PHP-Installing Apache to Use SSL

Published: 01st May 2009

This section describes how to install a secure version of the Apache web
server. There are three major differences encountered when installing Apache to
use SSL versus installing Apache normally:





Secure Sockets Layer software is required.

    There are several sources of Secure Sockets Layer software. OpenSSL is
    probably the most commonly used with Apache.

SSL patches must be applied to the Apache code before it is configured and
compiled.

    Unlike installing other Apache modules, SSL installation requires that the
    core Apache source code be modified or patched. Normal Apache modules, such
    as the PHP module, interact with Apache using a defined application
    programming interface, or API. The Apache API provides functions that hide
    the details of dealing with HTTP from Apache module developers.

    However, the code that implements SSL needs to encrypt and decrypt HTTP
    requests and responses. The Apache API is aimed at the wrong level for
    this, so SSL patches need to be applied to Apache. There are several open
    source and commercial SSL extensions and patches to Apache available.
    ApacheSSL (http://www.apache-ssl.org) and mod_ssl (http://www.modssl.org)
    are both open source and easy to install. We describe the installation of
    ApacheSSL in this section.

A site certificate needs to be obtained and configured.

    A self-signed certificate can be created, but it needs to be replaced with
    a purchased certificate from a Certification Authority when an application
    goes live. There are dozens of organizations that can provide authoritative
    certificates, including companies such as Verisign and Thawte.




A.3.1 Installing OpenSSL





  1. Get the latest version of OpenSSL from http://www.openssl.org/source/.
    Download the Unix tar-ed and gzip-ed file under the heading "Tarball." For
    example, download the file openssl-0.9.6a.tar.gz.

  2. Put the distribution file in a directory that can be used to build the
    OpenSSL libraries. In our installation instructions, we use /usr/local/.
    The default installation process installs OpenSSL in /usr/local/ssl. To
    use /usr/local/, log in as the root user of the Linux installation; in any
    case, root access is required in Step 5 to install in the default location.

  3. Uncompress and un-tar the distribution file in the new installation
    directory using gzip and tar. If the version downloaded was 0.9.6a, the
    commands are:

    % gzip -d openssl-0.9.6a.tar.gz
    % tar xvf openssl-0.9.6a.tar

    The distribution files are listed as they are extracted from the tar file.

  4. Change the directory to the openssl source directory, run the config
    script, and then make the installation. Assuming the version downloaded is
    0.9.6a, the commands are:

    % cd openssl-0.9.6a
    % ./config
    % make
    % make test

    To install OpenSSL in a directory other than /usr/local/ssl, run config
    with the --openssldir=<directory-path> directive.

  5. Build the install binaries of SSL. To do this, log in as the root user,
    and then run the make install script:

    % make install

    This creates an installation of SSL in the directory /usr/local/ssl.





A.3.2 Installing Apache and ApacheSSL



Both Apache and ApacheSSL need to be installed together, and the ApacheSSL
version must match the Apache version. ApacheSSL may not always be available for
the latest version of Apache, so it is worth checking out the latest ApacheSSL
version first. The current version of ApacheSSL is applied to Apache 1.3.19.





  1. Get the latest version of ApacheSSL by selecting a download site from
    http://www.apache-ssl.org/. Download the tar-ed and gzip-ed distribution
    file. For example, apache_1.3.19+ssl_1.44.tar.gz.

  2. Get the matching version of the Apache web server source code that also
    ends with .tar.gz from http://www.apache.org/dist/httpd/. For example, if
    the ApacheSSL version downloaded in Step 1 was
    apache_1.3.19+ssl_1.44.tar.gz, retrieve apache_1.3.19.tar.gz.

  3. Put the Apache distribution file in the base directory where the
    installation is to be performed. For these instructions, use /usr/local/
    as in the Apache installation instructions earlier in this appendix.

  4. Unpack the Apache package first by running gzip -d <filename> and
    tar xvf <filename>. With Apache Version 1.3.19:

    % cd /usr/local
    % gzip -d apache_1.3.19.tar.gz
    % tar xvf apache_1.3.19.tar

    This creates an apache_1.3.19 source directory. Record the directory
    name that was created to use in the next steps. It's assumed from here on
    that the version is 1.3.19, and the directory is apache_1.3.19.

  5. Copy the ApacheSSL distribution into the directory created in Step 4 that
    already contains the Apache source:

    % cp apache_1.3.19+ssl_1.44.tar.gz /usr/local/apache_1.3.19

  6. Unpack the ApacheSSL distribution:

    % cd /usr/local/apache_1.3.19
    % gzip -d apache_1.3.19+ssl_1.44.tar.gz
    % tar xvf apache_1.3.19+ssl_1.44.tar

  7. Apply the patches using the FixPatch script that comes with ApacheSSL.
    This script copies the appropriate files from the OpenSSL installation:

    % ./FixPatch /usr/local/ssl

  8. Type yes when prompted:

    Do you want me to apply the fixed-up Apache-SSL patch for you? [n] yes

  9. You've now applied the patches to Apache and can continue with the normal
    installation by following Steps 6 to 10 in the Apache installation
    instructions earlier in this appendix.




A.3.3 Creating a Key and Certificate



For ApacheSSL to operate, it needs to be configured with a private key and a
certificate. ApacheSSL comes with a script that runs the openssl utility
to create a key and a self-signed certificate. This is the easiest way to get
started. Once the key and certificate have been created, they need to be
configured into Apache. Again, the version of Apache and the patch applied are
assumed to be Version 1.3.19; if a different version is used, the following
steps need to be changed to include the correct directories based on the version
number.





  1. Create the key and signed certificate.

    % cd /usr/local/apache_1.3.19/src
    % make certificate

  2. The make certificate script asks for several fields including country,
    state, organization name, and the machine hostname encoded into the
    certificate. The script produces a file that contains both the private key
    and the signed certificate:

    /usr/local/apache_1.3.19/SSLconf/conf/httpsd.pem

  3. After logging in as the root user, copy the key and certificate file into
    the Apache installation:

    % cd /usr/local/apache_1.3.19/SSLconf/conf
    % cp httpsd.pem /usr/local/apache/conf/default.pem

  4. Modify the httpsd.conf file with a text editor so that PHP files are
    processed by the PHP scripting engine. The configuration file is found in
    the directory /usr/local/apache/conf/. Remove the initial # character from
    the following line:

    AddType application/x-httpd-php .php

  5. Modify the httpsd.conf file by changing the Port from 80 to the secure
    web server port 443:

    Port 443

  6. Add the following lines to the end of the httpsd.conf file:

    #
    # SSL Parameters
    #
    SSLCACertificateFile /usr/local/apache/conf/default.pem
    SSLCertificateFile /usr/local/apache/conf/default.pem
    SSLCacheServerPath /usr/local/apache/bin/gcache
    SSLCacheServerPort 18698
    SSLSessionCacheTimeout 3600

  7. Start Apache. Unlike a normal Apache installation, ApacheSSL creates an
    httpsdctl script:

    % /usr/local/apache/bin/httpsdctl start

    In some cases, this doesn't correctly start Apache. If this happens, use
    the following alternative commands to explicitly specify the configuration
    file to use with the secure Apache:

    % cd /usr/local/apache/
    % bin/httpsd -f conf/httpsd.conf

  8. A secure Apache is now running and serving requests on port 443, the
    default HTTPS port, with SSL. This can be tested by requesting the resource
    https://localhost/ with a web browser. The installation process is now
    complete.




When a resource such as https://localhost/ is requested with a
browser, the browser alerts the user to an unknown certificate. To obtain a
certificate that will be trusted by users, the openssl utility needs to
be run to create a private key and a certificate request. The certificate
request is then sent to a Certification Authority to be signed using their
authoritative certificates. There is a fee for this service. While the Apache
configuration allows both the key and the certificate to be placed in the one
file, the private key should not be sent to anyone, not even the Certification
Authority.



If a trusted certificate is required, consult the OpenSSL documentation that
describes how to create keys and Certificate Signing Requests. This
documentation can be found at http://www.openssl.org/docs/apps/openssl.html.
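
The separation of private key and certificate request described above, as an added example that is not part of the original article: the key and the request are written to separate files, and a check refuses to release any file that still carries a private key, such as a combined file laid out like httpsd.pem. The file names, the subject string and the helper function names are assumptions, a current openssl command-line tool is assumed, and the sample PEM is constructed.

```shell
#!/bin/sh
# Added example. File names, subject string and function names are assumptions.

# Create the private key (stays on the server, mode 0600) and a CSR for the CA.
# Usage: make_key_and_csr server.key server.csr "/C=AU/O=Example/CN=www.example.com"
make_key_and_csr() {
    key=$1; csr=$2; subj=$3
    ( umask 077 && openssl genrsa -out "$key" 2048 ) || return 1
    openssl req -new -key "$key" -out "$csr" -subj "$subj"
}

# Succeeds (exit 0) if the file holds any PEM private-key block.
pem_has_private_key() {
    grep -Eq -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# Print only the CERTIFICATE blocks of a combined key+certificate file.
pem_certs_only() {
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /-----END CERTIFICATE-----/   { keep = 0 }' "$1"
}

# Gate to run on anything that leaves the server (CSR, certificate copy).
safe_to_send() {
    if pem_has_private_key "$1"; then
        echo "REFUSE: $1 contains a private key" >&2
        return 1
    fi
    echo "OK: $1 contains no private key"
}

# Constructed sample laid out like httpsd.pem; the bodies are placeholders,
# not real key or certificate material.
demo_dir=$(mktemp -d)
cat > "$demo_dir/combined.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
pem_certs_only "$demo_dir/combined.pem" > "$demo_dir/cert-only.pem"
safe_to_send "$demo_dir/cert-only.pem"
safe_to_send "$demo_dir/combined.pem" || true
```

Running safe_to_send on the request file before it is submitted catches the case where the combined key-and-certificate file is picked up by mistake.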



Source: http://alimox.articlealley.com/phpinstalling-apache-to-use-ssl-876222.html

