HOWTO: Reverse Proxy using Apache with SSL and RSA SecurID® Authentication
By: Chris Sawall csawall@hotmail.com
Created: 20 May 2002
Last Updated: 19 April 2003
Version 1.6
Overview
This document is free to distribute as long as it is left in its entirety. If changes or corrections must be made, or if you have ideas to enhance the install or its security, please let me know so that I can keep this document as up to date as possible; that way others are kept informed of changes as well. Changes/additions/comments can be sent to csawall@hotmail.com.
This is a ‘living document’; the current version can be found at http://tech.stlsawall.com/docs/rproxy.htm.
This document will describe how to install and setup a Reverse Proxy server using Apache. It will also detail how to include the use of SSL and RSA SecurID® Authentication. The server only has one (1) network card installed.
Note: These instructions were written with only the above listed applications in mind; they may not work exactly the same with different versions. Do NOT install the copies of Apache or OpenSSL that come with the OS: they may be different versions, and they are not compiled correctly for this setup.
If you place this server on a secure DMZ, you will need to allow HTTPS (TCP 443) through your firewall to the reverse proxy. In addition, for the reverse proxy to work, you will need to allow HTTP (TCP 80) from your reverse proxy to the final destination.
Table of Contents
Creating your Own Self-signed Certificate
Setting up the Reverse Proxy to a single device
Setting up the Reverse Proxy to multiple servers
Adding RSA SecurID® Authentication to your Reverse Proxy
Applications and OSs
Operating system used for purposes of this documentation:
Mandrake 8.1 (http://www.mandrake.com)
Operating systems tested:
Mandrake 8.2 (http://www.mandrake.com)
· Works with no changes to instructions
· Tested by Chris Sawall (csawall@hotmail.com) on 5/22/02
Solaris 8 (http://www.sun.com)
· Note additional software may be needed
· Specific instructions added to install without having to install OpenSSL
· Tested by Chris Sawall (csawall@hotmail.com) on 6/30/02
RedHat 7.3 (http://www.redhat.com)
· OpenSSL is still installed by default; however, the openssl.cnf file is located in /usr/share/ssl. This is different from the Mandrake location (/usr/lib/ssl) listed under the “Creating your Own Self-signed Certificate” section of this document.
· Tested by Chris Sawall (csawall@hotmail.com) on 6/20/02
RedHat 8.0 (http://www.redhat.com)
· Tested by Chris Sawall (csawall@hotmail.com) on 2/28/03
Applications used for purposes of this documentation:
Apache 1.3.24 (http://www.apache.org)
mod_ssl 2.8.8-1.3.24 (http://www.modssl.org)
OpenSSL 0.9.6b (http://www.openssl.org)
RSA™ WebAgent 5.0 for Apache (http://www.rsasecurity.com)
Applications tested:
OpenSSL 0.9.6c (http://www.openssl.org)
· Works with no changes to instructions
· Tested by Chris Sawall (csawall@hotmail.com) on 5/22/02
OpenSSL 0.9.6d (http://www.openssl.org)
· Tested by Chris Sawall (csawall@hotmail.com) on 6/30/02
Apache 1.3.26 (http://www.apache.org)
· Note that mod_ssl 2.8.9-1.3.26 must be used in conjunction with Apache 1.3.26. mod_ssl 2.8.8-1.3.24 will NOT work with Apache 1.3.26.
· All other instructions are the same as mentioned throughout this document.
· Tested by Chris Sawall (csawall@hotmail.com) on 6/20/02
Apache 1.3.27
· Works with no changes to instructions
· Note that mod_ssl 2.8.12-1.3.27 must be used with Apache 1.3.27
· Tested by Chris Sawall (csawall@hotmail.com) on 2/28/03
Mod_SSL 2.8.9-1.3.26 (http://www.modssl.org)
· Works with no changes to instructions
· Tested by Chris Sawall (csawall@hotmail.com) on 6/20/02
Mod_SSL 2.8.12-1.3.27
· Works with no changes to instructions
· Tested by Chris Sawall (csawall@hotmail.com) on 4/19/03
RSA WebAgent 5.1
· Works with Apache versions greater than 1.3.26, but code must be modified. See directions within my SANS documentation for changes. http://www.giac.org/practical/GSEC/Chris_Sawall_GSEC.pdf
· Tested by Chris Sawall (csawall@hotmail.com) on 4/19/03
Install Mandrake
I will assume that you can install the OS to a minimal, secure configuration. Since this box will be accessible by users on the Internet, you want to minimize the chance of anyone running exploits against it. Do not install any unnecessary applications or services. Do not install any X applications such as KDE or Gnome.
You will need to leave the Portmap service running if you are going to use RSA SecurID® to authenticate inbound users from the Internet.
Download applications
Create a common directory and download all of the necessary applications.
mkdir /home/download
Apache 1.3.24 http://www.apache.org/dist/httpd/apache_1.3.24.tar.gz
mod_ssl 2.8.8 http://www.modssl.org/source/mod_ssl-2.8.8-1.3.24.tar.gz
OpenSSL 0.9.6b http://www.openssl.org/source/openssl-0.9.6b.tar.gz
RSA™ WebAgent 5.0 http://www.rsasecurity.com/go/apacheagent/index.html
For Solaris, you will probably need to get a compiler and a compression program. I downloaded and installed:
GCC 2.95.3 http://www.sunfreeware.com/
GZIP 1.3.3 http://www.sunfreeware.com/
Unzip and Untar applications
cd /home/download
gzip -d apache_1.3.24.tar.gz
gzip -d mod_ssl-2.8.8-1.3.24.tar.gz
gzip -d openssl-0.9.6b.tar.gz
tar xvf apache_1.3.24.tar
tar xvf mod_ssl-2.8.8-1.3.24.tar
tar xvf openssl-0.9.6b.tar
mkdir rsaweb
mv WebAgent.tar ./rsaweb/
cd rsaweb
tar xvf WebAgent.tar
cd /home/download
Additionally, for Solaris
uncompress gzip-1.3.3-solaris8.Z
pkgadd -d gzip-1.3.3-solaris8
gzip -d gcc-2.95.3-sol8-sparc-local.gz
pkgadd -d gcc-2.95.3-sol8-sparc-local
Add PATH to /.profile
PATH=$PATH:/usr/local/bin:/usr/ccs/bin:/home/download/openssl-0.9.6b/apps
export PATH
Log out and log back in so that the new PATH takes effect.
Installing Apache
Configure OpenSSL
cd /home/download/openssl-0.9.6b
./config
make
Configure mod_ssl
cd /home/download/mod_ssl-2.8.8-1.3.24
./configure --with-apache=../apache_1.3.24 \
--with-ssl=../openssl-0.9.6b \
--prefix=/usr/local/apache
Configure Apache
cd /home/download/apache_1.3.24
SSL_BASE=/home/download/openssl-0.9.6b ./configure \
--with-layout=Apache --prefix=/usr/local/apache \
--enable-module=ssl --enable-module=so \
--enable-module=proxy
make
make certificate
Follow the onscreen instructions on creating a test certificate. Hints:
· Choose RSA as the type.
· Spell out the STATE, for example, enter Missouri not MO
· Spell out the CITY, for example, enter Saint Louis not St. Louis
· Common name means something similar to www.yourserver.com
· Certificate length defaults to 365 days (1 year); you can enter whatever length you choose. For example, 7300 days is 20 years.
· Encrypt the key when asked.
· Set your pass phrase and do not forget it.
make install
Test your Apache install
/usr/local/apache/bin/apachectl startssl
You will have to enter your pass phrase when starting Apache. This is a security mechanism to ensure that the appropriate party is starting the SSL web server. We will remove this feature further down in the document under Creating your Own Self-signed Certificate.
You should be able to browse to https://www.yourserver.com/ with any Internet browser. You will be prompted to accept the certificate. This prompt also warns that the certificate was issued by a non-trusted third party. For testing purposes, this is fine. The web server should return the SSL/TLS test web page.
Setting up the Reverse Proxy to a single device
In order to configure Apache as a Reverse Proxy, you will have to edit the httpd.conf file. Be sure to create a backup of the file before editing.
cd /usr/local/apache/conf
cp httpd.conf httpd.orig
vi httpd.conf
Go to the “SSL Global Context” portion of the httpd.conf file; it should be after the virtual host setup. Within “SSL Global Context”, go to “SSL Virtual Host Context”; it should look similar to the following:
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName yourserver.yourdomain.com
ServerAdmin root@yourserver.yourdomain.com
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key
# Server Certificate Chain:
<--- SKIPPING SEVERAL COMMENTED LINES --->
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
<--- SKIPPING SEVERAL COMMENTED LINES --->
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
You will need to add the following lines in this area. It should look something like the following:
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName yourserver.yourdomain.com
ServerAdmin root@yourserver.yourdomain.com
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
ProxyPass / http://192.168.200.200/
ProxyPassReverse / http://192.168.200.200/
# This should be the address of the backend server that the Reverse Proxy
# will be sending traffic to.
# For more information about Reverse Proxying with Apache, please review the
# mod_proxy document at http://httpd.apache.org/docs/mod/mod_proxy.html
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
<--- SKIPPING SEVERAL COMMENTED LINES --->
</VirtualHost>
Save and quit from editing the httpd.conf file.
Restart your Apache server and then test out the reverse proxy.
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl startssl
Remember that you will have to enter your pass phrase to start the SSL web server.
You should be able to browse to https://www.yourserver.com/ with any Internet browser. Only now, instead of getting the SSL/TLS test page, you should get the web page from your backend server. Your address bar should still read https://www.yourserver.com/, yet display the contents from the backend server.
Setting up the Reverse Proxy to multiple servers
In order to configure Apache as a Reverse Proxy, you will have to edit the httpd.conf file. Be sure to create a backup of the file before editing.
cd /usr/local/apache/conf
cp httpd.conf httpd.orig
vi httpd.conf
Go to the “SSL Global Context” portion of the httpd.conf file; it should be after the virtual host setup. It should look similar to the following:
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:/usr/local/apache/logs/ssl_scache(512000)
#SSLSessionCache shmcb:/usr/local/apache/logs/ssl_scache(512000)
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/usr/local/apache/logs/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName yourserver.yourdomain.com
ServerAdmin root@yourserver.yourdomain.com
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key
# Server Certificate Chain:
<--- SKIPPING SEVERAL COMMENTED LINES --->
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
<--- SKIPPING SEVERAL COMMENTED LINES --->
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
You will want to make the following modifications/additions to the configuration:
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
<--- SKIPPING SEVERAL LINES --->
</IfModule>
<IfDefine SSL>
##
## SSL Virtual Host Context
##
NameVirtualHost w.x.y.z:443
#Where w.x.y.z is the IP address of the Apache server
# The following is a new virtual host added above the default virtual host.
# You will need to ensure that you have all of the correct information from the
# original virtual host. (The virtual host listed below this new virtual host)
# You will then need to modify the default virtual host,
# removing the _default_ and putting in an IP-based virtual host.
# For more information on using virtual hosts in Apache, see
# http://httpd.apache.org/docs/vhosts/index.html
<VirtualHost w.x.y.z:443>
ServerName newname.yourdomain.com
DocumentRoot "/usr/local/apache/htdocs"
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/ssl.crt/yourserver.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/yourserver.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ProxyPass / http://192.168.200.100/
ProxyPassReverse / http://192.168.200.100/
# This should be the address of the new backend server that the Reverse Proxy
# will be sending traffic to.
# For more information about Reverse Proxying with Apache, please review the
# mod_proxy document at http://httpd.apache.org/docs/mod/mod_proxy.html
</VirtualHost>
#<VirtualHost _default_:443>
<VirtualHost w.x.y.z:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName yourserver.yourdomain.com
ServerAdmin root@yourserver.yourdomain.com
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
ProxyPass / http://192.168.200.200/
ProxyPassReverse / http://192.168.200.200/
# This should be the address of the backend server that the Reverse Proxy
# will be sending traffic to.
# For more information about Reverse Proxying with Apache, please review the
# mod_proxy document at http://httpd.apache.org/docs/mod/mod_proxy.html
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key
# Server Certificate Chain:
<--- SKIPPING SEVERAL COMMENTED LINES --->
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
<--- SKIPPING SEVERAL COMMENTED LINES --->
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Save and quit from editing the httpd.conf file.
Restart your Apache server and then test out the reverse proxy.
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl startssl
Remember that you will have to enter your pass phrase to start the SSL web server.
You should be able to browse to https://www.yourserver.com/ or to your new virtual server https://www.yournewserver.com/ with any Internet browser. Only now, instead of getting the SSL/TLS test page, you should get the web page from the corresponding backend server. Your address bar should still read the name you browsed to, yet display the contents from that backend server.
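As an added check that is not part of the original HOWTO, the following script audits an httpd.conf for the three settings the two reverse-proxy sections above depend on: ProxyRequests left at Off, every ProxyPass paired with a ProxyPassReverse, and SSLEngine on in each :443 virtual host. It works on any Apache 1.3 style httpd.conf; the sample configurations inside it are constructed placeholders, not the document's own.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO: audit an Apache 1.3 httpd.conf
# for three mistakes a reverse-proxy build like this one is prone to.
#  1. "ProxyRequests On" left active: the box becomes an open forward proxy for
#     the whole Internet. ProxyPass only needs ProxyRequests Off (the default).
#  2. A ProxyPass with no matching ProxyPassReverse: redirects issued by the
#     backend then carry its internal address (e.g. http://192.168.200.200/)
#     out to the client instead of the proxy's https:// name.
#  3. A :443 virtual host without "SSLEngine on": it would answer in plaintext
#     on the port users expect to be encrypted.

# Active configuration lines only: drop comments, blanks and excess whitespace.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/[[:space:]]\{1,\}/ /g' \
        | grep -v '^$' || true
}

# Usage: audit_proxy_conf FILE  -> prints findings, returns 0 only when clean.
audit_proxy_conf() {
    conf=$1; rc=0
    if active_lines "$conf" | grep -qi '^ProxyRequests On$'; then
        echo "FAIL: ProxyRequests On is active; a reverse proxy needs ProxyRequests Off"
        rc=1
    fi
    # Every "ProxyPass <path> <url>" needs a "ProxyPassReverse <path> <url>".
    active_lines "$conf" | awk '
        tolower($1) == "proxypass"        && NF >= 3 { fwd[$2 " " $3] = 1 }
        tolower($1) == "proxypassreverse" && NF >= 3 { rev[$2 " " $3] = 1 }
        END {
            for (k in fwd) if (!(k in rev)) {
                print "FAIL: ProxyPass " k " has no matching ProxyPassReverse"; bad = 1
            }
            exit bad + 0
        }' || rc=1
    # Every virtual host bound to port 443 must switch the SSL engine on.
    active_lines "$conf" | awk '
        tolower($1) == "<virtualhost" { invh = 1; sslon = 0; vh = $2; sub(/>$/, "", vh) }
        invh && tolower($1) == "sslengine" && tolower($2) == "on" { sslon = 1 }
        tolower($1) == "</virtualhost>" {
            if (invh && vh ~ /:443$/ && !sslon) {
                print "FAIL: <VirtualHost " vh "> has no SSLEngine on"; bad = 1
            }
            invh = 0
        }
        END { exit bad + 0 }' || rc=1
    [ "$rc" -eq 0 ] && echo "OK: $conf passes the reverse-proxy checks"
    return "$rc"
}

# Constructed sample configurations (placeholder names and addresses).
write_samples() {
    cat > "$1/good.conf" <<'EOF'
<VirtualHost w.x.y.z:443>
    ServerName yourserver.yourdomain.com
    # ProxyRequests is left at its default of Off
    ProxyPass / http://192.168.200.200/
    ProxyPassReverse / http://192.168.200.200/
    SSLEngine on
</VirtualHost>
EOF
    cat > "$1/bad.conf" <<'EOF'
ProxyRequests On
<VirtualHost w.x.y.z:443>
    ServerName newname.yourdomain.com
    ProxyPass / http://192.168.200.100/
</VirtualHost>
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/good.conf" "$tmp/bad.conf"; do
    audit_proxy_conf "$f" || true
done
rm -rf "$tmp"
```

Run it as `sh audit.sh` after editing; for the real server replace the sample paths with /usr/local/apache/conf/httpd.conf.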
Creating your Own Self-signed Certificate
OpenSSL should already be installed on the system. Running ./config as we did earlier only configured the source for the mod_ssl build; it did not install OpenSSL. This documentation assumes that you are using OpenSSL 0.9.6b.
Mandrake 8.1 and 8.2 as well as RedHat 7.3 install OpenSSL by default. Running the following command should result in the displaying of the current version of OpenSSL.
openssl version
cd /usr/local/apache/conf
ls
You should see several folders: ssl.crl, ssl.crt, ssl.csr, ssl.key and ssl.prm. These are the folders where the SSL certificate information is stored. The following information can be found at http://www.apache-ssl.org/#FAQ.
Creating a new SSL request
openssl req -config /usr/lib/ssl/openssl.cnf -new \
-out yourserver.csr
For a Solaris install, the following command may be run without having to install OpenSSL:
openssl req -config \
/opt/download/openssl-0.9.6b/apps/openssl.cnf -new \
-out yourserver.csr -rand \
/opt/download/openssl-0.9.6b/ms/.rnd
Note that the openssl.cnf file may be in a different location on your server. Follow the onscreen instructions on creating a new certificate. Do not forget the passphrase that you create and remember to use the full spelling for both the State and City.
openssl rsa -in privkey.pem -out yourserver.key
This removes the passphrase from the private key. You should take care in doing this and understand all of the risks involved. The key should only be readable by Apache and the system administrator.
Enter your passphrase from the previous step when asked.
openssl x509 -in yourserver.csr -out yourserver.crt -req \
-signkey yourserver.key -days 7300
This should create your certificate. It should come back and say that the signature is OK.
Move each new file to its respective folder:
mv /usr/local/apache/conf/yourserver.csr /usr/local/apache/conf/ssl.csr/yourserver.csr
mv /usr/local/apache/conf/yourserver.crt /usr/local/apache/conf/ssl.crt/yourserver.crt
chmod 400 /usr/local/apache/conf/yourserver.key
mv /usr/local/apache/conf/yourserver.key /usr/local/apache/conf/ssl.key/yourserver.key
rm -f /usr/local/apache/conf/privkey.pem
Edit the httpd.conf file to reflect the new certificate and key. Remember to back up the httpd.conf, just in case.
Search the httpd.conf file for server.key and server.crt, replacing both with yourserver.key and yourserver.crt, respectively.
Restart Apache with SSL.
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl startssl
Note that the server no longer asks you for a passphrase when starting the SSL web server, since the key is no longer encrypted.
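The moves, permission change and httpd.conf edit from this section as an added script that is not part of the original HOWTO, followed by a check of what this step relies on: the key is mode 0400, no active directive still names server.key or server.crt, and a backup of httpd.conf exists. The conf directory is a parameter, and the scratch layout at the bottom uses placeholder files rather than real certificates.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO: the file moves and httpd.conf
# edit from this section as functions, plus a verification of what the step
# relies on: the passphrase-less key must be mode 0400 (only root, which starts
# Apache, can read it) and no active directive may still name the build-time
# server.key / server.crt. CONFDIR is the Apache conf directory
# (/usr/local/apache/conf in this document); it is a parameter so the functions
# can be exercised against a scratch copy.

# Usage: install_cert CONFDIR NAME   (NAME is "yourserver" in this document)
install_cert() {
    confdir=$1; name=$2
    chmod 400 "$confdir/$name.key" || return 1       # tighten before the key moves anywhere
    mv "$confdir/$name.csr" "$confdir/ssl.csr/$name.csr" || return 1
    mv "$confdir/$name.crt" "$confdir/ssl.crt/$name.crt" || return 1
    mv "$confdir/$name.key" "$confdir/ssl.key/$name.key" || return 1
    rm -f "$confdir/privkey.pem"                     # passphrase-protected original, no longer needed
}

# Usage: switch_cert_refs CONFDIR NAME  -> rewrites httpd.conf, keeps httpd.conf.bak
switch_cert_refs() {
    confdir=$1; name=$2
    cp "$confdir/httpd.conf" "$confdir/httpd.conf.bak" || return 1
    # Match only the exact test-certificate names; the commented server-dsa.* lines stay.
    sed -e "s#ssl\.crt/server\.crt#ssl.crt/$name.crt#g" \
        -e "s#ssl\.key/server\.key#ssl.key/$name.key#g" \
        "$confdir/httpd.conf.bak" > "$confdir/httpd.conf"
}

# Usage: verify_cert_install CONFDIR NAME  -> 0 when every check passes
verify_cert_install() {
    confdir=$1; name=$2; rc=0
    for k in "$confdir"/ssl.key/*.key; do
        [ -f "$k" ] || continue
        # find -perm with an octal mode matches the file's mode bits exactly
        [ -n "$(find "$k" -perm 0400)" ] || { echo "FAIL: $k is not mode 0400"; rc=1; }
    done
    for f in "ssl.crt/$name.crt" "ssl.key/$name.key"; do
        [ -f "$confdir/$f" ] || { echo "FAIL: $confdir/$f is missing"; rc=1; }
    done
    if grep -v '^[[:space:]]*#' "$confdir/httpd.conf" \
            | grep -qE 'ssl\.(crt|key)/server\.(crt|key)'; then
        echo "FAIL: httpd.conf still references the build-time server.crt/server.key"; rc=1
    fi
    if ! grep -q "ssl\.crt/$name\.crt" "$confdir/httpd.conf" \
            || ! grep -q "ssl\.key/$name\.key" "$confdir/httpd.conf"; then
        echo "FAIL: httpd.conf does not reference $name.crt and $name.key"; rc=1
    fi
    [ -f "$confdir/httpd.conf.bak" ] || { echo "FAIL: no httpd.conf backup was kept"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $name.crt/$name.key installed, key is 0400, httpd.conf updated"
    return "$rc"
}

# Usage: cert_matches_key CRT KEY  -> 0 when the certificate's RSA modulus equals the key's.
# Needs the openssl command and real PEM files, so the placeholder run below skips it.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1" | openssl md5)" = \
      "$(openssl rsa  -noout -modulus -in "$2" | openssl md5)" ]
}

# Constructed scratch layout standing in for /usr/local/apache/conf; the files
# hold placeholder text, not real PEM data.
make_scratch_confdir() {
    mkdir -p "$1/ssl.csr" "$1/ssl.crt" "$1/ssl.key"
    for f in yourserver.csr yourserver.crt yourserver.key privkey.pem; do
        echo "placeholder $f" > "$1/$f"
    done
    cat > "$1/httpd.conf" <<'EOF'
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key
EOF
}

tmp=$(mktemp -d)
make_scratch_confdir "$tmp"
install_cert "$tmp" yourserver && switch_cert_refs "$tmp" yourserver \
    && verify_cert_install "$tmp" yourserver
rm -rf "$tmp"
```

On the real server, run cert_matches_key against ssl.crt/yourserver.crt and ssl.key/yourserver.key before restarting Apache; a mismatch means the wrong key was kept.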
Adding RSA SecurID® Authentication to your Reverse Proxy
This section assumes that you already have an RSA ACE/Server® in your environment. If the reverse proxy is placed outside the firewall or on a secured DMZ (preferred), you will need to allow access from the reverse proxy to your RSA ACE/Server® on UDP 5500.
KEY POINTS:
· The reverse proxy server must also be resolvable by DNS. The RSA™ web agent issues cookies to the client, which are based on a domain suffix. So your reverse proxy server must resolve to something like yourserver.yourdomain.com.
· The /etc/hosts file must have the proper address listed for your server. If it has any other IP address, such as 127.0.0.1 listed, RSA™ web agent will NOT work.
· It is important to note that the current version of the RSA™ web agent (version 5.0) only works with Apache 1.3.22 through 1.3.26.
Add the Reverse Proxy as an Agent Host to the RSA ACE/Server®.
· It will need to be defined as a Unix Server
Copy the sdconf.rec file from the RSA ACE/Server® to a floppy.
Copy the sdconf.rec file from the floppy to the Reverse Proxy:
mkdir /floppy
mount -t auto /dev/fd0 /floppy
mkdir /var/ace
chmod 774 /var/ace
cp /floppy/sdconf.rec /var/ace/
chmod 644 /var/ace/sdconf.rec
You will need to change permissions on certain files and directories in order for the RSA ACE/Server® to communicate properly with the Reverse Proxy.
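An added pre-flight script, not part of the original HOWTO, for the KEY POINTS and the /var/ace steps above: it resolves the proxy's name through a hosts file and rejects a loopback mapping, and checks that the /var/ace directory and files carry the modes this document sets (including the securid file once the first acetest run has created it). The hosts file and ACE directory are parameters, so the sample run at the bottom works on constructed copies.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO: pre-flight checks for the
# KEY POINTS and the /var/ace setup above, run before ./install of the web agent.
#  - The hosts file must map the proxy's fully qualified name to its real
#    address; an entry pointing it at 127.0.0.1 stops the agent from working.
#  - /var/ace must exist with the modes this document sets: the directory 774,
#    sdconf.rec 644 and, once the first acetest has created it, securid 440.
# HOSTSFILE and ACEDIR are parameters (normally /etc/hosts and /var/ace) so the
# checks can be run against constructed copies.

# Print every address HOSTSFILE assigns to NAME. Usage: hosts_lookup HOSTSFILE NAME
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                               # strip comments
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$1"
}

# Usage: check_hosts_entry HOSTSFILE FQDN -> 0 when FQDN has non-loopback entries only
check_hosts_entry() {
    addrs=$(hosts_lookup "$1" "$2")
    [ -n "$addrs" ] || { echo "FAIL: $2 has no entry in $1"; return 1; }
    for a in $addrs; do
        case $a in
            127.*|::1) echo "FAIL: $2 maps to loopback address $a in $1"; return 1 ;;
        esac
    done
    echo "OK: $2 ->" $addrs
}

# Exact octal mode test via find. Usage: has_mode PATH MODE
has_mode() { [ -n "$(find "$1" -prune -perm "$2")" ]; }

# Usage: check_ace_dir ACEDIR -> 0 when the directory and its files have the expected modes
check_ace_dir() {
    ace=$1; rc=0
    [ -d "$ace" ] || { echo "FAIL: $ace does not exist"; return 1; }
    has_mode "$ace" 0774 || { echo "FAIL: $ace is not mode 774"; rc=1; }
    if [ -f "$ace/sdconf.rec" ]; then
        has_mode "$ace/sdconf.rec" 0644 || { echo "FAIL: $ace/sdconf.rec is not mode 644"; rc=1; }
    else
        echo "FAIL: $ace/sdconf.rec missing; copy it from the ACE/Server"; rc=1
    fi
    # securid (the node verification file) appears after the first acetest run
    if [ -f "$ace/securid" ] && ! has_mode "$ace/securid" 0440; then
        echo "FAIL: $ace/securid is not mode 440 (chmod 440 $ace/securid)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $ace layout and modes look right"
    return "$rc"
}

# Constructed sample data (RFC 5737 documentation address, not a real host).
tmp=$(mktemp -d)
printf '127.0.0.1 localhost\n192.0.2.10 rproxy.yourdomain.com rproxy\n' > "$tmp/hosts.good"
printf '127.0.0.1 localhost rproxy.yourdomain.com\n' > "$tmp/hosts.bad"
mkdir -m 0774 "$tmp/ace"
touch "$tmp/ace/sdconf.rec"; chmod 644 "$tmp/ace/sdconf.rec"
check_hosts_entry "$tmp/hosts.good" rproxy.yourdomain.com || true
check_hosts_entry "$tmp/hosts.bad"  rproxy.yourdomain.com || true
check_ace_dir "$tmp/ace" || true
rm -rf "$tmp"
```

On the proxy itself, call `check_hosts_entry /etc/hosts $(hostname)` and `check_ace_dir /var/ace`; the hostname must be the fully qualified name the web agent's cookies will be issued for.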
You will need to stop Apache before continuing on with the installation of the web agent.
/usr/local/apache/bin/apachectl stop
cd /home/download/rsaweb
./install
During the install, you will need to:
· Agree to the EULA (after reading it, naturally)
· Accept the conditions (type Accept)
· Accept the default directory location of sdconf.rec ([/var/ace])
· Accept the default path to the Apache install ([/usr/local/apache])
· Accept the default path to the httpd.conf file ([/usr/local/apache/conf/httpd.conf])
· Accept the default path to the httpd binary ([/usr/local/apache/bin/httpd])
All files for the RSA™ web agent will install into /usr/local/apache/rsawebagent.
Setup will begin immediately; follow the onscreen instructions. All of the default parameters are acceptable, but I would suggest the following:
· On the first setup screen, I change “Expiration time for idle cookie in minutes” from 15 to 45. I do this to help the end user and increase the time. This is especially useful when setting up a reverse proxy to work with Microsoft Outlook Web Access (OWA).
· On the second setup screen, I change “Use separate Page for username and PASSCODE” from enable to disable.
Note: RSA™ recommends using separate pages. This is discussed in the documentation that comes with the web agent install. I feel that since I’m using SSL to encrypt the tunnel between the end user and the reverse proxy, I don’t need the extra security of using separate pages for username and PASSCODE. If you are not using SSL with your Reverse Proxy, I would suggest following RSA’s recommendation of using separate pages.
Test Authentication
You will need to test the authentication to verify that the Reverse Proxy is communicating properly with the RSA ACE/Server®.
cd /usr/local/apache/rsawebagent
./acetest
You should get the following:
· Enter USERNAME: {enter your RSA SecurID® username}
· Enter PASSCODE: {enter your PIN and TOKENCODE}
· If successful, it should return “PASSCODE accepted”
Doing this test will create two files, “securid” and a “sdstatus.{x}”, in the /var/ace directory. The “securid” file is the node verification file. By default, it does not have the correct permissions for subsequent authentication tests. You must change the permissions on this file.
chmod 440 /var/ace/securid
Run a test authentication again to verify that it still works.
./acetest
If the test is successful and there are no node verification failures on the RSA ACE/Server®, you will now need to test to see if authentication works on Apache.
/usr/local/apache/bin/apachectl startssl
Remember that you will have to enter your pass phrase to start the SSL web server.
You may get the following error when starting the web server, after installing the RSA™ web agent:
“[DATE] [warn] module mod_rsawebagent.c is already added, skipping”
Everything is fine and will work properly. To get rid of this error, you must edit the RSA™ web agent configuration file.
vi /usr/local/apache/rsawebagent/rsawebagent.conf
The following is the default configuration:
#
# RSA Web Agent configuration information
# This file is included by the current httpd.conf file
#
# Load and add the web agent module in the configuration
LoadModule rsawebagent_module /usr/local/apache/rsawebagent/mod_rsawebagent.so
AddModule mod_rsawebagent.c
#
# RSA Web Agent installation directory
#
<IfModule mod_rsawebagent.c>
RSAWebAgentInstallPath /usr/local/apache/rsawebagent
VAR_ACEPath /var/ace
</IfModule>
Make the following change by commenting out the appropriate line:
#
# RSA Web Agent configuration information
# This file is included by the current httpd.conf file
#
# Load and add the web agent module in the configuration
LoadModule rsawebagent_module /usr/local/apache/rsawebagent/mod_rsawebagent.so
#AddModule mod_rsawebagent.c
#
# RSA Web Agent installation directory
#
<IfModule mod_rsawebagent.c>
RSAWebAgentInstallPath /usr/local/apache/rsawebagent
VAR_ACEPath /var/ace
</IfModule>
Restart Apache and everything should be fine.
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl startssl
Remember that you will have to enter your pass phrase to start the SSL web server.
Browse to https://www.yourserver.com/ with an Internet browser. You will be prompted to accept the certificate, do so. When the web site is displayed, it should show a new web page for the RSA SecurID® authentication.
Enter your username and PASSCODE in the appropriate fields and click submit. It should come back and say that authentication was successful and then present the content from your backend server.
UPDATES
05/22/02
· Added tests for Mandrake 8.1 and OpenSSL 0.9.6c
05/22/02
· Added links for up to date documentation.
05/29/02
· Changed info for adding ProxyPass and ProxyPassReverse directives
· Added info on setting up a Reverse Proxy to multiple servers
· Added RSA trademark information
06/20/02
· Added tests for RedHat 7.3, Apache 1.3.26 and mod_ssl 2.8.9-1.3.26
· Added KEY POINTS under the RSA install section
12/03/02
· Added tests for Solaris 8, OpenSSL 0.9.6d
· Added a few specific instructions for Solaris install
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an “as is” condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.