NOTE: These instructions are intended for readers with a basic familiarity with Unix utilities and web server setup. If you are not familiar with these, please do not even bother to read further.
INITIAL SETUP AND INSTALLATION
==============================
As root:
# hesinfo www passwd >> /etc/passwd.local
# hesinfo www group >> /etc/group.local
Then edit /etc/group.local to add the user 'www' to the group 'www'.
On the next reboot, the passwd.local and group.local files will overwrite
the passwd and group files; alternatively, you can copy them yourself.
Also verify that the /etc/athena/rc.conf file is set appropriately;
you probably want PUBLIC=false and AUTOUPDATE=false.
# mkdir /var/ssl
# mkdir /var/https
# chmod 755 /var/https
# chmod 755 /var/ssl
QUICK TEST THAT THE INSTALLATION IS SUCCESSFUL
==============================================
Now you should be able to access your web server at the URL:
http://"server name".mit.edu/
cd /var/ssl/util
./getself
(For this to succeed, you need a random seed file in your home directory,
$HOME/.rnd, containing at least 128 bytes of random data;
you also need to have symlinks from /usr/local/ssl to /var/ssl.)
When you are prompted for information, answer:
Country Name (2 letter code) [US]:
State or Province Name (full name) [Massachusetts]:
Locality Name (eg, city) [Cambridge]:
Organization Name (eg, company) [Massachusetts Institute of Technology]:
Organizational Unit Name (eg, section) [Information Systems]:
Common Name (eg, YOUR name) []:"name of the server".mit.edu
Email Address []:
sh /var/https/bin/httpsdctl start
Now you should be able to access your web server at the URL:
https://"server name".mit.edu/
HTTP SERVER CONFIGURATION
=========================
There are sample httpsd configuration files in /var/https/conf which contain
explanatory comments. Basically, you can choose to run one or more daemons,
use ssl or not, require certificates or not, and so on. These configuration
files are intended to illustrate basic configuration ideas. If you are planning
to run a production webserver, you should be sure to use a configuration
file that is appropriate for your needs.
CERTIFICATION
=============
To get a key and a matching certificate for the machine:
a. Follow the instructions in the README.certificate
b. Your 'machine'.pem should be stored in /var/ssl/certs/.
   For example, on the host 'lava-lamp.mit.edu':
   lava-lamp.mit.edu# ls -l /var/ssl/certs/lava-lamp.pem
   -rw------- 1 root www 2950 Aug 7 14:52 /var/ssl/certs/lava-lamp.pem
c. Your https-key.pem should be stored in /var/ssl/private/.
   For example, on the host 'lava-lamp.mit.edu':
   lava-lamp.mit.edu# ls -l /var/ssl/private/https-key.pem
   -rw------- 1 root other 891 Aug 6 16:40 /var/ssl/private/https-key.pem
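The listings above show both PEM files as -rw------- and owned by root, and the getself step earlier needs a $HOME/.rnd of at least 128 bytes. The shell check below is an added example, not part of the MIT apache-ssl distribution; the function names, the --run switch and the decision to reject symlinks are assumptions made here.

```sh
#!/bin/sh
# Added example, not part of the MIT apache-ssl distribution.

# Print the 10-character permission string from `ls -ld` (e.g. -rw-------).
# cut drops any trailing ACL/SELinux marker that some ls versions append.
file_mode() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# Print the owner column of `ls -ld`.
file_owner() { ls -ld "$1" 2>/dev/null | awk '{print $3}'; }

# check_pem FILE OWNER: pass only if FILE is a regular file (symlinks are
# rejected, since the link target could carry different permissions), is
# owned by OWNER, and has mode -rw------- as in the README's listings.
check_pem() {
    f=$1; want=$2; rc=0
    if [ -h "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: missing, a symlink, or not a regular file"
        return 1
    fi
    mode=$(file_mode "$f"); owner=$(file_owner "$f")
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL $f: mode is $mode, expected -rw-------"; rc=1
    fi
    if [ "$owner" != "$want" ]; then
        echo "FAIL $f: owner is $owner, expected $want"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $f"; fi
    return "$rc"
}

# check_rnd FILE: getself needs a seed file holding at least 128 bytes.
check_rnd() {
    if [ ! -f "$1" ]; then echo "FAIL $1: no seed file"; return 1; fi
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -lt 128 ]; then
        echo "FAIL $1: $size bytes, need at least 128"; return 1
    fi
    echo "OK   $1 ($size bytes)"
}

# Hypothetical invocation (script name assumed): sh check-install.sh --run lava-lamp
if [ "${1:-}" = "--run" ]; then
    check_rnd "$HOME/.rnd"
    check_pem "/var/ssl/certs/$2.pem" root
    check_pem /var/ssl/private/https-key.pem root
fi
```

Run it as root after the certificate step; any FAIL line names the file and the attribute that differs from the listings.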
VERIFY
======
CLEANUP AND SECURE
==================
You can delete the tarfiles you used in the installation, unless you want
to save them for archival purposes.
You should remove all the scripts that came in cgi-bin or fcgi-bin
directories unless you know what they do and want them there. They may be used
in exploits against the system.
Check that the /var/https/conf/httpd.conf file you're using is appropriate
for your needs.
If you're not familiar with host-based Unix security, consult a good book
on the subject.
You may want to write a script to start up the http server(s) automatically
at boot time.
Check the MIT 'apache-ssl' locker from time to time for news about
MIT's apache-ssl webserver.
Last revised: Thu Jan 31 12:24:20 EDT 2002