Apache

Mar 10, 2016
5 min read
Jun 30, 2023 16:33 EEST

SSL

Insert the following into your ssl.conf and continue creating the keys:

SSLCertificateFile /etc/mail/certs/newcert.pem
SSLCertificateKeyFile /etc/mail/certs/req.pem
SSLCertificateChainFile /etc/mail/certs/cacert.pem

New certificate

To create a certificate do the following:

Generate the CA key:

cd /etc/mail/certs/
edit CA.pl and set days to high value like 10-20 years
maybe edit /etc/ssl/openssl.cnf
/usr/src/crypto/openssl/apps/CA.pl -newca
cp demoCA/cacert.pem .

Generate keypair:

edit CA.pl again and set it to 1-2 years
/usr/src/crypto/openssl/apps/CA.pl -newreq
as COMMON NAME put FQDN

Sign the keypair:

/usr/src/crypto/openssl/apps/CA.pl -sign

Remove the password from keypair:

openssl rsa -in newkey.pem -out req.pem
rm newreq.pem
chmod 0600 *

Chain of Trust

To add you self created CA to the chain of trust you must import the file cacert.pem on all computers and select trust completely.

Renew a certificate

Sign the keypair:

cd /etc/mail/certs
/usr/src/crypto/openssl/apps/CA.pl -sign

see:

Convert PEM to DER to import on Android

To convert your own CA to a format Android can read use:

openssl x509 -inform PEM -outform DER -in newcert.pem -out CA.crt

StartSSL

To create your certificate (same for renewal) by going to http://startssl.com and login. To have a secure key, make sure we have the following settings in /etc/ssl/openssl.cnf:

default_md      = sha2                  # which md to use.
default_bits            = 4096

Create your key:

/usr/src/crypto/openssl/apps/CA.pl -newreq

Copy the content of newreq.pem to the certificate request on startssl.com. Store the content from startssl.com to a file ssl.crt.

Remove the passphrase with:

openssl rsa -in newkey.pem -out ssl.key

Download the files from startssl.com:

wget -N https://www.startssl.com/certs/sub.class1.server.ca.pem
wget -N https://www.startssl.com/certs/ca.pem

You have the following:

Datei Beschreibung
ca.pem startssl root certificate
sub.class1.server.ca.pem startssl intermediate certificate
newkey.pem encrypted private key
newreq.pem certificate request
ssl.key decrypted private key
ssl.crt certificate for your key, signed by startssl.com

Configure your apache:

        SSLCertificateFile /usr/local/etc/apache22/ssl/ssl.crt
        SSLCertificateKeyFile /usr/local/etc/apache22/ssl/ssl.key
        SSLCertificateChainFile /usr/local/etc/apache22/ssl/sub.class1.server.ca.pem
        SSLCACertificateFile /usr/local/etc/apache22/ssl/ca.pem

Create Certificate with more than one (Wildcard)-Domain

Create openssl config file name openssl.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Bayern
localityName = Locality Name (eg, city)
localityName_default = Munich
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = FM-Data
commonName = FM-Data
commonName_max  = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.fechner.net
DNS.2 = *.idefix.lan
openssl genrsa -out newkey.pem 4096
openssl req -new -out san_idefix_lan.csr -key newkey.pem -config openssl.cnf
openssl req -text -noout -in san_idefix_lan.csr
openssl x509 -req -days 3650 -in san_idefix_lan.csr -signkey newkey.pem -out
mv san_idefix_lan.csr cacert.pem
openssl x509 -req -days 3650 -in cacert.pem -signkey newkey.pem -out newreq.pem -extensions v3_req -extfile openssl.cnf
mv newreq.pem newcert.pem
mv newkey.pem  req.pem

See http://apetec.com/support/GenerateSAN-CSR.htm

Secure SSL connection

Based on this calculator https://mozilla.github.io/server-side-tls/ssl-config-generator/

/usr/local/etc/apache24/extra/httpd-ssl.conf
...
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder on
SSLSessionTickets off
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Check SSL chipers

nmap -p 993 --script ssl-enum-ciphers hostname

Tomcat Connector

To conffigure the tomcat connector for apache 2.4 I added in the httpd.conf:

Include conf/tomcat_connector.conf

And configure then all in the tomcat_connector.conf:

LoadModule jk_module modules/mod_jk.so

# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile "conf/workers.properties"

# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile     "logs/mod_jk.shm"

<VirtualHost _default_:80>
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile     "logs/mod_jk.log"

# Set the jk log level [debug/error/info]
JkLogLevel    error

# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

# Define the mapping
JkMountFile		"conf/uriworkermap.properties"
</VirtualHost>

Enable IE Quirks Mode

Sometimes you have a buggy website and the company is not willing to fix the problems on it. The website only works if the IE is forced to Quirks mode. To get this fixed with apache you can use the module headers_module. To enable it load the module:

LoadModule headers_module modules/mod_headers.so

Now add to your virtual host the line:

Header set X-UA-Compatible "IE=5;charset=iso-8859-1"

SSL Certificate with Windows

Before you start, make sure you have a current version of apache from [[http://www.apachehaus.com/cgi-bin/download.plx|here]] installed. Do not forget the openssl update!

At first make sure that the path to openssl is in the windows path so we can execute the openssl command from the console. Path for me is d:\Apache24\bin.

To create a SSL certificate for apache with windows:

d:
cd apache24
cd conf
cd ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout hostname.key -out hostname.crt

Add to your virtual host config something like this:

<VirtualHost _default_:443>
ServerName hostname
...
# SSL configuration
SSLEngine on
SSLCertificateFile conf/ssl/hostname.crt
SSLCertificateKeyFile conf/ssl/hostname.key
SSLCertificateChainFile conf/ssl/hostname.crt
</VirtualHost>

Using PHP together with Apache24

We use apache 2.4 together php-fpm to use the event model instead of the pre-fork module which memory consuming and slow. Make sure you have php-fpm running.

/etc/rc.conf
# PHP FPM
php_fpm_enable="YES"
service php-fpm restart

Make sure the proxy modules are loaded:

/usr/local/etc/apache24/httpd.conf
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so

In your virtalhost definition:

/usr/local/etc/apache24/Includes/phpmyadmin.conf
<VirtualHost *>
...
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/opt/local/www/phpmyadmin/$1
    DirectoryIndex /index.php index.php

    <Directory /opt/local/www/phpmyadmin>
...

Related Posts