Lecture 14: Security

When you install a web server, security is one of the main issues that will concern you. How can you transfer data between the server and its clients safely? SSL lets your server encrypt data before it is sent to the client and decrypt the data it receives from its clients, so that someone on the network cannot read or silently alter the exchange. Besides that, you may want to allow only certain users access to your web server to perform certain tasks. This can be done by configuring your server to authenticate any user who tries to make a connection; any unauthenticated user will be denied access.
Secure Socket Layer with Apache:
Apache can be configured to handle HTTPS (HTTP over Secure Sockets Layer). The secure server encrypts the data in transit, so the exchange cannot be read by someone sniffing the network, and the server certificate lets browsers check that they are talking to the host named in the URL.
Apache-SSL is a secure web server, based on Apache and SSLeay/OpenSSL. The following steps describe the installation of the Win32 version of Apache with the mod_ssl extension:
1- Download Apache_1.3.22-Mod_SSL_2.8.5-OpenSSL_0.9.6b-WIN32.zip from ftp://ftp.modssl.uli.it/contrib/. Unpack the zip file and store it in a folder called ssl under the C drive. (These releases date from 2001 and are long unsupported; on any system exposed today use current Apache and OpenSSL versions. The procedure is the same.)
2- Copy ssleay32.dll and libeay32.dll from C:\ssl\openssl\bin to C:\WINNT\System32
3- Download the configuration file openssl.cnf from
http://tud.at/programm/openssl.cnf (right-click and save it as C:\ssl\openssl\bin\openssl.cnf, overwriting the existing one). If you cannot open it using Internet Explorer, use Netscape Navigator.
Next, perform the following instructions, which are taken from http://www.apache-ssl.org/#FAQ
This creates a certificate signing request and a private key.
When you are asked to “Enter PEM pass phrase”, type a pass phrase of your choice. OpenSSL accepts anything of 4 or more characters, but that minimum is far too short: the pass phrase is all that protects the private key file on disk, so use a long one. Retype it when you are asked to “Verifying password - Enter PEM pass phrase”.
You will be asked for this phrase in the next step.
You will be asked about the country, province, city, organization name, and organizational unit name.
When asked for "Common Name (your websites domain name)", give the exact host name of your web server (e.g. localhost). The certificate is bound to this server name, and browsers complain if it does not match the name in the URL.
You will also be asked for an email address and a challenge password.
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (That is optional; if you know your users, you can tell them to install the certificate into their browsers. Until they do, their browsers will warn about an untrusted issuer.) Note that this certificate expires after one year; increase the -days 365 argument if you want a longer lifetime.
4- If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate store (by downloading and opening it), you need to create a DER-encoded version of the certificate:
C:\ssl\openssl\bin> openssl x509 -in my-server.cert -out my-server.der.crt -outform DER
5- Move my-server.key and my-server.cert into the C:\ssl\conf\ssl directory (you have to create the ssl folder). Make the .key file readable only by the account the server runs as: anyone who can read it can impersonate the server or decrypt its traffic.
6- Edit httpd.conf and make the following changes:
LoadModule ssl_module modules/mod_ssl.so
Options Indexes FollowSymLinks MultiViews
Allow from all
# see http://www.modssl.org/docs/2.4/ssl_reference.html for more info
SSLRandomSeed startup builtin
# You can later change "info" to "warn" if everything is OK
Following is the file httpd.conf after changing the configuration:
SSLRandomSeed startup builtin
After that, run the server from the command line:
If everything went fine, you now have a secure server running. To access it you need to type the following URL:
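The certificate steps above, collected into one script as an added example (this is not code from the lecture or from the Apache-SSL FAQ): it generates the key, CSR and self-signed certificate with the OpenSSL command line, makes the DER copy from step 4, checks that the certificate really belongs to the key before the files are moved, and prints the httpd.conf lines that point mod_ssl at them. The working directory, the subject fields and the Apache 2.4 directive syntax are assumptions; the lecture's 1.3-era config differs in detail.

```shell
#!/bin/sh
# Added example, not from the lecture: key / CSR / self-signed cert as a
# script, a self-check, and the httpd.conf fragment for mod_ssl.
set -eu

SSLDIR="${SSLDIR:-$(mktemp -d)}"          # stands in for C:\ssl\conf\ssl (assumption)

# make_self_signed CN [DAYS]: RSA key, CSR and self-signed cert for CN.
# 2048-bit RSA instead of the old 1024-bit default. The key is written
# unencrypted so the server can start without a pass-phrase prompt, so it
# must be protected by file permissions instead (chmod 600 below).
make_self_signed() {
    cn="$1"; days="${2:-365}"
    openssl genrsa -out "$SSLDIR/my-server.key" 2048 2>/dev/null
    chmod 600 "$SSLDIR/my-server.key"
    openssl req -new -key "$SSLDIR/my-server.key" -out "$SSLDIR/my-server.csr" \
        -subj "/C=US/ST=Some-State/L=City/O=Example Org/OU=Web/CN=$cn" 2>/dev/null
    openssl x509 -req -days "$days" -in "$SSLDIR/my-server.csr" \
        -signkey "$SSLDIR/my-server.key" -out "$SSLDIR/my-server.cert" 2>/dev/null
}

# to_der: DER copy for browsers that only import DER (step 4 of the lecture).
to_der() {
    openssl x509 -in "$SSLDIR/my-server.cert" -outform DER -out "$SSLDIR/my-server.der.crt"
}

# cert_cn: print the CN of the certificate's subject (what browsers compare
# against the host name in the URL).
cert_cn() {
    openssl x509 -in "$SSLDIR/my-server.cert" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# key_matches_cert: 0 if the cert's public key is the one derived from the
# private key. Catches the "moved the wrong .key file" mistake before Apache
# refuses to start.
key_matches_cert() {
    [ "$(openssl rsa -in "$SSLDIR/my-server.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$SSLDIR/my-server.cert" -pubkey -noout)" ]
}

# emit_ssl_config: httpd.conf fragment (Apache 2.4 syntax, an assumption).
# SSLv3 and TLS 1.0/1.1 are disabled; the lecture-era default allowed every
# protocol and cipher OpenSSL knew about.
emit_ssl_config() {
    cat <<EOF
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    conf/ssl/my-server.cert
    SSLCertificateKeyFile conf/ssl/my-server.key
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite        HIGH:!aNULL:!MD5
    SSLHonorCipherOrder   on
</VirtualHost>
EOF
}
```

Run it as `. ./mkcert.sh; make_self_signed www.example.org 730; key_matches_cert && emit_ssl_config >> httpd.conf` (file name and host are placeholders). The CN check matters because a certificate for localhost will produce a browser warning on every other name, and the key/cert match check is the single most common reason a freshly configured SSL server fails to start.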
Authentication under Apache:
When you have sensitive resources on your site, you may want to prevent unwanted access by using authentication. The easiest way to use Basic authentication under Apache is the mod_auth module. Note that Basic authentication only base64-encodes the user name and password in the request header; it does not encrypt them, so it should be used only over HTTPS.
When a user tries to access a specific directory under the server, the browser will prompt with a login dialog, and the user must provide a valid user name and password in order to access that directory.
Assume that we have a directory called store under the htdocs directory. We want to limit access to the store directory to authenticated users only. First we create a text file called users.txt that contains the user names and their hashed passwords (create it with the htpasswd tool that ships with Apache, so the file never holds plaintext passwords, and keep it outside the document root so it cannot be downloaded):
For example users.txt may consist of the following:
Then we can add the following directive to httpd.conf
Now only members of Group1 can access the store directory; that is John and Robert only.
If you already have Apache installed, you can still run it as a normal (non-SSL) server beside your new secure server.
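The password file, group file and directory restriction described above, as an added example that is not part of the lecture: the password entries use the same $apr1$ hash format that htpasswd writes (produced here with the openssl command line so nothing but openssl is needed), a verify function re-hashes a submitted password with the stored salt the way mod_auth does on each request, and the emitted <Directory> block also requires SSL so the credentials never cross the wire in the clear. The directory locations are assumptions.

```shell
#!/bin/sh
# Added example, not from the lecture: hashed Basic-auth password file,
# group file, login verification, and the protecting <Directory> block.
set -eu

AUTHDIR="${AUTHDIR:-$(mktemp -d)}"   # keep these files OUTSIDE htdocs (assumed path)
USERFILE="$AUTHDIR/users.txt"
GROUPFILE="$AUTHDIR/groups.txt"

# add_user NAME PASSWORD: append "name:$apr1$salt$hash". The password itself
# is never stored; Basic auth only needs to be able to verify it.
add_user() {
    salt=$(openssl rand -hex 4)                        # apr1 salt: up to 8 chars
    hash=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin)
    printf '%s:%s\n' "$1" "$hash" >> "$USERFILE"
}

# set_group GROUP USER...: one "Group1: john robert" line, as AuthGroupFile expects.
set_group() {
    grp="$1"; shift
    printf '%s: %s\n' "$grp" "$*" >> "$GROUPFILE"
}

# verify_user NAME PASSWORD: re-hash with the salt stored in the file and
# compare; returns 0 on match, 1 for a wrong password or unknown user.
verify_user() {
    stored=$(grep "^$1:" "$USERFILE" 2>/dev/null | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}

# emit_store_config: httpd.conf block for htdocs/store. SSLRequireSSL makes
# mod_ssl refuse plain-HTTP requests, so the base64-encoded Authorization
# header is only ever sent inside TLS.
emit_store_config() {
    cat <<EOF
<Directory "htdocs/store">
    AuthType Basic
    AuthName "Store (members only)"
    AuthUserFile  $USERFILE
    AuthGroupFile $GROUPFILE
    Require group Group1
    SSLRequireSSL
</Directory>
EOF
}
```

A usage would be `add_user john 'long pass phrase'; add_user robert '...'; set_group Group1 john robert; emit_store_config >> httpd.conf`. With a real Apache you would replace add_user by `htpasswd -m users.txt john`, which writes the same format; the point of spelling it out is to show that the file holds salted hashes, not passwords, and that the group line is what decides who gets in.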
Secure Socket Layer with IIS:
IIS is a web server that ships with Microsoft Windows. You can install it during Windows 2000 installation or later as an Add-On Component. The following steps describe how to configure IIS to handle HTTPS requests:
From Administrative Tools, open Internet Information Services:
Right-click the Default Web Site, select Properties, and click the Directory Security tab: