<P>If you live outside of the United States and Canada, then the United States patent on the RSA public-key cryptosystem doesn't apply to you. Apache-SSL, with its own implementation of the RSA algorithm that doesn't incorporate any code from the RSAREF toolkit, can be used legally anywhere but in the United States and Canada; in those two countries it violates U.S. patent law. To be certain, you should also check the local restrictions and regulations regarding the use of cryptographic technology before you deploy a server that uses it.
<BR>
<BR>
<A NAME="E68E161"></A>
<H3 ALIGN=CENTER>
<CENTER>
<FONT SIZE=5 COLOR="#FF0000"><B>Installing Apache-SSL</B></FONT></CENTER></H3>
<BR>
<P>For users outside of the U.S. and Canada, Apache-SSL is distributed in patch form. Note the version of the patches: each patch set targets one specific Apache release. The patches can be obtained from <A HREF="http://www.algroup.co.uk/Apache-SSL">http://www.algroup.co.uk/Apache-SSL</A>. You'll also need the SSLeay libraries, available in source form from <A HREF="http://www.psy.uq.oz.au/~ftp/Crypto">http://www.psy.uq.oz.au/~ftp/Crypto</A>; pick the latest version. Finally, verify that you have the matching version of the Apache server from <A HREF="http://www.apache.org/">http://www.apache.org</A>.
<BR>
<P>As of this writing, the patches were for Apache version 1.1.1. The files you'll need are
<BR>
<UL>
<UL>
<P>Apache source: apache_1.1.1.tar.gz
</UL></UL>
<UL>
<UL>
<P>SSLeay library: SSLeay-0.6.3.tar.gz
</UL></UL>
<UL>
<UL>
<P>SSL patches: apache_1.1.1+1.3.ssl.tar.gz
<BR>
</UL></UL>
<P>Move all of the distribution files into one working directory; the commands below use a directory named ApacheServer for this. Here's how the patches are unpacked and applied. Note that apache_1.1.1+1.3.ssl.tar.gz is unpacked inside the Apache 1.1.1 distribution directory. Doing so installs the input files for the patch program as well as some files unique to the SSL distribution. The SSL patches are then applied with the patch utility. If your system does not have patch, I have included a copy on the CD-ROM. Otherwise, you can download the latest version from <A HREF="ftp://prep.ai.mit.edu/systems/gnu/patch-2.1.tar.gz">ftp://prep.ai.mit.edu/systems/gnu/patch-2.1.tar.gz</A>.
<BR>
<P>Before compiling SSLeay, read the INSTALL document. Then edit Makefile.ssl to match your system configuration. If your perl binary is in /usr/local/bin/perl and you don't mind installing the libraries and other programs in /usr/local/ssl, all you may need to do is set up your compiler options. When you are done, run the Configure program. Here's a listing of the commands you'll need to apply:
<BR>
<PRE>
<FONT COLOR="#000080">% mkdir ApacheServer
% mv apache_1.1.1.tar.gz ApacheServer
% mv apache_1.1.1+1.3.ssl.tar.gz ApacheServer
% mv SSLeay-0.6.3.tar.gz ApacheServer
% cd ApacheServer
% gzcat apache_1.1.1.tar.gz | tar -xf -
% cd apache_1.1.1
% gzcat ../apache_1.1.1+1.3.ssl.tar.gz | tar -xf -
% patch < SSLpatch
% cd ..
% gzcat SSLeay-0.6.3.tar.gz | tar -xf -
% cd SSLeay-0.6.3
% ./Configure <I>os-compiler</I></FONT></PRE>
<P>Replace <I>os-compiler</I> with the name of your system. To see a list of available configurations, run Configure without an argument. Then build by issuing make at the command prompt:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">% make</FONT></PRE>
<P>After a while the libraries and tools will be built. To install them in their proper places, run make install as root.
<BR>
<P>After the libraries compile properly, you'll need to edit the Apache src/Configuration file. For an idea of a basic configuration, see <A HREF="asg02.htm">Chapter 2</A>, "Installing and Configuring the Apache Server." The SSL patch adds a few more directives to this file that you need to set values for. The one you'll want to look for is SSL_BASE.
<BR>
<P>SSL_BASE must point at the unpacked SSLeay source tree, relative to the Apache src directory. I set SSL_BASE=../../SSLeay-0.6.1, the location of the SSLeay-0.6.1 distribution on my system; with the file versions listed above it would be ../../SSLeay-0.6.3. You should then be able to do a make, and the binary httpsd will be built. Move the httpsd binary to the apache_1.1.1 directory:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">% mv httpsd ../</FONT></PRE>
<P>At this point your software is properly installed. The next step is configuring the software and generating a server key and certificate (self-signed for testing, or signed by a CA) so that you can use it.
<BR>
<BR>
<A NAME="E69E166"></A>
<H4 ALIGN=CENTER>
<CENTER>
<FONT SIZE=4 COLOR="#FF0000"><B>Configuring Apache-SSL</B></FONT></CENTER></H4>
<BR>
<P>Before you configure Apache-SSL you'll need a server key and either a certificate request to send to a CA or, for testing, a self-signed certificate. A test certificate can be generated simply by issuing make certificate in the apache_1.1.1/src directory. Read the command the target runs: it passes -x509, so the output is a self-signed certificate rather than a request, and -nodes, so the private key is written unencrypted into httpsd.pem together with the certificate. The key is also only 512 bits. Protect that file's permissions and do not use the result in production:
<BR>
<PRE>
<FONT COLOR="#000080">control1 > make certificate
../../SSLeay-0.6.1/apps/ssleay req -config ../../SSLeay-0.6.1/apps/ssleay.conf -new -x509 -nodes -out ../SSLconf/conf/httpsd.pem -keyout ../SSLconf/conf/httpsd.pem; ln -s ../SSLconf/conf/httpsd.pem ../SSLconf/conf/`../../SSLeay-0.6.1/apps/ssleay x509 -noout -hash < ../SSLconf/conf/httpsd.pem`.0
Generating a 512 bit private key
..+++++
.....................+++++
writing new private key to '../SSLconf/conf/httpsd.pem'</FONT></PRE>
<P>Next, you'll be prompted to enter information about yourself and your company. Follow the directions:
<BR>
<PRE>
<FONT COLOR="#000080">You are about to be asked to enter information that will be incorperated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DO
State or Province Name (full name) [Queensland]:Distrito Nacional
Locality Name (eg, city) []:Santo Domingo
Organization Name (eg, company) [Mincom Pty Ltd]:CXA
Organizational Unit Name (eg, section) [MTR]:""
Common Name (eg, YOUR name) []:
Email Address []:webmaster@CXA.DO</FONT></PRE>
<P>Next, you'll need to edit the SSLconf/conf/httpd.conf file. This file contains many of the same configuration directives as conf/httpd.conf, but it also adds directives for specifying the location of the certificate, among other things. The directives you need to set are fully documented.
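<P>The make certificate target above creates a 512-bit RSA key and writes it, unencrypted, into httpsd.pem next to the self-signed certificate, then links a &lt;subject-hash&gt;.0 name to it. The following shell script is an added example and not Apache-SSL's own code: it performs the same steps with the modern openssl command standing in for the SSLeay ssleay binary, uses a 2048-bit key, and then checks the result the way you would before pointing the server at it (key size, key/certificate agreement, key-file permissions, and whether the key carries a passphrase that would stop an unattended start). The directory, hostname and Distinguished Name fields are assumed values for illustration.

```shell
#!/bin/sh
# Added example (not Apache-SSL's own code): reproduce what Apache-SSL's
# "make certificate" target does, using today's "openssl" command in place
# of the SSLeay "ssleay" binary and a 2048-bit key instead of 512 bits,
# then sanity-check the result before handing it to the server.
# The directory, hostname and DN fields below are assumed values.
set -eu

# gen_test_cert DIR HOSTNAME
# Writes DIR/httpsd.pem holding the unencrypted key followed by the
# self-signed certificate (the layout Apache-SSL reads), adds the
# DIR/<subject-hash>.0 symlink the make target creates, prints the path.
gen_test_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    ( umask 077        # -nodes: no passphrase, so file mode is the only protection
      openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
          -subj "/C=DO/ST=Distrito Nacional/L=Santo Domingo/O=CXA/CN=$host" \
          -keyout "$dir/httpsd.key" -out "$dir/httpsd.crt" 2>/dev/null
      cat "$dir/httpsd.key" "$dir/httpsd.crt" > "$dir/httpsd.pem"
      rm -f "$dir/httpsd.key" "$dir/httpsd.crt" )
    h=$(openssl x509 -noout -subject_hash -in "$dir/httpsd.pem")
    ln -sf httpsd.pem "$dir/$h.0"
    echo "$dir/httpsd.pem"
}

# cert_key_bits PEMFILE -> prints the RSA modulus size found in the certificate
cert_key_bits() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# key_is_encrypted PEMFILE -> succeeds only if the private key has a passphrase
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# key_file_is_private PEMFILE -> succeeds only if group/other cannot read it
key_file_is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        *r*) return 1 ;;
    esac
    return 0
}

# cert_matches_key PEMFILE -> succeeds only if the certificate's public key
# belongs to the private key stored in the same file
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1")
    b=$(openssl pkey -pubout -in "$1")
    [ "$a" = "$b" ]
}

# check_server_pem PEMFILE -> one line per finding; succeeds if all checks pass
check_server_pem() {
    f=$1; rc=0
    bits=$(cert_key_bits "$f")
    [ "${bits:-0}" -ge 2048 ] || { echo "weak key: ${bits:-unknown} bits"; rc=1; }
    cert_matches_key "$f"    || { echo "certificate does not match key"; rc=1; }
    key_file_is_private "$f" || { echo "key file readable by group/other"; rc=1; }
    key_is_encrypted "$f"    && echo "note: key has a passphrase; httpsd cannot start unattended"
    return $rc
}

# Usage: sh gen-cert.sh demo SSLconf/conf www.example.test
if [ "${1:-}" = "demo" ]; then
    pem=$(gen_test_cert "${2:-./SSLconf/conf}" "${3:-www.example.test}")
    check_server_pem "$pem" && echo "$pem: ok"
fi
```

The checks are the ones worth repeating on any httpsd.pem you later receive back from a CA: a certificate whose public key does not match the private key on disk, or a key file that became world-readable during copying, are the two mistakes that most often leave a freshly configured server either refusing to start or silently exposed.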
<BR>
<BR>
<A NAME="E68E162"></A>
<H3 ALIGN=CENTER>
<CENTER>
<FONT SIZE=5 COLOR="#FF0000"><B>Installing and Configuring Stronghold</B></FONT></CENTER></H3>
<BR>
<P>Stronghold comes as a prebuilt binary, and it is by far the easiest Apache server to install. Community ConneXion has made a very nice interactive shell script that installs and configures both servers (the distribution includes both the non-SSL version of Apache, httpd, and Stronghold, httpsd). A future version, currently under development, will implement both the secure and plain servers in one server process.
<BR>
<P>To start the installation process, type the following:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080"># ./Install.sh</FONT></PRE>
<P>The program will show you a list of the available prebuilt binaries (if your distribution contains more than one). Enter the name of the operating system matching your platform like this:
<BR>
<PRE>
<FONT COLOR="#000080">Available platforms:
Pick your platform > <I>NS</I></FONT></PRE>
<P>Next, it will ask you where to store the SSLeay libraries and security utilities. Enter a different pathname if you want them stored elsewhere.
<BR>
<PRE>
<FONT COLOR="#000080">Where do you want to install SSLeay? [/usr/local/ssl]
Testing permissions...done
Installing SSLeay...done</FONT></PRE>
<P>The installation script will then ask for the name of the directory where Stronghold will store Apache and other files necessary for the operation of the Web server.
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">Where would you like to locate the ServerRoot? [/usr/local/apache]</FONT></PRE>
<P>Next it will request a directory for the normal logs (nonsecure transactions).
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">Where would you like to locate the non-SSL logs? [/usr/local/apache/logs]</FONT></PRE>
<P>And for the secure transaction logs:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">Where would you like to locate the SSL logs? [/usr/local/apache/ssl_logs]</FONT></PRE>
<P>Next, the script will configure some of the server runtime configuration directives. First, it will request the server name. If the server will use an alias such as www.company.com, enter that name here:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">What's the name of your server? [www.company.com]</FONT></PRE>
<P>Next, it will ask you for the e-mail address for the administrator responsible for this site. This address gets returned to the client in case of an error:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">What is the email address of the server admin? [webmaster@company.com]</FONT></PRE>
<P>Next, it will ask you for the TCP port address for the plain (non-SSL) server. The standard HTTP port is 80:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">What port do you want to run the plain server on? [80]</FONT></PRE>
<P>Next, it will ask you for the TCP port address for the SSL server. The standard SSL port is 443:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">What port do you want to run the SSL server on? [443]</FONT></PRE>
<P>The following setting controls the user ID (UID) that the child server processes will run as. It should be set to a UID with minimal privileges, such as nobody:
<BR>
<BR>
<PRE>
<FONT COLOR="#000080">What user should the server run as? [nobody]</FONT></PRE>
<BLOCKQUOTE>
<BLOCKQUOTE>
<HR ALIGN=CENTER>
<BR>
<NOTE>Never set the UID the server runs as to root!</NOTE>
<BR>
<HR ALIGN=CENTER>
</BLOCKQUOTE></BLOCKQUOTE>
<P>The final setting controls the group ID (GID) that the child server processes will run as. It should be set to a GID with minimal privileges, such as nogroup:
<BR>
<PRE>
<FONT COLOR="#000080">What group should the server run as? [nogroup]
Installing Stronghold...done
Configuring Stronghold...done</FONT></PRE>
<P>At this point the basic software is configured. The installation program does not change your environment itself; it prints instructions for setting SSLTOP and adding /usr/local/ssl/bin to your PATH, which lets you use the installed utilities without typing their complete pathnames. Follow the instructions printed by the program and add them to your .cshrc, .login, or .profile files. Note that the PATH it prints is just the installer's own PATH with /usr/local/ssl/bin prepended, so substitute your existing PATH rather than copying the printed one verbatim. The instructions printed are:
<BR>
<PRE>
<FONT COLOR="#000080">Now you must add SSLTOP=/usr/local/ssl to your environment.
Also add /usr/local/ssl/bin to your PATH.
Edit your .cshrc, .login, or .profile appropriately:
csh:
> setenv SSLTOP /usr/local/ssl
> setenv PATH /usr/local/ssl/bin:/etc:/usr/etc:/usr/ucb:/bin:/usr/bin:/usr/local/bin:/usr/sybase/bin:/.
sh:
$ SSLTOP=/usr/local/ssl
$ PATH=/usr/local/ssl/bin:/etc:/usr/etc:/usr/ucb:/bin:/usr/bin:/usr/local/bin:/usr/sybase/bin
$ export SSLTOP PATH
Hit return when ready:</FONT></PRE>
<P>You now need to generate the public/private encryption key pair. If you don't have an existing key, type B and follow the instructions:
<BR>
<PRE>
<FONT COLOR="#000080">Now you need to install a key/cert pair.
A) Convert an existing Netscape Commerce key/cert pair
B) Generate a new key/cert pair
Choose [A/B] B
The key will be called www.key.
The certificate will be called www.cert.
They will be stored in /usr/local/ssl
Hit return:
********* READ ME *************
You are now generating a new key and key request. The key request will be
sent to the CA of your choice and the keyfile will reside
/usr/local/ssl/private/www.key.
If you have already sent off a key request for this server before, make
sure you aren't overwriting your old key which is awaiting a corresponding
certificate from your CA.
If they key generation fails, move the file
/usr/local/ssl/private/www.key to a backup location and try again.
********* READ ME *************
Hit return:
Choose the size of your key. The smaller the key you choose the faster your
server response will be, but you'll have less security. Keys of less than 512
bits are trivially cracked, while for high security applications you