Apache with ssl support should be the basic platform for
providing web services...
There are several different implementations to choose from, some commercial (stronghold) and some open source (apache+ssl, apache+modssl). We've chosen to work with apache+modssl.
You can use the FreeBSD ports copy of apache, or build your own. Much of how you install and configure Apache will depend on how the server will be used.
Will the server host lots of user websites, or just a few web-sites?
Is the machine to be a dedicated webserver
Is the webserver an interface to other applications
We're going to build apache with one optional component
Optionally You can also get
a Shared Memory Library in APACHE/EAPI
Get them from
and drop them in
(substituting $HOME with your home directory)
Take a look at the
$ sh config no-threads -fPIC
$ make test
$ cd ..
NOTE: OpenSSL understands a lot more options on the `config' command line. For instance you can add some command line options (like `-DSSL_FORBID_ENULL' for not allowing Null encryptions, or adding `-DSSL_ALLOW_ADH' for allowing Anonymous Diffie-Hellman ciphers, etc) to adjust the OpenSSL internals (see OpenSSL's top-level Makefile for details). NOTE: When your system already has OpenSSL installed (for instance some Linux distributions ship with OpenSSL installed out-of-the-box) in system locations you can ignore the OpenSSL steps above, too. Then use `SSL_BASE=SYSTEM' instead of `SSL_BASE=../openssl-0.9.x' and mod_ssl will search for OpenSSL's binary, header and library files in $PATH and system locations. NOTE: The -fPIC option builds OpenSSL with Position Independent Code (PIC) which is only important when building mod_ssl as a Dynamic Shared Object (DSO). NOTE: The optional `no-threads' keyword above is to increase performance inside OpenSSL, because Apache 1.3 does not use threads anyway. However, OpenSSL, if built without `no-threads', by default builds with multi-threading support. This multi-threading support involves using locking around a lot of internal object manipulation (esp. reference counts). The fact that it is not possible in Apache 1.3 to have threads racing on any kind of object internal to OpenSSL means that any overhead (memory and/or time) relating to these locking mechanisms is wasted by default.
Optionally you now can build the MM Shared Memory library when you want shared memory support in Apache/EAPI. For instance this allows mod_ssl to use a high-performance RAM-based session cache instead of a disk-based one.
$ tar xvzf mm-1.3.0.tar.gz
$ cd mm-1.3.0
$ cd ..
NOTE: When your system already has MM installed in system locations you can ignore the steps above and then use `EAPI_MM=SYSTEM' instead of `EAPI_MM=../mm-1.1.x' below. NOTE: Do not forget the --disable-shared option above. Else you've to establish an explicit LD_LIBRARY_PATH which includes the /path/to/mm-1.1.x/.libs/ directory or the compilation of Apache will fail because the shared library cannot be found.
Now apply the mod_ssl source extension and source patches to the Apache source tree, configure the Apache sources and build Apache with mod_ssl and OpenSSL.
$ tar xvzf
$ tar xvzf
$ cd mod_ssl-2.8.17-1.3.31
$ cd ../apache_1.3.31
$ make certificate
follow the following
selections (press enter for the defaults which are shown like [this]
if they match what we want):
Select RSA Enter your country code Enter State/county or province Enter a locality Enter your organization Enter the Unit/Group Common name Email address Enter the length of time the certificate should be valid (days) Select ssl3 Enter a country code Enter a state Enter a Locality Enter an organization Enter your common name Enter your mail address Enter the length of time the certificate should be valid (days) Select certficate version 3 Say N to leave the private key unencrypted
$ make install
$ cd ..
NOTE: The --enable-shared=ssl option enables the building of mod_ssl as a DSO `libssl.so'. Read the INSTALL and htdocs/manual/dso.html documents in the Apache source tree for more information about DSO support in Apache. It is advisable for ISPs and package maintainers to use the DSO facility for maximum flexibility with mod_ssl. But notice that DSO is not supported by Apache on all platforms.
and then firing up your browser and going to
using ssl means you're running two virtual servers
one on port
one on port
You have more directories to keep track of because of your keys
the key that was generated is valid for only one hostname
So, a key per virtual host is a good idea if you're doing virtual hosts with ssl servers as well
Unsigned keys are fine for things like running your webmail services through ssl, for ecommerce type applications having a key signed by a reliable CA (certificate authority) is considered normal.
CA's include Verisign (USA), Thawte (South Africa) and others
Apache HTTP server
Last modified: Tue May 18 12:18:01 GMT 2004