# APACHE using SSL

## KraziKid

I just set up apache using ssl and php following the directions in the Desktop Doc, and had a few questions.  How do I make it so a webpage is only accessible through SSL, using https://, and not both http:// and https://?  Also, how do I make it so a webpage requires a log in?  I know these are n00b web questions, but I'm used to programming in High Level languages, and not Markup languages.  So if anyone can help, it would be appreciated.

----------

## kashani

Step 1: Edit your /etc/apache/conf/apache.conf file and comment out the following lines.

```
Port 80
Listen 80
```

Step 2: Create a password file and a username.

```
htpasswd -c /path/to/htpasswd/file username_to_add
```

To add additional users it's

```
htpasswd /path/to/htpasswd/file username
```

You'll want to put this in a folder that isn't available to users via the web. I put mine in a file I created, /home/httpd/private/admins

Just don't put it anywhere inside your htdocs dir.

Step 3: Create the .htaccess file in the dir you want to protect.

```
cd /home/httpd/htdocs/
```

vi .htaccess and write the following lines

```
AuthType        Basic
AuthName        ByPassword
AuthUserFile    /path/to/htpasswd/file
require         valid-user
```

Step 4: Create a better SSL cert. Some browsers don't like the default cert, best to fix that off the bat.

```
cd /etc/apache/conf/ssl
```

a. create the key using a pass phrase

```
openssl genrsa -des3 -out secure.key 1024
```

b. make an unsecure copy of your key

```
openssl rsa -noout -text -in unsecure.key
```

c. decide whether you want to use a secure or unsecure key. The unsecure will load without any problems. The secure key will require your key phrase or ssl won't load. I recommend using the clear text key especially if self generating a crt.

```
cp unsecure.key server.key
```

or

```
cp secure.key server.key
rm unsecure.key
```

d. generate a cert

```
openssl req -new -x509 -days 365 -key server.key -out server.crt
```

Step 5

You must stop and then start apache for this to take effect.

This is a pretty bare bones installation, not overly secure, but it'll work and be good enough for most situations.

kashani

----------

## KraziKid

Thanks, that worked perfectly.  One thing didn't work though, I could not create an unsecure certificate, but I don't mind because I want it to be secure.  But thanks again.  Also, do I always have to enter the passphrase on apache startup?  I usually try to keep my server up as long as possible, but was wondering if when rebooted, does it ask me for the passphrase, or just load?  And, is there a way to bypass that so I do not have to enter the password on apache startup, or is that a security feature?

Edit:  Never mind, I figured out what you meant on how when you use an unsecure test key, apache does not ask for the pass to start up.  But one thing, I needed to modify your unsecure key generator to say:

```
openssl rsa -text -in secure.key -out unsecure.key
```

I hope I did this right, but it works.  So, thanks again.

----------

## kashani

 *KraziKid wrote:*   

> I usually try to keep my server up as long as possible, but was wondering if when rebooted, does it ask me for the passphrase, or just load?  And, is there a way to bypass that so I do not have to enter the password on apache startup, or is that a security feature?

 

SSL will not load without the key. There are three ways to deal with the above.

1. use the clear text key and apache will load automatically. You can lock down the permissions of the files so only root can read them.

2. Put the password in manually when you start the server.

3. Create a script and change the... uh... SSHdialog something or another directive in /etc/apache/conf/addon-modules/mod_ssl.conf. Of course the key phrase will be in your script somewhere so this isn't much better than 1 without some heavy scripting.

Since you're using an unverified certificate (you didn't pay verisign) or anything it's probably not a big deal to go with method number 1. The only reason to go after a crt is to spoof your box to the rest of the internet, which someone could just create on their own unless you get a real crt. 

Can you tell what I spent a large part of the week working on?  :Smile: 

kashani
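An added example, not part of kashani's or KraziKid's posts: a shell check for the two storage points made in this thread, that a clear-text key should not be readable by anyone but its owner and that the htpasswd file should sit outside htdocs. The function names and the paths passed to them are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the key and password-file layout above.
# key_is_encrypted FILE: succeeds if the PEM key still needs a pass phrase.
# Traditional PEM carries "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses its own label.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# perms_locked FILE: succeeds if group and other have no permission bits set.
perms_locked() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# resolve PATH: print the physical absolute path (parent dir must exist).
resolve() {
    if [ -d "$1" ]; then
        (cd "$1" && pwd -P)
    else
        (cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")")
    fi
}

# outside_docroot FILE DOCROOT: succeeds if FILE does not live under DOCROOT.
outside_docroot() {
    case "$(resolve "$1")/" in
        "$(resolve "$2")"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# audit KEY HTPASSWD DOCROOT: print findings, return the number of problems.
audit() {
    problems=0
    if ! key_is_encrypted "$1" && ! perms_locked "$1"; then
        echo "FAIL: clear-text key $1 is accessible to group/other"
        problems=$((problems + 1))
    fi
    if ! outside_docroot "$2" "$3"; then
        echo "FAIL: password file $2 is inside $3"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run the audit only when called with the three paths as arguments.
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

An encrypted key passes the first check regardless of its mode, since it is useless without the pass phrase; a clear-text key passes only with a mode such as 600 or 400.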

----------

## KraziKid

 *kashani wrote:*   

> 
> 
> Can you tell what I spent a large part of the week working on? 
> 
> kashani

 

Yeah, LOL.  Thanks again.  One more quick thing though.  Did I edit your code properly to create the unsecure plain text key?

Here's what I made it to:

```
openssl rsa -text -in secure.key -out unsecure.key
```

and here is what you said:

```
openssl rsa -noout -text -in unsecure.key
```

Yours did not work, so I decided to play around, and the way I did it produced results.  So I was wondering if what I did was what you meant?

----------

## kashani

I stole all my info from this site which has much more info on this.

http://www.iu.hio.no/~mark/WebCourse/node25.html

kashani

----------

## rizzo

A friend has directed me to the script at /usr/lib/ssl/mod_ssl/gentestcrt.sh.  It generated the two files needed and is working great for me (once I remembered to forward port 443 to my webserver :p)

----------

