Saturday, February 25, 2012

Configuring Apache to use SSL to secure web traffic

Configuring Apache to secure web traffic is pretty straightforward, but as with many things one simple error can cause it to fail to work as intended.  I would like to share how I've configured Apache to use SSL to secure web traffic, and I'll include a couple of pitfalls that you may run across.  In the end it is a simple process, but it is an essential one to keep your data and your users safe from having usernames, passwords or other sensitive information captured somewhere between the server and the client.  I use SSL to secure all of my web servers, whether they are running on Windows or Linux and whether they are accessible from the public internet or only from the local network.  No matter how secure you may think your LAN is or how trustworthy your users are, encrypting network traffic will guarantee that client-server communications are secured against eavesdropping.  Of course any traffic containing sensitive information traversing a public network should be secured without question.

Before configuring Apache, you must first acquire an SSL certificate from a certificate authority that your users will trust.  Depending on where your web site or application will be accessible and what resources you have at your disposal, you can either obtain a certificate from a trusted third-party CA or from a CA in your own enterprise public key infrastructure.  I happen to work with a predominantly Windows infrastructure, so I used my Windows Server 2008 R2 CA to generate the certificate.  If you decide, like I did, to use a certificate that is not from a third-party CA, Firefox users will be presented with the warning message "This connection is untrusted".  Each user will have to import either the server certificate or the CA certificate into Firefox to avoid the warning.  Internet Explorer, Chrome and Safari will trust the Windows CA because they use the integrated Windows certificate store, which will contain a copy of your Windows CA certificate and trust it.  If you're expecting that a lot of your site visitors will be using non-Windows devices or predominantly Firefox, then save yourself a support headache and buy a certificate from a third-party CA.

Once you have your server certificate you can finish the SSL configuration. The particular server that I'm using as an example is running CentOS 6.2.  You will need to check file locations for your distribution if it is different.  The default configuration for Apache running on CentOS is to use '/etc/httpd/conf/httpd.conf' as well as all '.conf' files located in '/etc/httpd/conf.d' because 'httpd.conf' contains the following directive.

Include conf.d/*.conf

The only indication that I'm running this server over SSL from httpd.conf is the directive:

ServerName server.domain.local:443

I left 'Listen 80' in 'httpd.conf' so that my clients could connect to the web site without specifying either "https" or appending ":443" to my site address.  Everything else is configured in '/etc/httpd/conf.d/ssl.conf'. Be sure that only one of your .conf files contains the directive 'Listen 443', which I have in ssl.conf.  If you include it in both your 'httpd.conf' and 'ssl.conf' Apache will fail to start with an "address already in use" error message.

You can leave the majority of 'ssl.conf' with the default configuration that ships with Apache, but make sure that it includes 'SSLEngine On'.  The primary lines that you will need to edit in 'ssl.conf' tell Apache which certificates to present to your users' web browsers as well as which private key is associated with the server certificate.  It is the public key / private key pair that is the basis of SSL cryptography.  The public key is provided to the client in the certificate and the private key is held by the server.  Those keys, combined with agreed-upon encryption algorithms and random number generation, provide the session keys that are used by both parties to encrypt a particular conversation.  Here are the directives from 'ssl.conf':

SSLCertificateFile /etc/pki/tls/certs/server.domain.local.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.domain.local.key
SSLCACertificateFile /etc/pki/tls/certs/ca.domain.local.crt
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

The names of these directives make them self-documenting.  The last line is not strictly needed and I'm not using it, but I thought I'd include it for completeness.  My server certificate was generated by the root CA in my PKI, so in my case there is no server chain to speak of.  It's also not needed if your server certificate contains a concatenated list of all of the certificates of any intermediate certificate authorities in the certification chain.

To test your configuration run 'service httpd restart' and browse to your site in the web browsers that your users are likely to be using.  If everything is working properly you should see http redirect to https automatically.  If something isn't working right, check your configuration files for misspellings or other syntax errors and check '/var/log/httpd/error_log' for any other indications of what might be going wrong.  One thing that lies outside of the Apache configuration that will stop traffic cold is firewall rules.  Check your iptables rules to make sure that you are allowing inbound connections on ports 80 and 443.  If you have any doubts about where a problem may lie you can turn your firewall off temporarily just to rule out that possibility.  Securing your web traffic with SSL is fairly easy, but it is essential for keeping your data and your users safe.
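Pulling the pieces together, here is an added example (not the post's own files) of a minimal 'httpd.conf' / 'ssl.conf' pair for the server named above.  The port-80 virtual host with its Redirect is what actually produces the http-to-https redirect the test step expects; the paths, the DocumentRoot and the log names assume the CentOS 6 layout used in the post.

```apache
# /etc/httpd/conf/httpd.conf (excerpt) -- added example, not the post's file
ServerName server.domain.local:443
Listen 80
Include conf.d/*.conf

# Plain-HTTP virtual host: send every request to the HTTPS site so a
# client typing the bare hostname ends up on the encrypted connection.
<VirtualHost *:80>
    ServerName server.domain.local
    Redirect permanent / https://server.domain.local/
</VirtualHost>

# /etc/httpd/conf.d/ssl.conf (excerpt)
# Keep exactly one "Listen 443" across all .conf files; a second copy
# makes httpd fail to start with "Address already in use".
LoadModule ssl_module modules/mod_ssl.so
Listen 443

<VirtualHost _default_:443>
    ServerName server.domain.local:443
    DocumentRoot /var/www/html

    SSLEngine on
    # Refuse the legacy protocol versions that no current client needs.
    SSLProtocol all -SSLv2 -SSLv3

    # Certificate presented to clients and the private key that matches it.
    SSLCertificateFile    /etc/pki/tls/certs/server.domain.local.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.domain.local.key
    # Issuing CA.  SSLCertificateChainFile is only needed when an
    # intermediate CA sits between the root and the server certificate.
    SSLCACertificateFile  /etc/pki/tls/certs/ca.domain.local.crt
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_access_log combined
</VirtualHost>
```

Run 'httpd -t' before 'service httpd restart' so that a misspelled directive is reported as a syntax error rather than discovered as a failed restart.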
