Re: apache

From: Marc Rogers (marcr@closed-networks.com)
Date: 04/25/02 

Date: Thu, 25 Apr 2002 20:18:19 +0100
From: Marc Rogers <marcr@closed-networks.com>
To: ANdrei <andrei@abc.ro>

On Thu, Apr 25, 2002 at 09:58:47PM +0300, ANdrei wrote:
> let me give you a scenario that i want solved :)
>
> i have a webserver that needs to run apache with SSL (httpd -SSL, if i
> remember correctly), but the server is not considered to be secure
> enough to have an unencrypted key on it's hard drives... so the key is
> crypted, but then, again, apache is unable to start with SSL enabled if
> somebody doesn't enter the passphrase by hand... i'm talking about
> apache with mod-ssl, it's one of many big servers, and any minute of it
> not being up is a big pain in the ass, so starting apache on every
> server every time by entering the passphrase by hand is not what i am
> looking for... starting it from a script where the passphrase is plain
> text is also considered to be insecure for what i need....

Unfortunately you are either going to have to get a human to do it, or
commit the passphrase to a program or script. You can obfuscate the
passphrase as much as you like but one way or other the key to the
passphrase ends up being stored in a program.

The solution that i opted for was to create a server on a secure network
that acted as the key manager for the secure webservers. The system was
kept off the normal network, and only had ssh access to the machines on
the private network. No services ran on the machine appart from an sshd
accessable through a gateway.
 
This machine periodically checked to see if the secure servers were running
and if not, logged in via ssh and restarted them with the passphrase.

Not wonderfully elegant, but necessary and secure enough for its purpose.

>
> hope smbd had this problem already :)
>

Im sure many people have had this problem. Better solutions anyone?
 
> ANdrei
>

Marc 

-- 
Marc Rogers
Vizzavi UK
www.itv.com/popidol
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Re: apache
    ... > i have a webserver that needs to run apache with SSL (httpd -SSL, ... > somebody doesn't enter the passphrase by hand... ... > server every time by entering the passphrase by hand is not what i am ...
    (FreeBSD-Security)
  • Re: kick off a post boot job
    ... But you're not going to truly resolve the actual problem of needing human input for a passphrase by having some other machine do something automatically. ... string using scp or some other secure transport and then using the decoded result to start up apache. ... I suppose you could use SSH from some remote trusted server to do an "apachectl startssl" and then feed it the passphrase, but then you've ended up putting the passphrase in cleartext on the trusted host, and you need to permit the trusted host to login to the webserver without needing human intervention via SSH keypairs, so you're just moving the problem from one place to another. ... most people leave the x.509 certs unsecured with a passphrase so that the webserver can be setup to start itself upon a reboot without manual intervention. ...
    (freebsd-questions)
  • Re: MySQL Security risk?
    ... >I'd like to install MySQL and PHP onto my server that's hosted in a POP on ... for a log time does to make it more secure than any other DB. ... I take it you will be dishing out HTML pages via Apache, ...
    (comp.unix.solaris)
  • Re: Web hosting security
    ... site is hosted on Windows or Linux servers? ... From a web host point of view, consider the server you are going to use. ... Apache runs under both, and is quite secure when properly set up. ...
    (alt.computer.security)
  • Re: WebServer?
    ... >Apache vs IIS 5 on Win2k server. ... >still that much better than an IIS 5 box? ... Well configured IIS is 'similar' secure like Apache. ... web server will se secure as its most weak part. ...
    (Focus-Microsoft)