Configuring PHP & ApacheSSL
Creating The PHP Configuration File
To use the default configuration for PHP, copy the default configuration file from the PHP source directory to /usr/local/lib. In your home directory,
cd php-3.0.12
Become root with su or sudo, then type
cp php3.ini-dist /usr/local/lib/php3.ini
If you ever want to change the configuration for PHP, edit the php3.ini file in /usr/local/lib.
Creating The Default Certificate
The next step is to create the default certificate for ApacheSSL. To do this, change to the Apache source directory, then the src directory inside the source directory. In src, make the certificate, then copy it to the default location for certificates.
cd ~
cd apache_1.3.9
cd src
make certificate
During the process of creating the certificate, you will be prompted to answer several questions. After the certificate has been created in SSLconf/conf, copy it to the /opt/apachessl/conf directory. Become root with su or sudo, then type
cd ~
cd apache_1.3.9
cd SSLconf
cd conf
cp httpsd.pem /opt/apachessl/conf/default.pem
Deciding How To Lay Out Secured Areas
From this point, I'm going to assume that you want to have both SSL and non-SSL portions of a website running off of the same server. The easiest way to do this is through virtual hosts, a nifty option that Apache provides. With virtual hosts you can re-direct users to a certain part of a web site, or even an entirely different web site located on the same physical computer. For example, I can set green.dhs.org and yellow.dhs.org to point to the same IP address. Using virtual hosts I can have Apache present a user with either a website about yellow stuff or a website about green stuff, depending on what they typed into their browser or the link they clicked on.
Apache's virtual hosts also let you split servers of the same name off onto different ports, which is what you're probably going to want to do. For our example, we'll use hrothgar.dhs.org. (Hrothgar was a king in Beowulf who was famous for having built the largest mead hall and having the biggest parties.)
In the case of hrothgar, we want to have a standard, non-encrypted web server running on port 80 that users can reach by typing http://hrothgar.dhs.org into their browser, and an SSL-secured web server running on port 443 (the standard) that users can reach by typing https://hrothgar.dhs.org into their browsers. Carefully notice that the secured part of the site uses https rather than http - modern web browsers know that means to look on port 443 for the web server.
Creating Certificates For Each Secure Virtual Host
Each secure virtual host has to have its own certificate and key files. To create SSL certificates and their keys, use the following series of OpenSSL commands in your home directory:
openssl req -new > new.cert.csr
When you're prompted for the pass phrase, put in anything you want - we're going to strip it out in the next step. Enter the country name, city, and state as prompted. When you are prompted for the "Challenge Password", just leave it empty and press Enter. For the "Optional Company Name", enter the host name the certificate is for (hrothgar.dhs.org in our case.)
openssl rsa -in privkey.pem -out new.cert.key
When you're prompted for the pass phrase, put in exactly the same phrase or word as you did above.
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
Set the days parameter to the number of days you wish the certificate to be valid. After the certificate "expires", you just have to create a new one. I normally set mine to one year, as above. If you really don't want to be bothered with it, set the number to something absurd like 10 years.
There now exist in your home directory two files named new.cert.cert and new.cert.key. These are the SSL certificate and key files that need to be copied to /opt/apachessl/conf. In the process, I normally rename them to something reminiscent of the hostname they're for.
Become root using su or sudo, and type
cp new.cert.cert /opt/apachessl/conf/hrothgar.cert
cp new.cert.key /opt/apachessl/conf/hrothgar.key
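The certificate step above, packaged as an added shell example that is not part of the original tutorial: it produces the pass-phrase-free key and certificate for one host in a single non-interactive step, and goes one step further by checking that the key and certificate actually belong together before the pair is copied into /opt/apachessl/conf. The function names are this example's own and the subject fields are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: make the certificate and
# key for one secure virtual host in a single non-interactive step, then
# check that the key really belongs to the certificate before the pair is
# copied into /opt/apachessl/conf. Function names are this example's own;
# the subject fields are constructed sample values.

# make_host_cert HOSTNAME OUTDIR [DAYS]
# Does the work of the tutorial's three commands (req, rsa, x509) at once:
# -nodes writes the key without a pass phrase, so there is nothing to strip
# out afterwards, and -subj answers the prompts. The CN is set to the host
# name, which is what browsers compare against the URL.
make_host_cert() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/C=US/O=$host/CN=$host" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.cert" 2>/dev/null || return 1
    # The key is stored unencrypted so httpsd can start unattended; keep it
    # readable by root only.
    chmod 600 "$outdir/$host.key"
}

# cert_matches_key CERT KEY
# Succeeds only when the public key inside the certificate equals the one
# derived from the private key. A mismatched pair (easy to produce when
# files are renamed and copied about) is a common reason httpsd refuses to
# start.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CERT
# Prints the certificate's CN so it can be compared with the ServerName of
# the virtual host that will use it.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}
```

Run make_host_cert hrothgar.dhs.org /opt/apachessl/conf as root to get hrothgar.dhs.org.cert and hrothgar.dhs.org.key in place, then point SSLCertificateFile and SSLCertificateKeyFile at them.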
Configuring ApacheSSL Through httpsd.conf
The Apache web server is primarily configured through the httpsd.conf file, located in /opt/apachessl/conf. In this step we edit the file, adding the lines necessary to enable PHP, enable SSL, and set up our virtual hosts. To do this, become root using su or sudo and open /opt/apachessl/conf/httpsd.conf in your text editor of choice.
cd /opt/apachessl/conf
vi httpsd.conf
The first field of the configuration file we want to change is the Port directive. We want the base server to listen on port 80, so we have
Port 80
We also want to listen on port 443 for incoming SSL connections, so we have to add a Listen directive to tell Apache to attach itself to port 443 as well:
Listen 443
Next, we want to tell Apache to load the necessary certificates and caching programs for SSL. Underneath the DocumentRoot directive, type the following lines:
SSLCACertificateFile /opt/apachessl/conf/default.pem
SSLCertificateFile /opt/apachessl/conf/default.pem
SSLCacheServerPath /opt/apachessl/bin/gcache
SSLCacheServerPort 12345
SSLSessionCacheTimeout 3600
Now we want to add entries for each of our virtual hosts. By convention, virtual host entries are placed at the very bottom of the httpsd.conf file. Define the IP address and port numbers that virtual hosts reside on with the NameVirtualHost directive like
NameVirtualHost 161.6.17.6:80
NameVirtualHost 161.6.17.6:443
An example entry for a non-SSL secured virtual host might look like:
<VirtualHost 161.6.17.6>
SSLDisable
DocumentRoot /opt/apachessl/htdocs/
ScriptAlias /cgi-bin/ /opt/apachessl/cgi-bin/
ServerName hrothgar.dhs.org
ErrorLog /opt/apachessl/logs/hrothgar_error
TransferLog /opt/apachessl/logs/hrothgar_access
</VirtualHost>
For an SSL secured host, an entry might look like:
<VirtualHost 161.6.17.6:443>
DocumentRoot /opt/apachessl/secure/htdocs
ScriptAlias /cgi-bin/ /opt/apachessl/secure/cgi-bin/
ServerName hrothgar.dhs.org
ErrorLog /opt/apachessl/logs/hrothgar_ssl_error
TransferLog /opt/apachessl/logs/hrothgar_ssl_access
SSLVerifyClient 0
SSLFakeBasicAuth
SSLCertificateFile /opt/apachessl/conf/hrothgar.cert
SSLCertificateKeyFile /opt/apachessl/conf/hrothgar.key
</VirtualHost>
Finally, we want to enable support for PHP. Our httpsd.conf file already contains the necessary entries; they're just commented out. Find the entries
#AddType application/x-httpd-php3 .php3
#AddType application/x-httpd-php3-source .phps
and remove the pound signs in front of them to uncomment them. Save the edited version of the httpsd.conf file.
Starting ApacheSSL For The First Time
Everything is installed and configured - it's time to light the fires and kick the tires! ApacheSSL is started with the httpsdctl utility, located in /opt/apachessl/bin.
Become root with su or sudo, then type
cd /opt/apachessl/bin
./httpsdctl start
ApacheSSL should start up. Verify that both the secure and unsecured portions are working properly by starting a web browser and connecting to both http://hostname and https://hostname. Internet Explorer and Netscape will toss an "error" dialog box on the screen when you connect to the secured portion of your site. The reason is that both browsers by default only recognize certificates from major Certificate Authorities, such as VeriSign and Thawte. You can shell out a few hundred bucks a year for one of these certificates, or you can just click the "OK" button on the dialog box and it'll never reappear on that particular browser. It's a tradeoff - you and your website visitors can live with the slightly annoying dialog, or you can pay a couple hundred bucks to make it go away. Your site is still SSL secured, but you might have to work a little to convince your site users that it is, since the dialog implies that it might not be. And who says Microsoft has the only monopoly going?
If you receive an error from httpsdctl on startup, go back and make sure that you didn't accidentally mistype anything in the configuration files. If you're not really sure what went wrong, check the error logs in /opt/apachessl/logs for hints - they're usually pretty helpful.