Thursday, January 14, 2010

How to implement SSL on Apache 2.0


Pre-installation notes
The guide below builds on the earlier guide, Hardening guide for Apache 2.0 on Solaris 10 platform.

SSL implementation phase
1. Log in to the server using the root account.
2. Mount the Solaris 10 DVD and change to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
3. Run the command below to install the OpenSSL packages:
pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries
4. Create a folder for the SSL certificate files:
mkdir -p /etc/apache2/ssl.crt
5. Create a folder for the SSL private key:
mkdir -p /etc/apache2/ssl.key
6. Run the command below to generate a key pair:
/usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024
Specify a complex pass phrase for the private key (and document it).
7. Change the permissions on the private key file:
chmod 600 /etc/apache2/ssl.key/server.key
8. Run the command below to generate the CSR:
/usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr
Note: The command above should be written as one line. Because it uses -newkey together with -nodes and the same -keyout path, it replaces the pass-phrase-protected key from step 6 with a new, unencrypted one.
9. Send the file /tmp/apache.csr to a Certificate Authority (CA).
10. As soon as you receive the signed certificate from the CA by email, copy every line from the one starting with "Begin" through the one ending with "End" (including those two lines) into Notepad, and save the file as "server.crt".
11. Copy the file "server.crt" into /etc/apache2/ssl.crt/ using SCP.
12. Follow the link in the email from the CA to obtain the root CA chain, and save it as "ca-bundle.crt" (Note: the file must be PEM (base64) encoded).
13. Copy the file "ca-bundle.crt" into /etc/apache2/ssl.crt/ using SCP.
14. Edit the file /etc/apache2/ssl.conf with vi and change the following strings:
From:
SSLSessionCache dbm:/var/run/apache2/ssl_scache
To:
SSLSessionCache dbm:/var/apache2/ssl_scache

From:
SSLMutex file:/var/run/apache2/ssl_mutex
To:
SSLMutex file:/var/apache2/ssl_mutex

From:
ServerName 127.0.0.1:443
To:
ServerName Server_FQDN:443 (replace Server_FQDN with the server's fully qualified domain name)

From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"

From:
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
To:
SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

From:
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
To:
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

15. Remove the whole section that begins with the line below:
<Directory "/var/apache2/cgi-bin">
16. Stop Apache from the command line:
/usr/apache2/bin/apachectl stop
17. Start Apache with SSL from the command line:
/usr/apache2/bin/apachectl startssl
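As an added example (not part of the original guide), a small Python checker for the ssl.conf edits in step 14: it reads the active directives, confirms the CA bundle line is uncommented and ServerName is no longer the loopback placeholder, catches a stray blank in the session-cache and mutex paths, and audits the cipher string. The two sample configs inside it are constructed from the guide's From and To lines, with www.example.com standing in for Server_FQDN.

```python
# Cipher-string aliases the guide turns off; keeping any of them in the list weakens the HTTPS listener.
WEAK = {"LOW", "EXP", "EXPORT", "EXPORT56", "eNULL", "NULL", "aNULL", "ADH", "SSLv2"}

# Constructed samples: the guide's "From" values and its "To" values (www.example.com is a placeholder).
BEFORE_CONF = """
SSLSessionCache dbm:/var/run/apache2/ssl_scache
SSLMutex file:/var/run/apache2/ssl_mutex
ServerName 127.0.0.1:443
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""
AFTER_CONF = """
SSLSessionCache dbm:/var/apache2/ssl_scache
SSLMutex file:/var/apache2/ssl_mutex
ServerName www.example.com:443
SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
"""

def parse_directives(text):
    """Return {name: value} for active directives; '#' comments and <Section> tags are skipped."""
    directives = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith(("#", "<")):
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives

def cipher_findings(suite):
    """Flag weak aliases left in the list; '-' removes only until the alias is named again, '!' removes for good."""
    tokens = [(t[0], t[1:]) if t[0] in "+-!" else ("", t) for t in suite.split(":") if t]
    kept = [p + n for p, n in tokens if n in WEAK and p in ("", "+")]
    soft = [p + n for p, n in tokens if n in WEAK and p == "-"]
    out = [("fail", "SSLCipherSuite lists weak aliases without '-' or '!': " + ", ".join(kept))] if kept else []
    if soft:
        out.append(("warn", "prefer '!' over '-' so these cannot be re-added later in the string: " + ", ".join(soft)))
    return out

def lint_ssl_conf(text):
    """Return (severity, message) findings; no 'fail' entries means the guide's edits are in place."""
    d, findings = parse_directives(text), []
    if "SSLCACertificateFile" not in d:
        findings.append(("fail", "SSLCACertificateFile missing or commented out; CA chain will not be served"))
    if d.get("ServerName", "").startswith(("127.0.0.1", "Server_FQDN")):
        findings.append(("fail", "ServerName must be the host's real FQDN, got: " + d["ServerName"]))
    for name in ("SSLSessionCache", "SSLMutex"):  # expect e.g. dbm:/var/apache2/ssl_scache, with no blanks
        if name in d and (" " in d[name] or ":/" not in d[name]):
            findings.append(("fail", name + " value is malformed (stray blank?): " + d[name]))
    return findings + cipher_findings(d.get("SSLCipherSuite", ""))
```

Running lint_ssl_conf on the real /etc/apache2/ssl.conf after step 14 should report no "fail" entries; the "warn" on the hardened cipher string only points out that "!" is the stricter form of the removals the guide already makes.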


Tuesday, January 5, 2010

Drupal and Apache Web Site Security Checklist


These days more and more people are using Drupal to maintain their web sites.
With that popularity come security risks (see: http://drupal.org/security).

Here is a very good guide I found on the web for securing Drupal on Apache web servers:

Part 1:
http://nadeausoftware.com/articles/2009/05/drupal_and_apache_web_site_security_checklist_part_1
Part 2:
http://nadeausoftware.com/articles/2009/06/drupal_and_apache_web_site_security_checklist_part_2
Part 3:
http://nadeausoftware.com/articles/2009/07/drupal_and_apache_web_site_security_checklist_part_3


Thanks to Nadeau software consulting.
