6.5. Apache and SSL

Protecting your web folders with Basic Authentication by using either htpasswd or mod_auth_mysql increases security. Unfortunately, that added layer of security afforded by Basic Authentication can be eliminated by a serious hacker looking to break into your system. The problem: when you use Basic Authentication on a standard server, the username and password are actually transmitted unencrypted from the client to the server. A network-savvy hacker could be monitoring the transmission between your machine and the server, and sniff out the plain-text passwords as they zing by.

The solution: encrypt the communication between the client and the server. In Apache, this can be achieved by using Secure Sockets Layer (SSL). SSL in Apache comes in the form of mod_ssl, an Apache module that SSL-enables a website that Apache controls, allowing any communication to and from Apache to be encrypted using a wide range of encryption schemes.

To enable SSL in Apache, first check to see if SSL is included in your existing Apache binary or as a loadable module:

/path/to/httpd -l
ls /path/to/apache/modules/

If you don't see mod_ssl.c in the first command's output or mod_ssl.so in the listing of the Apache modules directory, you'll need to build Apache's SSL functionality yourself. To statically enable SSL, add --enable-ssl to your Apache configure command when building from source:

./configure \
--enable-ssl \
# ...and any other configure settings you use
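
The two checks described above (httpd -l for a compiled-in mod_ssl.c, then the modules directory for mod_ssl.so) can be combined into one script. This is an added example, not code from the book; the function name mod_ssl_status and its three result words are assumptions made here, and the paths are whatever your installation uses.

```shell
#!/bin/sh
# Added example: report how (or whether) mod_ssl is available to an Apache install.
# Usage: sh check_mod_ssl.sh /path/to/httpd /path/to/apache/modules
# mod_ssl_status prints one of: static, shared, missing (hypothetical labels).

mod_ssl_status() {
    httpd_bin=$1
    modules_dir=$2

    # `httpd -l` lists the modules compiled into the binary, one per line.
    # A missing or non-executable binary simply falls through to the next check.
    if [ -x "$httpd_bin" ] && "$httpd_bin" -l 2>/dev/null | grep -qw 'mod_ssl\.c'; then
        echo static
        return 0
    fi

    # Not compiled in: look for the loadable module instead.
    if [ -f "$modules_dir/mod_ssl.so" ]; then
        echo shared
        return 0
    fi

    # Neither form is present, so Basic Authentication would still travel
    # unencrypted until Apache is rebuilt with SSL support.
    echo missing
    return 1
}

# Run the check only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    case $(mod_ssl_status "$1" "$2") in
        static)  echo "mod_ssl is compiled into $1" ;;
        shared)  echo "mod_ssl.so found in $2 (loadable module)" ;;
        missing) echo "mod_ssl not found: rebuild Apache with --enable-ssl" ;;
    esac
fi
```

The function returns a non-zero status when mod_ssl is missing, so it can gate a deployment step that would otherwise expose Basic Authentication over plain HTTP.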

If you want to use the dynamic module ...
