Apache SSL: Difference between revisions

nginx and SSL

• Encrypted transport over which HTTP runs
• Decent performance with nginx
• Can be combined with other features
  • Apache can handle SSL and proxy to another application

Installing mod_ssl

• SSL not included by default in EL5
• `yum -y install mod_ssl` to install
• Will receive errors like '`Invalid command 'SSLEngine'`' if not installed

SSL

• Public key encryption
• **Private key** - should exist only on the server and not be transferred
• **Certificate** - purchased from a third party who (should) verify that the recipient really is who they say they are
• Safe to copy wherever/however you like - a copy given to every visitor to the website

Getting an SSL certificate

• First, generate a private key

$ openssl genrsa -des3 -out server.key 2048

• Next, generate a certificate signing request (CSR)

$ openssl req -new -key server.key -out server.csr

• Now give the CSR to wherever you are buying the certificate from, and

 wait for them to send you an SSL cert

Using SSL Certificates

• When you receive the SSL certificate, you will also receive an intermediary certificate
• On Apache, this can be kept in its own file
• If you have more than one intermediary, these must be combined into a single file

Adding SSL to Apache

<VirtualHost *:443> 
ServerName www.example.com
DocumentRoot /var/www/html 

SSLEngine On
SSLProtocol all -SSLv2
SSLCertificateKeyFile /etc/httpd/server.key
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateChainFile /etc/httpd/intermediate.crt
</VirtualHost>

Exercise

• Generate a private key + CSR, send to me to be signed
• Install provided certificate
• Make /foo proxy to the server on localhost:8000

Removing password from the key

openssl rsa -in server.key -out server-nopw.key