The purpose of this document is to describe how to set up a secure web application server on FreeBSD
using Apache and OpenSSL.
Please read the following article first
Using Apache and OpenSSL you can create your own secure web server to keep authentication
and other information private.
A secure web server is a necessity if you are doing on-line administration, banking and/or e-commerce.
You may also simply have personal information you need to access over the web and wish to keep secure.
A secure web server is perfect for these implementations.
You must have the following packages installed:
Apache 1.3.12 or later
mod-ssl-2.2.6 or later
OpenSSL-0.9.5a or later
You must compile OpenSSL first:
$ ./config
$ make
$ make test
$ make install
Now you should compile and install mod_ssl:
$ cd mod_ssl-2.6.x-1.3.x
$ ./configure \
--with-apache=../apache_1.3.x \
--with-ssl=../openssl-0.9.x \
--with-mm=../mm-1.1.x \
--with-crt=/path/to/your/server.crt \
--with-key=/path/to/your/server.key \
--prefix=/path/to/apache
$ cd ../apache_1.3.x
$ make
$ make certificate
$ make install
Configure httpd.conf for SSL Support
After Apache and mod_ssl are installed, you can configure your httpd.conf as you would for a normal site. You will, however, have to set up your SSL secure site through a VirtualHost. You will access it with https://my.site.com instead of http://my.site.com.
There are many configuration options and requirements for a VirtualHost in Apache. Since there is too much to cover here, I will only give you an example of a basic VirtualHost. A VirtualHost contains the server name, the system administrator's e-mail address, the path to the files and a path to the logs for the host. It ends up looking something like this:
ServerAdmin [email protected]
DocumentRoot /home/httpd/mysite/
ErrorLog /var/log/httpd/mysite-errors_log
TransferLog /var/log/httpd/mysite-transfers_log
To add SSL support to your VirtualHost you must enable it and tell it where your
certificate and the key to decrypt it with are. Add these lines before the </VirtualHost> tag:
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
These are the basic SSL options for VirtualHosts. There are many more than can be listed in this
short document. When you install mod_ssl into Apache, the new httpd.conf will have examples and
descriptions of VirtualHosts and SSL options. You can also find numerous documents
at www.apache.org and www.modssl.org.
Once configured, you are all set to start up the server.
Start Apache in SSL mode by typing the following:
[root@myhost #] /usr/sbin/httpd -startssl
read RSA key
Enter PEM pass phrase:
Notice it asks you for a password. It requires a password to decrypt your key for the SSL encryption. This can stop Apache from starting unattended. Here is a way around it, but it can be a security hazard.
Go to the directory where your httpd.conf is stored; in the ssl.key directory you should see server.key. This contains your encrypted key. What we are going to do here is decrypt the key permanently. The upside is that you won't have to enter a password anymore. The security risk is that if the key is compromised, someone can possibly decrypt the information you send across your once secure connection.
Before you decrypt the key make a backup first:
[root@myhost #] cp /path/to/apache-conf/ssl.key/server.key server.key.old
Now, using OpenSSL, decrypt the key:
[root@myhost #] /usr/sbin/openssl rsa -in server.key.old -out server.key
read RSA key
Enter PEM pass phrase:
It will prompt you for your password and decrypt your key. server.key now contains an unencrypted key. You must still start Apache with httpd -startssl or the start-up file included with your RPM or dpkg.
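Because the decrypted server.key is now only as safe as the file system that holds it, the following added example (not part of the original document) is a small POSIX sh check a practitioner can run after the openssl rsa step: it tells whether the key still carries a pass phrase, and if not, whether it is owned by root and unreadable by anyone else. The KEY path is an assumption taken from the httpd.conf lines above; override it with KEY=/your/path.

```shell
#!/bin/sh
# Added example: sanity checks for server.key after it has been stored unencrypted.
# Assumes a POSIX sh with ls, cut, awk and grep; works on FreeBSD and Linux.
# The default path is an assumption; set KEY in the environment to override.
KEY="${KEY:-/etc/httpd/conf/ssl.key/server.key}"

# 0 if the PEM file still carries a pass phrase (the header that
# "openssl rsa -in ... -out ..." strips), 1 if it is stored in the clear.
key_is_encrypted() {
    grep -q 'Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null ||
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" 2>/dev/null
}

# 0 only if group and other have no permission bits at all (mode 0600 or
# stricter). Columns 5-10 of "ls -ld" are the group and other bits.
key_mode_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# 0 if the file is owned by root (third field of "ls -ld").
key_owned_by_root() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "root" ]
}

# Verdict: an unencrypted key is acceptable only when it is root-owned and
# unreadable by everyone else. Returns 0 when acceptable, 1 otherwise.
check_key() {
    if key_is_encrypted "$1"; then
        echo "$1: encrypted; httpd will prompt for the pass phrase at start"
        return 0
    fi
    if key_mode_private "$1" && key_owned_by_root "$1"; then
        echo "$1: unencrypted but root-only (mode 0600): acceptable"
        return 0
    fi
    echo "$1: UNENCRYPTED and readable by others: chmod 600 and chown root it" >&2
    return 1
}

if [ -r "$KEY" ]; then
    check_key "$KEY"
fi
```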