BBS 水木清华站: Digest Area
From: mv (蓝花·无争|19:50), Board: Linux
Subject: Installing a secure web server
Posted via: BBS 水木清华站 (Sat Dec 16 05:56:14 2000)
With ``e-commerce'' becoming an important part of many businesses, it's useful to know how to set up your server to run SSL for secure transfer of sensitive information.
What's SSL?
SSL, which stands for Secure Sockets Layer, is a protocol by which a client (a web browser) and a server (Apache, for example) can communicate with one another securely over an encrypted connection. During the handshake the server proves its identity with a certificate, and the two sides use public-key cryptography to agree on a session key that only they know; the traffic itself is then encrypted with a symmetric cipher under that key. Anyone intercepting the connection sees only ciphertext, because the private key needed to complete the key agreement never leaves the server and is not distributed.
Getting SSL
There are a variety of SSL solutions available, and you should probably check out all the options before making the decision that is right for your business, or that of your clients.
Being an Open Source advocate, I am partial to OpenSSL. You can get OpenSSL from http://www.openssl.org/ in source code form. It is free software, and you can build it to run on whatever platform you are using.
As of this writing, the latest version of OpenSSL is 0.9.6. The file is approximately 2 MB, so be prepared to wait a while.
You need to click on the ``Source'' link, and get the file that is labelled as "LATEST". Before you build it, check the download against the checksum or signature published alongside it: this library will be the basis of every secure connection your server makes, so it is worth being sure you have the genuine release.
Installing SSL
Please note that OpenSSL is the engine; you'll still need mod_ssl for the interaction between SSL and Apache.
Once you've downloaded OpenSSL, you will need to unpack it. Do this in the same location where you have the Apache source code unpacked. I'll assume for this article that you're working in /usr/src.
gunzip openssl-0.9.6.tar.gz
tar -vxf openssl-0.9.6.tar
Then change into the openssl-0.9.6 directory, and type the following:
./config
make
make test
make install
Do not skip make test: it runs the library's self-tests, and a build that fails them should not go anywhere near a production server. make install puts the library, headers and the openssl command-line tool under /usr/local/ssl by default. That's it. You're ready to move on to the next stage. For detailed instructions and advanced options, read the INSTALL file.
Installing mod_ssl
Here's where things get interesting. mod_ssl has a reputation of being somewhat difficult to install, but it does not need to be.
Warning: Make an effort to understand what you are doing before you do it. I gave a very skimpy definition of SSL above. You really should read the referenced article. Security that you don't understand is much more likely to be compromised than security whose workings you know.
Note also that you're going to need to rebuild Apache, so you should have the Apache source code handy also. Take this opportunity to upgrade to the latest version of Apache. 1.3.15 should be out real soon.
Get mod_ssl from http://www.modssl.org/. You should notice a resemblance between this site and the OpenSSL web site. It's not a coincidence.
Download the latest source code file, and unpack it somewhere you can get to it. It is useful to unpack it in the same place where you have your Apache source code unpacked, such as in /usr/src, for example.
Now, follow these steps carefully. This assumes that you have unpacked all of these packages in /usr/src, and that you have the Apache source code, the OpenSSL source code, and the mod_ssl source code all there. The version numbers in the paths below must match the directories you actually unpacked, and the mod_ssl release must be the one built for your Apache version (the mod_ssl file name ends with the Apache version it targets, e.g. mod_ssl-2.7.x-1.3.14).
cd mod_ssl-2.7.xxxx
./configure --with-apache=../apache_1.3.14 \
--with-ssl=../openssl-0.9.6 \
--with-crt=/path/to/your/server/certificate \
--with-key=/path/to/your/server/key
cd ../apache_1.3.14
make
make install
Note that the --with-key line carries no trailing backslash: a backslash there would make the following cd part of the configure command line. And then you're done.
Yes, perhaps there's a little more to it than that.
Certificate
You need a certificate. It's going to cost you a little money. There are a few companies (VeriSign, for example) that sell secure server certificates that are automatically accepted by the major browsers, because those companies' CA certificates ship with the browsers.
You can generate one of your own, but since no browser trusts the authority that signed it (you), it will show up in the client's browser with a warning, and each visitor will have to decide whether to accept it. Such a certificate still protects the connection against eavesdropping, but not against an impostor, because a visitor has no way to tell your self-signed certificate from someone else's.
Once you have gone through the painful process of purchasing a secure certificate, you'll be able to use the --with-crt and --with-key lines above to tell mod_ssl which certificate and private key to use. Keep the key file readable by root only; anyone who can read it can impersonate your server.
If you don't have a certificate, skip those two lines, and run make certificate between the make and the make install at the end of the process, in the Apache source directory. This will generate a test certificate, which browsers will not trust, for you to use while you're waiting for the real one to arrive.
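The following script is an added example and is not part of the original article, nor is it mod_ssl's own make certificate target. It produces the private key, a certificate signing request (the thing you send to the commercial CA) and a self-signed stopgap certificate, and then checks that the certificate really belongs to the key before you point --with-crt and --with-key at the pair. The host name www.example.com, the output directory and the lifetime are assumptions supplied by the caller; it needs only the openssl command-line tool that make install above put on the system.

```shell
#!/bin/sh
# Added example, not from the article: key, CSR and self-signed stopgap
# certificate for an Apache/mod_ssl server, plus a check that the
# certificate and key belong together.  Host name, directory and
# lifetime are assumptions passed in by the caller.

# Does the certificate in $1 belong to the private key in $2?
# The public key embedded in the certificate must be byte-identical to
# the public key derived from the private key.  Run this before pointing
# --with-crt/--with-key (or SSLCertificateFile/SSLCertificateKeyFile)
# at a CA-signed certificate you have just received.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# make_test_cert DIR HOST [DAYS]
#   DIR/server.key  private key (mode 0600)
#   DIR/server.csr  request to send to the commercial CA
#   DIR/server.crt  self-signed certificate to use meanwhile
make_test_cert() {
    dir=$1
    host=$2
    days=${3:-30}   # a stopgap should not outlive the wait for the real one

    mkdir -p "$dir" || return 1

    # Minimal request config.  The subjectAltName matters: browsers match
    # the host name against the SAN list, not only the CN.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF

    # 1. Private key, created under a restrictive umask so the file is
    #    never world-readable, not even for an instant.
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null) || return 1

    # 2. Certificate signing request: this, not the key, goes to the CA.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/req.cnf" -reqexts v3_req || return 1

    # 3. Self-signed certificate, the equivalent of mod_ssl's
    #    'make certificate'.  Browsers will warn about it.
    openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -config "$dir/req.cnf" -extensions v3_req || return 1

    # Sanity check before anything is handed to Apache.
    cert_matches_key "$dir/server.crt" "$dir/server.key"
}
```

When the CA-signed certificate arrives, run cert_matches_key on it with the same server.key: a mismatch (typically because a new key was generated by mistake after the CSR was sent) makes mod_ssl refuse to start, and this catches it before the restart.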
Configuration
The above process added a large number of directives to your configuration file. You should look through httpd.conf and see what sorts of new things are in there. As you learn more about SSL, the things in there will begin to make more sense. The purpose of this article is to get you running with SSL as quickly as possible, and so I'm not going to spend a lot of time on configuration, except to make the following important point.
SSL and name-based virtual hosts
Because of the way SSL works, you can't use SSL on name-based virtual hosts. There are no configuration tricks that you can do to make this work. SSL must run on the primary name for the IP address it answers on. This has to do with the order in which things are said in the SSL negotiation: the server must present its certificate during the handshake, before the client has sent the HTTP request (and with it the Host header) that tells the server which site it wants. By the time the name is known, the certificate has already been chosen, so the virtual host lookup is too late; every name-based host on that address gets the first host's certificate.
So, in order to run SSL on multiple virtual hosts, you'll need to use IP-based virtual hosts: a separate IP address (or at least a separate port) for each SSL host, each with its own certificate. This is being addressed in upcoming revisions to the SSL protocol, but that could be a while away. (The fix that eventually shipped is the Server Name Indication extension to TLS, in which the client names the host it wants in its first handshake message; it needs support in both the browser and the server.)
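An added example, not from the article, that checks an httpd.conf fragment for exactly this mistake: more than one SSL-enabled <VirtualHost> on the same address:port, which under mod_ssl as described here means every host after the first is silently served the first host's certificate. The two configuration fragments, the host names, the certificate paths and the 192.0.2.x addresses (a documentation address range) are constructed for illustration; the second fragment shows the IP-based layout that does work.

```shell
#!/bin/sh
# Added example, not from the article: find SSL virtual hosts that share
# one address:port in an httpd.conf fragment.  Without Server Name
# Indication, mod_ssl can present only one certificate per address:port,
# so the second host listed below would get the first host's certificate.
# Host names, certificate paths and the 192.0.2.x addresses are
# constructed for illustration.

# Reads httpd.conf text on stdin; prints "ADDR: N SSL vhosts" for each
# address:port that carries more than one <VirtualHost> with SSLEngine on.
# Only the first address of a multi-address <VirtualHost> line is examined.
ssl_vhost_conflicts() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ {      # opening tag: remember the address
            addr = $2; sub(/>.*/, "", addr); ssl = 0
        }
        /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl = 1 }
        /^[ \t]*<\/VirtualHost>/ { if (ssl) count[addr]++ }
        END {
            for (a in count)
                if (count[a] > 1) print a ": " count[a] " SSL vhosts"
        }
    ' | sort
}

# Name-based layout: both hosts answer on 192.0.2.10:443, so the SSL
# handshake has already chosen shop's certificate before bank's Host
# header arrives.
NAME_BASED=$(cat <<'EOF'
NameVirtualHost 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/shop.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/shop.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName bank.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/bank.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/bank.key
</VirtualHost>
EOF
)

# IP-based layout: one address per SSL host, each with its own certificate.
IP_BASED=$(cat <<'EOF'
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/shop.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/shop.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName bank.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/bank.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/bank.key
</VirtualHost>
EOF
)

printf '%s\n' "$NAME_BASED" | ssl_vhost_conflicts   # 192.0.2.10:443: 2 SSL vhosts
printf '%s\n' "$IP_BASED" | ssl_vhost_conflicts     # (no output)
```

Run it over your real httpd.conf (ssl_vhost_conflicts < /usr/local/apache/conf/httpd.conf) after adding a second SSL host; an empty result means every SSL host has its own address:port and will present its own certificate.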
More information
One of the clearest explanations of how mod_ssl works is Ralf Engelschall's talk from ApacheCon in London. You can see this talk at http://www.modssl.org/docs/apachecon2000/. I was able to attend that talk, and learned a lot of interesting things.
The talk also has a step-by-step guide for installing mod_ssl. It does things a little differently than I do above, and it might give you some additional insight into what's going on.
Conclusion
The documentation that comes with OpenSSL and mod_ssl is pretty complete. The trick is in knowing that you have to install both in order to make things work. Reading the docs for both will teach you a lot about how the technologies work, as well as how to get them working.
--
Shadows and dust
※ Source: BBS 水木清华站 smth.org [FROM: 166.111.168.2]