Getting Started with SSL on Apache

Started by sukishan, Aug 22, 2009, 07:02 PM


sukishan

Getting Started with SSL on Apache
There are a few key ingredients you will need to use with Apache to secure your Web server: OpenSSL, mod_ssl, and root access to the server.

OpenSSL is a command-line toolkit for using secure sockets layer encryption on a server and can be acquired from openssl.org. This tool works with the Apache module mod_ssl in carrying out SSL-related tasks. You will need root privileges to install OpenSSL to its traditional destination of /usr/local/ssl/install/openssl.

You must also ensure that mod_ssl is available on your server. There are other alternatives to mod_ssl; one is apache-ssl, from which the mod_ssl code was forked. However, mod_ssl's adoption has been dramatic -- nearly 20% of Apache servers were running it at the beginning of 2002.

To see which modules are active in Apache, issue the following command in a terminal as the root user on your server:

/usr/sbin/httpd -l

If you have a recent Linux distribution installed, it is likely Apache's modules are compiled as dynamically loadable modules, in which case you'll need to edit your httpd.conf file and check that the following line is uncommented.

LoadModule ssl_module modules/libmodssl.so

Restarting Apache will load the module into action. In my case, having used an RPM-based install of Red Hat and Apache, this is achieved with the apachectl command, typically found in /usr/sbin/apachectl. You can restart Apache by typing the following:

/usr/sbin/apachectl restart

There are several helpful features of apachectl, including stop, start, restart, status and check config. See the man pages via man apachectl.

Note that in recent Apache distributions, the httpd.conf file contains an <IfDefine HAVE_SSL> section that is intended to contain the <VirtualHost> definitions for all your SSL Websites. By placing these definitions within the <IfDefine> section, you can ensure that the sites will not be made available unless SSL support is successfully loaded on the server. This prevents any problems arising in which SSL could expose your secure sites.
A good beginning makes a good ending
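
The two httpd.conf checks described in the post above (is the ssl_module LoadModule line uncommented, and do the SSL virtual hosts sit inside the <IfDefine HAVE_SSL> section), as an added example that is not part of the original post. The function names are hypothetical, the sample config is constructed, and treating a <VirtualHost> that contains "SSLEngine on" as an SSL site is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: static checks on an httpd.conf, no running Apache needed.

# Prints "enabled", "commented" or "missing" for the ssl_module LoadModule line.
ssl_module_state() {
    if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$1"; then
        echo enabled
    elif grep -Eq '^[[:space:]]*#+[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$1"; then
        echo commented
    else
        echo missing
    fi
}

# Prints how many <VirtualHost> blocks containing "SSLEngine on" (assumed
# marker of an SSL site) are defined outside any <IfDefine HAVE_SSL> section.
unguarded_ssl_vhosts() {
    awk '
        { line = tolower($0) }                 # directive names are case-insensitive
        line ~ /^[ \t]*#/ { next }             # skip commented-out lines
        line ~ /^[ \t]*<ifdefine[ \t]/ {       # track nesting; remember the guard depth
            depth++
            if (!guard && $0 ~ /[ \t]HAVE_SSL[ \t]*>/) guard = depth
            next
        }
        line ~ /^[ \t]*<\/ifdefine/ { if (guard == depth) guard = 0; depth--; next }
        line ~ /^[ \t]*<virtualhost[ \t>]/ { ssl = 0; guarded = (guard > 0); next }
        line ~ /^[ \t]*sslengine[ \t]+on/ { ssl = 1; next }
        line ~ /^[ \t]*<\/virtualhost/ { if (ssl && !guarded) n++; ssl = 0; next }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample: module line commented out, one guarded and one
# unguarded SSL virtual host (192.0.2.10 is a documentation address).
write_sample_conf() {
    cat > "$1" <<'EOF'
#LoadModule ssl_module modules/libmodssl.so
<IfDefine HAVE_SSL>
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
</IfDefine>
<VirtualHost 192.0.2.10:443>
SSLEngine on
</VirtualHost>
EOF
}

sample=$(mktemp) && write_sample_conf "$sample"
echo "ssl_module: $(ssl_module_state "$sample")"
echo "SSL vhosts outside <IfDefine HAVE_SSL>: $(unguarded_ssl_vhosts "$sample")"
rm -f "$sample"
```

Point both functions at your real httpd.conf path to run the same checks before restarting Apache.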