Difference between revisions of "Apache"

Revision as of 14:57, 20 March 2015

Virtual Host This is how you setup apache for Virual Hosts. example if you have more domain names and only one server. The serverAlias is used in case people don't put in the "www" before the URL.

<VirtualHost *:80>
        DocumentRoot /home/{user}/public_html
        ServerName www.{domainname}.com
        ServerAlias {domainname}.com
</VirtualHost>

Virtual Host ProxyPass This will pass any http request along. It helps when you want to pass a connection to another server, example apache -> tomcat:8080.

<VirtualHost *:80>
        ProxyPreserveHost On
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        ServerName www.{domainname}.com
        ServerAlias {domainname}.com
</VirtualHost>

SSL Setup

I'm playing around with SSL setup for Apache. My overall goal would be to set up an SSL web address that would be only accessed with a single private key that would have to be imported into a browser and not handed off from the server.

1. Install SSL module for Apache on Fedora

 > yum install mod_ssl

2. I create a folder for housing any newly created certs to be used by Apache.

 > mkdir /etc/httpd/ssl

3. I generated a cert. A *.pem file contains both public and private key. This will ask you a bunch of questions too.

 > openssl req -new -x509 -sha256 -days 365 -nodes -out /etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key

Resources

http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm

http://www.apachelounge.com/viewtopic.php?t=3571

https://www.linode.com/docs/security/ssl/ssl-certificates-with-apache-2-on-fedora-14

SSL Setup 2

I'm trying again...The first attempt failed because I didn't generate a CA.

 # openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096
 
 Enter pass phrase for ca.key.pem: secretpassword
 Verifying - Enter pass phrase for ca.key.pem: secretpassword
 
 # chmod 400 /etc/pki/CA/private/ca.key.pem

Open your OpenSSL configuration file (/etc/pki/tls/openssl.cnf) and look for the [ usr_cert ] and [ v3_ca ] sections. Make sure they contain the following options:

 [ usr_cert ]
 # These extensions are added when 'ca' signs a request.
 basicConstraints=CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 nsComment = "OpenSSL Generated Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 
 [ v3_ca ]
 # Extensions for a typical CA
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = CA:true
 keyUsage = cRLSign, keyCertSign

Now you can use the root key above to issue a root certificate (ca.cert.pem). In this example, the certificate is set to expire in ten years. As this is a CA certificate, use the v3_ca extension. You will be prompted for some responses, which you can fill with whatever you like. For convenience, defaults can be set in the openssl configuration file.

Important: The default digest is SHA-1. SHA-1 is considered insecure. Pass the -sha256 option to use a more secure digest.

 openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem

 Enter pass phrase for ca.key.pem:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 -----
 Country Name (2 letter code) [XX]:GB
 State or Province Name (full name) []:London
 Locality Name (eg, city) [Default City]:London
 Organization Name (eg, company) [Default Company Ltd]:Alice CA
 Organizational Unit Name (eg, section) []:Certificate Authority
 Common Name (eg, your name or your server's hostname) []:Alice CA
 Email Address []:alice@example.com

 chmod 444 /etc/pki/CA/certs/ca.cert.pem

Root key: ca.key.pem
Root certificate: ca.cert.pem

Generate Signing Request???

 openssl genrsa -out footballaz.key.pem 4096

Resources

https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/

http://linuxconfig.org/apache-web-server-ssl-authentication