Wednesday, October 16, 2013

Apache SSL

HTTPS Configuration

HTTPS load balancing requires an SSL certificate and the associated key pair. This page describes how to set it up.
Note that in https offload pools, client-side traffic uses https and server-side traffic uses http. For additional information on https offload pools, see the Load Balancing Pool Types page.
Note also that a pool's type can't be changed from http to https just by changing its port value via the manage-lb-pool modify command. You have to create a new pool with its type specified as https (refer to the manage-lb-pool man page for details on command options).

1. Start an Instance

Reserve an available server and launch an instance as usual via the manage-server reserve and manage-instance launch commands (see the manage-server and manage-instance wiki man pages). When the instance status has changed from "starting" to "running", log in to the instance in the usual way:
$ ssh -i key.pem root@8.19.73.92
(It is assumed here that you use key.pem as the private key file for logging in to your instances.)

2. Install and Configure Your Web Server

Install Apache (the package name is "httpd"):
[root@newinstance ~]# yum install httpd
Make Apache start automatically on reboot, then start it now and confirm it is running:
[root@newinstance ~]# chkconfig httpd on
[root@newinstance ~]# /sbin/service httpd start
Starting httpd:                                            [  OK  ]
[root@newinstance ~]# /sbin/service httpd status
httpd (pid 4051 4050 4049 4048 4047 4046 4045 4044 4042) is running...
Let's create a dummy web page on the server to check that our installation works:
[root@newinstance ~]# echo "Hello World, this is instance one" > /var/www/html/index.html
[root@newinstance ~]# curl http://localhost/index.html
Hello World, this is instance one
Now install the SSL module for Apache (mod_ssl):
[root@newinstance ~]# yum install mod_ssl

3. Configure SSL Using Self-signed Certificate

(For a certificate signed by a certificate authority, see section 4. Configure SSL Using Authorized Certificate and Certificate Chains below.)
We have to alter the SSL configuration by editing the /etc/httpd/conf.d/ssl.conf file (installed with the mod_ssl module) to make the web server aware of the certificate.
We also need to generate a key pair; with a self-signed certificate we act as our own Certificate Authority (CA).
Here are the basic steps to create a self-signed certificate:
1. Create an RSA key and a certificate request:
[root@newinstance ~]# openssl req -new > cert.csr
After setting a passphrase and answering several questions, we have two files: cert.csr (the request) and privkey.pem (the passphrase-protected key).
2. Remove the passphrase from the key (you need to enter the passphrase set in step 1):
[root@newinstance ~]# openssl rsa -in privkey.pem -out server.key
3. Convert the request into a signed certificate:
[root@newinstance ~]# openssl x509 -in cert.csr -out server.crt -req -signkey server.key -days 1825
(Use whatever number of days you need.)
4. Now that the private key is in its final form, set the correct permissions on it so that only root can read it:
[root@newinstance ~]# /bin/chmod 600 server.key
5. Move the certificate and key to the place they belong (these are the paths ssl.conf will reference):
[root@newinstance ~]# mv server.crt /etc/pki/tls/certs/
[root@newinstance ~]# mv server.key /etc/pki/tls/private/
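As an added example that is not part of the original post, here are steps 1 to 5 above as one non-interactive shell script. It writes into a scratch directory so the result can be inspected before anything is moved under /etc/pki, and then provides the checks worth running on the output: that the certificate is really self-signed, that it names the expected host, that it is valid for the number of days requested, and that the key file is readable only by its owner. The subject name newinstance.example, the 1825-day validity and the scratch directory are assumptions chosen for illustration, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-5 of the self-signed
# certificate procedure, run non-interactively, plus checks on the result.
# Subject name, validity period and working directory are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-newinstance.example}"
DAYS="${DAYS:-1825}"

# Steps 1-3: key and CSR, then the CSR self-signed with the same key.
# -nodes writes the key without a passphrase, which is what step 2 does by
# hand with "openssl rsa"; -subj answers the questions step 1 asks interactively.
make_self_signed() (
    cd "$WORKDIR"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CN" \
        -keyout server.key -out cert.csr 2>/dev/null
    openssl x509 -req -in cert.csr -signkey server.key \
        -days "$DAYS" -out server.crt 2>/dev/null
    # Step 4: only the owner (root on the instance) may read the private key.
    chmod 600 server.key
)

# A self-signed certificate is its own issuer: subject and issuer are equal.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# The common name the certificate was generated for.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Validity window: still valid one day before the requested number of days
# has elapsed, and no longer valid one day after. -checkend N succeeds only
# when the certificate is still valid N seconds from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

# Permission bits as ls shows them, so a stray group/other bit is visible.
key_mode() {
    ls -l "$1" | cut -c1-10
}
```

Run it with WORKDIR pointing at a scratch directory, then inspect server.crt and server.key there before moving them into /etc/pki/tls as in step 5.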
Configuring the basics in ssl.conf:
[root@newinstance ~]# vi /etc/httpd/conf.d/ssl.conf
(The path and filename /etc/httpd/conf.d/ssl.conf are correct for CentOS 5.)
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ErrorLog /var/log/httpd/ssl_error_log
    TransferLog /var/log/httpd/ssl_access_log
    LogLevel warn
    SSLEngine on
    # Disable SSL v2. Apache does not allow a comment on the same line as a directive, so keep this on its own line.
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
</VirtualHost>
Restart the web server:
[root@newinstance ~]# /sbin/service httpd restart
Starting httpd:                                            [  OK  ]
Next we need to temporarily open port 443 to our instance via the manage-vlan tool (see How to Set Firewall Rules for details).
Let's query the instance via port 443 directly (no load balancing yet):
[root@newinstance ~]# curl -k https://localhost
The -k option tells curl to skip certificate verification, which is needed here because our certificate is self-signed; use it only for this local check.

4. Configure SSL Using Authorized Certificate and Certificate Chains

This is not much different from the previous section, except that we already have a signed certificate (server.crt), a key (server.key), and a chain certificate (intermediate_bundle.crt) issued by some Certification Authority.
Let's check whether the passphrase has been removed from the key file (the AppNexus API does not currently support passphrase-encrypted private keys):
[root@newinstance ~]# openssl rsa -noout -text -in server.key
If the key was created with a passphrase, a prompt to enter it will appear. In that case, remove the passphrase as follows:
[root@newinstance ~]# openssl rsa < server.key > server_no_pass.key
Enter the existing passphrase when prompted. We now have a new key file without a passphrase; the original key file remains unchanged.
Set permissions so that only root can read the key:
[root@newinstance ~]# chmod 600 server_no_pass.key
Move the certificates and key to the right place:
[root@newinstance ~]# mv  server.crt  intermediate_bundle.crt /etc/pki/tls/certs/
[root@newinstance ~]# mv  server_no_pass.key /etc/pki/tls/private/
Configure the basics in ssl.conf on your instance:
[root@newinstance ~]# vi /etc/httpd/conf.d/ssl.conf
(The path and filename /etc/httpd/conf.d/ssl.conf are correct for CentOS 5.)
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ErrorLog /var/log/httpd/ssl_error_log
    TransferLog /var/log/httpd/ssl_access_log
    LogLevel warn
    SSLEngine on
    # Disable SSL v2. Apache does not allow a comment on the same line as a directive, so keep this on its own line.
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server_no_pass.key
    SSLCertificateChainFile /etc/pki/tls/certs/intermediate_bundle.crt
</VirtualHost>
Restart the web server:
[root@newinstance ~]# /sbin/service httpd restart
Starting httpd:                                            [  OK  ]
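The checks behind this section, as an added example that is not part of the original post: whether a key file is passphrase-protected, stripping the passphrase without an interactive prompt, confirming that the key actually belongs to server.crt, and confirming that intermediate_bundle.crt links server.crt to a trusted root before SSLCertificateChainFile is pointed at it. Since no CA-issued files are available here, the script first constructs a throw-away root CA and intermediate and issues a server certificate from them; every name, path and passphrase in it is a constructed assumption, not something from the post or from any real CA.

```shell
#!/bin/sh
# Added example, not from the original post: pre-installation checks for a
# CA-issued key, certificate and chain file. All names, paths and the
# passphrase are constructed assumptions; the "CA" is a throw-away one.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="${PASS:-constructed-passphrase}"

# Constructed stand-in for files "issued by some Certification Authority":
# a root, an intermediate signed by it, and a server certificate signed by
# the intermediate, with the server key protected by a passphrase.
build_fixture() (
    cd "$WORKDIR"
    # CA certificates need basicConstraints/keyUsage or "openssl verify" rejects them as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Root" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile ca.ext -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -days 30 -extfile ca.ext -out intermediate_bundle.crt 2>/dev/null
    openssl genrsa -aes256 -passout "pass:$PASS" -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -passin "pass:$PASS" \
        -subj "/CN=www.example.test" -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA intermediate_bundle.crt -CAkey intermediate.key \
        -CAcreateserial -days 30 -out server.crt 2>/dev/null
)

# A passphrase-protected key cannot be read with an empty passphrase;
# an empty -passin also prevents the interactive prompt the text mentions.
key_is_encrypted() {
    ! openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# The "openssl rsa < server.key > server_no_pass.key" step from the text,
# with the passphrase supplied on the command line instead of a prompt,
# and the permissions set as in the text.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$PASS" -out "$2" 2>/dev/null
    chmod 600 "$2"
}

# The key must be the one the certificate was issued for: compare the RSA
# modulus from both files (hashed so the comparison is short). An encrypted
# key yields no modulus here and therefore never matches.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus -passin pass: 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The chain file must contain the intermediate that issued the server
# certificate, and that intermediate must chain to the trusted root.
# Arguments: trusted root, chain file, server certificate.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
```

Against real CA-issued files, skip build_fixture and run the four checks on your own server.key, server.crt and intermediate_bundle.crt with the CA's published root as the first argument to chain_verifies; a failure there means Apache would serve an incomplete chain even though it starts without complaint.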
