Apache

From John Freier
Jump to: navigation, search

Virtual Host

This is how you setup apache for Virual Hosts. example if you have more domain names and only one server. The serverAlias is used in case people don't put in the "www" before the URL. 

<VirtualHost *:80>
        DocumentRoot /home/{user}/public_html
        ServerName www.{domainname}.com
        ServerAlias {domainname}.com
</VirtualHost>


Virtual Host ProxyPass

This will pass any http request along. It helps when you want to pass a connection to another server, example apache -> tomcat:8080. 

<VirtualHost *:80>
        ProxyPreserveHost On
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        ServerName www.{domainname}.com
        ServerAlias {domainname}.com
</VirtualHost>


SSL Setup

I'm playing around with SSL setup for Apache. My overall goal would be to set up an SSL web address that would be only accessed with a single private key that would have to be imported into a browser and not handed off from the server.

1. Install SSL module for Apache on Fedora 

 yum install mod_ssl

2. I create a folder for housing any newly created certs to be used by Apache. 

 mkdir /etc/httpd/ssl
  • .key = Key file kind of like a password.
  • .csr = Certificate Signing Request, this is the built request to generate a certificate.
  • .crt = Certificate
  • .pem = Bundle of key, and certificates.
  • .p12 = a combo file of key and cert.

1. Create files for openssl to use for records. index.txt is an openssl database file. 

 touch index.txt
 echo 1000 > serial

2. Create the private key for the CA ROOT certification. 

 # openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key 4096
 
 Enter pass phrase for ca.key: secretpassword
 Verifying - Enter pass phrase for ca.key: secretpassword
 
 # chmod 400 /etc/pki/CA/private/ca.key

3. Double check configs. I needed to uncomment out some.

Open your OpenSSL configuration file (/etc/pki/tls/openssl.cnf) and look for the [ usr_cert ] and [ v3_ca ] sections. Make sure they contain the following options: 

 [ usr_cert ]
 # These extensions are added when 'ca' signs a request.
 basicConstraints=CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 nsComment = "OpenSSL Generated Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 
 [ v3_ca ]
 # Extensions for a typical CA
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = CA:true
 keyUsage = cRLSign, keyCertSign


4. Create a CA certificate from your CA key.

Now you can use the root key above to issue a root certificate (ca.crt). In this example, the certificate is set to expire in ten years. As this is a CA certificate, use the v3_ca extension. You will be prompted for some responses, which you can fill with whatever you like. For convenience, defaults can be set in the openssl configuration file.

Important: The default digest is SHA-1. SHA-1 is considered insecure. Pass the -sha256 option to use a more secure digest.

Make sure the common name matches your server name, wiki.johnfreier.com. 

 openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.crt



 Enter pass phrase for ca.key:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 -----
 Country Name (2 letter code) [XX]:GB
 State or Province Name (full name) []:London
 Locality Name (eg, city) [Default City]:London
 Organization Name (eg, company) [Default Company Ltd]:Alice CA
 Organizational Unit Name (eg, section) []:Certificate Authority
 Common Name (eg, your name or your server's hostname) []:Alice CA
 Email Address []:alice@example.com

 chmod 444 /etc/pki/CA/certs/ca.crt

Root key: ca.key
Root certificate: ca.cert


1. Generate Signing Request Key. This creates a signing request key that is used to verify things. 

 openssl genrsa -out footballaz.key 4096


2. Create a certificate signing request (csr) - Make sure that the Organization Name you choose below matches the one set for your CA root certificate. The extra attributes can be left blank. If you are creating a self-signed certificate, you would also use the -x509 and -days options.

I did not use -x509 or -days not sure what i missed??? 

 openssl req -sha256 -new -key footballaz.key -out footballaz.csr

3. Create Certificate 

 openssl ca -keyfile /etc/pki/CA/private/ca.key -cert /etc/pki/CA/certs/ca.crt -extensions usr_cert -notext -md sha256 -in footballaz.csr -out footballaz.crt

4. Verify new certificate 

 openssl verify -CAfile /etc/pki/CA/certs/ca.crt footballaz.crt

Need to generate a *.p12 certificate. Which is a special combination cert that is password protected. This one is need by the browser to get to the site. 

 openssl pkcs12 -export -in footballaz.crt -inkey footballaz.key -out footballaz.p12

5. Install the *.p12 file in a browser or computer and....

It WORKED!!!

These were extra SSL properties I needed to get it to work correctly. 

 <VirtualHost *:443>
 	SSLEngine on
 	SSLCertificateFile /etc/httpd/ssl/footballaz.crt
 	SSLCertificateKeyFile /etc/httpd/ssl/footballaz.key
 	SSLCACertificateFile {path_to_ca}/ca.crt
 	SSLVerifyClient require
 	SSLVerifyDepth	2 
 	SSLProtocol all -SSLv2 -SSLv3
 	SSLHonorCipherOrder On
 	SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 </VirtualHost>

Resources

https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/

http://linuxconfig.org/apache-web-server-ssl-authentication

http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm

http://www.apachelounge.com/viewtopic.php?t=3571

https://www.linode.com/docs/security/ssl/ssl-certificates-with-apache-2-on-fedora-14

SSL (StartSSL)

This is a free SSL certificate issue https://www.startssl.com

Follow the steps.

for my configuration I needed www.johnfreier.com as the common name.

After you follow the steps you will get a zip file with a bunch of *.crt files in folders. You will want to unzip the ApacheBundle.zip

Use this configuration: https://www.startssl.com/Support?v=21 


# openssl rsa -in www.key -out new.key


Notes on updating crt

1. Paste current johnfreier.com csr to website that issues the new crt. 2. The new crt gets emailed, just replace it.


Headline text

Headline text

Retrieved from "http://wiki.johnfreier.com/index.php?title=Apache&oldid=903"