Apache Server for Windows Little Black Book: Keeping Your Apache Site Secure
Apache Server for Windows Little Black Book (Publisher: The Coriolis Group). Author(s): Greg Holden with Matthew Keller. ISBN: 1576103919. Publication Date: 01/01/99.
Chapter 12: Keeping Your Apache Site Secure


If you need an immediate solution to:
Setting Up Read-Only Security
Disabling Default Access
Preventing User Overrides
Restricting Robots
Running HTTP And HTTPS On The Same Machine
Installing SSLeay
Testing SSLeay
Using Apache-SSL
Using mod_ssl
Installing Stronghold NT
Obtaining A Site Certificate
Generating Your Own Test Certificate
Applying To A Certification Authority
Configuring Your Secure Site

In Brief
Web-Site Security And Apache
The use of the authentication strategies described in Chapter 9 is only one way to restrict access to “sensitive” parts of your Web site. Basic authentication is adequate for most purposes, but it’s not considered a high-level security strategy because it involves passwords traveling along the network in UUEncoded format. Although it’s unlikely that a hacker could intercept the precise IP packet that contains your password, it’s not impossible.

This chapter examines security methods such as built-in Windows NT features, Secure Sockets Layer encryption, and certificates for use with Apache.
How SSL Works
Secure Sockets Layer (SSL) is one of the most popular security methods in use today on the Internet, and it’s one that is making secure electronic commerce a feasible option for sites that use Apache or other server software. SSL is implemented at an intermediate stage (or layer) between TCP/IP and HTTP.

SSL encrypts data using a technology called public key encryption. Two keys, a public key and a private key, are used to encode and then decode information. The public key uses an algorithm to encode data and is widely distributed. Information encoded with a public key can only be decoded with a private key. The private key is never distributed; it is always kept secret on the server.
When the client connects to a site that uses SSL, the server sends its public key, along with other information that is included, as part of a certificate. A certificate is an electronic document that is issued by a certification authority (CA). The certificate establishes the identity of an individual or company on the Internet. Because the certificate includes the site’s public key, the client can use it to decode the data sent by the server.
RSA Licensing
RSA Inc. is a company that licenses its public key encryption system through commercial products such as electronic files—called digital IDs or certificates—that are issued either to individuals who want to encrypt their own email messages or to companies that want to serve secure Web sites. The system encodes information by generating complex codes, some of which remain secret and known only to the Web-site owner (private keys) and some that are given out freely to Web clients (public keys).
Because of U.S. export restrictions on encryption, if you use an SSL server such as Stronghold NT (discussed in detail in this chapter’s Immediate Solutions) and you live inside the United States or Canada, you must use the server software in the United States or Canada, and it must be used by Canadian or United States citizens or permanent residents only. The U.S. government prohibits transmitting the server software to anyone who is not a citizen or permanent resident of the United States or Canada.
SSLeay
The current implementation of SSL uses encryption algorithms that are patented by RSA. However, a free version of the SSL library called SSLeay is also available. SSLeay was created by Eric A. Young and Tim Hudson, and has its own Web site at www.ssleay.org. You can download the SSLeay library files so that SSL technology can be used by secure versions of Apache (such as Apache-SSL, which is described in the following section).
SSL-Compliant Versions Of Apache
SSL is not available in the freely distributed version of Apache Server because the current implementation of SSL uses algorithms that are patented by RSA Inc. In addition, Apache is used around the world, and the U.S. imposes strict regulations on exporting encryption (only 40-bit encryption can be legally exported).

As alternatives, you can choose between several versions of Apache that make use of SSL:

•  Apache-SSL and SSLeay—Apache-SSL was created by Ben Laurie, one of the Apache Group members. You install the SSLeay library on your computer and then download a series of patches called Apache-SSL, which you then add to Apache and compile into the server.
•  The mod_ssl module—This module was created by Ralf S. Engelschall, one of the Apache Group members and creator of the mod_rewrite module. This is a free implementation of SSLeay. It uses 128-bit encryption and can be distributed worldwide because it was developed in Europe and is only distributed from Europe. It is available for Win32 users, who can compile the module into the Apache source code.


TIP:  You can find out more about mod_ssl at www.engelschall.com/sw/mod_ssl/news/list.html.


•  Stronghold NT—This is a binary application sold by C2Net. Stronghold NT is relatively easy to configure because it does not involve compiling Apache or using patches.

In addition, you can make use of a module called Raven that has been developed by Covalent Technologies (raven.covalent.net). A version of Raven was not yet available for Windows as this book was written.
How Do Certificates Work?
As stated earlier, a certificate is an electronic document that uses encryption and other methods to establish the identity of an individual or organization. Although certificates may seem complex, they basically involve one organization (the certification authority, which is the company that issues the certificate) saying, “We certify that the owner of this certificate is who he or she claims to be.”

The Private Key
The identity of the certificate owner is established by means of a private key, a digital file that is generated by the owner and remains secret on the owner’s computer; the private key is never shared with the certification authority or anyone else. In a version of Apache that uses SSL security, the private key is generated by secure server software that you either purchase (if you’re using Stronghold NT or Raven) or download (if you’re using Apache-SSL). The private key is generated using algorithms that are patented by RSA and included with the secure version of Apache.
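As an added illustration that is not from the book, the following textbook-RSA toy in Python shows the two roles described in "How SSL Works" and "How Do Certificates Work?": what the public key encodes only the private key decodes, and a certification authority vouches for a site by signing the site's public key with the CA's own private key, which anyone holding the CA's public key can check. The primes, the hostname and the sample message are constructed values; the key sizes are far too small for real use.

```python
import hashlib

# Constructed toy primes (about 10^6 each). Real keys use primes hundreds of
# digits long; these only make the arithmetic easy to follow.
SERVER_PRIMES = (1000003, 1000033)
CA_PRIMES = (1000037, 1000039)
E = 65537

def keygen(p, q, e=E):
    """Textbook RSA: public key (e, n) is distributed, private key (d, n) stays secret."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def encode(public, m):
    """Encode integer m with a public key; only the matching private key reverses it."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decode(private, c):
    d, n = private
    return pow(c, d, n)

def digest(data, n):
    """SHA-256 of a certificate body, reduced so the integer fits under modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(ca_private, subject, subject_public):
    """The CA states 'subject holds this public key' by signing with its private key."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    d, n = ca_private
    return {"body": body, "signature": pow(digest(body, n), d, n)}

def verify_certificate(ca_public, cert):
    """Any client with the CA's public key can check the CA's signature."""
    e, n = ca_public
    return pow(cert["signature"], e, n) == digest(cert["body"], n)

def demo():
    server_pub, server_priv = keygen(*SERVER_PRIMES)
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    secret = 424242                                   # constructed sample message
    c = encode(server_pub, secret)
    cert = issue_certificate(ca_priv, "www.example.com", server_pub)
    # A certificate whose body was altered after signing must fail the check.
    tampered = dict(cert, body=cert["body"].replace(b"example.com", b"example.org"))
    return {
        "private_decodes": decode(server_priv, c) == secret,
        "public_cannot_decode": decode(server_pub, c) != secret,
        "cert_verifies": verify_certificate(ca_pub, cert),
        "tampered_cert_fails": verify_certificate(ca_pub, tampered),
    }
```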