1.3.3 (I think - maybe earlier), httpd/httpsd has restricted access to users' home directories that have no index.html file in them (meaning that if you try to go to http://server.com/~user, you will get a permission denied error). They've done this as a security precaution. To get that working again, add these lines to the httpd.conf/httpsd.conf file (they used to live in access.conf). They belong inside the <Directory> container for the users' public_html directories, i.e. the path the UserDir directive points at; that is the location the first comment is about:

# make sure this location is correct!
#Options Indexes Includes FollowSymLinks
# FollowSymLinks is left off the line below so web-surfers can't
# follow symlinks through your filesystem
Options Indexes Includes
AllowOverride None
order allow,deny
allow from all

Two cautions. 'Indexes' is what makes a directory without an index.html browsable, and it lists every file in it, so users should not leave anything in public_html they don't want published. 'Includes' turns on server-side includes with exec, which lets anyone with a public_html directory run commands as the web server user; unless you really need that, use IncludesNoExec instead. Leaving FollowSymLinks off is the right call; if users need symlinks within their own files, SymLinksIfOwnerMatch is the option to allow.
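The Configuration section and the Extras block above each carry settings that are easy to get subtly wrong: a key file the whole box can read, a directive that can never fire, or an Options line that hands users a shell. As an added example (not from the original page), here is a small lint that reads an httpsd.conf and reports those problems before you start httpsd; it also writes a constructed sample modeled on the directives on this page so it can be tried without a server. The directive names are the Apache-SSL 1.3x ones used here, the config path is the first argument, and the sample file and its placeholder httpsd.pem are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original page: a lint for the httpsd.conf
# settings in the Configuration section and the user-directory block in
# Extras. It prints each finding and returns how many there were (0 = clean).
# Assumptions (mine): Apache-SSL 1.3x directive names as written on this
# page; the config path is passed as the first argument.

# conf_value DIRECTIVE FILE: print the argument(s) of the first uncommented
# occurrence of DIRECTIVE. Apache directive names are case-insensitive.
conf_value() {
    awk -v key="$1" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$2"
}

# count_option WORD FILE: how many uncommented Options lines carry WORD as a
# whole word (so "Includes" does not match "IncludesNoExec").
count_option() {
    awk -v want="$(echo "$1" | tr 'A-Z' 'a-z')" '
        $0 !~ /^[ \t]*#/ && tolower($1) == "options" {
            for (i = 2; i <= NF; i++) if (tolower($i) == want) n++
        }
        END { print n + 0 }' "$2"
}

check_httpsd_conf() {
    conf=$1
    problems=0
    warn() { echo "WARN: $*"; problems=$((problems + 1)); }
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 99; }

    # 1. Browsers look for https on 443.
    [ "$(conf_value Listen "$conf")" = "443" ] || warn "Listen is not 443"

    # 2. SSLCertificateFile must exist, and because httpsd.pem holds the
    #    private key as well as the certificate, nobody but root should be
    #    able to read it (httpsd reads it before dropping privileges).
    pem=$(conf_value SSLCertificateFile "$conf")
    if [ -z "$pem" ]; then
        warn "no SSLCertificateFile directive"
    elif [ ! -f "$pem" ]; then
        warn "SSLCertificateFile $pem does not exist"
    elif [ "$(ls -l "$pem" | cut -c5-10)" != "------" ]; then
        warn "$pem is readable by group or others; chmod 600 it"
    fi

    # 3. SSLFakeBasicAuth maps a verified client certificate to a basic-auth
    #    user. With SSLVerifyClient 0 no client certificate is ever requested,
    #    so the directive can never take effect.
    if [ "$(conf_value SSLVerifyClient "$conf")" = "0" ] &&
       grep -qi '^[[:space:]]*SSLFakeBasicAuth' "$conf"; then
        warn "SSLFakeBasicAuth is set but SSLVerifyClient is 0"
    fi

    # 4. In user-writable directories, Includes lets an SSI page run commands
    #    as the server user (IncludesNoExec does not), and FollowSymLinks lets
    #    a symlink expose any file the server can read.
    [ "$(count_option Includes "$conf")" -eq 0 ] ||
        warn "Options Includes allows SSI exec; use IncludesNoExec"
    [ "$(count_option FollowSymLinks "$conf")" -eq 0 ] ||
        warn "Options FollowSymLinks follows symlinks anywhere; prefer SymLinksIfOwnerMatch"

    return "$problems"
}

# write_sample_conf DIR: constructed sample modeled on this page's directives,
# with an empty placeholder httpsd.pem that is deliberately world-readable.
write_sample_conf() {
    dir=$1
    : > "$dir/httpsd.pem"
    chmod 644 "$dir/httpsd.pem"
    cat > "$dir/httpsd.conf" <<EOF
Port 443
Listen 443
SSLCACertificatePath $dir
SSLCACertificateFile $dir/httpsd.pem
SSLCertificateFile $dir/httpsd.pem
SSLVerifyClient 0
SSLVerifyDepth 10
SSLFakeBasicAuth
#Options Indexes Includes FollowSymLinks
Options Indexes Includes
AllowOverride None
EOF
}

# Usage: sh lint.sh /var/www/conf/httpsd.conf   (exit status = findings)
if [ -n "${1:-}" ]; then
    check_httpsd_conf "$1"
fi
```

Run against the sample, the lint reports three findings (the readable key file, the idle SSLFakeBasicAuth, and Options Includes); fix them with 'chmod 600', deleting the SSLFakeBasicAuth line, and IncludesNoExec, and it returns 0. The exit status doubles as the count so it drops straight into a startup script: refuse to run httpsdctl unless the lint exits 0.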