Apache 2 Compile and Quick Install
==================================================
compile:
./configure --prefix=/home/apache2
--enable-threads
--enable-auth
--enable-auth-anon
--enable-auth-dbm
--enable-auth-digest
--enable-case-filter
--enable-case-filter-in
--enable-usertrack
--enable-unique-id
--enable-ssl
--enable-static-support
--enable-dav
--enable-suexec
--enable-cgi
--enable-dav-fs
--enable-vhost-alias
--enable-rewrite=shared?
--enable-speling=shared?
--enable-so
./configure --prefix=/home/apache2 --enable-threads --enable-auth \
    --enable-auth-anon --enable-auth-dbm --enable-auth-digest \
    --enable-case-filter --enable-case-filter-in --enable-usertrack \
    --enable-unique-id --enable-ssl --enable-static-support --enable-dav \
    --enable-suexec --enable-cgi --enable-dav-fs --enable-vhost-alias \
    --enable-speling --enable-rewrite --enable-so
make
make install
make sure /etc/passwd has the correct path for the apache user.
==================================================
general config:
StartServers...
Listen 443
User apache
Group apache
ServerAdmin admin@localhost
UseCanonicalName off
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
CustomLog logs/access_log combined
ServerTokens Prod
ServerSignature Off
IndexOptions FancyIndexing VersionSort NameWidth=*
ReadmeName README.html
or
ReadmeName readme.txt
HeaderName HEADER.html
turn off gzip decompression???
==================================================
mod_ssl config:
SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
SSLCACertificateFile /path/to/ca.crt
SSLEngine on
SSLOptions +FakeBasicAuth
SSLRandomSeed startup file:/dev/urandom 1024
SSLVerifyClient none
SSLVerifyDepth 1
SSLRequireSSL (Directory statement or .htaccess file)
Make sure there is a "Listen" and a "<VirtualHost>" directive for
multi-server setups.
CGI: add "SSLOptions +StdEnvVars" if you get "SSL_ does not exist" errors.
---
potential bug fixes:
SSLSessionCache shm (after you have rebuilt Apache with MM)
==================================================
key making:
Create an RSA private key for your Apache server (it will be Triple-DES
encrypted and PEM formatted):
$ openssl genrsa -des3 -out server.key 1024
Back up this server.key file in a secure location and remember the
pass-phrase you had to enter. You can see the details of this RSA private
key via the command:
$ openssl rsa -noout -text -in server.key
And you could create a decrypted PEM version (not recommended) of this RSA
private key via:
$ openssl rsa -in server.key -out server.key.unsecure
Create a Certificate Signing Request (CSR) with the server RSA private key
(output will be PEM formatted):
$ openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server
when OpenSSL prompts you for the "CommonName", i.e. when you generate a
CSR for a website which will be later accessed via https://www.foo.dom/,
enter "www.foo.dom" here. You can see the details of this CSR via the
command:
$ openssl req -noout -text -in server.csr
You can use your own CA, in which case you have to sign the CSR with that
CA yourself. Read the next answer in this FAQ on how to sign a CSR with
your own CA. You can see the details of the received Certificate via the
command:
$ openssl x509 -noout -text -in server.crt
Now you have two files: server.key and server.crt. These can now be used
as follows inside your Apache httpd.conf file:
SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
The server.csr file is no longer needed.
How can I create and use my own Certificate Authority (CA)?
The short answer is to use the CA.sh or CA.pl script provided by OpenSSL.
The long and manual answer is this:
Create an RSA private key for your CA (it will be Triple-DES encrypted and
PEM formatted):
$ openssl genrsa -des3 -out ca.key 1024
Back up this ca.key file in a secure location and remember the pass-phrase
you entered. You can see the details of this RSA private key via the
command:
$ openssl rsa -noout -text -in ca.key
And you can create a decrypted PEM version (not recommended) of this
private key via:
$ openssl rsa -in ca.key -out ca.key.unsecure
Create a self-signed CA Certificate (X509 structure) with the RSA key of
the CA (output will be PEM formatted):
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You can see the details of this Certificate via the command:
$ openssl x509 -noout -text -in ca.crt
Prepare a script for signing. This is needed because the "openssl ca"
command has some strange requirements and the default OpenSSL config
doesn't easily allow one to use "openssl ca" directly. A script named
sign.sh is therefore distributed with the mod_ssl distribution (subdir
pkg.contrib/). Use this script for signing.
Now you can use this CA to sign server CSRs in order to create real SSL
Certificates for use inside an Apache webserver (assuming you already have
a server.csr at hand):
$ ./sign.sh server.csr
This signs the server CSR and results in a server.crt file.
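The key-making and CA-signing steps above carried through end to end, as an added example that is not from the original notes or the mod_ssl FAQ: it replaces sign.sh with a plain "openssl x509 -req" signing step and finishes with the checks worth running before httpd.conf references the files. Pass-phrases are supplied with -passout/-passin (constructed placeholder values) so nothing prompts; the 2048-bit key size is an assumption, the notes use 1024.

```shell
#!/bin/sh
# Added example: CA and server key, CSR, CA-signed cert, then checks. Not
# from the original notes; signing uses plain openssl instead of sign.sh.
# Pass-phrases are constructed placeholders passed non-interactively;
# the 2048-bit key size is an assumption (the notes use 1024).
set -eu

CA_PASS="${CA_PASS:-ca-passphrase-example}"        # constructed value
SRV_PASS="${SRV_PASS:-server-passphrase-example}"  # constructed value

# Self-signed CA: Triple-DES encrypted key and a 365-day X.509 cert.
make_ca() {  # $1 = output dir
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$1/ca.key" 2048
    openssl req -new -x509 -days 365 -key "$1/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example CA" -out "$1/ca.crt"
}

# Server key and CSR; the CommonName must be the FQDN clients will use.
make_server_csr() {  # $1 = output dir, $2 = FQDN
    openssl genrsa -des3 -passout "pass:$SRV_PASS" -out "$1/server.key" 2048
    openssl req -new -key "$1/server.key" -passin "pass:$SRV_PASS" \
        -subj "/CN=$2" -out "$1/server.csr"
}

# Sign the CSR with the CA, as sign.sh does; -CAcreateserial writes ca.srl.
sign_csr() {  # $1 = dir
    openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -passin "pass:$CA_PASS" \
        -out "$1/server.crt"
    chmod 400 "$1/server.key" "$1/ca.key"
}

# Checks before pointing httpd.conf at the files: the cert chains to the CA,
# the CN is the expected FQDN, and the key is still encrypted (no stray
# server.key.unsecure in use). Returns 0 only when all three hold.
verify_chain() {  # $1 = dir, $2 = expected FQDN
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null &&
    openssl x509 -noout -subject -in "$1/server.crt" | grep -q "CN *= *$2" &&
    grep -q ENCRYPTED "$1/server.key"
}

main() {
    dir=$(mktemp -d)
    make_ca "$dir" >/dev/null 2>&1
    make_server_csr "$dir" www.foo.dom >/dev/null 2>&1
    sign_csr "$dir" >/dev/null 2>&1
    verify_chain "$dir" www.foo.dom && echo "server.crt OK, files in $dir"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with "--run" to produce the files in a temporary directory; the resulting server.crt and server.key are what SSLCertificateFile and SSLCertificateKeyFile point at.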
-----
How can I change the pass-phrase on my private key file?
You simply have to read it with the old pass-phrase and write it again,
specifying the new pass-phrase. You can accomplish this with the following
commands:
$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key
Here you're asked two times for a PEM pass-phrase. At the first prompt
enter the old pass-phrase and at the second prompt enter the new
pass-phrase.
-----
How can I get rid of the pass-phrase dialog at Apache startup time?
This dialog pops up at startup and at every restart because the RSA
private key inside your server.key file is stored in encrypted form for
security reasons. The pass-phrase is needed to read and parse this file.
When you are sure that your server is secure enough, perform these two
steps:
1. Remove the encryption from the RSA private key (while preserving the
original file):
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
2. Make sure the server.key file is now only readable by root:
$ chmod 400 server.key
Now server.key will contain an unencrypted copy of the key. If you point
your server at this file it will not prompt you for a pass-phrase.
HOWEVER, if anyone gets this key they will be able to impersonate you on
the net. PLEASE make sure that the permissions on that file are really
such that only root or the web server user can read it (preferably get
your web server to start as root but run as another user, and have the
key readable only by root).
As an alternative approach you can use the "SSLPassPhraseDialog
exec:/path/to/program" facility. But keep in mind that this is neither
more nor less secure, of course.
==================================================