[GLLUG] configuring httpd.conf for https access

Emilio Xavier Esposito emilio.esposito at gmail.com
Mon Jul 27 11:08:10 EDT 2009


Hi,
I have set up a wiki and would like to ensure that the passwords and
data sent between the client browser and the webserver are encrypted.
The username and password access for the website works but I have not
been able to figure out the secure connection.  Using the httpd.conf
(relevant portion below) the Apache 2.0 webserver does not start and
no errors are currently returned to the log.  I am using MAMP
(www.mamp.info) on Mac OS X 10.5.7.

I have created the server.crt and server.key files using the following
commands and placed them in the
/Library/WebServer/Documents/wiki/ssl.crts directory.
$ openssl genrsa -des3 -out server.key 1024
$ openssl req -new -x509 -nodes -sha1 -days 730 -key server.key -out server.crt

I would be very appreciative if someone could please point me in the
right direction with respect to what I need to change in my httpd.conf
(below) or if I have missed a step.  Once I have everything working I
plan on changing the allow/deny order and specifying specific IP
address ranges.

Thank you for your time and help
Emilio

From the httpd.conf file:

SSLCACertificateFile    ssl.crts/server.crt
SSLCACertificateKeyFile ssl.crts/server.key

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/Library/WebServer/Documents/wiki">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
    Options All
#
# make this a real SSLv2-only server
#
    SSLProtocol all
    SSLCipherSuite SSLv2:HIGH:+MEDIUM:+LOW:+EXP

#   If HTTPS is used, make sure a strong cipher is used.
#   Additionally allow client certs as alternative to basic auth.
    SSLVerifyClient      optional
    SSLVerifyDepth       1
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128

#   Force clients from the Internet to use HTTPS
    RewriteEngine        on
    RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9][0-9][0-9]+$
    RewriteCond          %{HTTPS} !=on
    RewriteRule          .* - [F]

#   Allow Network Access and/or Basic Auth
    Satisfy              any

#   Network Access Control
    Order allow,deny
    Allow from all

#
# now the users info
#
    AuthType Basic
    AuthName theWiki
    AuthUserFile "/Users/steve/.htpasswd"
    Require user steve mary jason jane manny moe jack

</Directory>
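
An added example, not part of the original post: a minimal mod_ssl virtual host for the wiki, written with the directive names mod_ssl defines and the file paths given in the message. The host name wiki.example.test is a placeholder, and the fragment assumes mod_ssl is already loaded.

```apache
# Added example, not the poster's file. wiki.example.test is a placeholder.
Listen 443

<VirtualHost _default_:443>
    ServerName   wiki.example.test
    DocumentRoot "/Library/WebServer/Documents/wiki"

    # Without this the virtual host answers in plain HTTP on port 443.
    SSLEngine on

    # The server's own certificate and key go in SSLCertificateFile and
    # SSLCertificateKeyFile. SSLCACertificateFile lists the CAs used to verify
    # client certificates, and SSLCACertificateKeyFile is not a mod_ssl
    # directive. Relative paths resolve against ServerRoot, so absolute paths
    # are used here.
    SSLCertificateFile    "/Library/WebServer/Documents/wiki/ssl.crts/server.crt"
    SSLCertificateKeyFile "/Library/WebServer/Documents/wiki/ssl.crts/server.key"
    # A key made with "genrsa -des3" is passphrase-protected, so httpd asks
    # for the passphrase at every start.

    # SSLProtocol is accepted at server or virtual-host level only, not inside
    # <Directory>. On Apache 2.0 this setting leaves TLSv1.
    SSLProtocol    all -SSLv2 -SSLv3
    # The posted SSLv2:HIGH:+MEDIUM:+LOW:+EXP string admits export-grade ciphers.
    SSLCipherSuite HIGH:!aNULL:!MD5

    <Directory "/Library/WebServer/Documents/wiki">
        # Refuse any request for this directory that did not arrive over HTTPS.
        SSLRequireSSL
        Order allow,deny
        Allow from all
        AuthType     Basic
        AuthName     theWiki
        AuthUserFile "/Users/steve/.htpasswd"
        Require user steve mary jason jane manny moe jack
    </Directory>

    # The key lives under the document root, so block it from being served
    # (or move it outside the served tree).
    <Directory "/Library/WebServer/Documents/wiki/ssl.crts">
        Order deny,allow
        Deny from all
        Satisfy all
    </Directory>
</VirtualHost>
```

Running `httpd -t` (or `apachectl configtest`) parses the file and prints problems such as an unknown directive to the terminal, which helps when the server exits before anything reaches its error log.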

