wiki:ndg_security/Installation/Apache2


Apache2 mod_wsgi and SSL Configuration for ndg_security

This page describes the configuration settings for NDG Security with Apache2. It is not possible to give complete instructions for all target platforms, so this guide focuses on configuration from the Apache package on SuSE Linux and on an alternative build from source. It is recommended to use the standard Apache2 package where possible. In some cases, however, you may need to build Apache from source; for example, note this issue with the SUSE 10.2 Apache build:

 http://groups.google.com/group/modwsgi/browse_thread/thread/815fd4da49951e72

  1. Configure Apache from the distribution package (the SUSE package is used as the example set-up below) or build from source
  2. Get and build mod_wsgi
  3. Configure SSL and Virtual host(s)

mod_wsgi Build and Installation

mod_wsgi is the recommended means for running NDG Security middleware and applications.

Use the standard package provided with the operating system where possible, but in some circumstances it may be necessary to build from source, for example where the packaged module is built against Python 2.5 but you need Python 2.6. To check which Python the module is linked against:

$ ldd /usr/local/apache2/modules/mod_wsgi.so
	libpython2.6.so.1.0 => /usr/local/lib/libpython2.6.so.1.0 (0x00002b4372989000)

The output above shows that it is built against Python 2.6. If you need to rebuild, follow these instructions. All steps assume execution as the root user.

  1. Get latest mod_wsgi (as of writing version 3.3):
    $ wget http://modwsgi.googlecode.com/files/mod_wsgi-3.3.tar.gz
    $ tar zxvf ./mod_wsgi-3.3.tar.gz
    
  2. Configure (N.B. SuSE comes with the special apxs2-prefork command, but with an Apache2 source build the correct command is apxs):
    $ cd ./mod_wsgi-3.3
    $ ./configure --with-apxs=/usr/sbin/apxs2-prefork --with-python=python2.6
    checking Apache version... 2.2.13
    configure: creating ./config.status
    config.status: creating Makefile
    
    Troubleshooting: apxs2-prefork may be missing; if so, check that the apache2-devel package is installed:
    $ command-not-found apxs2
    
    The program 'apxs2' can be found in the following package:
      * apache2-devel [ path: /usr/sbin/apxs2, repository: zypp (SUSE-Linux-Enterprise-Software-Development-Kit-11_11-0) ]
    
    Try installing with:
        sudo zypper install apache2-devel
    
    $ sudo zypper install apache2-devel
    
  3. Build:
    $ make
    
    Troubleshooting: missing python development files - output from make includes something like:
    mod_wsgi.c:135:20: error: Python.h: No such file or directory
    mod_wsgi.c:138:2: error: #error Sorry, Python developer package does not appear to be installed.
    
    Install development package:
    $ sudo zypper install python-devel
    
    Install:
    $ make install
    

Apache Configuration File Settings

Apache needs to be explicitly configured to load the mod_wsgi shared object file on start up. For a source build of Apache, you can add the directive in the httpd.conf file:

LoadModule wsgi_module modules/mod_wsgi.so

Different Linux distros each handle configuration in their own way. With some, you can use the a2* commands to handle Apache configuration for you e.g.

$ a2enmod wsgi

Set up for an individual mod_wsgi application

  1. A new system account and group is recommended to run the Apache mod_wsgi processes:
    $ groupadd ndgsecurity
    $ useradd -g ndgsecurity -c "NDG Security system account" ndgsecurity
    
  2. Create Python egg cache directory:
    $ mkdir /usr/local/apache2/wsgi_scripts/.ndg-security-python-eggs
    $ chown ndgsecurity:ndgsecurity /usr/local/apache2/wsgi_scripts/.ndg-security-python-eggs
    
  3. Edit the appropriate apache config file to mount the application, for example the settings for an individual virtual host or for running over HTTPS (e.g. /usr/local/apache2/conf/extra/httpd-ssl.conf)
  4. Make an entry to set up the daemon processes and mount the script (here using the hello-world example from the mod_wsgi guide; the python-eggs path must be the directory created in step 2):
    # NDG Security WSGI Set up
    WSGIDaemonProcess ndg-security processes=2 threads=15 display-name=%{GROUP} python-eggs=/usr/local/apache2/wsgi_scripts/.ndg-security-python-eggs user=ndgsecurity group=ndgsecurity
    WSGIProcessGroup ndg-security
    WSGIScriptAlias /hello /usr/local/apache2/wsgi_scripts/helloworld.wsgi
    
  5. Restart Apache2:
    $ /usr/local/apache2/bin/apachectl restart
    
  6. Test the sign-in endpoint (here the hello-world script mounted at http(s)://<fqdn>/hello) and troubleshoot by examining the appropriate error log.
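The daemon processes cannot start cleanly unless the python-eggs directory named on the WSGIDaemonProcess line actually exists and is writable by the user= account, and a mismatch between the directory created in step 2 and the path written in step 4 is an easy mistake to make. The following POSIX shell script is an added check, not part of the wiki's instructions or of ndg_security: it reads the first WSGIDaemonProcess line from an Apache configuration file and confirms that the egg cache exists, belongs to the daemon user and is not world-writable. It assumes GNU or BSD stat for the owner lookup; the directory and user names come from whatever configuration file it is given.

```shell
#!/bin/sh
# Added example: validate the egg cache named on a WSGIDaemonProcess line.
# Usage: sh check_egg_cache.sh /usr/local/apache2/conf/extra/httpd-ssl.conf

# Print the value of the key=value option $2 from the first WSGIDaemonProcess
# line in config file $1 (prints nothing if the option is absent).
daemon_option() {
    sed -n '/^[[:space:]]*WSGIDaemonProcess/{p;q;}' "$1" |
        tr -s ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 if the python-eggs directory exists, is owned by the daemon user
# and cannot be written by other users; otherwise say why and return 1.
check_egg_cache() {
    conf=$1
    dir=$(daemon_option "$conf" python-eggs)
    user=$(daemon_option "$conf" user)
    [ -n "$dir" ] || { echo "no python-eggs option on the WSGIDaemonProcess line" >&2; return 1; }
    [ -d "$dir" ] || { echo "$dir does not exist: create it and chown it to $user" >&2; return 1; }
    # GNU stat understands -c, BSD/macOS stat understands -f (assumption)
    owner=$(stat -c %U "$dir" 2>/dev/null || stat -f %Su "$dir" 2>/dev/null)
    [ "$owner" = "$user" ] || { echo "$dir is owned by '$owner', not by '$user'" >&2; return 1; }
    # the ninth character of the ls mode string is the 'other' write bit
    [ "$(ls -ld "$dir" | cut -c9)" != w ] || { echo "$dir is world-writable" >&2; return 1; }
    echo "egg cache $dir is usable by $user"
}

# Run directly against the configuration file given on the command line.
[ $# -eq 1 ] && check_egg_cache "$1"
```

Run it after step 4 and again after step 5: a non-zero exit explains which of the three conditions failed, which is usually quicker than reading the "Permission denied" traceback that mod_wsgi writes to the error log when the egg cache is unusable.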

SSL Configuration

For SuSE, configure SSL on Apache with yast2 or follow the steps in the openSUSE Apache SSL howto (Ref: http://en.opensuse.org/Apache_Howto_SSL).

Alternatively use the a2* commands. To enable the SSL module and the SSL flag:

$ a2enmod ssl
$ a2enflag SSL

The source version of Apache provides an example SSL configuration file to use as a template. It includes entries for all the required settings, which must of course be given sensible values. The remainder of these instructions focuses on this.

Obtaining a Server Certificate

A server certificate should be obtained from a CA trusted by the major browsers. A temporary self-signed certificate can be used for testing, or alternatively one obtained from a test CA. The Globus SimpleCA package can be used to set up a test CA.

Configuration File Settings

These instructions apply to the configuration layout of a source install. The configuration layouts of individual Linux distros vary.

  1. Ensure that the SSL configuration file is included in the top-level /usr/local/apache2/conf/httpd.conf file:
    # Secure (SSL/TLS) connections
    Include conf/extra/httpd-ssl.conf
    
  2. Inside the <VirtualHost> section, update the host IP, document root, server name, admin e-mail and log file paths:
    <VirtualHost <host ip>:443>
    
    #   General setup for the virtual host
    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName <fqdn>:443
    ServerAdmin <admin e-mail>
    ErrorLog "/usr/local/apache2/logs/<fqdn>-ssl_error_log"
    TransferLog "/usr/local/apache2/logs/<fqdn>-ssl_access_log"
    
  3. Set the certificate and private key file paths to the correct locations:
    SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
    
    SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"
    
  4. Add any intermediate CA certificates in the trust chain between the server certificate and the root certificate to a CA bundle file and set the directive to point to it:
    SSLCertificateChainFile "/usr/local/apache2/conf/ssl.crt/ca-bundle.crt"
    
  5. Set the directory containing the trusted root CA certificates used to verify client certificates. This directory must be populated with the PEM-encoded CA certificate files, named by their subject hash (see the c_rehash OpenSSL utility):
    SSLCACertificatePath /etc/grid-security/certificates
    
  6. Set client authentication to optional, so that it can be enforced for authentication endpoints (configured in the WSGI middleware INI file) but bypassed in all other cases. Setting it here at the virtual host level avoids a renegotiation with the client, which some clients block:
    SSLVerifyClient optional
    SSLVerifyDepth  10
    
  7. Ensure the client certificate is exposed to the WSGI middleware so that it can enforce authentication checks:
    SSLOptions +ExportCertData
    
  8. In the same file, add Directory directives for the WSGI scripts directory inside the <VirtualHost> section:
    <Directory /usr/local/apache2/wsgi_scripts>
        # Custom set-up for NDG Security SSL Client Authentication
        # middleware.  SSLVerifyClient is set to optional so that
        # the middleware can enforce this independently of the
        # directives here
        SSLVerifyClient optional
        SSLVerifyDepth  10
        SSLOptions +StdEnvVars +ExportCertData
        Order allow,deny
        Allow from all
    </Directory>
    
    # Allow access to directory for temporary eggs (this path should match
    # the python-eggs directory given to WSGIDaemonProcess)
    <Directory /usr/local/apache2/wsgi_scripts/.pythoneggs/>
        Order allow,deny
        Allow from all
    </Directory>
    
    The SSLOptions directives are required so that the SSL environment variables and the client certificate are passed through to the NDG Security WSGI SSL filters, which use them to enforce client authentication where needed and to verify the client certificate back to a trusted CA root.
  9. Restart Apache and try loading from a browser. The static content CEDA index page should be displayed.
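Before restarting Apache it is worth confirming that the four paths set in steps 3 to 5 agree with one another: the private key belongs to the certificate, the chain bundle really does lead from the server certificate to a root, and the CA directory carries the hash-named links that mod_ssl looks up. The following POSIX shell script is an added example, not part of the wiki or of ndg_security. It assumes only the openssl command-line tool, replaces c_rehash with an equivalent loop over the CA directory, and builds a throw-away root/intermediate/server PKI (constructed test data) so the checks can be exercised without a real certificate.

```shell
#!/bin/sh
# Added example: consistency checks for SSLCertificateFile,
# SSLCertificateKeyFile, SSLCertificateChainFile and SSLCACertificatePath.
# Usage: sh ssl_check.sh --demo      (runs the checks against a test PKI)

# 0 if the private key in $2 belongs to the certificate in $1, 1 if it does
# not, 2 if either file cannot be read.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Give every *.pem file in $1 a <subject_hash>.N symlink, which is what the
# SSLCACertificatePath lookup (and openssl -CApath) requires; this is the
# part of c_rehash that matters here. Files that already have a link are
# skipped, so re-running is safe.
rehash_ca_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -in "$pem" -noout -subject_hash) || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do
            [ "$(readlink "$dir/$h.$n")" = "$(basename "$pem")" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$pem")" "$dir/$h.$n" || return 1
    done
}

# 0 if certificate $1 chains, through the intermediates in bundle $2, to a
# root in the hashed directory $3. An empty bundle means the certificate
# must have been issued directly by one of the roots.
chain_verifies() {
    if [ -s "$2" ]; then
        openssl verify -CApath "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CApath "$3" "$1" >/dev/null 2>&1
    fi
}

# Run all checks on the four paths from the httpd-ssl.conf directives, given
# in the order certificate, key, chain bundle, CA directory.
check_ssl_setup() {
    key_matches_cert "$1" "$2" || { echo "private key does not match $1" >&2; return 1; }
    rehash_ca_dir "$4" || { echo "cannot hash the CA directory $4" >&2; return 1; }
    chain_verifies "$1" "$3" "$4" || { echo "$1 does not chain to a root in $4" >&2; return 1; }
    echo "certificate, key, chain bundle and CA directory are consistent"
}

# Constructed test data: a root CA, an intermediate CA, a server certificate
# issued by the intermediate, and an unrelated key, all created under $1.
make_test_pki() {
    d=$1
    mkdir -p "$d/certs" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    {
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root CA' \
            -keyout "$d/root.key" -out "$d/certs/root.pem" &&
        openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
            -keyout "$d/int.key" -out "$d/int.csr" &&
        openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/certs/root.pem" \
            -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
            -out "$d/ca-bundle.crt" &&
        openssl req -newkey rsa:2048 -nodes -subj '/CN=server.example.org' \
            -keyout "$d/server.key" -out "$d/server.csr" &&
        openssl x509 -req -days 2 -in "$d/server.csr" -CA "$d/ca-bundle.crt" \
            -CAkey "$d/int.key" -CAcreateserial -out "$d/server.crt" &&
        openssl genpkey -algorithm RSA -out "$d/other.key"
    } >/dev/null 2>&1
}

if [ "${1:-}" = --demo ]; then
    work=$(mktemp -d)
    make_test_pki "$work" || exit 1
    check_ssl_setup "$work/server.crt" "$work/server.key" "$work/ca-bundle.crt" "$work/certs"
    rm -rf "$work"
fi
```

Against a real install, call check_ssl_setup with the paths from steps 3 to 5 (server.crt, server.key, ca-bundle.crt and /etc/grid-security/certificates). The chain check with an empty bundle is the case that catches a forgotten SSLCertificateChainFile: the server certificate verifies only when the intermediate is supplied, exactly as a browser would see it.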