Apache Setup

From NippAero

Automatic Startup of Apache

To start Apache automatically, follow these steps:

1. Copy the Apache startup file to the startup directory:

cp /usr/local/apache/bin/apachectl /etc/init.d/

2. Edit /etc/init.d/apachectl by inserting the two lines beginning "# chkconfig:" and "# description:" after the #!/bin/sh line:

#!/bin/sh
#
# chkconfig: - 85 15
# description: Apache is a Web server used to serve HTML files and CGI.

3. Enable httpd to start up automatically:

/sbin/chkconfig --add apachectl
/sbin/chkconfig --level 2 apachectl on

SSL Configuration

These are some quick and dirty notes on getting SSL up and running to test on a lab system. As always, make sure your system is secure before going to prod.

Creating a Key Pair

You must have a public/private key pair before you can create a certificate request. Assume that the FQDN for the certificate you want to create is www.example.com. (You will need to substitute this name for the FQDN of the machine you have installed Apache on.) You can create the keys by issuing the following command:

# /usr/local/ssl/install/bin/openssl genrsa -des3 -rand file1:file2:file3 \
    -out www.example.com.key 1024

genrsa indicates to OpenSSL that you want to generate a key pair.

des3 indicates that the private key should be encrypted and protected by a pass phrase.

The rand switch is used to provide OpenSSL with random data to ensure that the generated keys are unique and unpredictable. Substitute file1, file2, and so on, for the path to several large, relatively random files for this purpose (such as a kernel image, compressed log files, and so on). This switch is not necessary on Windows because the random data is automatically generated by other means.

The out switch indicates where to store the results.

1024 indicates the number of bits of the generated key.

Creating a Certificate Signing Request

To get a certificate issued by a CA, you must submit what is called a certificate signing request. To create a request, issue the following command:

# /usr/local/ssl/install/bin/openssl req -new -key www.example.com.key \
    -out www.example.com.csr

You will now be asked to enter some information.

It is important that the Common Name field entry matches the address that visitors to your Web site will type in their browsers. This is one of the checks that the browser will perform for the remote server certificate. If the names differ, a warning indicating the mismatch will be issued to the user.

The certificate signing request is now stored in www.example.com.csr. You can inspect the contents of the request via the following command:

# /usr/local/ssl/install/bin/openssl req -noout -text \
    -in www.example.com.csr

Creating a Self-Signed Certificate

You can also create a self-signed certificate. That is, you can be both the issuer and the subject of the certificate. Although this is not very useful for a commercial Web site, it will enable you to test your installation of mod_ssl or to have a secure Web server while you wait for the official certificate from the CA.

# /usr/local/ssl/install/bin/openssl x509 -req -days 30 \
    -in www.example.com.csr -signkey www.example.com.key \
    -out www.example.com.cert

You need to copy your certificate www.example.com.cert (either the one returned by the CA or your self-signed one) to a secure location on your server like /usr/local/ssl/certs/ and your key to /usr/local/ssl/private/.

Protect your key file by issuing the following command:

# chmod 400 www.example.com.key

Edit httpd.conf and httpd-ssl.conf

You will need to modify the http server configuration and restart the server to commit the changes.

Make sure you have the httpd-ssl.conf file included in your httpd.conf file.

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

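Make sure you add the paths to your certificate and key files in the extra/httpd-ssl.conf file. The key path must point to the location you copied the key to (/usr/local/ssl/private/).

SSLCertificateFile /usr/local/ssl/certs/www.example.com.cert
SSLCertificateKeyFile /usr/local/ssl/private/www.example.com.key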


Restart Apache and test.
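
Before restarting, the key and certificate from the steps above can be checked with a short script. This is an added example, not part of the original notes: it confirms that the key belongs to the certificate, that the Common Name matches the FQDN, and that the key file has the mode set by chmod 400. The function names, the script name and the 2048-bit warning threshold are assumptions of this example (the genrsa command above creates a 1024-bit key), and a key created with -des3 makes openssl prompt for its pass phrase.

```shell
#!/bin/sh
# Usage: sh check_tls_pair.sh CERT KEY FQDN   (script name is hypothetical)

# Public key carried in the certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key derived from the private key, as PEM.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Common Name from the subject (RFC 2253 form: CN=...,O=...,C=...).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Key size in bits, parsed from the "Public-Key: (N bit)" line.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Permission string of the key file: "-r--------" after chmod 400.
key_mode() { ls -l "$1" | cut -c1-10; }

# Print one line per problem; return non-zero if any check failed.
check_tls_pair() {
    cert=$1 key=$2 fqdn=$3 rc=0
    cpub=$(cert_pubkey "$cert"); kpub=$(key_pubkey "$key")
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi
    if [ "$(cert_cn "$cert")" != "$fqdn" ]; then
        echo "FAIL: Common Name '$(cert_cn "$cert")' does not match $fqdn"; rc=1
    fi
    if [ "$(key_mode "$key")" != "-r--------" ]; then
        echo "FAIL: $key has mode $(key_mode "$key"), expected -r--------"; rc=1
    fi
    bits=$(cert_bits "$cert")
    if [ "${bits:-0}" -lt 2048 ]; then
        # Assumption of this example: warn only, since the page targets a lab.
        echo "WARN: ${bits:-unknown}-bit RSA key; public CAs require at least 2048 bits"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are ready for httpd-ssl.conf"
    return "$rc"
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -eq 3 ]; then check_tls_pair "$@"; fi
```

A mismatch between SSLCertificateFile and SSLCertificateKeyFile stops Apache from starting, so running the check first saves a failed restart.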
