Red Hat HTTPD with mod_ssl

Introduction

This section provides information on creating a secure Web server using the Apache HTTP Server with the mod_ssl security module enabled to use the OpenSSL library and toolkit.

The mod_ssl module is a security module for the Apache HTTP Server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server — the ability to encrypt communications. In contrast, using regular HTTP, communications between a browser and a Web server are sent in plaintext, which could be intercepted and read by someone along the route between the browser and the server.

This chapter is not meant to be complete and exclusive documentation for any of these programs. When possible, this guide points to appropriate places where you can find more in-depth documentation on particular subjects.

This chapter shows you how to install these programs. You can also learn the steps necessary to generate a private key and a certificate request, how to generate your own self-signed certificate, and how to install a certificate to use with your secure server.

The mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, the statement Include conf.d/*.conf must be present in /etc/httpd/conf/httpd.conf. This statement is included by default in the default Apache HTTP Server configuration file in Red Hat Linux 9.

 

Apache HTTP Server Configuration

In Red Hat Linux 8.0, the Apache HTTP Server was updated to version 2.0, which uses different configuration options. Also starting with Red Hat Linux 8.0, the RPM package was renamed httpd. If you want to migrate an existing configuration file by hand, refer to the migration guide at /usr/share/doc/httpd-<ver>/migration.html or the Red Hat Linux Reference Guide for details.

If you configured the Apache HTTP Server with the HTTP Configuration Tool in previous versions of Red Hat Linux and then performed an upgrade, you can use the application to migrate the configuration file to the new format for version 2.0. Start the HTTP Configuration Tool, make any changes to the configuration, and save it. The configuration file saved will be compatible with version 2.0.

The HTTP Configuration Tool allows you to configure the /etc/httpd/conf/httpd.conf configuration file for the Apache HTTP Server. It does not use the old srm.conf or access.conf configuration files; leave them empty. Through the graphical interface, you can configure directives such as virtual hosts, logging attributes, and maximum number of connections.

Only modules that are shipped with Red Hat Linux can be configured with HTTP Configuration Tool. If additional modules are installed, they can not be configured using this tool.

The httpd and redhat-config-httpd RPM packages need to be installed to use the HTTP Configuration Tool. It also requires the X Window System and root access. To start the application, go to the Main Menu Button => System Settings => Server Settings => HTTP Server or type the command redhat-config-httpd at a shell prompt (for example, in an XTerm or GNOME Terminal).

Do not edit the /etc/httpd/conf/httpd.conf configuration file by hand if you wish to use this tool. The HTTP Configuration Tool generates this file after you save your changes and exit the program. If you want to add additional modules or configuration options that are not available in HTTP Configuration Tool, you cannot use this tool.

The general steps for configuring the Apache HTTP Server using the HTTP Configuration Tool are as follows:

  1. Configure the basic settings under the Main tab.

  2. Click on the Virtual Hosts tab and configure the default settings.

  3. Under the Virtual Hosts tab, configure the Default Virtual Host.

  4. If you want to serve more than one URL or virtual host, add the additional virtual hosts.

  5. Configure the server settings under the Server tab.

  6. Configure the connections settings under the Performance Tuning tab.

  7. Copy all necessary files to the DocumentRoot and cgi-bin directories.

  8. Exit the application and select to save your settings.

 

Basic Settings

Use the Main tab to configure the basic server settings.

[Figure: Basic Settings]

Enter a fully qualified domain name that you have the right to use in the Server Name text area. This option corresponds to the ServerName directive in httpd.conf. The ServerName directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system. The server name does not have to be the domain name resolved from the IP address of the server. For example, you might want to set the server name to www.example.com when your server's real DNS name is actually foo.example.com.

Enter the email address of the person who maintains the Web server in the Webmaster email address text area. This option corresponds to the ServerAdmin directive in httpd.conf. If you configure the server's error pages to contain an email address, this email address will be used so that users can report a problem by sending email to the server's administrator. The default value is root@localhost.

Use the Available Addresses area to define the ports on which the server will accept incoming requests. This option corresponds to the Listen directive in httpd.conf. By default, Red Hat configures the Apache HTTP Server to listen to port 80 for non-secure Web communications.

Click the Add button to define additional ports on which to accept requests. Either choose the Listen to all addresses option to listen to all IP addresses on the defined port or specify a particular IP address over which the server will accept connections in the Address field. Only specify one IP address per port number. If you want to specify more than one IP address with the same port number, create an entry for each IP address. If at all possible, use an IP address instead of a domain name to prevent a DNS lookup failure.

Entering an asterisk (*) in the Address field is the same as choosing Listen to all addresses. Clicking the Edit button in the Available Addresses frame shows the same window as the Add button except with the fields populated for the selected entry. To delete an entry, select it and click the Delete button.

If you set the server to listen on a port under 1024, you must be root to start it. For port 1024 and above, httpd can be started as a regular user.

[Figure: Available Addresses]

Default Settings

After defining the Server Name, Webmaster email address, and Available Addresses, click the Virtual Hosts tab and click the Edit Default Settings button. Configure the default settings for your Web server in this window. If you add a virtual host, the settings you configure for the virtual host take precedence for that virtual host. For a directive not defined within the virtual host settings, the default value is used.

 

Site Configuration

The default values for the Directory Page Search List and Error Pages will work for most servers. If you are unsure of these settings, do not modify them.

[Figure: Site Configuration]

The entries listed in the Directory Page Search List define the DirectoryIndex directive. The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.

For example, when a user requests the page http://www.example.com/this_directory/, they get either the DirectoryIndex page, if it exists, or a server-generated directory list. The server tries to find one of the files listed in the DirectoryIndex directive and returns the first one it finds. If it does not find any of these files and Options Indexes is set for that directory, the server generates and returns an HTML list of the subdirectories and files in the directory.

Use the Error Code section to configure the Apache HTTP Server to redirect the client to a local or external URL in the event of a problem or error. This option corresponds to the ErrorDocument directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column. To override this default configuration, select the error code and click the Edit button. Choose Default to display the default short error message. Choose URL to redirect the client to an external URL and enter a complete URL, including the http://, in the Location field. Choose File to redirect the client to an internal URL and enter a file location under the document root for the Web server. The location must begin with a slash (/) and be relative to the Document Root.

For example, to redirect a 404 Not Found error code to a webpage that you created in a file called 404.html, copy 404.html to DocumentRoot/errors/404.html. In this case, DocumentRoot is the Document Root directory that you have defined (the default is /var/www). Then, choose File as the Behavior for 404 - Not Found error code and enter /errors/404.html as the Location.

From the Default Error Page Footer menu, you can choose one of the following options:

 

Logging

By default, the server writes the transfer log to the file /var/log/httpd/access_log and the error log to the /var/log/httpd/error_log file.

The transfer log contains a list of all attempts to access the Web server. It records the IP address of the client that is attempting to connect, the date and time of the attempt, and the file on the Web server that it is trying to retrieve. Enter the name of the path and file in which to store this information. If the path and filename does not start with a slash (/), the path is relative to the server root directory as configured. This option corresponds to the TransferLog directive.

[Figure: Logging]

You can configure a custom log format by checking Use custom logging facilities and entering a custom log string in the Custom Log String field. This configures the LogFormat directive.

The error log contains a list of any server errors that occur. Enter the name of the path and file in which to store this information. If the path and filename does not start with a slash (/), the path is relative to the server root directory as configured. This option corresponds to the ErrorLog directive.

Use the Log Level menu to set how verbose the error messages in the error logs will be. It can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info or debug. This option corresponds to the LogLevel directive.
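The transfer log records described above can be read back with a small parser; this is an added example and not part of the Red Hat documentation or of the Apache project. It assumes the transfer log uses the Common Log Format or the Combined format (the text does not say which LogFormat string the tool writes by default), and the log lines it runs on are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the Common Log Format "%h %l %u %t \"%r\" %>s %b" and the Combined
# format, which appends "\"%{Referer}i\" \"%{User-Agent}i\"".
# Assumption: access_log is written in one of these two formats.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_access_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # %t is written as [day/month/year:hour:minute:second zone]
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split()          # "METHOD /path HTTP/x.y"
    rec["method"] = parts[0] if len(parts) >= 1 else None
    rec["path"] = parts[1] if len(parts) >= 2 else None
    return rec


def summarize_clients(lines):
    """Per-client request and 404 counts, plus the number of lines that did not parse."""
    requests, not_found, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            unparsed += 1
            continue
        requests[rec["host"]] += 1
        if rec["status"] == 404:
            not_found[rec["host"]] += 1
    return {"requests": requests, "not_found": not_found, "unparsed": unparsed}


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2003:14:02:11 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [10/Mar/2003:14:02:12 -0500] "GET /images/logo.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2003:14:03:01 -0500] "GET /cgi-bin/nothere.cgi HTTP/1.0" 404 287 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Mar/2003:14:03:02 -0500] "GET /old.html HTTP/1.0" 404 287 "-" "Mozilla/4.0"',
    'this line is not a log record',
]

if __name__ == "__main__":
    print(summarize_clients(SAMPLE_LOG))
```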

The value chosen with the Reverse DNS Lookup menu defines the HostnameLookups directive. Choosing No Reverse Lookup sets the value to off. Choosing Reverse Lookup sets the value to on. Choosing Double Reverse Lookup sets the value to double.

If you choose Reverse Lookup, your server will automatically resolve the IP address for each connection which requests a document from your Web server. Resolving the IP address means that your server will make one or more connections to the DNS in order to find out the hostname that corresponds to a particular IP address.

If you choose Double Reverse Lookup, your server will perform a double-reverse DNS. In other words, after a reverse lookup is performed, a forward lookup is performed on the result. At least one of the IP addresses in the forward lookup must match the address from the first reverse lookup.

Generally, you should leave this option set to No Reverse Lookup, because the DNS requests add a load to your server and may slow it down. If your server is busy, the effects of trying to perform these reverse lookups or double reverse lookups may be quite noticeable.

Reverse lookups and double reverse lookups are also an issue for the Internet as a whole. All of the individual connections made to look up each hostname add up. Therefore, for your own Web server's benefit, as well as for the Internet's benefit, you should leave this option set to No Reverse Lookup.
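The double reverse lookup described above, as an added example that is not Red Hat's or Apache's own code: the resolver functions are passed in, so the check runs here against constructed PTR and A record tables, while the system_reverse and system_forward helpers show how a live server would use the system resolver.

```python
import ipaddress
import socket


def double_reverse_lookup(ip, reverse, forward):
    """Apache-style double reverse check.

    reverse(ip) returns the PTR hostname or None; forward(name) returns the
    addresses that hostname resolves to.  The hostname is trusted only if at
    least one of those forward addresses is the original client address.
    """
    name = reverse(ip)
    if not name:
        return None
    try:
        client = ipaddress.ip_address(ip)
        forward_ips = {ipaddress.ip_address(a) for a in forward(name)}
    except ValueError:             # malformed address from a resolver answer
        return None
    return name if client in forward_ips else None


def remote_host(ip, reverse, forward):
    """What to record for the client: the verified name, otherwise the bare IP address."""
    return double_reverse_lookup(ip, reverse, forward) or ip


# Resolver functions backed by the system resolver (what a live server would use).
def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                # covers socket.herror and socket.gaierror
        return None


def system_forward(name):
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


# Constructed resolver tables so the check can be exercised offline.
PTR_TABLE = {"192.0.2.10": "host.example.com", "192.0.2.20": "spoof.example.net"}
A_TABLE = {"host.example.com": ["192.0.2.10", "2001:db8::10"],
           "spoof.example.net": ["198.51.100.5"]}   # PTR claims a name that points elsewhere


def table_reverse(ip):
    return PTR_TABLE.get(ip)


def table_forward(name):
    return A_TABLE.get(name, [])


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(addr, "->", remote_host(addr, table_reverse, table_forward))
```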

 

Environment Variables

Sometimes it is necessary to modify environment variables for CGI scripts or server-side include (SSI) pages. The Apache HTTP Server can use the mod_env module to configure the environment variables which are passed to CGI scripts and SSI pages. Use the Environment Variables page to configure the directives for this module.

[Figure: Environment Variables]

Use the Set for CGI Scripts section to set an environment variable that is passed to CGI scripts and SSI pages. For example, to set the environment variable MAXNUM to 50, click the Add button inside the Set for CGI Scripts section, type MAXNUM in the Environment Variable text field and 50 in the Value to set text field. Click OK to add it to the list. The Set for CGI Scripts section configures the SetEnv directive.

Use the Pass to CGI Scripts section to pass to CGI scripts the value that an environment variable had when the server was first started. To see this environment variable, type the command env at a shell prompt. Click the Add button inside the Pass to CGI Scripts section and enter the name of the environment variable in the resulting dialog box. Click OK to add it to the list. The Pass to CGI Scripts section configures the PassEnv directive.

If you want to remove an environment variable so that the value is not passed to CGI scripts and SSI pages, use the Unset for CGI Scripts section. Click Add in the Unset for CGI Scripts section, and enter the name of the environment variable to unset. Click OK to add it to the list. This corresponds to the UnsetEnv directive.

To edit any of these environment values, select it from the list and click the corresponding Edit button. To delete any entry from the list, select it and click the corresponding Delete button.

To learn more about environment variables in Apache HTTP Server, refer to the following:

 http://httpd.apache.org/docs-2.0/env.html

 

Directories

Use the Directories page to configure options for specific directories. This corresponds to the <Directory> directive.

[Figure: Directories]

Click the Edit button in the top right-hand corner to configure the Default Directory Options for all directories that are not specified in the Directory list below it. The options that you choose are listed as the Options directive within the <Directory> directive. You can configure the following options:

To specify options for specific directories, click the Add button beside the Directory list box. Enter the directory to configure in the Directory text field at the bottom of the window. Select the options in the right-hand list, and configure the Order directive with the left-hand side options. The Order directive controls the order in which allow and deny directives are evaluated. In the Allow hosts from and Deny hosts from text field, you can specify one of the following:

[Figure: Directory Settings]

If you check the Let .htaccess files override directory options, the configuration directives in the .htaccess file take precedence.
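The Order, Allow hosts from and Deny hosts from evaluation described above, as an added example that is not part of this documentation or of Apache: it reads a constructed <Directory> block of the kind the tool writes to httpd.conf and applies the Apache 2.0 rules for Deny,Allow and Allow,Deny. It handles the host patterns all, a full or partial IP address, and network/netmask or network/bits; domain-name patterns, which Apache resolves with a double reverse lookup, are assumed out of scope and never match.

```python
import ipaddress


def host_matches(client_ip, pattern):
    """Does one Allow/Deny host specification match the client address?"""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:                       # network/netmask or network/bits
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    octets = pattern.split(".")
    if all(o.isdigit() for o in octets):
        # A partial address matches whole leading octets, so "192.168.1"
        # matches 192.168.1.x but not 192.168.100.x.
        return client_ip.split(".")[:len(octets)] == octets
    return False                             # domain-name patterns not handled here


def parse_access_directives(fragment):
    """Pull Order, Allow from and Deny from out of a <Directory> block."""
    order, allow, deny = "deny,allow", [], []    # Apache's default Order is Deny,Allow
    for raw in fragment.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith(("#", "<")):
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def evaluate_access(client_ip, order, allow, deny):
    """Apply the Order semantics that the Directories page configures."""
    allowed = any(host_matches(client_ip, p) for p in allow)
    denied = any(host_matches(client_ip, p) for p in deny)
    if order == "deny,allow":
        # Deny is evaluated first and Allow can override it; a client that
        # matches neither list is permitted.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Allow must match and Deny must not; a client that matches neither
        # list is refused.
        return allowed and not denied
    raise ValueError("unknown Order value: %r" % order)


def is_allowed(client_ip, fragment):
    return evaluate_access(client_ip, *parse_access_directives(fragment))


# Constructed <Directory> block: refuse everyone except two internal ranges.
ADMIN_DIR = """
<Directory "/var/www/html/admin">
    Options -Indexes
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 192.168.1 10.0.0.0/255.255.0.0
</Directory>
"""

# Constructed block showing a frequent mistake: Allow,Deny with only a Deny
# line, so no Allow ever matches and every client is refused, not just one.
LOCKED_OUT = """
<Directory "/var/www/html/admin">
    Order allow,deny
    Deny from 203.0.113.9
</Directory>
"""

if __name__ == "__main__":
    for addr in ("192.168.1.25", "10.0.7.1", "192.168.100.25", "203.0.113.9"):
        print(addr, "admin:", is_allowed(addr, ADMIN_DIR), "locked_out:", is_allowed(addr, LOCKED_OUT))
```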

 

Saving Your Settings

If you do not want to save your Apache HTTP Server configuration settings, click the Cancel button in the bottom right corner of the HTTP Configuration Tool window. You will be prompted to confirm this decision. If you click Yes to confirm this choice, your settings will not be saved.

If you want to save your Apache HTTP Server configuration settings, click the OK button in the bottom right corner of the HTTP Configuration Tool window. A dialog window will appear. If you answer Yes, your settings will be saved in /etc/httpd/conf/httpd.conf. Remember that your original configuration file will be overwritten.

If this is the first time that you have used the HTTP Configuration Tool, you will see a dialog window warning you that the configuration file has been manually modified. If the HTTP Configuration Tool detects that the httpd.conf configuration file has been manually modified, it will save the manually modified file as /etc/httpd/conf/httpd.conf.bak.

After saving your settings, restart the httpd daemon with the command service httpd restart. You must be logged in as root to execute this command.

 

Server Settings

The Server tab allows you to configure basic server settings. The default settings for these options are appropriate for most situations.

 

Server Configuration

The Lock File value corresponds to the LockFile directive. This directive sets the path to the lockfile used when the server is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. It must be stored on the local disk. It should be left to the default value unless the logs directory is located on an NFS share. If this is the case, the default value should be changed to a location on the local disk and to a directory that is readable only by root.

The PID File value corresponds to the PidFile directive. This directive sets the file in which the server records its process ID (pid). This file should only be readable by root. In most cases, it should be left to the default value.

The Core Dump Directory value corresponds to the CoreDumpDirectory directive. The Apache HTTP Server tries to switch to this directory before dumping core. The default value is the ServerRoot. However, if the user that the server runs as can not write to this directory, the core dump can not be written. Change this value to a directory writable by the user the server runs as, if you want to write the core dumps to disk for debugging purposes.

The User value corresponds to the User directive. It sets the userid used by the server to answer requests. This user's settings determine the server's access. Any files inaccessible to this user will also be inaccessible to your website's visitors. The default for User is apache.

The user should only have privileges so that it can access files which are supposed to be visible to the outside world. The user is also the owner of any CGI processes spawned by the server. The user should not be allowed to execute any code which is not intended to be in response to HTTP requests.

Unless you know exactly what you are doing, do not set the User directive to root. Using root as the User will create large security holes for your Web server.

The parent httpd process first runs as root during normal operations, but is then immediately handed off to the apache user. The server must start as root because it needs to bind to a port below 1024. Ports below 1024 are reserved for system use, so they can not be used by anyone but root. Once the server has attached itself to its port, however, it hands the process off to the apache user before it accepts any connection requests.

The Group value corresponds to the Group directive. The Group directive is similar to the User directive. Group sets the group under which the server will answer requests. The default group is also apache.

 

Performance Tuning

Click on the Performance Tuning tab to configure the maximum number of child server processes you want and to configure the Apache HTTP Server options for client connections. The default settings for these options are appropriate for most situations. Altering these settings may affect the overall performance of your Web server.

 

[Figure: Performance Tuning]

Set Max Number of Connections to the maximum number of simultaneous client requests that the server will handle. For each connection, a child httpd process is created. After this maximum number of processes is reached, no one else will be able to connect to the Web server until a child server process is freed. You can not set this value to higher than 256 without recompiling. This option corresponds to the MaxClients directive.

Connection Timeout defines, in seconds, the amount of time that your server will wait for receipts and transmissions during communications. Specifically, Connection Timeout defines how long your server will wait to receive a GET request, how long it will wait to receive TCP packets on a POST or PUT request, and how long it will wait between ACKs responding to TCP packets. By default, Connection Timeout is set to 300 seconds, which is appropriate for most situations. This option corresponds to the TimeOut directive.

Set the Max requests per connection to the maximum number of requests allowed per persistent connection. The default value is 100, which should be appropriate for most situations. This option corresponds to the MaxRequestsPerChild directive.

If you check the Allow unlimited requests per connection option, the MaxKeepAliveRequests directive is set to 0, and unlimited requests are allowed.

If you uncheck the Allow Persistent Connections option, the KeepAlive directive is set to false. If you check it, the KeepAlive directive is set to true, and the KeepAliveTimeout directive is set to the number that is selected as the Timeout for next Connection value. This directive sets the number of seconds your server will wait for a subsequent request, after a request has been served, before it closes the connection. Once a request has been received, the Connection Timeout value applies instead.

Setting the Persistent Connections to a high value may cause a server to slow down, depending on how many users are trying to connect to it. The higher the number, the more server processes waiting for another connection from the last client that connected to it.

 

Virtual Hosts Settings

You can use the HTTP Configuration Tool to configure virtual hosts. Virtual hosts allow you to run different servers for different IP addresses, different host names, or different ports on the same machine. For example, you can run the website for http://www.example.com and http://www.anotherexample.com on the same Web server using virtual hosts. This option corresponds to the <VirtualHost> directive for the default virtual host and IP based virtual hosts. It corresponds to the <NameVirtualHost> directive for a name based virtual host.

The directives set for a virtual host only apply to that particular virtual host. If a directive is set server-wide using the Edit Default Settings button and not defined within the virtual host settings, the default setting is used. For example, you can define a Webmaster email address in the Main tab and not define individual email addresses for each virtual host.

HTTP Configuration Tool includes a default virtual host.

[Figure: Virtual Hosts]

http://httpd.apache.org/docs-2.0/vhosts/ and the Apache HTTP Server documentation on your machine provide more information about virtual hosts.

 

Adding and Editing a Virtual Host

To add a virtual host, click the Virtual Hosts tab and then click the Add button. You can also edit a virtual host by selecting it in the list and clicking the Edit button.

 

General Options

The General Options settings only apply to the virtual host that you are configuring. Set the name of the virtual host in the Virtual Host Name text area. This name is used by the HTTP Configuration Tool to distinguish between virtual hosts.

Set the Document Root Directory value to the directory that contains the root document (such as index.html) for the virtual host. This option corresponds to the DocumentRoot directive within the <VirtualHost> directive. Before Red Hat Linux 7, the Apache HTTP Server provided with Red Hat Linux used /home/httpd/html as the DocumentRoot. In Red Hat Linux 9, however, the default DocumentRoot is /var/www.

The Webmaster email address corresponds to the ServerAdmin directive within the VirtualHost directive. This email address is used in the footer of error pages if you choose to show a footer with an email address on the error pages.

In the Host Information section, choose Default Virtual Host, IP based Virtual Host, or Name based Virtual Host.

Default Virtual Host

You should only configure one default virtual host (remember that there is one set up by default). The default virtual host settings are used when the requested IP address is not explicitly listed in another virtual host. If there is no default virtual host defined, the main server settings are used.

IP based Virtual Host

If you choose IP based Virtual Host, a window appears to configure the <VirtualHost> directive based on the IP address of the server. Specify this IP address in the IP address field. To specify more than one IP address, separate each IP address with spaces. To specify a port, use the syntax IP Address:Port. Use :* to configure all ports for the IP address. Specify the host name for the virtual host in the Server Host Name field.

Name based Virtual Host

If you choose Name based Virtual Host, a window appears to configure the NameVirtualHost directive based on the host name of the server. Specify the IP address in the IP address field. To specify more than one IP address, separate each IP address with spaces. To specify a port, use the syntax IP Address:Port. Use :* to configure all ports for the IP address. Specify the host name for the virtual host in the Server Host Name field. In the Aliases section, click Add to add a host name alias. Adding an alias here adds a ServerAlias directive within the NameVirtualHost directive.

 

SSL

You can not use name based virtual hosts with SSL, because the SSL handshake (when the browser accepts the secure Web server's certificate) occurs before the HTTP request which identifies the appropriate name based virtual host. If you want to use name-based virtual hosts, they will only work with your non-secure Web server.

SSL Support

If an Apache HTTP Server is not configured with SSL support, communications between an Apache HTTP Server and its clients are not encrypted. This is appropriate for websites without personal or confidential information. For example, an open source website that distributes open source software and documentation has no need for secure communications. However, an ecommerce website that requires credit card information should use the Apache SSL support to encrypt its communications. Enabling Apache SSL support enables the use of the mod_ssl security module. To enable it through the HTTP Configuration Tool, allow access through port 443 under the Main tab => Available Addresses. Then, select the virtual host name in the Virtual Hosts tab, click the Edit button, choose SSL from the left-hand menu, and check the Enable SSL Support option.

The SSL Configuration section is pre-configured with the dummy digital certificate. The digital certificate provides authentication for your secure Web server and identifies the secure server to client Web browsers. You must purchase your own digital certificate. Do not use the dummy one provided in Red Hat Linux for your website.

 

Additional Virtual Host Options

The Site Configuration, Environment Variables, and Directories options for the virtual hosts are the same directives that you set when you clicked the Edit Default Settings button, except the options set here are for the individual virtual hosts that you are configuring.
