Apache with SSL support should be the basic platform for providing web services. There are several different implementations to choose from, some commercial (Stronghold) and some open source (Apache-SSL, Apache+mod_ssl). We've chosen to work with Apache+mod_ssl.
You can use the FreeBSD ports copy of Apache, or build your own. Much of how you install and configure Apache will depend on how the server will be used:
Will the server host lots of user websites, or just a few?
Is the machine to be a dedicated webserver?
Is the webserver an interface to other applications?
We're going to build Apache with one optional component: SSL support.
Optionally you can also get mm-1.3.0.tar.gz, a shared memory library for Apache/EAPI.
Get the source tarballs (OpenSSL, Apache, mod_ssl and optionally MM) from ftp://noc.t1.ws.afnog.org/pub/src and drop them in $HOME/src (substituting $HOME with your home directory).
$ tar -zxvf openssl-0.9.7d.tar.gz
$ cd openssl-0.9.7d/
Take a look at the README and INSTALL files.
$ sh config no-threads -fPIC
$ make
$ make test
$ cd ..
NOTE: OpenSSL understands a lot more options on the `config' command line. For instance you can add some command line options (like `-DSSL_FORBID_ENULL' to disallow null (no) encryption, or `-DSSL_ALLOW_ADH' to allow Anonymous Diffie-Hellman ciphers, etc.) to adjust the OpenSSL internals (see OpenSSL's top-level Makefile for details).
NOTE: When your system already has OpenSSL installed in system locations (for instance some Linux distributions ship with OpenSSL installed out-of-the-box) you can skip the OpenSSL steps above. Then use `SSL_BASE=SYSTEM' instead of `SSL_BASE=../openssl-0.9.x' and mod_ssl will search for OpenSSL's binary, header and library files in $PATH and system locations.
NOTE: The -fPIC option builds OpenSSL with Position Independent Code (PIC), which only matters when building mod_ssl as a Dynamic Shared Object (DSO).
NOTE: The optional `no-threads' keyword above increases performance inside OpenSSL, because Apache 1.3 does not use threads anyway. If built without `no-threads', OpenSSL by default builds with multi-threading support, which involves locking around a lot of internal object manipulation (especially reference counts). Since it is not possible in Apache 1.3 to have threads racing on any object internal to OpenSSL, any overhead (memory and/or time) from these locking mechanisms is wasted by default.
Optionally you can now build the MM Shared Memory library if you want shared memory support in Apache/EAPI. For instance, this allows mod_ssl to use a high-performance RAM-based session cache instead of a disk-based one.
$ tar xvzf mm-1.3.0.tar.gz
$ cd mm-1.3.0
$ ./configure --disable-shared
$ make
$ cd ..
NOTE: When your system already has MM installed in system locations you can skip the steps above and then use `EAPI_MM=SYSTEM' instead of `EAPI_MM=../mm-1.1.x' below.
NOTE: Do not forget the --disable-shared option above. Otherwise you have to set an explicit LD_LIBRARY_PATH which includes the /path/to/mm-1.1.x/.libs/ directory, or the compilation of Apache will fail because the shared library cannot be found.
Now apply the mod_ssl source extension and source patches to the Apache source tree, configure the Apache sources and build Apache with mod_ssl and OpenSSL.
$ tar xvzf apache_1.3.31.tar.gz
$ tar xvzf mod_ssl-2.8.17-1.3.31.tar.gz
$ cd mod_ssl-2.8.17-1.3.31
$ ./configure --with-apache=../apache_1.3.31 --with-ssl=../openssl-0.9.7d \
              --with-mm=../mm-1.3.0 --prefix=/usr/local/apache
$ cd ../apache_1.3.31
$ make
$ make certificate TYPE=custom
Follow the prompts, making the selections below (press enter for the defaults, which are shown like [this], if they match what we want). TYPE=custom first creates your own CA certificate and then a server certificate signed by it, which is why most questions are asked twice:
Select RSA
Enter your country code
Enter state/county or province
Enter a locality
Enter your organization
Enter the unit/group
Common name
Email address
Enter the length of time the certificate should be valid (days)
Select ssl3
Enter a country code
Enter a state
Enter a locality
Enter an organization
Enter your common name
Enter your mail address
Enter the length of time the certificate should be valid (days)
Select certificate version 3
Say N to leave the private key unencrypted
$ make install
$ cd ..
NOTE: The --enable-shared=ssl configure option (not used above) builds mod_ssl as a DSO, `libssl.so'. Read the INSTALL and htdocs/manual/dso.html documents in the Apache source tree for more information about DSO support in Apache. It is advisable for ISPs and package maintainers to use the DSO facility for maximum flexibility with mod_ssl, but notice that DSO is not supported by Apache on all platforms.
Start the server with
$ /usr/local/apache/bin/apachectl startssl
and then fire up your browser and go to https://localhost
Using SSL means you're running two virtual servers: one on port 80 (the regular server) and one on port 443 (the SSL server).
You have more directories to keep track of because of your keys and certificates. The certificate that was generated is valid for only one hostname, so a key and certificate per virtual host is a good idea if you're doing virtual hosts with SSL servers as well.
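As an added example (not from the original notes), an httpd.conf fragment for Apache 1.3 with mod_ssl 2.8 that runs the regular server on port 80 and a separate SSL server per hostname on port 443; the hostnames, IP addresses and the webmail certificate file names are assumed.

```apache
# Added example, not from the original notes: httpd.conf fragment for
# Apache 1.3 + mod_ssl 2.8. Hostnames, addresses and the webmail
# certificate/key file names are assumed.
Listen 80
<IfDefine SSL>
Listen 443
</IfDefine>

# The regular server on port 80.
<VirtualHost 192.0.2.10:80>
    ServerName   www.example.org
    DocumentRoot /usr/local/apache/htdocs
</VirtualHost>

# The SSL server on port 443, active only when started with
# `apachectl startssl' (which defines SSL).
<IfDefine SSL>
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.org
    DocumentRoot /usr/local/apache/htdocs
    SSLEngine on
    # server.crt/server.key are the names `make install' put in place.
    # The key was left unencrypted, so keep it readable by root only.
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    # Refuse SSLv2, null (no) encryption, anonymous DH and export
    # ciphers: the run-time counterpart of the -DSSL_FORBID_ENULL and
    # -DSSL_ALLOW_ADH build options mentioned in the OpenSSL notes.
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!ADH:!EXP
    SSLLog      /usr/local/apache/logs/ssl_engine_log
    SSLLogLevel warn
</VirtualHost>

# A second SSL host needs its own certificate (one common name per
# certificate) and its own IP address: mod_ssl picks the certificate
# before any HTTP Host: header arrives, so name-based virtual hosts do
# not work over SSL with this Apache generation.
<VirtualHost 192.0.2.11:443>
    ServerName   webmail.example.org
    DocumentRoot /usr/local/apache/htdocs/webmail
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/webmail.example.org.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/webmail.example.org.key
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!ADH:!EXP
</VirtualHost>
</IfDefine>
```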
Certificates not signed by a recognised CA, like the one generated above, are fine for things like running your webmail services over SSL; for ecommerce-type applications, having a certificate signed by a reliable CA (certificate authority) is considered normal.
CAs include Verisign (USA), Thawte (South Africa) and others.
Last modified: Tue May 18 12:18:01 GMT 2004