Apache
Enabling SSL
Apache 2
Enable the ssl module:
a2enmod ssl
Run a script to create the server's certificate (it will be self-signed).
    # For Debian Sarge
    apache2-ssl-certificate --force -days 999
    # For Debian Etch
    make-ssl-cert
    #apache2-ssl-certificate
Now we create the site configuration for the secure server, based on the default one:
    cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
    ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl
/etc/apache2/sites-enabled/ssl has to start as follows:
    NameVirtualHost *:443
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/ssl.jhernandez.gpltarragona.org/htdocs
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/ssl.jhernandez.gpltarragona.org/htdocs>
        #[...continues here...]
You have to change the Directory entries to whatever directory you want. Now /etc/apache2/sites-enabled/default also has to be configured the same way:
    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/jhernandez.gpltarragona.org/htdocs
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/jhernandez.gpltarragona.org/htdocs>
        #[...continues here...]
Now add to the file /etc/apache2/ports.conf:
Listen 443
Finally, all that is left is to add the following inside the VirtualHost in "/etc/apache2/sites-enabled/ssl" (for example right below "ServerSignature On"):
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
And lastly, we restart apache2:
/etc/init.d/apache2 force-reload
Apache 1.x
To enable SSL in Apache 1.x we have two main alternatives:
- mod_ssl - http://www.modssl.org
- apache-ssl - http://www.modssl.org
Comparative information
The discussion about which one to use is long and will depend on what we want to use the web server for.
There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original.
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC3
mod_ssl is derived originally from Apache SSL.
1) mod_ssl is more widely used than Apache SSL.
2) mod_ssl is better written and reported to run faster on all platforms. It better integrates with Apache - without rough patching Apache's code.
3) the documentation is better for mod_ssl. Its mailing list is also more active and helpful.
4) mod_ssl is easier to install.
5) mod_ssl has more options and is much more configurable.
Apache-SSL is a monolithic program with the SSL functionality hard-coded into apache. This leads to a large binary. Also, many SSL directives are *required* in the config in order for it to work.
mod_ssl allows you to add or remove SSL functionality to an already working apache (assuming you compiled with EAPI and DSO). So you have more flexibility.
In a single server set-up, there is probably little to choose between the two; however, I could imagine a multi-apache environment where you wanted some servers with SSL and some without. mod_ssl would be a good choice there.
As far as I can see, there is no difference between Apache-SSL and apache with mod_ssl statically compiled - both lead to a monolithic, SSL-aware binary.
Finally, in my experience, mod_ssl tracks apache updates really fast. Usually a new mod_ssl is ready within a day of a new apache version. Apache-SSL tends to be slower and is sometimes a few versions behind.
After reading all this information I think it is better to start with mod_ssl.
Configuring mod_ssl
Documentation: http://www.modssl.org/docs/2.8/
Uninstall apache-ssl so we don't get confused:
apt-get remove --purge apache-ssl
- Generate the key:
dpkg-reconfigure libapache-mod-ssl
(Do not set a passphrase)
- Create /etc/apache/conf.d/ssl.conf
    Listen 80
    Listen 443
    <VirtualHost *:443>
        DocumentRoot "/home/webserver/root"
        SSLEngine on
        SSLCertificateFile /etc/apache/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/apache/ssl.key/server.key
    </VirtualHost>
Directories in /etc/apache
- ssl.crl : Certificate revocation list. Put revoked certificates here. We don't need to worry about this folder at the moment.
- ssl.crt : This is where the certificates are stored.
- ssl.csr : For certificate signing requests.
- ssl.key : The keys go here.
- ssl.prm : Contains the parameter files for creating the keys.
htaccess file
.htaccess
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile ../.htpasswd
    <Limit GET POST>
        require user gabriel
    </Limit>
    Options Indexes Includes FollowSymLinks
    IndexOptions +FoldersFirst +IconsAreLinks +ScanHTMLTitles
Create the password file
htpasswd -c .htpasswd someuser
Add a new user
htpasswd .htpasswd someuser
Password on a single file
If you want to put a password on a single file, the best thing is to create a conf file such as /etc/apache2/conf.d/permisos.conf with something like:
    <Location "/cgi-bin/awstats.pl">
        AuthType Basic
        AuthName "GACQ.com Protected"
        AuthUserFile /xxx/xxx/.htpasswd
        require user xxx
    </Location>
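An added check, not part of the original notes, that audits constructed copies of the .htaccess and SSL site snippets above for the points a reviewer would raise: a require inside <Limit GET POST> leaves every other HTTP method unauthenticated, a relative AuthUserFile is resolved against ServerRoot rather than the .htaccess directory, Options Indexes/Includes expose directory listings and SSI exec, and a *:443 VirtualHost does nothing until Listen 443 is in ports.conf. The sample configs are constructed here, not read from a real server.

```python
import re

# Constructed samples modelled on the page's snippets (not the real files).
HTACCESS = """AuthName "Restricted Area"
AuthType Basic
AuthUserFile ../.htpasswd
<Limit GET POST>
require user gabriel
</Limit>
Options Indexes Includes FollowSymLinks
"""
PORTS_CONF = "Listen 80\n"          # Listen 443 not yet added
SSL_SITE = """NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
"""

FLAGS = re.M | re.I

def audit_auth(conf):
    """Return findings for a Basic-auth block like the page's .htaccess."""
    findings = []
    # require inside <Limit GET POST>: any other method (HEAD, PUT, OPTIONS...) skips auth
    if re.search(r"^\s*<Limit\s", conf, FLAGS) and re.search(r"^\s*require\s", conf, FLAGS):
        findings.append("require inside <Limit>: unlisted methods bypass auth, drop the Limit or use <LimitExcept>")
    m = re.search(r"^\s*AuthUserFile\s+(\S+)", conf, FLAGS)
    if m and not m.group(1).startswith("/"):
        findings.append("AuthUserFile is relative: Apache resolves it against ServerRoot, not this directory")
    m = re.search(r"^\s*Options\s+(.*)$", conf, FLAGS)
    if m:
        # keep enabled options only: '+Foo' and 'Foo' count, '-Foo' does not
        enabled = {w.lstrip("+") for w in m.group(1).split() if not w.startswith("-")}
        if "Indexes" in enabled:
            findings.append("Options Indexes: directory listings are exposed")
        if "Includes" in enabled:
            findings.append("Options Includes: SSI may run #exec, prefer IncludesNOEXEC")
    return findings

def audit_ssl(site, ports):
    """Return findings for an SSL vhost checked against ports.conf."""
    findings = []
    listened = set(re.findall(r"^\s*Listen\s+(?:\S*:)?(\d+)", ports, FLAGS))
    for port in re.findall(r"^\s*<VirtualHost\s+\S*:(\d+)", site, FLAGS):
        if port not in listened:
            findings.append(f"VirtualHost on :{port} but no 'Listen {port}' in ports.conf")
    if re.search(r"^\s*SSLEngine\s+on", site, FLAGS) and not re.search(r"^\s*SSLCertificateKeyFile", site, FLAGS):
        findings.append("no SSLCertificateKeyFile: the private key must be inside SSLCertificateFile")
    return findings

if __name__ == "__main__":
    for f in audit_auth(HTACCESS) + audit_ssl(SSL_SITE, PORTS_CONF):
        print("WARN:", f)
```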
mod_rewrite
After enabling the module:
    <IfModule mod_rewrite.c>
        <IfModule mod_ssl.c>
            <Location /newwebmail>
                RewriteEngine on
                RewriteRule ^.*$ http://mail/webmail/ [R,L]
            </Location>
        </IfModule>
    </IfModule>
With and without www
If we want all accesses redirected to the domain with www, we must add:
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
If instead we want to remove the www prefix from our accesses, this is the code:
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.(.*)$
    RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
Easier and better without mod_rewrite
    <VirtualHost *:80>
        ServerName dotproject.refert.com
        ServerAlias dotproject.refert.com.ar
        ServerAlias dotproject
        Redirect permanent / https://dotproject.refert.com.ar/
    </VirtualHost>
There is also:
RedirectMatch permanent <REGEX> <destino>
Securing Apache
PHP
Allowed memory size of XXXX bytes exhausted
You have to raise PHP's default memory limit from 8 MB; something like 32 is fine:
    vi /etc/php4/apache2/php.ini
    memory_limit = 32M
CGI
Mini CGI
    #!/bin/sh
    # shebang corrected: Debian ships sh at /bin/sh, not /usr/bin/sh
    echo "Content-type: text/html"
    echo ""
    echo "<html>"
    echo "<body>"
    pwd
    echo "</body>"
    echo "</html>"
Performance
mod_security 2.5 for Etch
- Add to /etc/apt/sources.list:
deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/2.5.x/etch ./
- Import keys
    gpg --keyserver subkeys.pgp.net --recv-keys EA8E8B2116BA136C
    gpg --export --armor EA8E8B2116BA136C | apt-key add -
- Install
    apt-get update
    apt-get install libapache2-mod-security2