quick-docs/modules/ROOT/pages/_partials/proc_securing-apache-httpd.adoc
2018-07-27 18:53:34 +02:00

121 lines
3.7 KiB
Text

[id='securing-apache-httpd']
= Securing Apache HTTPD
To enable TLS/SSL support, download and install one of the following packages:
* https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl], based on https://www.openssl.org[OpenSSL]
* https://apps.fedoraproject.org/packages/mod_gnutls[mod_gnutls], based on https://www.gnutls.org/[GnuTLS]
* https://apps.fedoraproject.org/packages/mod_nss[mod_nss], based on https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS]
[id='using-mod-ssl']
== Using mod_ssl
[id='installing-mod-ssl']
=== Installing mod_ssl
The https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl] package will be automatically enabled post installation. Install the https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl] package using the following command:
----
# dnf install mod_ssl -y
----
[id='generating-new-certificate']
=== Generating a new certificate
To generate a new certificate, refer to https://fedoraproject.org/wiki/Https#openssl[Create a certificate using OpenSSL].
// The topic ID can be used here instead of the absolute link. Have used absolute link as the destination content in question is in a topic that may not be a part of this activity.
[id='installing-existing-certificate']
=== Installing an existing certificate
If you already have a certificate generated on another computer, do the following:
. Move the certificate and the key file to the correct folder
+
----
# mv key_file.key /etc/pki/tls/private/myhost.com.key
# mv certificate.crt /etc/pki/tls/certs/myhost.com.crt
----
+
. Ensure that the following parameters are correct:
+
.. SELinux contexts
+
----
# restorecon /etc/pki/tls/private/myhost.com.key
# restorecon /etc/pki/tls/certs/myhost.com.crt
----
+
.. Ownership
+
----
# chown root.root /etc/pki/tls/private/myhost.com.key
# chown root.root /etc/pki/tls/certs/myhost.com.crt
----
+
.. Permissions
+
----
# chmod 0600 /etc/pki/tls/private/myhost.com.key
# chmod 0600 /etc/pki/tls/certs/myhost.com.crt
----
After installing the existing certificate, set up the certificate using link:mod-ssl-configuration[mod_ssl configuration].
[id='mod-ssl-configuration']
=== mod_ssl configuration
The default TLS/SSL configuration is contained in the file `/etc/httpd/conf.d/ssl.conf`. In the `ssl.conf` file, following are the directives that specify where the TLS/SSL certificate and key are located:
----
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
----
These directives are enclosed in a block defining a https://httpd.apache.org/docs/current/vhosts/[virtual host]:
----
<VirtualHost _default_:443>
...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
...
</VirtualHost>
----
To define a different location for these files, do the following:
. Create a copy of the `/etc/httpd/conf.d/ssl.conf` file and renew the file to `z-ssl-local.conf`.
+
. Edit the following lines in the `z-ssl-local.conf` file:
----
<VirtualHost _default_:443>
SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key
</VirtualHost>
----
This file will override the two settings for the `pass:[_default_]:443` virtual host; all other settings from `ssl.conf` will be retained.
[id='settings-individual-virtual-hosts']
=== Settings for individual virtual hosts
To use SSL/TLS for a specific virtual host with a different certificate as default, do the following:
. Open that virtual host's configuration file `/etc/httpd/conf.d/hostname.conf`.
+
. Insert these lines between `<VirtualHost hostname:port>` and `</VirtualHost>`:
+
----
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key</pre>
----