SSL Part 1: ssl.conf - Revision history (https://wiki.uniformserver.com/index.php?title=SSL_Part_1:_ssl.conf&feed=atom&action=history), MediaWiki 1.41.0, feed generated 2024-03-28. Revision https://wiki.uniformserver.com/index.php?title=SSL_Part_1:_ssl.conf&diff=3104&oldid=prev by Ric, 2008-06-09: New page.
<div><span id="top"></span>
<div style="padding:0;margin:0; border-bottom:3px inset #000000">
{|
| [[Image:uc_small_logo.gif | MPG UniCenter]] ||
SSL Part 1:
[[SSL Part 1: Home | Home]] |
[[SSL Part 1: Apache Upgrade | Apache Upgrade]] |
[[SSL Part 1: mod_ssl Install | mod_ssl Install]] |
[[SSL Part 1: httpd.conf | httpd.conf]] |
[[SSL Part 1: ssl.conf | ssl.conf]] |
[[SSL Part 1: Key & Certificate |Key & Certificate]] |
|}
</div>
{| cellpadding="2"
|
__TOC__
||
'''mod_ssl Configuration ssl.conf'''<br>Uniform Server 3.5-Apollo
|}
On the previous page I covered the '''httpd''' configuration file; this page looks at the '''ssl''' configuration file. I recommended keeping the two files separate: this not only eases fault finding but also has an additional benefit when experimenting.

<table cellpadding="2">
<tr>
<td width="50%" valign="top">
{| cellpadding="2" cellspacing="1" style="background:#000000;"
|- style="background:#e8e8e8;"
! &nbsp;&nbsp;''ssl.conf''&nbsp;&nbsp;
|- style="background:#f5f5f5;"
|
This configuration file isolates all secure directives; it normally contains a single secure virtual host. This limitation is imposed by the protocol. However, on a personal server it is possible, with some limitations, to run more than one name-based virtual host ([[SSL Part 1: Multi-Websites 1 | I cover this later]]).
|}
</td>
<td>
&nbsp;
</td>
<td width="50%">
{| cellpadding="2" cellspacing="1" style="background:#000000;"
|- style="background:#e8e8e8;"
!&nbsp;&nbsp;''httpd.conf''&nbsp;&nbsp;
|- style="background:#f5f5f5;"
|
This is the main Apache configuration file and should not contain any secure directives. '''Comment''' out the line as shown, '''<nowiki>#LoadModule ssl_module modules/mod_ssl.so</nowiki>''', and Apache will function solely as a non-secure server.

'''Uncomment''' the above line and Apache loads the module '''mod_ssl.so'''; this in turn instructs Apache to load the configuration file '''ssl.conf'''. If you wish you can place all the directives into the main configuration file; it just makes fault finding more difficult.
|}
</td>
</tr>
</table>

== ssl.conf and Vhosts ==
This configuration file is relatively self-contained. Change the domain name from unicenterdemo12.dyndns.org to unicenter.gotdns.org (use your real domain name), and change the root folder if you have renamed it.

Open the file '''ssl.conf''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\usr\local\apache2\conf'''; the only change that needs to be made is in the Vhost section, highlighted in bold.

{| cellpadding="2" cellspacing="1" style="background:#000000;"
|- style="background:#e8e8e8;"
!&nbsp;&nbsp;''NEW''&nbsp;&nbsp;
|- style="background:#f5f5f5;"
|
<nowiki>#########################&nbsp;Global&nbsp;SSL&nbsp;###############################</nowiki>
Listen 443<br>
<nowiki>#==</nowiki> Some MIME-types for downloading Certificates and CRLs<br>
AddType application/x-x509-ca-cert .crt<br>
AddType application/x-pkcs7-crl .crl

<nowiki>#==</nowiki> Pass Phrase Dialog: (`builtin' is an internal terminal dialog)<br>
SSLPassPhraseDialog builtin

<nowiki>#==</nowiki> Inter-Process Session Cache:

<nowiki>##</nowiki>SSLSessionCache none<br>
<nowiki>##</nowiki>SSLSessionCacheTimeout 300

SSLSessionCache shmcb:logs/ssl_scache(512000)<br>
SSLSessionCacheTimeout 300

<nowiki>#==</nowiki> SSL engine uses internally for inter-process synchronization.<br>
SSLMutex default

<nowiki>#==</nowiki> Pseudo Random Number Generator (PRNG):

SSLRandomSeed startup builtin<br>
SSLRandomSeed connect builtin

<nowiki>########### SSL Virtual Host ############################</nowiki>

NameVirtualHost <nowiki>*</nowiki>:443

<VirtualHost _default_:443>

ServerName '''unicenter.gotdns.org'''<br>
DocumentRoot /www/site3<br>
ServerAdmin you@example.com

ErrorLog logs/error_ssl.log<br>
TransferLog logs/access_ssl.log

<nowiki>#==</nowiki> SSL Engine Switch:<br>
SSLEngine on

<nowiki>#==</nowiki> SSL Cipher Suite:<br>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br>
SSLProtocol all -SSLv2

<nowiki>#==</nowiki> Server Certificate:<br>
SSLCertificateFile conf/ssl.crt/server.crt

<nowiki>#==</nowiki> Server Private Key:<br>
SSLCertificateKeyFile conf/ssl.key/server.key

<nowiki>#</nowiki> This enables optimized SSL connection renegotiation handling when SSL<br>
<nowiki>#</nowiki> directives are used in per-directory context.

<nowiki>#==</nowiki> SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire<br>
<FilesMatch "\.(cgi|shtml|phtml|php3?)$"><br>
SSLOptions +StdEnvVars<br>
</FilesMatch>

<Directory "/home/admin/www/cgi-bin/"><br>
SSLOptions +StdEnvVars<br>
</Directory>

<nowiki>#==</nowiki> Basic authentication

<Directory "/www/site3"><br>
&nbsp;&nbsp;AuthName "Uniform Server - Unicenter Demo Server Access"<br>
&nbsp;&nbsp;AuthType Basic<br>
&nbsp;&nbsp;AuthUserFile /htpasswd/modsslpass/.htpasswd<br>
&nbsp;&nbsp;Require valid-user<br>
</Directory>

<nowiki>#==</nowiki> Most problems of broken clients are related to the HTTP<br>
<nowiki>#</nowiki> keep-alive facility. Disable keep-alive for those clients.<br>
SetEnvIf User-Agent ".*MSIE.*" \<br>
nokeepalive ssl-unclean-shutdown \<br>
downgrade-1.0 force-response-1.0

<nowiki>#==</nowiki> Per-Server Logging:<br>
<nowiki>#</nowiki> The home of a custom SSL log file. Use this when you want a<br>
<nowiki>#</nowiki> compact non-error SSL logfile on a virtual host basis.<br>
CustomLog logs/ssl_request.log \<br>
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
|}

'''''[[#top | Top]]'''''
== Basic Authentication ==
For completeness my template installed basic authentication. If your requirement is to encrypt form data only and you want the secure server public, disable basic authentication by commenting out these lines as shown:

{| cellpadding="2" cellspacing="1" style="background:#000000;"
|- style="background:#e8e8e8;"
!&nbsp;&nbsp;''ssl.conf - basic authentication''&nbsp;&nbsp;
|- style="background:#f5f5f5;"
|
<nowiki>#==</nowiki> Basic authentication

<nowiki>#</nowiki><Directory "/www/site3"><br>
<nowiki>#</nowiki>&nbsp;&nbsp;AuthName&nbsp;"Uniform&nbsp;Server&nbsp;-&nbsp;Unicenter&nbsp;Demo&nbsp;Server&nbsp;Access"&nbsp;<br>
<nowiki>#</nowiki>&nbsp;&nbsp;AuthType Basic<br>
<nowiki>#</nowiki>&nbsp;&nbsp;AuthUserFile /htpasswd/modsslpass/.htpasswd<br>
<nowiki>#</nowiki>&nbsp;&nbsp;Require valid-user<br>
<nowiki>#</nowiki></Directory>
|}

'''''Note''''': In this case there is no need to change the password file.

=== Name and Password ===
If you wish to retain basic authentication, change the name and password in the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\modsslpass'''. It currently contains the following:

{| cellpadding="2" cellspacing="1" style="background:#000000;"
|-
!style="background:#e8e8e8;"|&nbsp;&nbsp;''File name'': .htpasswd&nbsp;&nbsp;
!style="background:#ffffff;"|&nbsp;&nbsp;''Comments''&nbsp;&nbsp;
|-
|style="background:#f5f5f5;"|
name:password
|style="background:#ffffff;"|
Choose a suitable name and password; remember to '''separate''' them '''with''' a '''colon'''.
|}
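Added example, not from the original page: the .htpasswd shown above holds one name:password line per user, which on the Windows build of Apache means the password sits in the file in clear. This standard-library Python builds the same line in Apache's {SHA} form (the form htpasswd -s writes), parses a file holding either form, verifies a candidate password against it, and rewrites plain-text entries as {SHA}; the sample file and its user names are constructed. {SHA} is unsalted SHA-1, so on Apache 2.4 and later htpasswd -B (bcrypt) is the better choice.

```python
import base64
import hashlib
import hmac

# Constructed sample .htpasswd: a plain-text entry in the page's 'name:password' form (accepted
# by the Windows build) and a {SHA} entry as 'htpasswd -s' writes it (password is "password").
SAMPLE_HTPASSWD = "demo:demo123\nadmin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"

def sha_digest(password):
    """Apache {SHA} credential body: base64 of the raw SHA-1 of the password (unsalted)."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")

def make_htpasswd_entry(user, password):
    """One .htpasswd line, 'user:{SHA}...'. The colon separates the fields, so a user
    name containing one would corrupt the file; reject it."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    return f"{user}:{{SHA}}{sha_digest(password)}"

def parse_htpasswd(text):
    """{user: stored credential}; only the first colon splits, later ones belong to the credential."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            user, sep, stored = line.partition(":")
            if sep:
                users[user] = stored
    return users

def check_password(text, user, candidate):
    """True if candidate matches the user's stored credential; comparisons are constant-time."""
    stored = parse_htpasswd(text).get(user)
    if stored is None:
        return False
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored[len("{SHA}"):].encode(), sha_digest(candidate).encode())
    return hmac.compare_digest(stored.encode(), candidate.encode())  # plain-text entry

def upgrade_to_sha(text):
    """Rewrite plain-text entries in {SHA} form; hashed entries ({SHA}, $apr1$, bcrypt) are kept."""
    lines = []
    for user, stored in parse_htpasswd(text).items():
        hashed = stored.startswith(("{", "$"))
        lines.append(f"{user}:{stored}" if hashed else make_htpasswd_entry(user, stored))
    return "\n".join(lines) + "\n"
```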

'''''[[#top | Top]]'''''
== Test ==
You now have a fully configured server that uses your domain name. For a quick test, run the following (substitute your domain name for unicenter.gotdns.org):

{| cellpadding="2" cellspacing="1" style="background:#000000;"
|- style="background:#e8e8e8;"
!Test
!Result
|- style="background:#f5f5f5;"
|&nbsp;1) Start the servers using Server_Start.bat&nbsp;||&nbsp;Normal server operation with apanel displayed.
|- style="background:#f5f5f5;"
|&nbsp;2) Type <nowiki>http://unicenter.gotdns.org/</nowiki>||&nbsp;Displays Site 1 home page
|- style="background:#f5f5f5;"
|&nbsp;3) Type <nowiki>http://news.unicenter.gotdns.org/</nowiki>||&nbsp;Displays Site 2 home page
|- style="background:#f5f5f5;"
|&nbsp;4) Type <nowiki>http://cars.unicenter.gotdns.org/</nowiki>||&nbsp;Displays unsecured default page
|- style="background:#f5f5f5;"
|&nbsp;5) Type <nowiki>https://unicenter.gotdns.org/</nowiki>||
&nbsp;a) Pop-up displays "Website Certified by an Unknown Authority" - Click "Accept temporarily this session"&nbsp;<br>
&nbsp;b) Security Error: Domain Name Mismatch - Click OK<br>
&nbsp;c) (If enabled) Authentication Required - Type in name and password - click OK<br>
&nbsp;d) Padlock closed and Site 3 home page displayed
|}

== Summary ==
The certificate installed was purely for testing. To fully secure your server you must create a new key and certificate; this final step is described on the [[SSL Part 1: Key & Certificate |next page]]. Note this will also remove the alert in test 5b.

'''''[[#top | Top]]'''''

----

{|
| [[Image:uc_small_logo.gif]] || [[User:Ric|Ric]]
|}

[[Category: UniCenter]]
[[Category: Support]]
[[Category: Installation]]
[[Category: Application]]
[[Category: Development]]</div>