O'Reilly Book Excerpts: Apache: The Definitive Guide, 2nd Edition
Securing Your Apache Server
An excerpt from Chapter 3, "Security," of Apache: The Definitive Guide, 2nd Edition. Enable Apache to communicate securely over Secure Sockets Layer (SSL). Covers building, configuring, and securing an SSL-enabled Apache server under Unix.
Secure Sockets Layer: How to do it
The object of what follows is to make a version of Apache that handles the HTTPS (HTTP over SSL) protocol. Currently this is only available in Unix versions, and given the many concerns that exist over the security of Win32, there seems little point in trying to implement SSL in the Win32 version of Apache.
The first step is to get hold of the appropriate version of Apache; see Chapter 1, Getting Started, and the Apache-SSL home page for current information. Download the source code and expand the files in some suitable directory. A src subdirectory will appear. So far, so good.
The next, and easiest step of all, is to decide whether you are in the United States and Canada or the rest of the world. Then follow these guidelines:
- In the United States and Canada
- You have two choices. You can get a commercial SSL-enabled web server, or you can do what the rest of the world does (see below), noting only that you need to get a license to use RSA's patents if you want to make money out of your SSL-enabled Apache.
- In the rest of the world
- If your deliberations lead you to believe that you live in the rest of the world, proceed as described in the following sections.
The first thing to do is to get SSLeay. SSLeay is a freely available library, written by the Australian Eric Young, which does pretty much everything cryptological that the most secretive heart could desire. We went to ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/ (which seems to belong to the psychology department of the University of Queensland, Australia, and why should we quibble?), downloaded SSLeay-0_9_0b_tar.gz since it looked the freshest, and put it into /usr/local/etc/SSL. We uncompressed it with:
% gzip -d SSLeay-0_9_0b_tar.gz
% tar xvf SSLeay-0_9_0b_tar
producing a surprising amount of stuff in a subdirectory SSLeay-0.9.0b. Go there. First, read INSTALL, which describes a configuration process not unlike that for Apache, but somewhat rougher. Things will go more smoothly if you have already liberated Perl and it is in /usr/local/bin. The script will put SSL in /usr/local/bin; if you don't like this, you can change its home. You are told to run ./Configure <system type> but, slightly alarmingly, INSTALL doesn't tell you what the possible system types are. However, we remember that if anything goes wrong, we can just go back to the top directory, run tar again to start over, and boldly type:
% ./Configure
A list of systems appears, among which is FreeBSD and, we hope, yours. We ran ./Configure again:
% ./Configure FreeBSD
This sets up a number of system variables and reports them to the screen. As long as there is not an obvious error, we don't really care what it says. INSTALL then tells us to tidy up the place, make SSL, make the test certificate, and test the result by using these four commands:
% make clean
% make
% make rehash
% make test
Again, a lot of prattle outputs to the screen that is probably really interesting if you are Eric Young, and less fascinating otherwise. The output ends with a printout of your signed certificate, newcert.pem.
And then we perform the final step recommended in INSTALL:
% make install
It turned out that ssleay hadn't been installed in /usr/local/bin as promised, but was in /usr/local/ssl/bin. This may have been fixed by the time you do all this, but if not, add the new directory to your path. Just how you do this depends on the shell you are running, so we won't confuse you with advice that may be inappropriate. See your administrator in case of difficulty.
Get the Apache-SSL Patch
It is important that if you have already made Apache you should delete the whole directory with:
% rm -R <apache directory>
Reexpand the original Apache .tar file to create a complete directory (see the section Making Apache Under Unix, in Chapter 1) and download the Apache-SSL patch file from Oxford University: ftp://ftp.ox.ac.uk/pub/crypto/SSL/ or one of the mirror sites. It is important that the file you download is as new as you can get and matches the Apache version you have just expanded. The reason you should reexpand Apache is that Apache-SSL has to patch the source of Apache, so it must be "as-new." In our case we got apache_1_3_1+ssl_1_22_tar.gz, copied it into the .../apache/apache_1.3.1 subdirectory (not the .../src subdirectory, as in the previous edition), and expanded it with:
% gzip -d apache_1_3_1+ssl_1_22_tar.gz
% tar xvf apache_1_3_1+ssl_1_22_tar
You find a number of *.SSL files. The immediately interesting one is README.SSL, written by one of the authors of this book (BL), which you should, of course, read.
Make the Patch
The next step is to do as instructed in README.SSL.
Note: Some operating systems (notably Solaris) come with an exceedingly out-of-date version of patch, which doesn't work properly with Apache-SSL's patch files. The current version of patch at the time of writing is 2.5.
You will be asked if you want the patch applied, to which you reply y. A good deal of chat ensues on the screen, but as long as it does not stop with an error, all is well.
patch is a Unix utility. If you get the message:
Looks like a new style context diff
File to patch:
and not much else, you may have an out-of-date version of patch. You can get the version number by typing:
% patch --version
If you have a version earlier than 2.1, you need to upgrade. If you have 2.5 and you still have problems, try applying the patch directly:
% patch -p1 < SSLpatch
A useful site, which has FAQs about Apache-SSL, is http://www.apache-ssl.org.
You then have to rebuild Apache. Since you have replaced all the files, including the original Configuration, you may want to copy the version you saved in the top directory (see Configuration Settings and Rules, in Chapter 1) back down. Check that this line in this file has been correctly altered:
SSL_BASE=<current location of SSL>
This should be the directory where SSLeay has unpacked itself -- in our case /usr/local/etc/SSL/SSLeay-0.9.0b.
Run ./Configure to remake the Makefile, and then make to compile the code. The end result, if all has gone well, is an executable: httpsd. Copy it into /usr/local/bin next to httpd.
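The whole procedure above, from unpacking SSLeay to installing httpsd, collected into one POSIX shell script, with the two checks a cautious builder wants before and during it: that patch is new enough (2.1 or later, the floor the text gives), and that the SSL_BASE= line in Configuration has really been edited to an existing directory rather than left holding the <current location of SSL> placeholder. This is an added example, not code from the book or from the Apache-SSL project. Tarball names, directories and the FreeBSD system type are the ones used in the text; everything else is assumed: that both tarballs are already downloaded into /usr/local/etc/SSL, that the pristine Apache tarball is apache_1.3.1.tar in the same place, that Configuration and the resulting httpsd live in the src subdirectory, and that the patch file is called SSLpatch as in the patch -p1 line above (the exact command README.SSL prescribes is not reproduced here).

```shell
#!/bin/sh
# Added example (not from the book): the SSLeay + Apache-SSL build described
# in the text, wrapped in functions with two sanity checks in front of it.
# Assumed layout: both tarballs already downloaded into $SRC, the pristine
# Apache tarball at $SRC/apache_1.3.1.tar, Configuration under src/.
set -u

# version_ge HAVE NEED: succeed if dotted version HAVE is >= NEED, compared
# numerically field by field ("2.5.4" >= "2.5", "2.0.5" < "2.1").
version_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$x" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$y" = "$b" ]; then b=''; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# patch_version_from TEXT: pull the first dotted number out of the output of
# `patch --version`, e.g. "patch 2.5" or "GNU patch 2.7.6".
patch_version_from() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
      if ($i ~ /^[0-9]+(\.[0-9]+)*$/) { print $i; exit } }'
}

# check_patch: refuse to go on with a patch older than 2.1.
check_patch() {
  have=$(patch_version_from "$(patch --version 2>&1)")
  [ -n "$have" ] || { echo "cannot determine patch version" >&2; return 1; }
  version_ge "$have" 2.1 ||
    { echo "patch $have is too old; need 2.1 or later" >&2; return 1; }
}

# check_ssl_base CONFIGURATION: the SSL_BASE= line must point at an existing
# directory. A missing line, the unreplaced <current location of SSL>
# placeholder, or a directory that is not there all fail.
check_ssl_base() {
  conf=$1
  base=$(sed -n 's/^SSL_BASE=[[:space:]]*//p' "$conf" | tail -n 1)
  [ -n "$base" ] || { echo "no SSL_BASE= line in $conf" >&2; return 1; }
  case $base in
    *'<'*) echo "SSL_BASE still holds the placeholder: $base" >&2; return 1 ;;
  esac
  [ -d "$base" ] || { echo "SSL_BASE=$base is not a directory" >&2; return 1; }
}

build_apache_ssl() {
  system=${1:-FreeBSD}            # argument to SSLeay's ./Configure
  SRC=${SRC:-/usr/local/etc/SSL}  # where the tarballs were put (assumption)
  ssleay=SSLeay-0.9.0b
  apache=apache_1.3.1

  check_patch || return 1

  # SSLeay: unpack, configure for this system, build, self-test, install.
  ( cd "$SRC" && gzip -d SSLeay-0_9_0b_tar.gz && tar xvf SSLeay-0_9_0b_tar &&
    cd "$ssleay" && ./Configure "$system" &&
    make clean && make && make rehash && make test && make install ) || return 1
  # The ssleay binary may land in /usr/local/ssl/bin rather than /usr/local/bin.
  PATH=$PATH:/usr/local/ssl/bin

  # Apache: throw away any previously built tree, re-expand a pristine one,
  # unpack the Apache-SSL tarball inside it (not in src/), apply the patch.
  ( cd "$SRC" && rm -R "$apache" && tar xvf "${apache}.tar" &&
    cp apache_1_3_1+ssl_1_22_tar.gz "$apache" && cd "$apache" &&
    gzip -d apache_1_3_1+ssl_1_22_tar.gz && tar xvf apache_1_3_1+ssl_1_22_tar &&
    patch -p1 < SSLpatch ) || return 1

  # Configuration must now have SSL_BASE pointing at the SSLeay tree.
  check_ssl_base "$SRC/$apache/src/Configuration" || return 1
  ( cd "$SRC/$apache/src" && ./Configure && make ) || return 1
  cp "$SRC/$apache/src/httpsd" /usr/local/bin/httpsd
}

# Build only when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
  build_apache_ssl "${2:-FreeBSD}"
fi
```

Invoke it as `sh build-apache-ssl.sh run FreeBSD` (any other argument to ./Configure in place of FreeBSD); sourcing it with `. ./build-apache-ssl.sh` gives you check_patch and check_ssl_base on their own, which is handy for confirming the SSL_BASE edit before running ./Configure by hand.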