Bernard Szlachta: /* Exercise */

2013-06-05T08:20:24Z

Exercise

New page

{{Cat|Apache}}

== nginx and SSL ==
* Encrypted transport over which HTTP runs
* Decent performance with nginx
* Can be combined with other features
** Apache can handle SSL and proxy to another application

== Installing mod_ssl ==
* SSL not included by default in EL5
* `yum -y install mod_ssl` to install
* Will receive errors like '`Invalid command 'SSLEngine'`' if not installed

== SSL ==
* Public key encryption
* **Private key** - should exist only on the server and not be transferred
* **Certificate** - purchased from a third party who (should) verify that the recipient really is who they say they are
* Safe to copy wherever/however you like - a copy given to every visitor to the website

== Getting an SSL certificate ==
* First, generate a private key
$ openssl genrsa -des3 -out server.key 2048
* Next, generate a certificate signing request (CSR)
$ openssl req -new -key server.key -out server.csr
* Now give the CSR to wherever you are buying the certificate from, and
wait for them to send you an SSL cert

== Using SSL Certificates ==
* When you receive the SSL certificate, you will also receive an intermediary certificate
* On Apache, this can be kept in its own file
* If you have more than one intermediary, these must be combined into a single file

== Adding SSL to Apache ==

<VirtualHost *:443>
ServerName www.example.com
DocumentRoot /var/www/html

SSLEngine On
SSLProtocol all -SSLv2
SSLCertificateKeyFile /etc/httpd/server.key
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateChainFile /etc/httpd/intermediate.crt
</VirtualHost>

== Exercise ==

* Generate a private key + CSR, send to me to be signed
* Install provided certificate
* Make /foo proxy to the server on localhost:8000

== Removing password from the key ==
openssl rsa -in server.key -out server-nopw.key

Apache SSL - Revision history

Bernard Szlachta: /* Exercise */