quick-docs/modules/ROOT/partialsdelete/2delete-proc_securing-apache-httpd.adoc

122 lines
3.8 KiB
Text
Raw Normal View History

[id='securing-apache-httpd']
2018-01-01 17:26:10 +00:00
= Securing Apache HTTPD
To enable TLS/SSL support, download and install one of the following packages:
* https://packages.fedoraproject.org/pkgs/httpd/mod_ssl/[mod_ssl], based on https://www.openssl.org[OpenSSL]
* https://packages.fedoraproject.org/pkgs/mod_gnutls/mod_gnutls/[mod_gnutls], based on https://www.gnutls.org/[GnuTLS]
* https://packages.fedoraproject.org/pkgs/mod_nss/mod_nss/[mod_nss], based on https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS]
2018-01-01 17:26:10 +00:00
[id='using-mod-ssl']
2018-01-01 17:26:10 +00:00
== Using mod_ssl
[id='installing-mod-ssl']
2018-01-01 17:26:10 +00:00
=== Installing mod_ssl
The https://packages.fedoraproject.org/pkgs/httpd/mod_ssl/[mod_ssl] package will be automatically enabled post installation. Install the https://packages.fedoraproject.org/pkgs/httpd/mod_ssl/[mod_ssl] package using the following command:
----
sudo dnf install mod_ssl -y
----
2018-01-01 17:26:10 +00:00
[id='generating-new-certificate']
=== Generating a new certificate
To generate a new certificate, refer to https://fedoraproject.org/wiki/Https#openssl[Create a certificate using OpenSSL].
// The topic ID can be used here instead of the absolute link. Have used absolute link as the destination content in question is in a topic that may not be a part of this activity.
2018-01-01 17:26:10 +00:00
[id='installing-existing-certificate']
2018-01-01 17:26:10 +00:00
=== Installing an existing certificate
If you already have a certificate generated on another computer, do the following:
. Move the certificate and the key file to the correct folder
+
----
sudo mv key_file.key /etc/pki/tls/private/myhost.com.key
sudo mv certificate.crt /etc/pki/tls/certs/myhost.com.crt
----
2018-01-01 17:26:10 +00:00
+
. Ensure that the following parameters are correct:
+
.. SELinux contexts
+
----
restorecon /etc/pki/tls/private/myhost.com.key
restorecon /etc/pki/tls/certs/myhost.com.crt
----
2018-01-01 17:26:10 +00:00
+
.. Ownership
+
----
sudo chown root.root /etc/pki/tls/private/myhost.com.key
sudo chown root.root /etc/pki/tls/certs/myhost.com.crt
----
2018-01-01 17:26:10 +00:00
+
.. Permissions
+
----
sudo chmod 0600 /etc/pki/tls/private/myhost.com.key
sudo chmod 0600 /etc/pki/tls/certs/myhost.com.crt
----
2019-03-22 15:20:33 +00:00
After installing the existing certificate, set up the certificate using <<mod_ssl configuration>>.
2018-01-01 17:26:10 +00:00
[id='mod-ssl-configuration']
2018-01-01 17:26:10 +00:00
=== mod_ssl configuration
The default TLS/SSL configuration is contained in the file `/etc/httpd/conf.d/ssl.conf`. In the `ssl.conf` file, following are the directives that specify where the TLS/SSL certificate and key are located:
----
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
----
These directives are enclosed in a block defining a https://httpd.apache.org/docs/current/vhosts/[virtual host]:
----
<VirtualHost _default_:443>
...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
...
</VirtualHost>
----
To define a different location for these files, do the following:
. Create a copy of the `/etc/httpd/conf.d/ssl.conf` file and renew the file to `z-ssl-local.conf`.
+
. Edit the following lines in the `z-ssl-local.conf` file:
----
<VirtualHost _default_:443>
SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key
</VirtualHost>
----
This file will override the two settings for the `pass:[_default_]:443` virtual host; all other settings from `ssl.conf` will be retained.
2018-01-01 17:26:10 +00:00
[id='settings-individual-virtual-hosts']
2018-01-01 17:26:10 +00:00
=== Settings for individual virtual hosts
To use SSL/TLS for a specific virtual host with a different certificate as default, do the following:
2018-01-01 17:26:10 +00:00
. Open that virtual host's configuration file `/etc/httpd/conf.d/hostname.conf`.
+
. Insert these lines between `<VirtualHost hostname:port>` and `</VirtualHost>`:
2018-01-01 17:26:10 +00:00
+
----
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
----