Security is essential when handling personal details which, if leaked, could be used for identity fraud or, worse, outright theft. As a developer it is your job to stop this from happening: your customers' details should not be put at risk. Having a secure connection between the client and the server helps with this, and can be done using SSL.
There are many reasons for having a secure server, and you may find you need one for testing purposes or even in production. How you go about setting it up depends greatly upon the operating system you intend to run it on. By far the simplest is Debian; installing Apache SSL there is as simple as typing:
apt-get install apache-ssl mod-ssl
You may, however, prefer to use Apache 2, which would mean replacing apache-ssl with apache2-ssl. You will also require OpenSSL, which as usual can be installed using apt-get:
apt-get install openssl
If for some reason your webserver is on Apple's Mac OS X, then you need to install Fink before you can use the above apt-get commands. Typically the only time OS X is set up as a webserver is when it is being used as a development environment. Microsoft Windows, as expected, is a little different. To install OpenSSL you need to download the binary, but it is not available from the OpenSSL website; instead you can download it for Win32 machines from Shining Light Productions. If you prefer to compile it yourself, download the source from the OpenSSL site or from "Hunter". When the download has finished, extract it to a temporary folder and copy the DLL files from bin\ to your windows\system32 folder. Now copy the rest of the files into C:\OpenSSL, or wherever you want it to live. You will then need to download the OpenSSL configuration file from Tud-at and copy it into that folder. People using Unix or Mac OS X need not do this, as their apt-get installs will already include it.
The next step doesn't change much no matter which server you're using: this is where we use OpenSSL to generate the certificate needed to run Apache-SSL or Apache2-SSL. If you're setting up a production server you should obtain a certificate signed by a trusted certificate authority; otherwise you can create a self-signed certificate.
openssl req -new -x509 -key selfca.key -out selfca.crt -days 365
This command is similar to the one you would use to generate a certificate signing request, but it creates a self-signed certificate instead. The example comes from the OpenSSL documentation and is built up by saying which key to use, what the output filename for the certificate should be, and how many days the certificate should be valid for. At this point the command will not work yet, because you first need to create an RSA or DSA key. In this example I'll create an RSA key:
openssl genrsa -des3 -out selfca.key 2048
Once you've answered the questions it asks (it requires you to provide a passphrase for the key) you will be ready to use the openssl req command mentioned previously. Most of the prompts during that step can be skipped, as they relate to information such as the location of the business and are not strictly necessary when generating a self-signed certificate. Note that because the key was encrypted with -des3, Apache will ask for this passphrase every time it starts. Now we can display the X.509 certificate that has been created:
openssl x509 -in selfca.crt -text -noout
By this point you will have an X.509 certificate that expires in one year; you can make it valid for longer if you wish, but I chose to do it for just a year. The next step is to move the key and the certificate into the folders where they will be used by Apache-SSL (or Apache2-SSL) and to restrict their permissions so that only the owner can read them.
mv selfca.crt <apache-conf-folder>/ssl.crt/
mv selfca.key <apache-conf-folder>/ssl.key/
chmod 0400 <apache-conf-folder>/ssl.crt/selfca.crt
chmod 0400 <apache-conf-folder>/ssl.key/selfca.key
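The key generation, certificate creation and permission steps above, as a non-interactive shell script added here (it is not part of the original article), with a check that the certificate really belongs to the key before it goes into Apache. It assumes the selfca.key/selfca.crt names from the article and a CN of localhost; unlike the article it leaves the key unencrypted so Apache can start unattended.

```shell
#!/bin/sh
# Added example, not from the original article. Generates a self-signed
# key/certificate pair the way the article does, but non-interactively,
# then verifies the pair before it is handed to Apache.
set -e

# make_selfsigned_cert DIR DAYS COMMON_NAME
# Writes DIR/selfca.key (unencrypted, so Apache needs no passphrase at start)
# and DIR/selfca.crt, a self-signed X.509 certificate valid for DAYS days.
make_selfsigned_cert() {
    dir=$1; days=$2; cn=$3
    openssl genrsa -out "$dir/selfca.key" 2048 2>/dev/null
    # -subj answers the interactive prompts; for a test server only CN matters
    openssl req -new -x509 -key "$dir/selfca.key" -out "$dir/selfca.crt" \
        -days "$days" -subj "/CN=$cn" 2>/dev/null
    chmod 0400 "$dir/selfca.key"   # private key: owner read-only
    chmod 0444 "$dir/selfca.crt"   # certificate is public, but keep it immutable
}

# verify_pair KEY CRT
# Returns 0 only if the public key embedded in CRT matches KEY and CRT will
# still be valid in 24 hours. A mismatch here is the usual reason Apache
# refuses to start after a key or certificate has been replaced.
verify_pair() {
    key=$1; crt=$2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 1
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1
}

# cert_expiry CRT: prints the notAfter date so you know when to renew.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}
```

Run verify_pair against the files in ssl.key/ and ssl.crt/ after every renewal; a failing check means the wrong key or certificate was copied.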
Finally everything is in place to configure Apache itself, so open the httpd.conf for your SSL version of Apache and make sure that the following lines are either modified or added:
DocumentRoot /home/user/sites/secure_html/
<Directory "/home/user/sites/secure_html">
</Directory>
SSLCertificateFile /path/to/certs/ssl.crt/selfca.crt
SSLCertificateKeyFile /path/to/certs/ssl.key/selfca.key
The values for DocumentRoot and Directory should point at the folder your secure files are served from, and should be the same. Once you have done that, save the file and restart apache-ssl using:
apache-sslctl graceful
That's it, you've done it - now you can access your secure server via https://localhost/.