FreeBSD Tutorial - Set up Apache mod_ssl with OpenSSL for HTTPS

The Apache HTTP Server has been around for decades and its user base is still growing. mod_ssl adds SSL/TLS support to Apache and is available for almost every Apache version on FreeBSD, Linux, macOS and Windows.

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a security protocol that sits between the TCP transport layer and the HTTP application layer. mod_ssl uses it to give Apache a protected channel between client and server: certificates and digital signatures authenticate the server, message authentication (MACs or AEAD ciphers) protects integrity, and symmetric encryption provides confidentiality. SSL version 2 and version 3 are both obsolete and insecure (RFC 6176 prohibits SSLv2 and RFC 7568 deprecates SSLv3); what is in use today is TLS 1.2 and TLS 1.3, and the configuration later in this article disables SSLv3 for that reason.

SSL/TLS uses public key cryptography (PKC), also called asymmetric cryptography. Public key cryptography is used where the client and server share no secret beforehand, as is the case between a browser and a web server, but still want to establish a trusted channel for their communication.

Public key cryptography uses a pair of keys. Either key can be used to encrypt a message, and a message encrypted with one key can only be decrypted with the other. The owner publishes one key (the public key) and keeps the other (the private key) secret, so anyone can send the owner a message that only the owner can read.

Anyone can encrypt with the public key, but only the holder of the private key can decrypt. For example, if Mary sends a private message to the owner of the key pair (say, your web server), her message is encrypted with the public key your server publishes, and only you can decrypt it with the matching private key. In TLS the server's key pair is used mainly to authenticate the server (the certificate binds the public key to the server name, and the server proves possession of the private key during the handshake); the keys that actually encrypt the traffic are symmetric session keys negotiated in that handshake.
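The exchange described above, as an added example that is not part of the original article: a key pair for the server and one for an imposter, Mary's message encrypted to the server's public key, and a decryption attempt with each private key. The names, the message text and the working directory are all constructed for the demonstration; only the openssl command line tool is required.

```shell
#!/bin/sh
# Added example, not from the original article: Mary encrypts a message to the
# server's public key; only the server's private key decrypts it. The names
# (server, imposter) and the message text are made up for the demonstration.
set -eu
WORK=$(mktemp -d)

# gen_keypair DIR NAME: write NAME.key (private) and NAME.pub (public)
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null
    openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub"
}

# encrypt_to PUBKEY PLAINFILE CIPHERFILE: anyone holding the public key can do this.
# OAEP padding is used: PKCS#1 v1.5 is deprecated, and with recent OpenSSL a
# wrong-key decryption under v1.5 returns random bytes instead of an error.
encrypt_to() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# decrypt_with PRIVKEY CIPHERFILE: prints the plaintext; exits non-zero if
# PRIVKEY is not the private half of the pair used to encrypt.
decrypt_with() {
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null
}

gen_keypair "$WORK" server     # the web server's key pair
gen_keypair "$WORK" imposter   # somebody else's key pair

printf 'meet me at 10:00' > "$WORK/msg.txt"    # Mary's message (constructed)
encrypt_to "$WORK/server.pub" "$WORK/msg.txt" "$WORK/msg.enc"

echo "server decrypts: $(decrypt_with "$WORK/server.key" "$WORK/msg.enc")"
if decrypt_with "$WORK/imposter.key" "$WORK/msg.enc" >/dev/null; then
    echo "imposter decrypted the message (should not happen)"
else
    echo "imposter cannot decrypt: wrong private key"
fi
```

The ciphertext in msg.enc is what an eavesdropper sees; it is useless without server.key, which never leaves the server. This is the property TLS builds on, although, as noted above, a real TLS session uses the server key pair for authentication and moves the bulk encryption to symmetric session keys.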

Look at the image below.


This guide enables mod_ssl for websites served by Apache on FreeBSD. It covers only the OpenSSL side: generating the key and certificate with the openssl tool and wiring them into Apache.


1. Install OpenSSL

OpenSSL is a toolkit and library implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is free software and the most widely used cryptographic library; its purpose is to secure connections on servers and inside your own software.

Installing OpenSSL on FreeBSD is easy, and there is no rc.d startup service to configure, but connecting it to Apache has a few steps that are easy to get wrong, so follow the steps in this guide. The OpenSSL build needs Perl, so install it first.
root@ns3:~ # pkg install perl5
Once Perl is installed you can build OpenSSL. FreeBSD already ships an OpenSSL in the base system; the port is for when you want a newer version than the base one. We recommend building it from the FreeBSD ports tree so that the port's options are applied.
root@ns3:~ # cd /usr/ports/security/openssl
root@ns3:/usr/ports/security/openssl # make config
root@ns3:/usr/ports/security/openssl # make install clean
FreeBSD can build ports against several SSL/TLS providers: the OpenSSL in the base system, the security/openssl port, LibreSSL and others (ca_root_nss, often mentioned alongside them, is only the bundle of trusted CA certificates, not an SSL library). To make ports, including Apache and mod_ssl, link against the OpenSSL port you just built, add the following line to /etc/make.conf.

DEFAULT_VERSIONS+=ssl=openssl


2. Create server.crt and server.key file

The first step in connecting Apache to OpenSSL is to create the server.key and server.crt files. Start by creating a directory for them.
root@ns3:~ # cd /usr/local/etc/apache24
root@ns3:/usr/local/etc/apache24 # mkdir -p ssl
root@ns3:/usr/local/etc/apache24 # cd ssl
Generate server.key with openssl. Use at least 2048 bits; 1024-bit RSA keys are no longer considered secure and current browsers reject certificates that use them.
root@ns3:/usr/local/etc/apache24/ssl # openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
.............................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
The command above creates server.key and, because of -des3, encrypts it under a pass phrase. Remember this pass phrase: Apache will ask for it every time it starts, including after an unattended reboot. If the server must come back up with nobody at the console, either keep the key unencrypted (owned by root, mode 0600) or point SSLPassPhraseDialog at a program that supplies the pass phrase.

Next, create a certificate signing request, server.csr, from server.key. openssl will prompt for the subject fields; the Common Name must be the host name clients will use to reach the site (www.datainchi.com in the configuration later in this article).
root@ns3:/usr/local/etc/apache24/ssl # openssl req -new -key server.key -out server.csr
The final step is to create a self-signed certificate (server.crt) from server.key and server.csr. A self-signed certificate encrypts the traffic but is not trusted by browsers, which will warn until it is imported or replaced by one issued by a CA. Browsers also require a Subject Alternative Name extension: Chrome has ignored the Common Name since version 58, so a certificate carrying only a CN is rejected as not matching the host.
root@ns3:/usr/local/etc/apache24/ssl # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
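The same three steps (key, CSR, self-signed certificate) as an added example, not part of the original article: it runs non-interactively, uses a 2048-bit key, adds the Subject Alternative Name browsers require, and then performs the checks a deployer should run before pointing Apache at the files. The host name www.example.test, the 365-day lifetime and the output directory are assumptions; the key is written unencrypted with mode 0600 instead of with a pass phrase, so that Apache can start unattended.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: host name
# www.example.test, temporary output directory, 365-day validity.
set -eu

# make_server_cert DIR HOST DAYS
# Writes DIR/server.key (unencrypted, mode 0600), DIR/server.csr and
# DIR/server.crt. Runs in a subshell so the umask change stays local.
make_server_cert() (
    dir=$1; host=$2; days=$3
    umask 077                                  # key is unreadable to others from creation
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # CSR: -subj avoids the interactive prompts; -addext records the SAN.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
    # x509 -req does not copy extensions from the CSR, so the SAN is supplied
    # again via -extfile when self-signing.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
)

# cert_key_match KEY CRT: succeeds if CRT carries the public half of KEY.
# This is the mismatch that makes Apache refuse to start.
cert_key_match() {
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# cert_bits CRT: RSA modulus size recorded in the certificate
cert_bits() {
    openssl x509 -in "$1" -noout -text | grep -oE 'Public-Key: \([0-9]+ bit' | grep -oE '[0-9]+'
}

# cert_has_san CRT HOST: succeeds if HOST is listed as a DNS SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# cert_valid_for CRT SECONDS: succeeds if CRT is still valid SECONDS from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

DIR=$(mktemp -d)
make_server_cert "$DIR" www.example.test 365

cert_key_match "$DIR/server.key" "$DIR/server.crt" && echo "key and certificate match"
echo "key size: $(cert_bits "$DIR/server.crt") bits"
cert_has_san "$DIR/server.crt" www.example.test && echo "SAN present"
cert_valid_for "$DIR/server.crt" 2592000 && echo "valid for at least 30 days"
ls -l "$DIR/server.key"
openssl x509 -in "$DIR/server.crt" -noout -subject -issuer -dates
```

Copy server.key and server.crt into /usr/local/etc/apache24/ssl (keeping the 0600 mode on the key) and the configuration in step 3 applies unchanged, except that Apache will no longer prompt for a pass phrase at start-up.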


3. Enable mod SSL

The instructions below enable mod_ssl in Apache, so that Apache uses OpenSSL to terminate TLS for your web server.

On almost every operating system the Apache configuration file is called "httpd.conf"; only its location differs. On FreeBSD it is in the "/usr/local/etc/apache24" directory. Open it and uncomment the following three lines (the paths are relative to the ServerRoot, /usr/local; mod_socache_shmcb is needed for the shmcb session cache used below).

LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
Include etc/apache24/extra/httpd-ssl.conf


The Include line above activates the httpd-ssl.conf file. Open "/usr/local/etc/apache24/extra/httpd-ssl.conf", replace its contents with the configuration below, and adjust DocumentRoot, ServerName and ServerAdmin to your own site.

Listen 443

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

SSLHonorCipherOrder on 

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache24/data"
ServerName www.datainchi.com:443
ServerAdmin datainchi@gmail.com
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"

SSLEngine on

SSLCertificateFile "/usr/local/etc/apache24/ssl/server.crt"
SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/server.key"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
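The configuration above works, but two of its settings are weaker than they look: "SSLProtocol all -SSLv3" still accepts TLS 1.0 and 1.1, which RFC 8996 deprecated and current browsers refuse, and "HIGH:MEDIUM" admits cipher suites with static RSA key exchange (no forward secrecy) and CBC modes. The following is an added, tightened version of the same file, not the article's own configuration; it uses the article's paths and names, assumes Apache 2.4.36 or later built against OpenSSL 1.1.1 or later (needed for TLS 1.3), and assumes mod_headers is loaded for the Strict-Transport-Security line.

```apache
# Added example: hardened replacement for the httpd-ssl.conf shown above.
# Paths, ServerName and log files are those used in this article.
Listen 443

# TLS 1.2 and 1.3 only. "all -SSLv3" would still permit TLS 1.0 and 1.1.
SSLProtocol          -all +TLSv1.2 +TLSv1.3
SSLProxyProtocol     -all +TLSv1.2 +TLSv1.3

# Forward-secret AEAD suites only (TLS 1.3 suites are fixed and not listed here).
SSLCipherSuite       ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLProxyCipherSuite  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# Every suite above is acceptable, so let the client choose the one it runs fastest.
SSLHonorCipherOrder  off

# Session tickets are encrypted with a key generated at start-up and kept until
# the next restart; disabling them keeps forward secrecy across long uptimes.
SSLSessionTickets    off

SSLPassPhraseDialog     builtin
SSLSessionCache         "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/www/apache24/data"
    ServerName www.datainchi.com:443
    ServerAdmin datainchi@gmail.com
    ErrorLog "/var/log/httpd-error.log"
    TransferLog "/var/log/httpd-access.log"

    SSLEngine on
    SSLCertificateFile    "/usr/local/etc/apache24/ssl/server.crt"
    SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/server.key"

    # Tell browsers to use HTTPS only (requires mod_headers). Keep max-age
    # short until the site is confirmed to work over TLS, then raise it.
    Header always set Strict-Transport-Security "max-age=300"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # Logging the negotiated protocol and cipher shows whether clients
    # actually land on TLS 1.2/1.3 and the suites above.
    CustomLog "/var/log/httpd-ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

Run the configuration check (service apache24 configtest) before restarting. After the restart, the openssl s_client subcommand is a quick verification: a connection forced to TLS 1.1 must be refused, while a TLS 1.2 connection must report one of the ECDHE suites above in its output. The old BrowserMatch line for Internet Explorer 2 to 5 is dropped, since no client that old can negotiate TLS 1.2 anyway.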

The SSLCertificateFile and SSLCertificateKeyFile lines point at the files created in step 2. To test the whole configuration, restart the Apache server.
root@ns3:~ # service apache24 restart
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 36862.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
Apache/2.4.58 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Private key www.datainchi.com:443:0 (/usr/local/etc/apache24/ssl/server.key)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
You will be asked for the pass phrase you chose when generating server.key. Apache will not start until it is entered, which is why an encrypted key is a poor fit for a server that must reboot unattended.

The next test is to open a web browser such as Google Chrome and go to "https://192.168.5.2/" (the server's address). Because the certificate is self-signed, the browser will warn that the issuer is not trusted; open the certificate details from that warning and confirm that the subject and validity dates are the ones you generated. The openssl s_client subcommand gives the same information from the command line, along with the negotiated protocol and cipher.

This tutorial showed the basic installation and use of mod_ssl with OpenSSL on an Apache server. The commands are simple, but the protection they give depends on the details: a key of adequate size, a certificate whose name matches the host, and protocol and cipher settings that exclude the obsolete versions. With those in place, mod_ssl and OpenSSL are a well-tested combination that secures a large share of the web.

