by Bondoff (20-02-2005)


Installing Apache with SSL/TLS support

The first step we have to take, as we said in Part I, is to install the Apache 2 web server and to create a user and a group named "apache" on the system.
Before running ./configure with the appropriate options, I want to stress the options "--enable-ssl" and "--enable-setenvif": besides mod_ssl, you will also be able to enable the mod_setenvif module. This is needed so that the server stays compatible with some versions of MS Internet Explorer.

./configure \
    --prefix=/usr/local/apache2 \
    --with-mpm=prefork \
    --enable-ssl \
    --disable-charset-lite \
    --disable-include \
    --disable-env \
    --enable-setenvif \
    --disable-status \
    --disable-autoindex \
    --disable-asis \
    --disable-cgi \
    --disable-negotiation \
    --disable-imap \
    --disable-actions \
    --disable-userdir \
    --disable-alias \
    --disable-so

After the configuration, the standard procedure follows:

make
su
umask 022
make install
chown -R root:sys /usr/local/apache2

Configuring SSL/TLS

Before we start Apache for the first time we naturally have to configure it, and we will also create a small web page for running tests. To begin with, the following has to be done (as root):

  • Create a small web page that will be reached over TLS/SSL (the HTML markup of the original listing was lost in rendering; a minimal page with the title "Test" and the body "Test works." is assumed here):

umask 022
mkdir /www
echo "<html><head><title>Test</title></head>\
<body>Test works.</body></html>" > /www/index.html
chown -R root:sys /www

  • Change the settings in the Apache 2 configuration file (which in our case is /usr/local/apache2/conf/httpd.conf) to the ones given below:

# Note: the <IfModule>, <Directory> and <Location> container directives were
# lost in the page rendering; they are restored here from the indentation of
# the original listing.

# =================================================
# Basic settings
# =================================================
User apache
Group apache
ServerAdmin webmaster@www.seccure.lab
ServerName www.seccure.lab
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
ServerRoot "/usr/local/apache2"
DocumentRoot "/www"
PidFile /usr/local/apache2/logs/httpd.pid
ScoreBoardFile /usr/local/apache2/logs/httpd.scoreboard
<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>

# =================================================
# HTTP and performance settings
# =================================================
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 30
<IfModule prefork.c>
    MinSpareServers 5
    MaxSpareServers 10
    StartServers 5
    MaxClients 150
    MaxRequestsPerChild 0
</IfModule>

# =================================================
# Access control
# =================================================
# Deny everything below the filesystem root by default...
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
# ...and allow only the document root
<Directory "/www">
    Order allow,deny
    Allow from all
</Directory>

# =================================================
# MIME encoding
# =================================================
<IfModule mod_mime.c>
    TypesConfig /usr/local/apache2/conf/mime.types
</IfModule>
DefaultType text/plain
<IfModule mod_mime.c>
    AddEncoding x-compress              .Z
    AddEncoding x-gzip                  .gz .tgz
    AddType application/x-compress      .Z
    AddType application/x-gzip          .gz .tgz
    AddType application/x-tar           .tgz
    AddType application/x-x509-ca-cert  .crt
    AddType application/x-pkcs7-crl     .crl
</IfModule>

# =================================================
# Logs
# =================================================
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /usr/local/apache2/logs/error_log
CustomLog /usr/local/apache2/logs/access_log combined
CustomLog logs/ssl_request_log \
    "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
    %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"

# =================================================
# SSL/TLS settings
# =================================================
Listen 0.0.0.0:443

SSLEngine on
SSLOptions +StrictRequire

# Refuse plain HTTP for every URL
<Location />
    SSLRequireSSL
</Location>

SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

SSLMutex file:/usr/local/apache2/logs/ssl_mutex

SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600

SSLPassPhraseDialog builtin
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

SSLVerifyClient none
SSLProxyEngine off

<IfModule mod_mime.c>
    AddType application/x-x509-ca-cert      .crt
    AddType application/x-pkcs7-crl         .crl
</IfModule>

# Workarounds for the SSL implementation in some MSIE versions
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Note: naturally, you will have to change some of the settings in the file, such as the name of the web server, the administrator's e-mail address, and so on.

  • Create the directories where we will keep the web server's private key, the certificates and the certificate revocation lists (CRLs):

umask 022
mkdir /usr/local/apache2/conf/ssl.key
mkdir /usr/local/apache2/conf/ssl.crt
mkdir /usr/local/apache2/conf/ssl.crl

  • Create a self-signed server certificate (please use this certificate only for testing your server; the real certificate has to be obtained from a real CA, for example Verisign):

openssl req \
    -new \
    -x509 \
    -days 30 \
    -keyout /usr/local/apache2/conf/ssl.key/server.key \
    -out /usr/local/apache2/conf/ssl.crt/server.crt \
    -subj '/CN=Test-Only Certificate'
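As an added example (not part of the original article), a small Python script that parses an httpd.conf like the one above, container directives and backslash continuations included, and reports which of the hardening points from this part are missing. The sample config is constructed, and the SSLv3 warning is the one point that has not aged well: RFC 7568 has deprecated SSLv3 since this article was written.

```python
import re
def parse_httpd_conf(text):
    """(context, directive, args) triples; context = tuple of enclosing containers."""
    out, stack = [], []
    for raw in re.sub(r"\s*\\\s*\n\s*", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("</"):                  # </Directory>: leave container
            stack.pop()
        elif line.startswith("<"):                 # <Directory />: enter container
            stack.append(line.strip("<>").strip())
        else:
            name, _, args = line.partition(" ")
            out.append((tuple(stack), name.lower(), args.strip()))
    return out

def audit(text):
    """Return the hardening points from the article that this config misses."""
    conf = parse_httpd_conf(text)
    def get(name, ctx=()):
        return [a.lower() for c, n, a in conf if n == name and c == ctx]
    proto = " ".join(get("sslprotocol")).split()
    checks = [
        (get("servertokens") == ["prod"], "ServerTokens Prod missing"),
        (get("serversignature") == ["off"], "ServerSignature Off missing"),
        (get("sslengine") == ["on"], "SSLEngine on missing"),
        # +SSLv3 matched 2005 practice; RFC 7568 has since deprecated SSLv3
        (not {"+sslv2", "+sslv3"} & set(proto), "SSLProtocol enables SSLv2/SSLv3"),
        (any("!anull" in a for a in get("sslciphersuite")), "SSLCipherSuite allows aNULL"),
        (get("deny", ("Directory /",)) == ["from all"], "<Directory /> lacks Deny from all"),
        (get("options", ("Directory /",)) == ["none"], "<Directory /> lacks Options None"),
        (bool(get("sslrequiressl", ("Location /",))), "SSLRequireSSL missing in <Location />"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: the article's settings, trimmed to the directives audited
SAMPLE_CONF = """ServerTokens Prod
ServerSignature Off
<Directory />
    Options None
    Deny from all
</Directory>
<Location />
    SSLRequireSSL
</Location>
SSLEngine on
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
"""
```

Run `audit(open("/usr/local/apache2/conf/httpd.conf").read())` against your own file; an empty list means every audited point is in place.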

We will stop here for now. In the last part of the article you will see how the server is tested, and we will point out some methods for finding and fixing errors.