SSL Part 1: ssl.conf

Revision as of 17:39, 9 June 2008 by Ric

mod_ssl Configuration ssl.conf
Uniform Server 3.5-Apollo

On the previous page I covered the httpd configuration file; this page looks at the SSL configuration file. I recommended keeping the two files separate: this not only eases fault finding but also has an additional benefit when experimenting.

  ssl.conf  

This configuration file isolates all the secure directives. It normally contains a single secure virtual host; this limitation is imposed by the protocol. However, when running a personal server it is possible, with some limitations, to run more than one name-based virtual host (I cover this later).

 

  httpd.conf  

This is the main Apache configuration file and should not contain any secure directives. Comment out the line as shown, #LoadModule ssl_module modules/mod_ssl.so, and Apache will function solely as a non-secure server.

Uncomment the above line and Apache loads the module mod_ssl.so; this in turn instructs Apache to load the configuration file ssl.conf. If you wish you can place all the directives in the main configuration file; it just makes fault finding more difficult.

ssl.conf and Vhosts

This configuration file is relatively self-contained. Change the domain name from unicenterdemo12.dyndns.org to unicenter.gotdns.org (use your real domain name), and the root folder if you have renamed it.

Open the file ssl.conf, located in the folder *\Uniform Server\udrive\usr\local\apache2\conf. The only change that needs to be made is in the Vhost section (the ServerName and DocumentRoot lines).

  NEW  

######################### Global SSL ###############################
Listen 443
#== Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

#== Pass Phrase Dialog:(`builtin' is a internal terminal dialog)
SSLPassPhraseDialog builtin

#== Inter-Process Session Cache:

##SSLSessionCache none
##SSLSessionCacheTimeout 300

SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#== SSL engine uses internally for inter-process synchronization.
SSLMutex default

#== Pseudo Random Number Generator (PRNG):

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

########### SSL Virtual Host ############################

NameVirtualHost *:443

<VirtualHost _default_:443>

ServerName unicenter.gotdns.org
DocumentRoot /www/site3
ServerAdmin you@example.com

ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

#== SSL Engine Switch:
SSLEngine on

#== SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2

#== Server Certificate:
SSLCertificateFile conf/ssl.crt/server.crt

#== Server Private Key:
SSLCertificateKeyFile conf/ssl.key/server.key

# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.

#== SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>

<Directory "/home/admin/www/cgi-bin/">
SSLOptions +StdEnvVars
</Directory>

#== Basic authentication

<Directory "/www/site3">
  AuthName "Uniform Server - Unicenter Demo Server Access"
  AuthType Basic
  AuthUserFile /htpasswd/modsslpass/.htpasswd
  Require valid-user
</Directory>

#== Most problems of broken clients are related to the HTTP
# keep-alive facility. Disable keep-alive for those clients.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

#== Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
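The cipher string and protocol list in the virtual host above are the two settings a reviewer checks first. The following is an added example, not code from Uniform Server or this page: it parses the VirtualHost directives and reports which weak cipher classes the SSLCipherSuite string does not hard-exclude with "!" and which protocol versions SSLProtocol leaves enabled. The sample configuration it runs on is constructed from the listing above.

```python
"""Audit the SSL directives of an Apache ssl.conf. Added example, not Uniform
Server code; SAMPLE_CONF is constructed from the VirtualHost listing above."""

# OpenSSL cipher-string rules: '!' removes a class for good, '-' removes it until re-added,
# '+' only moves matching suites to the end, a bare keyword adds them. Only '!' is a guarantee.
WEAK_CLASSES = ("aNULL", "ADH", "eNULL", "EXP", "EXPORT40", "EXPORT56",
                "LOW", "RC4", "MD5", "SSLv2")

SAMPLE_CONF = """\
<VirtualHost _default_:443>
#== SSL Engine Switch:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
</VirtualHost>
"""

def parse_vhost_directives(conf_text):
    """Return {directive: value} for the lines inside the first <VirtualHost>."""
    found, in_vhost = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if line.lower().startswith("<virtualhost"):
            in_vhost = True
        elif line.lower().startswith("</virtualhost"):
            break
        elif in_vhost and len(line.split(None, 1)) == 2:
            key, value = line.split(None, 1)
            found[key] = value
    return found

def weak_classes_not_excluded(cipher_string):
    """Weak classes with no '!CLASS' token: their suites may still be offered."""
    banned = {tok[1:] for tok in cipher_string.split(":") if tok.startswith("!")}
    return [cls for cls in WEAK_CLASSES if cls not in banned]

def enabled_protocols(protocol_value, known=("SSLv2", "SSLv3", "TLSv1")):
    """Expand an SSLProtocol value; 'all' means `known` (Apache 2.0/2.2 meaning)."""
    enabled = set()
    for tok in protocol_value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = known if name.lower() == "all" else (name,)
        (enabled.difference_update if op == "-" else enabled.update)(names)
    return sorted(enabled)

def audit(conf_text):
    """Surviving weak cipher classes and the protocol versions still enabled."""
    d = parse_vhost_directives(conf_text)
    return {"weak_not_excluded": weak_classes_not_excluded(d.get("SSLCipherSuite", "")),
            "protocols": enabled_protocols(d.get("SSLProtocol", "all"))}
```

Run against the sample, the audit shows that +LOW, +EXP and +SSLv2 only reorder those suites rather than removing them; a "!" token is what actually drops a class.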


Basic Authentication

For completeness my template installs basic authentication. If your requirement is to encrypt form data only and you want the secure server to be public, disable basic authentication by commenting out the lines as shown:

  ssl.conf - basic authentication  

#== Basic authentication

#<Directory "/www/site3">
#  AuthName "Uniform Server - Unicenter Demo Server Access"
#  AuthType Basic
#  AuthUserFile /htpasswd/modsslpass/.htpasswd
#  Require valid-user
#</Directory>

Note: in this case there is no need to change the password file.

Name and Password

If you wish to retain basic authentication, change the name and password in the file .htpasswd, located in the folder *\Uniform Server\udrive\htpasswd\modsslpass. It currently contains the following:

  File name: .htpasswd  

name:password

Choose a suitable name and password; remember to separate them with a colon.
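The file above stores the password in clear text. As an added example (not from this page or Uniform Server), the following builds the "{SHA}" entry that Apache's htpasswd -s writes instead, and checks a submitted name and password against a file holding either form. The sample file is constructed; the user "ric" and its password are assumed.

```python
"""Build and check .htpasswd entries. Added example, not part of the Uniform
Server page: it writes the '{SHA}' form that Apache's `htpasswd -s` produces
instead of the plain name:password line above, and checks both forms."""
import base64
import hashlib
import hmac

def sha_entry(name, password):
    """Return 'name:{SHA}<base64(sha1(password))>', the htpasswd -s format."""
    if not name or ":" in name:
        raise ValueError("user name must be non-empty and contain no colon")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{name}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def check_password(htpasswd_text, name, password):
    """True if `name` is listed and `password` matches its stored form."""
    for line in htpasswd_text.splitlines():
        if ":" not in line:
            continue                      # skip blank or malformed lines
        user, stored = line.strip().split(":", 1)
        if user != name:
            continue
        if stored.startswith("{SHA}"):
            candidate = sha_entry(name, password).split(":", 1)[1]
        else:
            candidate = password          # plain text, the form the page's file uses
        # constant-time comparison so a mismatch does not leak where it differs
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    return False

# Constructed sample file: the page's plain entry plus one hashed entry (assumed user).
SAMPLE_HTPASSWD = "\n".join(["name:password",
                             sha_entry("ric", "correct horse battery staple")])
```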


Test

You now have a fully configured server that uses your domain name. For a quick test, run the following (substitute your domain name for unicenter.gotdns.org):

Test                                            Result
1) Start the servers using Server_Start.bat     Normal server operation with apanel displayed.
2) Type http://unicenter.gotdns.org/            Displays Site 1 home page
3) Type http://news.unicenter.gotdns.org/       Displays Site 2 home page
4) Type http://cars.unicenter.gotdns.org/       Displays unsecured default page
5) Type https://unicenter.gotdns.org/
   a) Pop-up displays "Website Certified by an Unknown Authority" - click "Accept temporarily for this session"
   b) Security Error: Domain Name Mismatch - click OK
   c) (If enabled) Authentication Required - type in name and password, click OK
   d) Padlock closed and Site 3 home page displayed

Summary

The certificate installed was purely for testing. To fully secure your server you must create a new key and certificate; this final step is described on the next page. Note that this will also remove the alert in test 5b.



  Ric