It took a bit of searching to finally figure out the right process for getting SSL running properly for Apache. I’ve used it before, of course, but hadn’t personally set it up myself yet.
Here is how to take a stock Red Hat 9 installation that has been updated with the latest patches and allow it to serve SSL pages:
- Ensure you have Apache running properly – you can tell if you can point your web browser on the server to http://localhost/ and you get the default web page
- Create your key and your certificate – Google should get you going on this one.
- Edit ssl.conf – modify the configuration to point at your newly created key and certificate
- Open up port 443 in your firewall – this assumes you’re using a high level of security on your server (definitely recommended).
# iptables -I RH-Lokkit-0-50-INPUT -p tcp --dport 443 -j ACCEPT
(The -I adds the rule to the beginning of the chain of rules for the table RH-Lokkit-0-50-INPUT, the -p indicates the protocol (tcp), the --dport (the double dash is important) indicates the destination port (443 being the default SSL port), and the -j indicates a jump to ACCEPT (as opposed to DROP or FORWARD).) I’m glad to finally begin to understand the exact syntax of iptables, but it is not the easiest to grasp immediately. 🙂
- Visit your site at https:// instead of http://. Now your communication with the web server will be encrypted. Note that if you’re using a self-signed certificate your browser will alert you to the fact that a trusted third party has not signed the certificate. Just click Accept and you should be good to go.
Next stop: .htaccess protection with a php authentication class beyond that. And then maybe we’re starting to have a decently secure framework for developing and deploying the application.
User connects through layers:
[SSL] -> [Digest Authentication] ->
Digest Authentication md5’s the password so it’s not sent across in plain text.
So the user 1) negotiates a secure, encrypted session with the server, 2) must enter a valid server username and password (which is then sent after md5 over SSL) and 3) must enter valid username for application. This is security for the paranoid. For the specialists… 🙂
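To make the Digest Authentication layer concrete, here is an added example (not code from the original post) that computes what the browser actually sends and how the server checks it, following RFC 2617 with qop=auth. The function names are made up for this sketch, and the sample values are the ones from the worked example in RFC 2617 section 3.5.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """Value the server keeps (htdigest-style) instead of the clear password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side 'response' field for qop=auth (RFC 2617 section 3.2.2)."""
    ha2_hex = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}")


def server_verify(stored_ha1, method, fields):
    """Recompute the response from the stored HA1; compare in constant time."""
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])


# Sample values from the worked example in RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
CHALLENGE_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def client_fields(password):
    """Fields the browser puts in the Authorization header for GET /dir/index.html."""
    fields = {"username": USER, "realm": REALM, "uri": "/dir/index.html",
              "nonce": CHALLENGE_NONCE, "nc": "00000001", "cnonce": "0a4f113b",
              "qop": "auth"}
    fields["response"] = digest_response(ha1(USER, REALM, password), "GET",
                                         fields["uri"], fields["nonce"],
                                         fields["nc"], fields["cnonce"])
    return fields


if __name__ == "__main__":
    sent = client_fields(PASSWORD)
    stored = ha1(USER, REALM, PASSWORD)
    print("response sent:", sent["response"])
    print("server accepts:", server_verify(stored, "GET", sent))
    print("wrong password accepted:",
          server_verify(stored, "GET", client_fields("guess")))
```

The password never appears in the header fields; only the hash bound to the server's nonce does, and the server needs just the stored HA1 value to check it.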