Securing Apache2
Enable the default SSL configuration. These are the first, easy steps; we'll go deeper later.
ocm@achtung:/etc/apache2/mods-enabled$ sudo ln -sf ../mods-available/ssl.load ./ssl.load
ocm@achtung:/etc/apache2/mods-enabled$ sudo ln -sf ../mods-available/ssl.conf ./ssl.conf
ocm@achtung:/etc/apache2/mods-enabled$ sudo service apache2 restart
* Restarting web server apache2 .
HAHA, not enough: we get the following errors in error.log:
[Thu Feb 23 18:26:57 2012] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Thu Feb 23 18:28:19 2012] [error] [client 192.168.56.1] Invalid URI in request get index
We enabled listening on the secure port but did not tell our server to encrypt the data (the \x16\x03\x01 in the first log line is a TLS ClientHello arriving on a port that still speaks plain HTTP). It happens, so:
Enable the SSL site:
root@achtung:/etc/apache2/sites-enabled# ln -sf ../sites-available/default-ssl ./default-ssl
Create a self-signed certificate and its private key:
root@achtung:/etc/apache2# openssl req -new -x509 -nodes -out achtung.crt -keyout achtung.key
Generating a 1024 bit RSA private key
....++++++
.........................................................................++++++
writing new private key to 'achtung.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:clowncomputing.com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
root@achtung:/etc/apache2#
Edit the site config so it points to the certificate and key files just created (the certificate goes in SSLCertificateFile, the key in SSLCertificateKeyFile; Apache will refuse to start if the two are swapped or if a file does not exist):
root@achtung:/etc/apache2# vi sites-enabled/default-ssl
SSLEngine on
SSLCertificateFile /etc/apache2/achtung.crt
SSLCertificateKeyFile /etc/apache2/achtung.key
Bind the service only to the desired addresses and ports:
Look for the httpd.conf or ports.conf that holds your "Listen" directive, and add as many Listen lines as you need, one per address and port you actually want to serve:
ocm@achtung:/etc/apache2$ vi ports.conf
NameVirtualHost *:80
#Listen 80
Listen localhost:80
Listen achtung.box:80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
#Listen 443
Listen localhost:443
Listen achtung.box:443
</IfModule>
<IfModule mod_gnutls.c>
#Listen 443
Listen localhost:443
Listen achtung.box:443
</IfModule>
Restart and check:
ocm@achtung:/etc/apache2$ sudo netstat -tnlp | grep apache
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.56.101:80 0.0.0.0:* LISTEN 7763/apache2
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 7763/apache2
tcp 0 0 192.168.56.101:443 0.0.0.0:* LISTEN 7763/apache2
tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 7763/apache2
More secure than before, but not enough!
Another improvement, certificate creation:
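As an added example that is not part of the original page, a small POSIX sh script that checks the two edits above: that the cert/key pair named in default-ssl really belongs together, and that ports.conf binds only to explicit addresses. Function names and the sample paths are my own; it assumes awk and the openssl CLI are installed.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the SSL vhost
# edit and the ports.conf edit. Assumes POSIX sh, awk and the openssl CLI;
# config file paths are passed as arguments.

# Print the first value of a directive in a config file (commented lines ignored).
ssl_directive() {           # usage: ssl_directive <config> <DirectiveName>
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# List Listen directives that bind every interface instead of one address
# (bare port, 0.0.0.0:port or [::]:port), which the ports.conf edit avoids.
wildcard_listens() {        # usage: wildcard_listens <ports.conf>
    awk '$1 == "Listen" && ($2 !~ /:/ || $2 ~ /^0\.0\.0\.0:/ || $2 ~ /^\[::\]:/) { print $2 }' "$1"
}

# Return 0 only when the vhost's SSLCertificateFile and SSLCertificateKeyFile
# both exist and carry the same public key, i.e. the key really belongs to the cert.
check_ssl_vhost() {         # usage: check_ssl_vhost <default-ssl>
    crt=$(ssl_directive "$1" SSLCertificateFile)
    key=$(ssl_directive "$1" SSLCertificateKeyFile)
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "$1: SSLCertificateFile or SSLCertificateKeyFile not set" >&2
        return 1
    fi
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Extract the public key from each side; a swapped or foreign file yields
    # nothing (openssl fails) or a different key, and both cases are rejected.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "$crt and $key do not form a matching PEM cert/key pair" >&2
        return 1
    fi
    echo "OK: $crt matches $key"
}

# Stand-alone use: sh check-ssl.sh /etc/apache2/sites-enabled/default-ssl /etc/apache2/ports.conf
if [ -n "${1:-}" ]; then
    check_ssl_vhost "$1"
    [ -n "${2:-}" ] && wildcard_listens "$2"
fi
```

Run it against the edited default-ssl before restarting Apache; a non-zero exit means the server would fail to start or serve the wrong key.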
apache cert creation
page revision: 7, last edited: 24 Feb 2012 16:40