Red Hat NETWORK PROXY SERVER 3.7 - Manual de usuario

Red Hat Secure Web ServerGetting Started GuideRed Hat Software, Inc.Research Triangle Park, North Carolina

xCONTENTS

90 INDEXserver ... . ... ... 15SSL...25virtual hosts ... ... 36copyright ... ... ... iicreating certific

INDEX 91PHP/FIconfiguration ... .. 81PHP/FI, Apache ... ... 5PHP3... ... .5port numbers ... . ... 42purchasi

Installing Your ApacheServerAfter you have readthis chapter and followed the instructions it contains,your web server will be installed and configured.

2 Installing Your Apache Server(In other words, if your system only has the script/etc/rc.d/init.d/httpd, then execute that script with the stop pa-ra

1.2 Mounting the CD-ROM 31.2 Mounting the CD-ROMTo beginthe installationprocess,you must first mountthe CD-ROM.Placethe secure web server CD in your CD

4 Installing Your Apache Serverthe program. Remember, however, that these web pages may include in-formation about a more recent version of the partic

1.3 Optional Packages 5links the Perl runtime library into the server and provides an object-oriented Perl interface for the Apache server’s C languag

6 Installing Your Apache Serverto section 4.3 on page 81 for more information on post-installationconfiguration of mod php. You should also try the PHP

1.3 Optional Packages 71.3.6 SourceConfiguration File: N/ADocumentation: N/ADescription: The source package (secureweb-source) contains theApache sourc

8 Installing Your Apache Serveror the disk caching version (described below). See section 4.5 onpage 83 formore information onconfiguring Squid after i

1.4 Running the Installer 91.3.10 Netscape NavigatorConfiguration File: N/ADocumentation: http://help.netscape.com/Description: Netscape Navigator is a

Copyrightc1998 Red Hat Software, Inc.Red Hat is a registered trademark and the Red Hat Shadow Man logo,RPM, the RPM logo, and Glint are trademarks of

10 Installing Your Apache ServerYou’ll see a window like the one shown in figure 1.1, thanking you forpurchasing Red Hat Secure Web Server 2.0. Press t

1.4 Running the Installer 11Figure 1.2: Optional Packages to Installmemory or on disk. If your server is equipped with plenty ofmemory (i.e., 64MB or

12 Installing Your Apache ServerFigure 1.3: Analog Package Optionsspace on your hard disk, select No, and re-run the installation se-lecting fewer opt

1.4 Running the Installer 13Figure 1.4: Continue with InstallationFigure 1.5: Installation Status Bar

14 Installing Your Apache ServerFigure 1.6: Installation Complete

Configuring Your SecureWeb ServerYou can’t start your secureweb serverright now, because you haven’t cre-ated your key or obtained a digital certificate

16 Configuring Your Secure Web Servertions ofall ofApache’s configuration options. For yourconvenience, shortdescriptions of theconfiguration directivesu

2.2 httpd.conf 17If you do make a mistake, and your secure web server doesn’t work cor-rectly, the first place to look is in the configuration file you j

18 Configuring Your Secure Web Server2.2.1 Important Directives in httpd.confLoadModule LoadModule is used to load in Dynamic Shared Object(DSO) module

2.2 httpd.conf 19Please Note:Unless you know exactly what you’re doing, don’t setthe User to root,which will create some big securityholes for yoursec

ContentsIntroduction vAcknowledgements ix1 Installing Your Apache Server 11.1 OS and SoftwareVersions . . . . . . ... 21.2 Mounting the CD-

20 Configuring Your Secure Web ServerNote that the default TransferLog (or access log) for your secureweb server is /var/log/httpd/access log-ssl.2.2.2

2.2 httpd.conf 21to listen to port 80 fornon-secure web communications and port 443for secure web communications.Listen can also be used to specify pa

22 Configuring Your Secure Web Serveryou might want to use www.yourserver.com when your server’sreal name is actually blah.yourserver.com. Note that th

2.2 httpd.conf 23KeepAliveTimeout KeepAliveTimeout setsthenumberofsecondsyourserver will wait for a subsequent request, after a request has beenserved

24 Configuring Your Secure Web Serveruncomment the Cache directives to enable proxy caching for yourproxy server. Apache proxy serving is enabled by th

2.2 httpd.conf 25(a separate server which runs alongside your default Apache webserver). Most configuration directives can be used within virtualhost t

26 Configuring Your Secure Web ServerSSLDisable directive is used to disable SSL for your non-secureweb server.SSLEnable SSLEnable enablestheSSLprotoco

2.3 srm.conf 272.3 srm.confThe srm.conf file defines the server’s name space, how requests are ser-viced and how request results areformatted.2.3.1 Impo

28 Configuring Your Secure Web ServerDirectoryIndex The DirectoryIndex is the defaultpage servedby theserver when a user requests an index of a directo

2.3 srm.conf 29AddIconByEncoding Thisdirectivenamesiconswhich willbedisplayedby files with mime-encoding, in server generated directory listings.Forexa

iv CONTENTS2.8 Accessing Your Server ... 423 Securing Your Server 433.1 How Server Security Works . . . . ... 443.2 Dec

30 Configuring Your Secure Web ServerIndexIgnore IndexIgnore lists file extensions, partial filenames, wild-card expressions or full filenames. The web se

2.3 srm.conf 31is using the AddType directive to make your web server recognizefiles with PHP extensions (.php3 .phps .phtml) as PHP mimetypes.AddHandl

32 Configuring Your Secure Web Serverdisable keepalives and HTTP header flushes for browsers that areknown to have problems with those actions.2.4 acces

2.4 access.conf 33Your/home/httpd/cgi-bin directoryhasOptions ExecCGI set,meaning thatexecution of CGI scriptsis permitted within that direc-tory.Allo

34 Configuring Your Secure Web Server2.5 Adding Modules to Your ServerSince Apache 1.3 supports Dynamic Shared Objects (DSOs), you can eas-ily load Apa

2.5 Adding Modules to Your Server 35To make your secure web serverload in anunloaded module, firstuncom-ment the corresponding LoadModule line. For exa

36 Configuring Your Secure Web Serveroutside the Apache source tree, without needing to tweak any compilerand/or linkerflags. If you needmore informatio

2.6 Using Virtual Hosts 37machine. If you’re interested in using virtual hosts for different IP ad-dressesor differenthost names onyour machine, morei

38 Configuring Your Secure Web Serverrequests. By default, the DocumentRoot is set to /home/httpd/html.To change the DocumentRoot so that it is no long

2.6 Using Virtual Hosts 39won’t have to do any manipulation of the virtual hosts directives inhttpd.conf. However,if you would like to usethe virtual

IntroductionThe Red Hat Secure Web Server Getting Started Guide is intended to get youstartedrunningyourRedHatSecureWeb Server. Itisnot meantto becom-

40 Configuring Your Secure Web ServerThis line would create a virtual host that listens on port 12331. Substitutethe port number you want to use for 12

2.7 Starting and Stopping Your Server 41You may also use the command restart, which is a short way of stop-ping and then starting yourserver. restart

42 Configuring Your Secure Web Server2.8 Accessing Your ServerThe standard port for secure web communications is port 443. The stan-dard port for non-s

Securing Your ServerSince you purchased this product,you areprobably interestedin conduct-ing electronic commerce using yourweb site. To makeyour cust

44 Securing Your ServerWhen you use a signed certificate, you guarantee the identity of the orga-nization running the server. For example, if thecertifi

3.1 How Server Security Works 45privacy)andthe mutualauthentication betweenbrowsersandyour secureweb server. The CA-approved digital certificate provid

46 Securing Your Serveryouclaimto be, theywill sendyouadigital certificate. You then installthiscertificate on your web server, and begin handling secur

3.3 Proving Your Organization’s Identity to a CA 473.3.1 Proving Your Organization’s Identity to VeriSignTheeasiestway to proveto VeriSign that youror

48 Securing Your Server3.3.2 Proving Your Organization’s Identity to ThawteThawte requires some form of all three of the following to prove your or-ga

3.4 Creating Your Key and Certificate Request 49at http://www.thawte.com for more information or contact Thawte [email protected] to ask them w

vi CONTENTSmod ssl provides complete documentationmod ssl has fixed many different bugs that existed in Apache-SSLOther new featuresinclude: the compil

50 Securing Your Serverto createthe certificate request. You need the certificaterequest in order toapply for a certificate from a CA. Finally, you need

3.4 Creating Your Key and Certificate Request 51Please Note:If you don’t want to have to type in a password every timeyou start your web server, you wi

52 Securing Your ServerYour system will display the following output and will ask you for yourpassword (if you disabled the password option, it won’t

3.4 Creating Your Key and Certificate Request 53Since the Red HatSecureWeb Serveris restrictedfor sale to only the US orCanada, your input will be eith

54 Securing Your ServerThe next section covers how to get test certificates from both VeriSign andThawte, as well as how to create a test certificate yo

3.5 Getting a Test Certificate 55If you enter ’.’, the field will be left blank.-----Country Name (2 letter code) [US]:State or Province Name []:North

56 Securing Your Servercontents of your httpsd.csr file (including the BEGIN CERTIFI-CATE REQUEST line and the END CERTIFICATE REQUEST line)and paste t

3.5 Getting a Test Certificate 577. Scroll down to the bottom of the page, which will contain a form foryou tofill out. You need to fill inthe blankswith

58 Securing Your Server4. The returned webpage will include your test certificate (an exampleis shown as figure 3.5 on page 67). Cut and paste the test

3.7 Buying a Certificate 593.7 Buying a CertificateNow you’re ready to purchase a certificate. Once you’ve received the cer-tificate, simply follow the st

CONTENTS viiIf you include the manual’s identifier, we’ll know exactly which versionof this manual you have. If you have a suggestion, try to be as spe

60 Securing Your Serverbut there areother ways if youdon’t have a D-U-N-S numberor youdon’t want to use one. Refer to 3.3.1on page 47 or to the instru

3.7 Buying a Certificate 6111. Fill in the “Enter Billing Contact Information” with information forthe person who will be contacted for billing purpose

62 Securing Your Server3. The next step they describeis togenerate akey anda certificatesign-ing request (CSR). If you followed the instructions contai

3.7 Buying a Certificate 6315. The next page,alsoentitled“ServerCertEnrollment,”is thelastpageof their enrollment form and is shown as figure 3.12 on pa

64 Securing Your ServerFigure 3.2: Paste in Your httpsd.csr

3.7 Buying a Certificate 65Figure 3.3: Application

66 Securing Your ServerFigure 3.4: Thawte’s Test Certificate Page

3.7 Buying a Certificate 67Figure 3.5: Thawte’s Test Certificate Page

68 Securing Your ServerFigure 3.6: The Red Hat Secure Web Server Default Home Page

3.7 Buying a Certificate 69Figure 3.7: Confirming your Domain Name for VeriSign

viii CONTENTS

70 Securing Your ServerFigure 3.8: Submitting a CSR to VeriSign

3.7 Buying a Certificate 71Figure 3.9: Completing the VeriSign Application

72 Securing Your ServerFigure 3.10: Thawte Enrollment Form

3.7 Buying a Certificate 73Figure 3.11: Thawte Application

74 Securing Your ServerFigure 3.12: Thawte Application

3.7 Buying a Certificate 75Figure 3.13: Thawte Submission Complete

76 Securing Your Server

Configuring OptionalPackages4.1 Configuring AnalogAnalog is a complex program. Please refer to the Analog web page athttp://http://www.statslab.cam.ac.u

78 Configuring Optional PackagesChange the LOGFILE and HOSTNAME lines to read as follows:LOGFILE /var/log/httpd/access_log-sslHOSTNAME "Your Compa

4.2 Configuring mod perl 79Afterthe mainLoadModule section, there’sa listof three additional mod-ules. Uncomment the perl module line so that instead o

AcknowledgementsRed Hat Software would like to acknowledge the following contributionsto this product:This product includes softwaredeveloped by the A

80 Configuring Optional PackagesThe lines should read:Alias /perl/ /home/httpd/perl/<Location /perl>SetHandler perl-scriptPerlHandler Apache::Reg

4.3 Configuring mod php 814.3 Configuring mod phpLikemod perl,mod phpis avery largepackage. PHP isa completescript-ing language,with various capabilitie

82 Configuring Optional PackagesIf you installed the PHP3 package, uncomment the mod php3.c line sothat instead of:#AddModule mod_php3.cIt reads:AddMod

4.4 Configuring Apache-ASP 83After you’ve uncommented the appropriate lines, save the srm.conf fileand then restart your server as described in section

84 Configuring Optional PackagesYou can have Squid start and stop automatically as your machine bootsandshuts downby addingsymlinks to yoursystem’s /et

4.5 Configuring Squid 854. Find the following section:http_access allow allReplace it with:http_access allow allowed_hostshttp_access deny all5. Find t

86 Configuring Optional Packages4.6 Configuring ht://DigFor complete documentation on configuring and running ht://Dig, pointtothefile/usr/doc/htdig-3.0.8

4.6 Configuring ht://Dig 87/var/lib/htdig/footer.html Thispagewillbedisplayedatthe bottomof any search results./var/lib/htdig/nomatch.html This page wi

88 Configuring Optional Packages

IndexAaccess.conf file ... ... 32acknowledgements .... ixanalog..... . ...4configuration ... .. 77Apacheconfigurat