208.2. Apache configuration for HTTPS

Weight: 3

Description: Candidates should be able to configure a web server to provide HTTPS.
Key Knowledge Areas:
    SSL configuration files, tools and utilities
    Generate a server private key and CSR for a commercial CA
    Generate a self-signed Certificate
    Install the key and certificate, including intermediate CAs
    Configure Virtual Hosting using SNI
    Awareness of the issues with Virtual Hosting and use of SSL
    Security issues in SSL use, disable insecure protocols and ciphers
Terms and Utilities:
    Apache2 configuration files
    /etc/ssl/, /etc/pki/
    openssl, CA.pl
    SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
    SSLCACertificateFile, SSLCACertificatePath
    SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable
This lesson is mostly theory. First let's review some concepts, and then we will see how to secure an Apache web server using them.

Encryption and Decryption

Plaintext can be anything: a message, a file, a document. It is encrypted using an encryption key to produce ciphertext. After transfer the ciphertext is decrypted using the decryption key to recover the original plaintext. The simplest form of encryption, where the same key is used for encryption and decryption, is known as symmetric encryption. Its security is tied to the secrecy of that one key: if someone gets access to the key, the whole effort is useless.
Asymmetric (public-key) encryption instead uses a pair of keys, a public key and a private key. Data encrypted with either key can be decrypted only with the other.
Usually one of the keys is made public and the other is held private. The private key is typically stored in a file, itself encrypted with a passphrase that must be supplied whenever the private key is to be used.

Hashes

A hash is a one-way transformation:
    Variable-length input, fixed-length output.
    It is not possible to "reverse engineer" the hash back to the original message.
    Any change to the input, even a single bit, produces a completely different hash.

Digital Signatures

Combining public and private keys with hashes creates digital signatures: the sender hashes the document and signs the hash with the private key; the recipient recomputes the hash and checks it against the signature using the sender's public key. A valid signature gives us high confidence that the file we received really came from the person we think it came from, and has not been modified, either by accident or maliciously, since it was signed.
One thing to notice about all of this is that we are assuming the public key we obtained really is the public key of the person who created the document whose signature we are checking. Binding a public key to an identity is exactly the problem that certificates solve.
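The hash-and-sign workflow just described, carried out with the openssl tool, as an added example that is not code from the original page. The key pair, the document text and the file names are constructed for the demo; the point is the last line, where the signature made over the genuine file fails to verify against a copy in which one value was altered.

```shell
#!/bin/sh
# Added example, not code from the original page: the hash-and-sign workflow
# described above, done with the openssl tool. Key pair, document text and
# file names are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Key pair: the private key stays with the signer, the public key is published.
openssl genrsa -out "$WORK/signer.key" 2048 2>/dev/null
openssl rsa -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub" 2>/dev/null

# 2. The document to protect (constructed sample input).
printf 'Invoice 42: pay 100 EUR to account 1234\n' > "$WORK/doc.txt"

# SHA-256 digest of a file: fixed-length fingerprint of variable-length input.
digest_of() { openssl dgst -sha256 "$1" | sed 's/^.*= //'; }

# 3. Sign: openssl hashes the file with SHA-256 and signs the digest with the
#    private key (RSA PKCS#1 v1.5); only the digest is signed, not the file.
sign_file() { openssl dgst -sha256 -sign "$WORK/signer.key" -out "$2" "$1"; }

# 4. Verify: recompute the digest and check it against the signature with the
#    public key. Returns 0 on "Verified OK", non-zero otherwise.
verify_file() {
  openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" >/dev/null 2>&1
}

sign_file "$WORK/doc.txt" "$WORK/doc.sig"
verify_file "$WORK/doc.txt" "$WORK/doc.sig" && GENUINE=yes || GENUINE=no

# Tamper with one field: the digest changes, so the old signature no longer matches.
sed 's/100 EUR/900 EUR/' "$WORK/doc.txt" > "$WORK/doc-tampered.txt"
verify_file "$WORK/doc-tampered.txt" "$WORK/doc.sig" && TAMPERED=yes || TAMPERED=no

echo "digest(original) = $(digest_of "$WORK/doc.txt")"
echo "digest(tampered) = $(digest_of "$WORK/doc-tampered.txt")"
echo "original verifies: $GENUINE; tampered verifies: $TAMPERED"
```

Note that verification only proves the file matches the key in signer.pub; whether that key really belongs to the sender is the question the next sections answer with certificates.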

The Secure Socket Layer (SSL)

Digital signatures are used in the Secure Sockets Layer (and its successor, TLS), a layer in the protocol stack that sits above the transport layer. During the handshake it verifies the server's identity and negotiates a symmetric session key that is then used to encrypt all traffic between the browser and the server. Public-key operations are far too slow for bulk traffic, so the asymmetric keys are used only to authenticate the server and to establish the session key.
Without SSL, the browser and the server communicate through the regular TCP/IP protocol stack and that communication is not encrypted (the insecure path). With SSL, the layer sits above the transport layer at both the client and the server end; the handshake is performed when the SSL connection is made, verifies the server identity and negotiates the session key, which gives us a secure path between the browser and the server.
SSL relies on the use of digital certificates. A digital certificate is a collection of information identifying a site, signed by some trusted third-party certification authority. A digital certificate contains:
    The identity of the issuer, a Certification Authority (CA)
    The site's domain name and public key
    The expiry date (validity period)
    The signature of the CA

So a web site needs to obtain a digital certificate in order to be able to offer a secure service.

How does SSL work with Apache?

In the Linux world all of this functionality is provided by a couple of packages.

OpenSSL

OpenSSL is an open-source toolkit containing command-line tools and libraries that support a wide range of cryptographic operations related to SSL/TLS.
The openssl command can be used for:
    Creation and management of public and private keys
    Creation of X.509 certificates and certificate requests
    Calculation of message digests (hashes)
    Encryption and decryption

The mod_ssl Module

The mod_ssl module provides SSL/TLS support for Apache. The package includes:
    The module itself (mod_ssl.so)
    A config file added to /etc/httpd/conf.d (ssl.conf)

Apache Directives for SSL

The mod_ssl module supports several SSL-specific directives:

    SSLCertificateFile      The file containing the site's digital certificate
    SSLCertificateKeyFile   The file containing the site's private key
    SSLCipherSuite          The ciphers (encryption algorithms) the server will accept; the browser may only negotiate one of these
    SSLEngine (on/off)      Enable or disable SSL (usually within a VirtualHost)
    SSLRequire              Access control based on server variables, time of day, ... (deprecated in Apache 2.4 in favour of Require expr)
OK, enough theory. Let's demonstrate how to serve our web site over an SSL/TLS connection. We could generate a private key, create a certificate signing request (.csr) from it and send the CSR to a real CA to sign (which can't be demonstrated here), or, as we will do, create a self-signed certificate and configure Apache to use it.
We use CentOS in this example because on Ubuntu most of this setup is already done by the packages. Let's quickly install Apache and set up example.com:
    ###Lets install and start apache service
    Complete!
    [root@localhost ~]# systemctl start httpd
    [root@localhost ~]# lsof -i | grep httpd
    httpd 3078 root 4u IPv6 36013 0t0 TCP *:http (LISTEN)
    httpd 3082 apache 4u IPv6 36013 0t0 TCP *:http (LISTEN)
    httpd 3083 apache 4u IPv6 36013 0t0 TCP *:http (LISTEN)
    httpd 3084 apache 4u IPv6 36013 0t0 TCP *:http (LISTEN)
    httpd 3085 apache 4u IPv6 36013 0t0 TCP *:http (LISTEN)
    httpd 3086 apache 4u IPv6 36013 0t0 TCP *:http (LISTEN)

    ###lets make index.html for example.com
    [root@localhost ~]# cd /var/www/html
    [root@localhost html]# vim index.html
    [root@localhost html]# cat index.html
    <!DOCTYPE html>
    <html>
    <body>

    <h1>This is example.com</h1>

    </body>
    </html>

    ### cheating DNS by configuring hosts file
    [root@localhost html]# cat /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.10.132 example.com
    [root@localhost html]# ping example.com -c 2
    PING example.com (192.168.10.132) 56(84) bytes of data.
    64 bytes from example.com (192.168.10.132): icmp_seq=1 ttl=64 time=0.043 ms
    64 bytes from example.com (192.168.10.132): icmp_seq=2 ttl=64 time=0.094 ms

    --- example.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.043/0.068/0.094/0.026 ms

    ### Lets correct the server name in httpd.conf file
    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
    [root@localhost ~]# cat /etc/httpd/conf/httpd.conf | grep -i servername
    # ServerName gives the name and port that the server uses to identify itself.
    ServerName www.example.com:80

    ### check it on port 80:
    [root@localhost conf]# elinks http://example.com

    This is example.com
Now let's generate a self-signed certificate:
    [root@localhost ~]# mkdir /etc/httpd/ssl
    [root@localhost ~]# openssl req -x509 -nodes -days 365 \
    > -newkey rsa:2048 -keyout /etc/httpd/ssl/example.key \
    > -out /etc/httpd/ssl/example.crt
    Generating a 2048 bit RSA private key
    ........+++
    ......................+++
    writing new private key to '/etc/httpd/ssl/example.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:us
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:NY
    Organization Name (eg, company) [Default Company Ltd]:The example company
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:example.com
    Email Address []:nowhere@example.com
The -nodes option ("no DES") means the private key is written unencrypted, so httpd can start without prompting for a passphrase; -days 365 sets the validity period; -newkey rsa:2048 generates a new 2048-bit RSA key, RSA being the asymmetric algorithm used here; and -x509 tells req to output a self-signed certificate instead of a certificate request (drop -x509 and write to example.csr instead to produce a CSR for a commercial CA). Note that the prompts only fill in the subject DN: Chrome and other modern browsers ignore the CN and require a subjectAltName extension, so a certificate made this way will still show a name-mismatch error even if you import it as trusted. The certificate and the key should now exist:
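The same generation done non-interactively and with a subjectAltName, as an added example that is not code from the original page. It produces a CSR (what you would send to a commercial CA) and a self-signed certificate (for testing) from one private key, and then runs the checks a practitioner makes before pointing Apache at the files. The temporary directory stands in for /etc/httpd/ssl; the host names and the subject DN are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: key, CSR and self-signed
# certificate generated non-interactively with a subjectAltName. The temp
# directory stands in for /etc/httpd/ssl; host names and DN are assumptions.
set -eu

SSLDIR="$(mktemp -d)"
trap 'rm -rf "$SSLDIR"' EXIT
HOST=example.com

# Request configuration: subject DN plus the SAN extension. req_extensions
# puts the SAN into the CSR, x509_extensions into the self-signed certificate.
cat > "$SSLDIR/req.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_req
[dn]
C  = US
L  = NY
O  = The example company
CN = $HOST
[v3_req]
subjectAltName   = DNS:$HOST, DNS:www.$HOST
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF

# 1. Private key, created under umask 077 so the file is mode 0600 from the start.
(umask 077 && openssl genrsa -out "$SSLDIR/$HOST.key" 2048 2>/dev/null)

# 2. CSR for a commercial CA: the public key and DN, signed with the private key.
openssl req -new -key "$SSLDIR/$HOST.key" -config "$SSLDIR/req.cnf" -out "$SSLDIR/$HOST.csr"

# 3. Self-signed certificate from the same key, for testing only.
openssl req -new -x509 -days 365 -key "$SSLDIR/$HOST.key" -config "$SSLDIR/req.cnf" \
  -out "$SSLDIR/$HOST.crt"

# Checks worth running before pointing SSLCertificateFile/SSLCertificateKeyFile at the files.
key_mode()     { stat -c %a "$SSLDIR/$HOST.key" 2>/dev/null || stat -f %Lp "$SSLDIR/$HOST.key"; }
csr_verifies() { openssl req -in "$SSLDIR/$HOST.csr" -noout -verify >/dev/null 2>&1; }
key_matches()  { # the public key in the certificate must be the one derived from the private key
  [ "$(openssl x509 -in "$SSLDIR/$HOST.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$SSLDIR/$HOST.key" -pubout)" ]
}
cert_sans()    { openssl x509 -in "$SSLDIR/$HOST.crt" -noout -text |
                 grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '; }

echo "key mode: $(key_mode)"
echo "CSR subject: $(openssl req -in "$SSLDIR/$HOST.csr" -noout -subject)"
echo "cert SAN: $(cert_sans)"
```

When the commercial CA returns the signed certificate, key_matches is the check to repeat against that file: a certificate whose public key does not match SSLCertificateKeyFile makes httpd refuse to start.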
    [root@localhost ~]# cd /etc/httpd/ssl/
    [root@localhost ssl]# ls -l
    total 8
    -rw-r--r--. 1 root root 1350 May 15 04:04 example.crt
    -rw-r--r--. 1 root root 1704 May 15 04:04 example.key
    [root@localhost ssl]# openssl x509 -in example.crt -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                d1:83:ae:d3:2e:d5:d3:f8
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=us, L=NY, O=The example company, CN=example.com/emailAddress=nowhere@example.com
            Validity
                Not Before: May 15 08:04:14 2018 GMT
                Not After : May 15 08:04:14 2019 GMT
            Subject: C=us, L=NY, O=The example company, CN=example.com/emailAddress=nowhere@example.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:a4:eb:94:5d:68:f1:1e:29:3e:00:72:63:61:8d:
                        77:d8:dd:7b:2b:4c:03:0a:3e:d1:a7:9b:aa:c2:d8:
                        20:82:64:dd:81:20:72:f6:29:4b:df:b2:f6:37:40:
                        82:42:fe:3d:3b:b9:06:3e:14:95:56:12:28:88:4f:
                        23:d7:1e:c0:22:54:1c:46:73:dd:e8:36:f5:8a:9e:
                        32:f6:7b:24:6b:ea:7e:77:03:c4:94:b2:0f:07:23:
                        00:7a:c8:d5:48:f7:e0:9a:4a:fc:05:41:00:e2:fd:
                        46:fa:09:0d:ec:e5:57:79:9f:be:73:5f:41:c4:da:
                        16:ef:f8:11:e8:e8:05:e0:e0:21:d2:16:e5:db:54:
                        56:60:c8:86:37:84:4f:56:3b:3d:6c:96:cd:2f:c2:
                        e3:23:18:d8:0b:3e:da:8e:7c:1a:ad:14:4f:1d:1e:
                        e7:f2:15:7d:2a:72:fe:e4:ec:15:d2:6a:ff:c4:60:
                        60:0f:49:04:98:4d:23:41:19:a0:7d:db:3c:d2:17:
                        7a:fb:4e:83:0f:cd:87:99:2f:4b:c4:bb:6c:c9:09:
                        e5:74:3e:c1:0f:96:a8:e2:13:14:2e:29:21:04:3a:
                        2a:d0:10:9d:5e:a1:30:b1:2e:25:83:17:48:7d:e9:
                        1e:ef:be:87:13:87:16:a5:c9:29:18:3d:ca:ce:e5:
                        44:91
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    83:C6:F7:3A:4D:5F:96:F8:72:C9:66:14:D0:86:6A:AD:9F:9B:8A:1F
                X509v3 Authority Key Identifier:
                    keyid:83:C6:F7:3A:4D:5F:96:F8:72:C9:66:14:D0:86:6A:AD:9F:9B:8A:1F

                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             9e:dd:87:b9:d9:23:ea:23:f8:18:8c:9a:2d:97:d6:17:0a:04:
             c3:2b:84:0b:86:65:c0:24:37:f7:47:80:a0:69:e7:bc:a2:3e:
             5e:64:4b:0b:03:96:9c:0a:6b:c6:22:49:be:4a:a0:25:e9:b5:
             57:f8:17:8b:2d:c8:1d:99:54:1c:34:67:60:a7:26:45:a2:42:
             a6:77:7c:d9:e2:95:d0:8d:9d:ff:28:c6:9e:e7:28:a7:0f:8b:
             78:df:bb:69:ae:9e:aa:72:68:87:01:83:f0:79:f4:46:d7:5f:
             87:7c:e4:29:91:e0:36:c8:60:f4:a3:6a:ef:22:de:25:42:64:
             75:00:3b:ce:5e:16:68:80:eb:2f:ea:c8:31:6a:ae:9f:43:a6:
             ad:83:dc:6c:88:73:e4:65:05:8d:98:e1:a3:e9:25:8d:4a:ac:
             e7:07:0b:15:62:7f:84:ae:92:e1:16:ed:c4:21:ff:05:6b:ca:
             95:3a:2f:9f:44:43:c0:08:98:3a:c3:20:7f:45:8a:dc:80:6b:
             2a:41:9a:3c:f8:c8:e5:20:84:59:0e:a4:6b:79:4a:b1:77:1b:
             e1:7f:c6:03:26:8f:d9:ff:42:ce:11:a5:1a:86:76:d0:8d:88:
             1f:12:3d:95:ec:60:e1:06:6d:ed:e4:9e:5f:26:9e:b0:49:01:
             53:e0:e3:dc
    -----BEGIN CERTIFICATE-----
    MIIDtzCCAp+gAwIBAgIJANGDrtMu1dP4MA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
    BAYTAnVzMQswCQYDVQQHDAJOWTEcMBoGA1UECgwTVGhlIGV4YW1wbGUgY29tcGFu
    eTEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE25vd2hlcmVA
    ZXhhbXBsZS5jb20wHhcNMTgwNTE1MDgwNDE0WhcNMTkwNTE1MDgwNDE0WjByMQsw
    CQYDVQQGEwJ1czELMAkGA1UEBwwCTlkxHDAaBgNVBAoME1RoZSBleGFtcGxlIGNv
    bXBhbnkxFDASBgNVBAMMC2V4YW1wbGUuY29tMSIwIAYJKoZIhvcNAQkBFhNub3do
    ZXJlQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
    pOuUXWjxHik+AHJjYY132N17K0wDCj7Rp5uqwtgggmTdgSBy9ilL37L2N0CCQv49
    O7kGPhSVVhIoiE8j1x7AIlQcRnPd6Db1ip4y9nska+p+dwPElLIPByMAesjVSPfg
    mkr8BUEA4v1G+gkN7OVXeZ++c19BxNoW7/gR6OgF4OAh0hbl21RWYMiGN4RPVjs9
    bJbNL8LjIxjYCz7ajnwarRRPHR7n8hV9KnL+5OwV0mr/xGBgD0kEmE0jQRmgfds8
    0hd6+06DD82HmS9LxLtsyQnldD7BD5ao4hMULikhBDoq0BCdXqEwsS4lgxdIfeke
    776HE4cWpckpGD3KzuVEkQIDAQABo1AwTjAdBgNVHQ4EFgQUg8b3Ok1flvhyyWYU
    0IZqrZ+bih8wHwYDVR0jBBgwFoAUg8b3Ok1flvhyyWYU0IZqrZ+bih8wDAYDVR0T
    BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAnt2Hudkj6iP4GIyaLZfWFwoEwyuE
    C4ZlwCQ390eAoGnnvKI+XmRLCwOWnAprxiJJvkqgJem1V/gXiy3IHZlUHDRnYKcm
    RaJCpnd82eKV0I2d/yjGnucopw+LeN+7aa6eqnJohwGD8Hn0Rtdfh3zkKZHgNshg
    9KNq7yLeJUJkdQA7zl4WaIDrL+rIMWqun0OmrYPcbIhz5GUFjZjho+kljUqs5wcL
    FWJ/hK6S4RbtxCH/BWvKlTovn0RDwAiYOsMgf0WK3IBrKkGaPPjI5SCEWQ6ka3lK
    sXcb4X/GAyaP2f9CzhGlGoZ20I2IHxI9lexg4QZt7eSeXyaesEkBU+Dj3A==
    -----END CERTIFICATE-----
Two things to notice in that listing before moving on. First, the key file was created world-readable (-rw-r--r--); anyone who can read it can impersonate the site, so tighten it with chmod 600 /etc/httpd/ssl/example.key. Second, because no extensions were configured, the certificate carries CA:TRUE and no subjectAltName; for a quick lab it does not matter, but it is not what a server certificate should look like. Now we install the Apache module mod_ssl:
    [root@localhost ssl]# yum install mod_ssl
    ......
    ....
    ..
    Installed:
    mod_ssl.x86_64 1:2.4.6-80.el7.centos

    Complete!

    [root@localhost ssl]# rpm -ql mod_ssl
    /etc/httpd/conf.d/ssl.conf
    /etc/httpd/conf.modules.d/00-ssl.conf
    /usr/lib64/httpd/modules/mod_ssl.so
    /usr/libexec/httpd-ssl-pass-dialog
    /var/cache/httpd/ssl
Now let's look at the main mod_ssl configuration file:
    [root@localhost ssl]# cd /etc/httpd/conf.d/
    [root@localhost conf.d]# cat ssl.conf
    #
    # When we also provide SSL we have to listen to the
    # the HTTPS port in addition.
    #
    Listen 443 https

    ##
    ## SSL Global Context
    ##
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    ##

    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program (`builtin' is a internal
    # terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    SSLSessionCache shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout 300

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the
    # SSL library. The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random 512
    #SSLRandomSeed connect file:/dev/random 512
    #SSLRandomSeed connect file:/dev/urandom 512

    #
    # Use "SSLCryptoDevice" to enable any supported hardware
    # accelerators. Use "openssl engine -v" to list supported
    # engine names. NOTE: If you enable an accelerator and the
    # server does not start, consult the error logs and ensure
    # your accelerator is functioning properly.
    #
    SSLCryptoDevice builtin
    #SSLCryptoDevice ubsec

    ##
    ## SSL Virtual Host Context
    ##

    <VirtualHost _default_:443>

    # General setup for the virtual host, inherited from global configuration
    #DocumentRoot "/var/www/html"
    #ServerName www.example.com:443

    # Use separate log files for the SSL virtual host; note that LogLevel
    # is not inherited from httpd.conf.
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Protocol support:
    # List the enable protocol levels with which clients will be able to
    # connect. Disable SSLv2 access by default:
    SSLProtocol all -SSLv2 -SSLv3

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

    # Speed-optimized SSL Cipher configuration:
    # If speed is your main concern (on busy HTTPS servers e.g.),
    # you might want to force clients to specific, performance
    # optimized ciphers. In this case, prepend those ciphers
    # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
    # Caveat: by giving precedence to RC4-SHA and AES128-SHA
    # (as in the example below), most connections will no longer
    # have perfect forward secrecy - if the server's key is
    # compromised, captures of past or future traffic must be
    # considered compromised, too.
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
    #SSLHonorCipherOrder on

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convinience.
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

    # Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # huge file containing all of them (file must be PEM encoded)
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # Access Control:
    # With SSLRequire you can do per-directory access control based
    # on arbitrary complex boolean expressions containing server
    # variable checks and other lookup directives. The syntax is a
    # mixture between C and Perl. See the mod_ssl documentation
    # for more details.
    #<Location />
    #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
    # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    # Translate the client X.509 into a Basic Authorisation. This means that
    # the standard Auth/DBMAuth methods can be used for access control. The
    # user name is the `one line' version of the client's X.509 certificate.
    # Note that no password is obtained from the user. Every entry in the user
    # file needs this password: `xxj31ZMTZzkVA'.
    # o ExportCertData:
    # This exports two additional environment variables: SSL_CLIENT_CERT and
    # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    # server (always existing) and the client (only existing when client
    # authentication is used). This can be used to import the certificates
    # into CGI scripts.
    # o StdEnvVars:
    # This exports the standard SSL/TLS related `SSL_*' environment variables.
    # Per default this exportation is switched off for performance reasons,
    # because the extraction step is an expensive operation and is usually
    # useless for serving static content. So one usually enables the
    # exportation for CGI and SSI requests only.
    # o StrictRequire:
    # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    # under a "Satisfy any" situation, i.e. when it applies access is denied
    # and no other module can change it.
    # o OptRenegotiate:
    # This enables optimized SSL connection renegotiation handling when SSL
    # directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    # This forces an unclean shutdown when the connection is closed, i.e. no
    # SSL close notify alert is send or allowed to received. This violates
    # the SSL/TLS standard but is needed for some brain-dead browsers. Use
    # this when you receive I/O errors because of the standard approach where
    # mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    # This forces an accurate shutdown when the connection is closed, i.e. a
    # SSL close notify alert is send and mod_ssl waits for the close notify
    # alert of the client. This is 100% SSL/TLS standard compliant, but in
    # practice often causes hanging connections with brain-dead browsers. Use
    # this only for browsers where you know that their SSL implementation
    # works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to workaround
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    </VirtualHost>
In the SSL Virtual Host Context section we uncomment DocumentRoot and ServerName for our site. (The NameVirtualHost directive added here is an Apache 2.2 leftover: in 2.4 name-based virtual hosting is automatic and httpd only warns that the directive has no effect, so it can be left out.)
    ##
    ## SSL Virtual Host Context
    ##

    NameVirtualHost *:443

    <VirtualHost _default_:443>

    # General setup for the virtual host, inherited from global configuration
    DocumentRoot "/var/www/html"
    ServerName www.example.com:443
Now let's tell Apache where the certificate and key files are. If a commercial CA issued the certificate, also install the intermediate CA certificate(s) it sent along: with Apache 2.4.8 or later append them to the file named by SSLCertificateFile (SSLCertificateChainFile is deprecated there); on older versions point SSLCertificateChainFile at them. Without the intermediates, clients that do not already have them cannot build the chain and reject the site.
    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/httpd/ssl/example.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/httpd/ssl/example.key
Now everything seems fine. Let's check the configuration for syntax errors (httpd -t, or apachectl configtest, is the dedicated check; httpd -V as used here also parses the configuration and reports the same errors before printing the build information):
    [root@localhost ~]# httpd -V
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/ssl.conf:56
    AH00526: Syntax error on line 96 of /etc/httpd/conf.d/ssl.conf:
    Invalid command 'i', perhaps misspelled or defined by a module not included in the server configuration
Oops, we got an error: a stray "i" was left on line 96 of ssl.conf while editing in vim. Let's fix it and restart the service:
    [root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
    [root@localhost ~]# httpd -V
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/ssl.conf:56
    Server version: Apache/2.4.6 (CentOS)
    Server built: Apr 20 2018 18:10:38
    Server's Module Magic Number: 20120211:24
    Server loaded: APR 1.4.8, APR-UTIL 1.5.2
    Compiled using: APR 1.4.8, APR-UTIL 1.5.2
    Architecture: 64-bit
    Server MPM: prefork
    threaded: no
    forked: yes (variable process count)
    Server compiled with....
    -D APR_HAS_SENDFILE
    -D APR_HAS_MMAP
    -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
    -D APR_USE_SYSVSEM_SERIALIZE
    -D APR_USE_PTHREAD_SERIALIZE
    -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
    -D APR_HAS_OTHER_CHILD
    -D AP_HAVE_RELIABLE_PIPED_LOGS
    -D DYNAMIC_MODULE_LIMIT=256
    -D HTTPD_ROOT="/etc/httpd"
    -D SUEXEC_BIN="/usr/sbin/suexec"
    -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
    -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
    -D DEFAULT_ERRORLOG="logs/error_log"
    -D AP_TYPES_CONFIG_FILE="conf/mime.types"
    -D SERVER_CONFIG_FILE="conf/httpd.conf"

    [root@localhost ~]# systemctl restart httpd
    [root@localhost ~]# systemctl status httpd
    ● httpd.service - The Apache HTTP Server
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
    Active: active (running) since Tue 2018-05-15 04:53:21 EDT; 12s ago
    Docs: man:httpd(8)
    man:apachectl(8)
    Process: 39126 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
    Main PID: 39136 (httpd)
    Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
    CGroup: /system.slice/httpd.service
    ├─39136 /usr/sbin/httpd -DFOREGROUND
    ├─39137 /usr/sbin/httpd -DFOREGROUND
    ├─39138 /usr/sbin/httpd -DFOREGROUND
    ├─39139 /usr/sbin/httpd -DFOREGROUND
    ├─39140 /usr/sbin/httpd -DFOREGROUND
    └─39141 /usr/sbin/httpd -DFOREGROUND

    May 15 04:53:21 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
    May 15 04:53:21 localhost.localdomain httpd[39136]: AH00548: NameVirtualHost has no...6
    May 15 04:53:21 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
    Hint: Some lines were ellipsized, use -l to show in full.
Finally, check the web site over HTTPS:
    [root@localhost ~]# elinks https://example.com
There is a warning about the certificate's validity, and that is expected because we used a self-signed certificate: no CA the client trusts vouches for it, so the client cannot tell our server from an impostor presenting its own self-signed certificate. Until the certificate is either issued by a trusted CA or explicitly trusted by the client, the connection is encrypted but not authenticated.
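The stock ssl.conf we left in place still has two weak spots the syllabus asks you to recognise: SSLProtocol all -SSLv2 -SSLv3 keeps TLS 1.0 and 1.1 enabled, and the SSLCipherSuite line explicitly adds 3DES. The following audit script, an added example that is not code from the original page, reads the TLS-related directives out of an Apache config file and prints one finding per line; the weak.conf fragment repeats the values shown above and hardened.conf is the kind of setting a practitioner would deploy instead (its cipher list follows the Mozilla "intermediate" profile). The directive names are the real mod_ssl and core ones; the file names and the audit rules are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: audit the TLS-related
# directives of an Apache config for the weak settings this lesson warns about.
# weak.conf and hardened.conf are constructed here; directive names are real.
set -eu

# Value of the last occurrence of directive $2 in file $1 (empty if unset).
directive() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 |
    sed 's/^[[:space:]]*[A-Za-z]*[[:space:]]*//'
}
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

audit_ssl_conf() {   # usage: audit_ssl_conf FILE ; returns the number of findings
  conf="$1"; findings=0
  note() { echo "  - $1"; findings=$((findings + 1)); }

  # SSLProtocol: "all -SSLv2 -SSLv3" still negotiates TLS 1.0 and 1.1
  # (deprecated by RFC 8996); only TLS 1.2 and 1.3 should remain.
  proto="$(directive "$conf" SSLProtocol)"
  all=0; d10=0; d11=0; d3=0
  for t in $proto; do
    case "$t" in
      all|+all)  all=1 ;;
      -TLSv1)    d10=1 ;;
      -TLSv1.1)  d11=1 ;;
      -SSLv3)    d3=1 ;;
      TLSv1|+TLSv1|TLSv1.1|+TLSv1.1|SSLv3|+SSLv3|SSLv2|+SSLv2)
                 note "SSLProtocol explicitly enables $t" ;;
    esac
  done
  [ -n "$proto" ] || note "SSLProtocol unset (defaults to all)"
  if [ "$all" = 1 ] && [ $((d10 * d11 * d3)) = 0 ]; then
    note "SSLProtocol '$proto' leaves SSLv3 and/or TLSv1.0/1.1 enabled"
  fi

  # SSLCipherSuite: a token not negated with "!" that names a broken primitive
  # (RC4, 3DES/SWEET32, MD5, export or NULL ciphers) is a finding, and a
  # keyword group such as HIGH must be paired with !aNULL or the server
  # would accept unauthenticated (anonymous DH) suites.
  ciphers="$(directive "$conf" SSLCipherSuite)"
  anull_excluded=0; uses_group=0
  for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
    case "$c" in
      '!aNULL') anull_excluded=1 ;;
      '!'*) ;;
      ALL|DEFAULT|HIGH) uses_group=1 ;;
      *RC4*|*3DES*|*DES-CBC3*|*MD5*|*EXP*|*NULL*|DES|LOW|MEDIUM)
        note "SSLCipherSuite allows weak token '$c'" ;;
    esac
  done
  if [ "$uses_group" = 1 ] && [ "$anull_excluded" = 0 ]; then
    note "SSLCipherSuite uses a cipher group without !aNULL"
  fi

  # Server-side preference and information-leak directives from the syllabus.
  [ "$(lower "$(directive "$conf" SSLHonorCipherOrder)")" = on ] ||
    note "SSLHonorCipherOrder is not on (the client picks the cipher)"
  [ "$(lower "$(directive "$conf" ServerTokens)")" = prod ] ||
    note "ServerTokens is not Prod (Server header reveals versions)"
  [ "$(lower "$(directive "$conf" ServerSignature)")" = off ] ||
    note "ServerSignature is not Off (error pages reveal versions)"
  [ "$(lower "$(directive "$conf" TraceEnable)")" = off ] ||
    note "TraceEnable is not Off (TRACE method is answered)"
  return $findings
}

WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/weak.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
EOF
cat > "$WORK/hardened.conf" <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
ServerTokens Prod
ServerSignature Off
TraceEnable Off
EOF

for f in weak hardened; do
  echo "$f.conf:"
  audit_ssl_conf "$WORK/$f.conf" && echo "  no findings" || echo "  $? finding(s)"
done
```

Run it against /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf/httpd.conf on a real host; ServerTokens, ServerSignature and TraceEnable are server-wide directives that normally live in httpd.conf, so audit both files.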

Issues with Virtual Hosting and use of SSL

Using name-based virtual hosts with SSL adds another layer of complication. Without the SNI extension, it's not generally possible

What is The Problem ?

The problem with using named virtual hosts over SSL is that named virtual hosts rely on knowing what hostname is being requested, and the request can't be read until the SSL connection is established. The ordinary behavior, then, is that the SSL connection is set up using the configuration in the default virtual host for the address where the connection was received.
While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.
And while it's possible to put multiple hostnames in a modern certificate and just use that one certificate in the default vhost, there are many hosting providers who are hosting far too many sites on a single address for that to be practical for them.

Server Name Indication (SNI)

The solution is an extension to the SSL protocol called Server Name Indication (RFC 4366), which allows the client to include the requested hostname in the first message of its SSL handshake (connection setup). This allows the server to determine the correct named virtual host for the request and set the connection up accordingly from the start.
With SNI, we can have many virtual hosts sharing the same IP address and port, and each one can have its own unique certificate (and the rest of the configuration).
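The behaviour described in the last two sections, shown end to end as an added example that is not code from the original page: two "virtual hosts" with their own self-signed certificates on one address and port, served by openssl s_server standing in for Apache (its -servername/-cert2 options switch certificates on the SNI value exactly as a name-based vhost does), and a client connecting with and without SNI. Host names, the port and the temporary files are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original page: two name-based "virtual
# hosts" on one address:port with separate self-signed certificates, served by
# openssl s_server in place of Apache; a client shows which certificate is
# presented with and without SNI. Host names, port and files are assumptions.
set -eu

WORK="$(mktemp -d)"
PORT=4433
SRV_PID=
cleanup() { [ -n "$SRV_PID" ] && kill "$SRV_PID" 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# One key and self-signed certificate per virtual host (CN = host name).
for h in shop.example.com blog.example.com; do
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=$h" \
    -keyout "$WORK/$h.key" -out "$WORK/$h.crt" 2>/dev/null
done

# Server: shop's certificate is the default; blog's pair is used only when the
# ClientHello carries SNI = blog.example.com, exactly like a name-based vhost.
openssl s_server -accept "$PORT" -www \
  -cert "$WORK/shop.example.com.crt" -key "$WORK/shop.example.com.key" \
  -servername blog.example.com \
  -cert2 "$WORK/blog.example.com.crt" -key2 "$WORK/blog.example.com.key" \
  >/dev/null 2>&1 &
SRV_PID=$!

# Wait until the port answers (up to ~10 s).
i=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 || [ "$i" -ge 10 ]; do
  i=$((i + 1)); sleep 1
done

# CN of the certificate the server presents for the given SNI name; with an
# empty argument no SNI is sent (s_client never sends SNI for an IP address).
presented_cn() {
  if [ -n "${1:-}" ]; then set -- -servername "$1"; else set --; fi
  openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null |
    openssl x509 -noout -subject | sed 's/^subject=.*CN *= *//'
}

echo "SNI blog.example.com -> $(presented_cn blog.example.com)"
echo "SNI shop.example.com -> $(presented_cn shop.example.com)"
echo "no SNI               -> $(presented_cn '')"
```

The third line is the pre-SNI problem from the previous section: a client that sends no server name gets the default host's certificate whatever site it wanted, and a browser would then complain that the name does not match. The same check against a real Apache host is openssl s_client -connect host:443 -servername name, repeated for each name the server is supposed to serve.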
That seems enough for the LPIC-2 exam.