
Apache + SSL trouble...

  • 12-02-2002 9:56pm
    #1
    Registered Users, Registered Users 2 Posts: 430 ✭✭


    Hello all,

    Anybody have any experience compiling apache with SSL patched in, creating certificates and then getting the whole thing to work?

    Normal Apache builds fine from source, and works, so my compiler and stuff seems to be ok.

    There's no error message in general, just can't get the server to start.

    The docs are pathetic and google isn't giving me much..

    Anybody know of a good site with an idiots guide?
    This is kinda driving me mad.

    Cheers,

    Tim

    P.S. meant to say: SuSE 5.2 (it's an old box) with the latest versions downloaded fresh from http://www.openssl.org/ (openssl-0.9.6c.tar.gz)
    http://www.apache-ssl.org/ (apache_1.3.22+ssl_1.45)
    http://www.apache.org/ (apache_1.3.22)


Comments

  • Closed Accounts Posts: 1,026 ✭✭✭sisob


    never done it myself but there is this

    http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO.html


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Why Apache SSL Tim? Just curious is all...

    adam


  • Registered Users, Registered Users 2 Posts: 430 ✭✭timod


    Thanks for the link...

    looks good. (but long!)

    And why Apache+SSL: 4th Year college project.

    I'm building a web-based Sys Admin tool. Kinda like webmin or bigbrother, but there's no client version.

    Uses expect scripts (http://expect.nist.gov/) from a central server to control a load of other machines, all with a nice web gui.

    As it will be using root password to log onto these systems, it might be an idea to wrap the whole thing up with SSL :)

    If you haven't played around with expect, have a go, it's pretty cool.

    BTW, if anybody wants to suggest an alternative way of securing this thing, feel free...

    P.S. it doesn't work yet, but I'll let y'all know when it does :)


  • Registered Users, Registered Users 2 Posts: 5,741 ✭✭✭jd


    Originally posted by timod
    Thanks for the link...

    As it will be using root password to log onto these systems, it might be an idea to wrap the whole thing up with SSL :)
    and ssh too-between the systems..


  • Registered Users, Registered Users 2 Posts: 430 ✭✭timod


    Naturally...

    SSH is a good deal easier than SSL

    Here's one I made earlier..


  • Registered Users, Registered Users 2 Posts: 5,741 ✭✭✭jd


    Originally posted by timod
    Naturally...

    SSH is a good deal easier than SSL

    of course
    more for the benefit of anybody else following the thread:)
    jd


  • Registered Users, Registered Users 2 Posts: 430 ✭✭timod


    Well after much more tears, I've said bye bye to Apache, and I now have a cool lightweight perl webserver up and running, using the SSLeay.pm module along with the openssl package.

    I now have a https server up and running!

    I basically stole the webserver that Webmin (http://www.webmin.com/webmin) uses, (miniserv.pl) and modified it to suit me. No dodgy configuration files. Another benefit is that I can leave my Apache install running quite happily on port 80.

    It's not under GPL, the licence is much easier than that...

    "Redistribution and use in source and binary forms, with or without
    modification, are permitted"
    ...with a few obvious conditions of course.

    This server was a dream to get working compared to Apache.


  • Closed Accounts Posts: 296 ✭✭moist


    Originally posted by dahamsta
    Why Apache SSL Tim? Just curious is all...

    I believe Adam's point was that apache-ssl is rather tripe.
    I realized this after a day fekking around with it,
    thinking "Dang! This was a lot easier the last time..."
    When I remembered that I should be using mod-ssl which is _far_ more straightforward.

    Granted you have found an alternative, however if you feel so inclined
    the docs for the current version are at http://www.modssl.org/docs/2.8/

    <edit> A few points on your later questions...</edit>

    As for securing your system, these central management things tend to be tricky.
    A vpn might be of benefit.
    Also depending on what sort of things this management interface will be able to do
    it might be better/easier to write SUID wrappers for each of the few things that
    you want to be able to control.
    Then have a user in its own group (the same group that owns these wrappers, and
    one executable by that group, i.e. swx--x---)
    Then set up that user with RSA keys (probably with empty passphrases or using ssh-agent
    which you have to enter the passphrase in the webserver, and it times it out
    after a certain amount of time ) and using the ~/.ssh/authorized_keys
    to say that only connections from this host with this key can run this program.

    Something like...
    from="a.b.c.d",command="/bin/restart_apache",no-pty,no-X11-forwarding,no-agent-forwarding 1024 35 1234....KEY_STUFF...789 user@host.com
    from="a.b.c.d",command="/bin/restart_mysql",no-pty,no-X11-forwarding,no-agent-forwarding 1024 35 1234....KEY_STUFF...789 user@host.com

    Then your web app executes ssh with... "ssh fred@w.x.y.z /bin/restart_apache"

    Still not perfect, but better than...
    o Allowing remote root logins in the first place
    o Having to store the password in the webserver scripts somewhere.
    o Allowing this to run anything on the system.


    Granted there have been issues with ssh and the key management in the past
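
The key-restriction pattern moist describes above, as an added example that is not part of the original thread: a small Python audit that parses the options field of each `authorized_keys` entry and reports keys lacking a forced command, a `from=` source restriction, or the pty/forwarding lock-downs. The sample entries are constructed (documentation-range IPs, placeholder key material), and the function names are this example's own.

```python
# Added example: audit authorized_keys entries for the restrictions discussed above.
# All option names are real sshd(8) authorized_keys options; sample data is constructed.
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_options(line):
    """Return the leading option list of an entry ([] if it starts with the key).
    Commas and spaces inside double quotes neither split nor end the field."""
    opts, buf, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        if not quoted and ch in " \t":
            break
        if not quoted and ch == ",":
            opts.append(buf)
            buf = ""
        else:
            buf += ch
    opts.append(buf)
    # No options field: SSH1 entries start with the bit count, SSH2 with the key type.
    if len(opts) == 1 and (buf.isdigit() or buf.startswith(KEY_TYPES)):
        return []
    return opts

def audit(line):
    """Return the findings for one authorized_keys entry (empty list = locked down)."""
    names = {o.split("=", 1)[0].lower() for o in parse_options(line.strip())}
    findings = []
    if "command" not in names:
        findings.append("no forced command: key can run anything")
    if "from" not in names:
        findings.append("no from= source restriction")
    if "restrict" not in names:  # restrict (OpenSSH 7.2+) implies every LOCKDOWN option
        findings += ["missing " + opt for opt in sorted(LOCKDOWN - names)]
    return findings

# Constructed sample entries (documentation-range IPs, placeholder key material).
SAMPLE = [
    'from="192.0.2.10",command="/bin/restart_apache",no-pty,no-X11-forwarding,'
    'no-agent-forwarding 1024 35 1234PLACEHOLDER789 user@host.example',
    'restrict,from="192.0.2.10,192.0.2.11",command="/bin/restart_mysql" '
    'ssh-ed25519 PLACEHOLDERKEY user@host.example',
    'ssh-ed25519 PLACEHOLDERKEY user@host.example',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry[:40] + "...", "->", audit(entry) or "ok")
```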


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    I believe Adam's point was that apache-ssl is rather tripe.

    I would never dare to say such a thing! :)

    What I would say is that mod_ssl is the de facto standard SSL library for working with Apache at this stage. Of course, *nix developers usually don't hold much with de facto standards, but I've always found mod_ssl easier to work with.

    adam


  • Registered Users, Registered Users 2 Posts: 6,265 ✭✭✭MiCr0


    i installed apache with modssl the other day
    it is a PITA alright
    what probs are you having?

    did you try "apachectl startssl" to get it to start?


  • Registered Users, Registered Users 2 Posts: 430 ✭✭timod


    Thanks all for the replies

    I think I'm going to leave it with the custom server. It is working after all :)

    Moist, good points. Thanks.

    It's a college project, so half the bloody marks are going for docs! feck.

    Tim

