Using the tarfiles (which include source, documentation, binaries and
example configuration files)

NOTE: These instructions are intended for readers with a basic familiarity
with Unix utilities and web server setup. If you are not familiar with
these, please do not even bother to read further.

INITIAL SETUP AND INSTALLATION
==============================

1) Do some initial setup on the system on which you will be installing the
   apache-ssl server. Basically, you create a directory for 'ssl' and a
   directory for 'https', and you create the user and group that will be
   associated with the apache-ssl server.

   We typically put the directories where they will not be affected by
   operating system updates and so on. We make the webserver run as the
   user 'www', but we make only the minimal number of files necessary
   owned by the user 'www'. We add the user 'www' to the group 'www', and
   make as few things writeable by group 'www' or user 'www' as possible,
   so that a compromised server process (or CGI script running as 'www')
   cannot rewrite the server's binaries, configuration or logs. You can
   make the directories wherever you like, and use whatever user and group
   you like for the webserver.

   Here are the commands we use in the MIT Athena environment:

   As root:

   # hesinfo www passwd >> /etc/passwd.local
   # hesinfo www group >> /etc/group.local

   then edit /etc/group.local to add the user 'www' to group 'www'.

   On the next reboot, the passwd.local and group.local files will
   overwrite the passwd and group files; or you can copy them yourself.
   Also verify that the /etc/athena/rc.conf file is set appropriately, as
   you probably want PUBLIC=false and AUTOUPDATE=false.

   # mkdir /var/ssl
   # mkdir /var/https
   # chmod 755 /var/https
   # chmod 755 /var/ssl

2) Copy the tar files from the apache-ssl directory, putting the 'ssl' one
   in the directory you created for it, and the 'https' one in the
   directory you created for it. Be sure you get the appropriate tarfiles
   for the system you are using, as they contain platform-specific files.
   Here are the commands used on an Athena 8.3 Sun to get the "rev4"
   version of apache-ssl:

   # cd /var/ssl
   # cp -p /mit/apache-ssl/rev4/arch/sun4x_56/tar/var.ssl.tar* .
   # cd /var/https
   # cp -p /mit/apache-ssl/rev4/arch/sun4x_56/tar/var.https.tar* .

3) Extract the contents of the tarfiles. If the filenames end with ".gz",
   run 'gunzip' first; if they end with ".Z", run 'uncompress' first. When
   the files are in tar format, use the following commands to extract the
   contents:

   # cd /var/ssl
   # tar xvf var.ssl.tar
   # cd /var/https
   # tar xvf var.https.tar

   You can delete the tar files after the contents have been extracted:

   # rm /var/ssl/var.ssl.tar
   # rm /var/https/var.https.tar

   At this point you may wish to reboot your system just to verify that
   everything still works as it used to. Up to this point, you've done
   nothing but add some entries to the passwd and group files and put some
   files in the two new directories you created, but it is prudent to make
   sure the system is in good shape before proceeding.

HTTP SERVER CONFIGURATION
=========================

There are sample httpsd configuration files in /var/https/conf which
contain explanatory comments. Basically, you can choose to run one or more
daemons, use ssl or not, require client certificates or not, and so on.
These configuration files are intended to illustrate basic configuration
ideas. If you are planning to run a production webserver, you should be
sure to use a configuration file that is appropriate for your needs.

If you want to use one of the configuration files provided in
/var/https/conf, edit it, searching for "X" and "Y" and replacing them as
follows:

   - change X to your server name in X.pem and X.mit.edu (or S.pem)
   - change Y to the email address of the person responsible

Notes:

1. httpsd.nossl.conf shows how to run the webserver without ssl.

2. httpsd.conf.2srvrs shows how to run two servers, one that requires SSL
   certificates on port 443 (the default https port) and one that does not
   on port 80 (the default http port).
   They are configured to use different directories for logs
   (/var/http/logs, which you have to mkdir). Similarly,
   httpsd.conf.3srvrs shows how to run an SSL server that requires
   certificates, an SSL server that doesn't require certificates, and a
   non-ssl server.

3. httpsd.conf.fcgi shows how to run fcgi-bin programs built using
   fcgi-dev-kit. For running FastCGI you need to choose
   bin/httpsd.ssl+fcgi.

4. httpsd.conf.jserv shows how to run a simple java servlet. To run java
   servlets you need to choose bin/httpsd+ssl+java.

CERTIFICATION
=============

To get a key and a matching certificate for the machine:

a. Follow the instructions in README.certificate.

b. Your 'machine'.pem should be stored in /var/ssl/certs/. For example,
   on the host 'lava-lamp.mit.edu':

   lava-lamp.mit.edu# ls -l /var/ssl/certs/lava-lamp.pem
   -rw-------   1 root     www         2950 Aug  7 14:52 /var/ssl/certs/lava-lamp.pem

c. Your https-key.pem should be stored in /var/ssl/private/. For example,
   on the host 'lava-lamp.mit.edu':

   lava-lamp.mit.edu# ls -l /var/ssl/private/https-key.pem
   -rw-------   1 root     other        891 Aug  6 16:40 /var/ssl/private/https-key.pem

   Note the modes: both files are owned by root and readable by nobody
   else. httpsd reads the key at startup while it is still root; the
   children that serve requests as 'www' never need it, so do not loosen
   these permissions to make the server start. A key readable by 'www' is
   a key readable by any CGI script you run.

VERIFY
======

1. You can get a temporary test key and certificate for checking your
   setup by running /var/ssl/util/getself and using
   /var/https/conf/httpd.conf.test for starting httpsd.

   athena% cd /var/ssl/util
   athena% ./getself
   Using configuration from /var/ssl/lib/ssleay.cnf
   unable to load 'random state'
   What this means is that the random number generator
   has not been seeded with much random data.
   Consider setting the RANDFILE environment variable to point at a file
   that 'random' data can be kept in.
   Generating a 1024 bit RSA private key
   ...............................................+++++
   .....+++++
   writing new private key to '/var/ssl/private/test.key'
   -----
   You are about to be asked to enter information that will be
   incorporated into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [US]:
   State or Province Name (full name) [Massachusetts]:
   Locality Name (eg, city) [Cambridge]:
   Organization Name (eg, company) [Massachusetts Institute of Technology]:
   Organizational Unit Name (eg, section) [Information Systems]:
   Common Name (eg, YOUR name) []:vegematic.mit.edu
   Email Address []:
   athena% cd ..
   athena% ./util/checkcert test
   read RSA private key
   Cert test.cert matches key test.key
   athena%

   Two things to watch in the transcript above. The "unable to load
   'random state'" message is a warning, not an error: the key is still
   generated. Because it concerns the seeding of the generator that
   produces your key, set RANDFILE as the message suggests before you
   generate the real key described in README.certificate. Also, the Common
   Name must be the fully qualified hostname clients will use to reach the
   server (here vegematic.mit.edu), since browsers compare it against the
   hostname in the URL.

2. If you're running an ssl server, check it by aiming a browser running
   on another system at:

   https://your-webserver.what.ever/cgi-bin/printenv.cgi

   If you're running a non-ssl server, check it by aiming a browser
   running on another system at:

   http://your-webserver.what.ever/cgi-bin/printenv.cgi

3. To check fcgi, use the httpd.fcgi.conf file and aim a browser at:

   https://your-webserver.what.ever/fcgi-bin/echo

CLEANUP AND SECURE
==================

You can delete the tarfiles you used in the installation, unless you want
to save them for archival purposes.

You should remove all the scripts that came in the cgi-bin or fcgi-bin
directories unless you know what they do and want them there. They may be
used in exploits against the system. The printenv.cgi script used for
verification above is a good example: it reports the server's environment
to anyone who can reach it, so remove it once you have finished testing.

Check that the /var/https/conf/httpd.conf file you're using is
appropriate for your needs. If you're not familiar with host-based unix
security, consult a good book on the subject.

You may want to write a script to start up the http server(s)
automatically at boot time.

Check the MIT 'apache-ssl' locker from time to time for news about MIT's
apache-ssl webserver.

Last revised: Tue Sep  8 12:24:20 EDT 1998
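AUDIT SCRIPT (ADDED EXAMPLE)
============================

The checks called for in CERTIFICATION, VERIFY and CLEANUP AND SECURE can
be scripted and re-run after every change. The script below is an added
example; it is not part of the apache-ssl distribution or of the MIT
locker, and the function names are ours. It assumes the layout used in
this README (/var/ssl/private/https-key.pem, /var/ssl/certs/<host>.pem,
/var/https with cgi-bin and fcgi-bin), an unencrypted key (httpsd has to
read it unattended at boot), and a modern 'openssl' command line in place
of the SSLeay utilities; the cert/key comparison replaces the README's
checkcert by comparing the public key in the certificate with the public
half of the private key, which works for any key type.

```sh
#!/bin/sh
# Added example (not from the apache-ssl distribution): post-install audit
# for the layout this README sets up.  Paths and owner are the README's
# defaults; pass a different owner as the 4th argument of audit if needed.

# mode_of FILE: the 10-character mode column of 'ls -ld' (e.g. -rw-------)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# owner_of FILE: owner name as reported by 'ls -ld' (third column)
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# check_private FILE OWNER: 0 if FILE is a regular file, mode 0600, owned by
# OWNER.  The README keeps https-key.pem and the certificate root-owned and
# -rw------- so the 'www' children (and any CGI script) cannot read the key.
check_private() {
    [ -f "$1" ] || return 1
    [ "$(mode_of "$1")" = "-rw-------" ] || return 1
    [ "$(owner_of "$1")" = "$2" ] || return 1
}

# find_writable DIR: print every path under DIR that group or others may
# write.  Octal -perm keeps this portable to BSD and busybox find.
find_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# count_writable DIR: number of group/other-writable paths under DIR
count_writable() {
    find_writable "$1" | wc -l | tr -d ' '
}

# cert_matches_key CERT KEY: 0 if the SubjectPublicKeyInfo in CERT equals
# the public half of KEY (the README's checkcert, for any key type).
cert_matches_key() {
    cm_cert=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    cm_key=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cm_cert" ] && [ "$cm_cert" = "$cm_key" ]
}

# list_cgi HTTPSROOT: executables left in cgi-bin and fcgi-bin; the README
# says to remove every sample script you do not need.
list_cgi() {
    for lc_d in "$1/cgi-bin" "$1/fcgi-bin"; do
        [ -d "$lc_d" ] && find "$lc_d" -type f -perm -100 -print
    done
    return 0
}

# audit SSLROOT HTTPSROOT HOST [OWNER]: run every check, print findings and
# return the number of problems.  HOST selects SSLROOT/certs/HOST.pem.
audit() {
    a_ssl=$1; a_https=$2; a_host=$3; a_owner=${4:-root}; a_bad=0
    a_key="$a_ssl/private/https-key.pem"
    a_cert="$a_ssl/certs/$a_host.pem"
    check_private "$a_key" "$a_owner" ||
        { echo "BAD: $a_key must be owned by $a_owner, mode 0600"; a_bad=$((a_bad+1)); }
    check_private "$a_cert" "$a_owner" ||
        { echo "BAD: $a_cert must be owned by $a_owner, mode 0600"; a_bad=$((a_bad+1)); }
    cert_matches_key "$a_cert" "$a_key" ||
        { echo "BAD: $a_cert does not match $a_key"; a_bad=$((a_bad+1)); }
    for a_d in "$a_ssl" "$a_https"; do
        a_n=$(count_writable "$a_d")
        [ "$a_n" -eq 0 ] ||
            { echo "BAD: $a_n group/other-writable path(s) under $a_d:"; find_writable "$a_d"; a_bad=$((a_bad+1)); }
    done
    a_n=$(list_cgi "$a_https" | wc -l | tr -d ' ')
    [ "$a_n" -eq 0 ] ||
        { echo "WARN: $a_n executable(s) left in cgi-bin/fcgi-bin, remove what you do not need:"; list_cgi "$a_https"; }
    return "$a_bad"
}

# Usage (as root, so the private key is readable):
#   sh audit.sh /var/ssl /var/https lava-lamp
if [ $# -eq 3 ] || [ $# -eq 4 ]; then
    audit "$@"
fi
```

Run it as root after installing the certificate and again after the
cleanup step; a non-zero exit status means at least one BAD line was
printed. The cgi-bin listing is only a warning because some scripts are
meant to stay.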