Secure Sockets Layer (SSL) and Transport Layer Security (TLS, also known as SSL v3.1) are the most popular protocols used by web sites to secure web transactions. They use the URL scheme https instead of http, and the default port of https is 443 instead of http's default of 80.
Apache is the most widely used HTTP server, and it will be the HTTP server for our GUI. Apache has many extension modules that can be used depending on your product's requirements. One of them is an SSL module, which relies on OpenSSL and can be used to secure HTTP.
To use Apache we need to download the source code from its web site and compile it into a binary. Some tools must be preinstalled on the build server before compiling Apache with the SSL module:
• gcc
• openssl-devel
• apr/apr-util
apr/apr-util is optional because the Apache source package already includes its source code. You can install it manually if you don't have it in place. If your apr/apr-util is older than version 1.2, upgrade it to 1.2 before compiling Apache, and use the --with-apr/--with-apr-util options to point to the newly installed apr/apr-util.
Install apr/apr-util manually:
# Build and install apr 1.2
cd srclib/apr
./configure --prefix=/usr/local/apr-httpd/
make
make install
# Build and install apr-util 1.2
cd ../apr-util
./configure --prefix=/usr/local/apr-util-httpd/ --with-apr=/usr/local/apr-httpd/
make
make install
After all of the tools have been installed, start compiling Apache:
# Build and install apache; here you can specify other options to
# enable or disable a module
./configure --enable-mods-shared=most --enable-ssl=shared \
--enable-proxy=shared --enable-proxy-http=shared \
--enable-rewrite=shared --with-apr=/usr/local/apr-httpd/ \
--with-apr-util=/usr/local/apr-util-httpd/
make
make install
If the build and installation succeed, you will get a binary Apache server under the default folder /usr/local/.
Then we need to enable https through the following steps:
• generate the private key and certificate with the openssl tool
• modify httpd.conf and httpd-ssl.conf to specify the location of the private key and certificate.
Usually there are three methods to generate a certificate:
• A self-signed certificate: the easiest way to use and deploy
• Trusted CA signed certificate: the recommended way, but it usually comes at an extra, expensive cost.
• Local CA signed certificate: usually used on an intranet
We will use a self-signed certificate in our GUI for easy deployment; it can be integrated into our installation package easily.
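#run the commands from the conf directory so the relative paths below resolve
cd /usr/local/apache2/conf
#generate an RSA private key with 1024 bits
openssl genrsa -out /usr/local/apache2/conf/server.key 1024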
#generate a certificate signing request (csr)
openssl req -new -key server.key -out server.csr
#generate a self-signed certificate
openssl req -x509 -days 365 -key server.key -in server.csr -out server.crt
Then we should modify /usr/local/apache2/conf/httpd.conf. Only the following modifications are needed:
#uncomment the following item
Include conf/extra/httpd-ssl.conf
#turn on rewrite engine to rewrite http to https in case of wrong
#address by mistake.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
httpd-ssl.conf also needs to be modified:
#uncomment the following items
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
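The key and certificate that httpd-ssl.conf points at can be checked from the shell before Apache is started. The script below is an added example, not part of the original page: it creates a pair in one `openssl req -x509 -newkey` step instead of the three commands above, then checks key size, that the certificate carries the key's public half, key file permissions and expiry. The function names, the placeholder name gui.example.test and the 2048-bit minimum (rather than the 1024 bits used above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. gui.example.test is a
# constructed placeholder; the 2048-bit default is this example's assumption.

# make_pair DIR [BITS]: unencrypted RSA key and self-signed certificate,
# written as DIR/server.key and DIR/server.crt.
make_pair() {
    (
        umask 077    # the private key must not be group/world readable
        openssl req -x509 -newkey "rsa:${2:-2048}" -nodes -days 365 \
            -subj "/CN=gui.example.test" \
            -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    )
}

# key_bits KEY: print the RSA modulus size in bits.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# pair_matches KEY CRT: true only if CRT carries the public half of KEY.
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# audit_pair KEY CRT [MIN_BITS]: report each failed check, non-zero if any.
audit_pair() {
    rc=0
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge "${3:-2048}" ] || { echo "weak key: ${bits:-?} bits"; rc=1; }
    pair_matches "$1" "$2" || { echo "key and certificate do not match"; rc=1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "key readable by group/other"; rc=1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired or unreadable"; rc=1; }
    return "$rc"
}

# Demo in a scratch directory, so no real files are touched.
d=$(mktemp -d) && make_pair "$d" && audit_pair "$d/server.key" "$d/server.crt" &&
    echo "ok: $(key_bits "$d/server.key")-bit key matches certificate"
rm -rf "$d"
```

To check the files configured above, call audit_pair with /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt.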
Now you can start the Apache server and check that https works by visiting the following address: https://{IP_ADDRESS}