by Dale Coddington
The purpose of this paper is to describe, in detail, how to install and configure the Apache Web Server with SSL (Secure Socket Layer) support. Today more than ever, sensitive data can no longer be trusted to be sent across the Internet in plain text. SSL adds a layer of encryption to data being sent across an http stream ensuring the that data is transmitted with a large degree of protection from prying eyes. SSL is not the be all and end all of securing data; SSL only protects the data in transit. Once the data has reached its destination it no longer benefits from SSL's encrypted tunnel and could fall prey to prying eyes. This is only too common an occurrence in today's world of e-commerce.
There are commercial packages available that combine the features of Apache with SSL which may also include additional features, including support. This paper will focus on implementing a system that is just as secure as the commercial counter-parts, with no additional cost involved. Using commercial packages is just no fun when you can build it yourself.
When initially installing your system and creating partitions, create an extra partition called /chroot to run Apache in. How big this partition will be is entirely up to the reader. For a basic web server 40 megs will suffice. We will discuss the purpose of this /chroot partition later.
If you are using these instructions on a system that has already had Apache installed you may choose to add an extra disk to create the /chroot partition on, or elect to not use a /chroot partition, creating the /chroot directory on the root filesystem, or in some other location.
It is also assumed that the reader has already taken measures to the secure the machine they will be installing Apache on. This includes, but is not limited to, removing all unnecessary SUIDS, upgrading daemons, and disabling non-essential system services. It should go without saying that if you are setting up a machine to serve web pages then that is the only service that should be available on that particular machine. It is also assumed the machine is properly running TCP/IP and has an IP address assigned. Setting up an SSL enabled web server for localhost is rather useless.
Unfortunately, Apache does not come with SSL as an included feature, so we must first gather all the pieces of software that will allow us to be able to provide encrypted web based transactions. The following pieces of software will be needed to complete the installation:
Modules are 'plug-in software packages that can give Apache extra functionality. These may include mod_perl as discussed above or another popular package, mod_php which adds the popular PHP scripting language to Apache. Any other modules you wish to use will need to be obtained and activated as they normally are.
Before we actually begin the installation process we must first decide what kind of environment we wish to set the server up in. For the paranoid the server and software may be installed in a chroot'd environment. Chroot changes the root directory and executes a program there. This provides a "contained" environment, outside of your regular file structure, for the server to run. That way if an intruder was to somehow break a cgi script or in some other way gain system access via the web server they will be in a contained or "jailed" environment without access to the entire file system. From a security standpoint this would be desirable but from a system administration standpoint it can be bothersome. It will be necessary to install required libraries, Perl, and any other utilities your web server may need to function in the chroot'd environment. For the sake of security we will be installing the web server in a chroot'd environment. First we will install Apache in the normal fashion then we will transfer it to the /chroot partition that we created at installation time. The installation instructions are provided in a checklist format to facilitate your installation.
#gzip -d -c apache_1.3.11.tar.gz | tar xvf - #gzip -d -c mod_ssl-2.5.0-1.3.11.tar.gz | tar xvf - #gzip -d -c openssl-0.9.4.tar.gz | tar xvf - #gzip -d -c mod_perl-1.21.tar.gz | tar xvf -
#mkdir rsaref #cd rsaref #gzip -d -c ../rsaref20.tar.Z | tar xvf - #tar xvf rsaref.tar #cp -rp install/unix temp #cd temp #make #mv rsaref.a librsaref.a #cd ../../
#cd openssl-0.9.4 #perl util/perlpath.pl /usr/bin/perl (Path to Perl) #./config -L`pwd`/../rsaref/temp/ #make #make test #cd ..
#cd mod_perl-1.21 #perl Makefile.PL APACHE_PREFIX=/usr/local/apache \
#cd mod_ssl-2.5.0-1.3.11 #./configure --with-apache=../apache_1.3.11 \
#cd apache_1.3.11
Before we actually build Apache, lets add another layer of security. Edit the following file to obscure the version number and name of the server we are using. This will thwart reconnaissance from attackers or otherwise nosey individuals.
#<your favorite text editor> src/include/httpd.h
define SERVER_BASEVERSION "Apache/1.3.11"
#make
#make certificate
#make install
/usr/local/apache/bin/apachectl start
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl startssl
We will now examine the main Apache configuration files. One thing to keep in mind is changes made to the configuration files will not take effect until the web server is restarted. The configuration files are located in /usr/local/apache/conf
/usr/local/apache/conf
This is Apache's main configuration file. You can set such variables as number of httpd processes to start initially, number of maximum client connections, ports to listen on, and more. This file is heavily commented and thus very easy to make changes to.
This configuration file is the default file for the AccessConfig directive in httpd.conf. To simplify things it is recommended you place all of your server directives into the http.conf file and leave this one empty.
This configuration file is the default file for the ResourceConfig directive in httpd.conf. Once again this file can be left empty and all directives can be placed in the httpd.conf configuration file.
#/usr/local/apache/bin/apachectl restart
We will now begin the process of preparing our chroot environment and moving the Apache installation and all required files into it. This part of the installation is optional. As stated earlier it is better to add an extra layer of protection and chroot the web server.
#mkdir /chroot
#mkdir /chroot/dev #mkdir /chroot/lib #mkdir /chroot/etc #mkdir /chroot/bin #mkdir /chroot/usr #mkdir /chroot/usr/local
#mknod -m 666 /chroot/dev/null c 1 3
#cp -rp /usr/local/apache/ /chroot/usr/local
#cp /bin/sh /chroot/bin
#ldd /usr/local/apache/bin/httpd
#cp /lib/libm.* /chroot/lib/ #cp /lib/libgdbm.* /chroot/lib #cp /lib/libdb.* /chroot/lib #cp /lib/libdl.* /chroot/lib #cp /lib/libc.* /chroot/lib
#cp /lib/libnss* /chroot/lib
#cp /etc/passwd /chroot/etc #cp /etc/shadow /chroot/etc #cp /etc/group /chroot/etc #cp /etc/resolv.conf /chroot/etc #cp /etc/hosts /chroot/etc #cp /etc/localtime /chroot/etc #cp /etc/localtime /chroot/etc #cp /etc/ld.so.* /chroot/etc
#chroot /chroot /usr/local/apache/bin/apachectl start
#chroot /chroot /usr/local/apache/bin/apachectl stop
Everything should be up and running at this point. If not, make sure you have all the required libraries in /chroot/lib. If that doesn't solve the problem you may want to try invoking httpd with strace. The output from strace may be useful in determining if you are missing any required libraries or binaries.
Now it's time to do a little post-install cleanup and tightening down. By default apache runs as user nobody and group nobody. While this may seem trivial, if you have other software running with that same user and group and apache is compromised, the attacker may have access to those programs as well.
#chmod 600 /chroot/etc/passwd shadow group
Now we need to modify Apache's configuration to reflect these changes. Open /chroot/usr/local/apache/conf/httpd.conf with a text editor. Look for the lines with the user and group to run Apache as (approx. line 263) and change them to httpd/httpd.
Finally if all is in working order we can delete the original Apache installation we did and remove the other source files we used to compile Apache
#rm -rf /usr/local/apache #rm -rf /usr/local/mod_ssl-2.5.0-1.3.11/ #rm -rf /usr/local/mod_perl-1.21/ #rm -rf /usr/local/openssl-0.9.4/ #rm -rf /usr/local/rsaref
echo "Starting Apache-SSL" /usr/sbin/chroot/apache/bin/apachectl startssl
If all goes well you are now running Apache with SSL support in a chroot'd jail for extra security. These directions are for a simple web server; the more modules you add, the more tweaking will be necessary. One thing to keep in mind is it is a good idea to only keep essential binaries in the chroot jail. SUID binaries in the chroot should also be avoided at all cost.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.