Revisión actual del 12:13 31 oct 2008

Enabling SSL

Apache 2

Habilitamos el modulo ssl:

a2enmod ssl

Ejecutamos un script para crear nuestro certificado de seguridad para el servidor (estara autofirmado).

#For Debian Sarge
apache2-ssl-certificate --force -days 999
#For Debian Etch
make-ssl-cert
#apache2-ssl-certificate

Ahora crearemos la configuracion de "el sitio" para el servidor seguro basandonos en la que lleva por defecto:

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl

/etc/apache2/sites-enabled/ssl tiene que empezar de la siguiente manera:

NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/ssl.jhernandez.gpltarragona.org/htdocs
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/ssl.jhernandez.gpltarragona.org/htdocs>
#[...aquí sigue...]

Tenes que cambiar lo de directory según el directorio que queres... Ahora, /etc/apache2/sites-enabled/default también hay que configurarlo de la misma forma:

NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/jhernandez.gpltarragona.org/htdocs
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/jhernandez.gpltarragona.org/htdocs>
#[...aquí sigue...]

Ahora añade en el fichero /etc/apache2/ports.conf:

Listen 443

Por último, sólo basta añadir dentro del fichero "/etc/apache2/sites-enabled/ssl" dentro del VirtualHost (por ejemplo justo debajo de "ServerSignature On"):

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

Y por último, reiniciamos apache2:

/etc/init.d/apache2 force-reload

Apache 1.x

Para activar SSL en apache 1.x tenemos 2 alternativas principales

• ssl_mod - http://www.modssl.org
• apache-ssl - http://www.modssl.org

Informacion comparativa

La discucion de cual conviene usar es larga y va a depender de para que queramos usar el webserver

There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original.

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC3

mod_ssl is derived originally from Apache SSL mod_ssl is more widely used than Apache SSL

2) mod_ssl is better written and reported to run faster on all platforms. It better integrates with Apache - without rough patching Apache's code.

3) the documentation is better for mod_ssl. Its mailing list is also more active and helpful.

4) mod_ssl is easier to install.

5) mod_ssl has more options and much better configurable.

Apache-SSL is a monolithic program with the SSL functionality hard-coded into apache. This leads to a large binary. Also, many SSL directives are

• required* in the config in order for it to work.

mod_ssl allows you to add or remove SSL functionality to an already working apache (assuming you compiled with EAPI and DSO). So you have more flexibility.

In a single server set-up, there is probably little to choose from between the two, however, I could imagine a multi-apache environment where you wanted some servers with SSL and some without. mod_ssl would be a good choice there.

As far as I can see, there is no difference between Apache-SSL and apache with mod_ssl statically compiled - both lead to a monolithic, SSL-aware binary.

Finally, in my experience, mod_ssl tracks apache updates really fast. Usually a new mod_ssl is ready within a day of a new apache version. Apache-SSL tends to be slower and is sometimes a few versions behind

Despues de leer toda esta informacion considero que es mejor empezar con mod_ssl

Configuracion de mod_ssl

   Documentacion: http://www.modssl.org/docs/2.8/

Desinstalar el apache-ssl para no confundirnos

apt-get remove --purge apache-ssl

- Generar la clave:

dpkg-reconfigure libapache-mod-ssl

(No poner passphrase)

- Crear /etc/apache/conf.d/ssl.conf

Listen 80
Listen 443

<VirtualHost *:443>
    DocumentRoot "/home/webserver/root"
    SSLEngine on
    SSLCertificateFile /etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/server.key
</VirtualHost>

Directorios en /etc/apache

• ssl.crl : Certificate revocation list. Put revoked certificates here. we don't need to worry about this folder at the moment.
• ssl.crt : This is where the certificates are stored.
• ssl.csr : For certificate signing requests.
• ssl.key : The keys go here.
• ssl.prm : Contains the parameter files for creating the keys.

Archivo htaccess

.htaccess

AuthName "Restricted Area"
AuthType Basic
AuthUserFile ../.htpasswd
<Limit GET POST>
require user gabriel
</Limit>

Options Indexes Includes FollowSymLinks
IndexOptions +FoldersFirst +IconsAreLinks +ScanHTMLTitles

Crear archivo de passwords

htpasswd -c .htpasswd someuser

Agregar un nuevo usuario

htpasswd .htpasswd someuser

password a un solo archivo

Si queres poner passwd a un solo archivo lo mejor es crear un archivo de conf tipo /etc/apache2/conf.d/permisos.conf con algo como

<Location "/cgi-bin/awstats.pl">
  AuthType Basic
  AuthName "GACQ.com Protected"
  AuthUserFile /xxx/xxx/.htpasswd
  require user xxx
</Location>

mod_rewrite

Despues de habilitar el modulo

<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /newwebmail>
      RewriteEngine on
      RewriteRule ^.*$ http://mail/webmail/ [R,L]
    </Location>
  </IfModule>
</IfModule>

Con y sin www

Si queremos que todos los accesos se redirijan a un dominio con www, debemos añadir

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

Si lo que pretendemos es eliminar el prefijo www de nuestros accesos, este es el código

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

Mas facil y mejor sin el mod_rewrite

<VirtualHost *:80>
    ServerName dotproject.refert.com
    ServerAlias dotproject.refert.com.ar
    ServerAlias dotproject

    Redirect permanent / https://dotproject.refert.com.ar/
</VirtualHost>

tambien existe:

RedirectMatch permanent <REGEX> <destino>

Segurizando el apache

• 20 ways to Secure your Apache Configuration
• Security Tips for Server Configuration (Version 1.3)

PHP

Allowed memory size of XXXX bytes exhausted

Hay que subir el default de la memoria de PHP de 8 MB a algo asi como 32 esta bien

vi /etc/php4/apache2/php.ini
memory_limit = 32M

CGI

Mini CGI

#!/usr/bin/sh
echo "Content-type: text/html"
echo ""
echo "<html>"
echo "<body>"
pwd
echo "</body>"
echo "</html>"

Performance

• Open Source: Configuring Apache - Don't Succumb To The "Slashdot Effect"

mod_security 2.5 for Etch

add to /etc/apt/sources.list

deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/2.5.x/etch ./

Import keys

gpg --keyserver subkeys.pgp.net --recv-keys C514AF8E4BA401C3
gpg --export --armor C514AF8E4BA401C3 | apt-key add -

Install

apt-get update
apt-get install libapache2-mod-security2

Configure

cp /usr/share/doc/mod-security2-common/examples/modsecurity.conf-minimal /etc/apache2/conf.d/modsecurity.conf

Edit

vi /etc/apache2/conf.d/modsecurity.conf

Restart Apache

/etc/init.d/apache2 restart