The SSL kernel proxy can improve the speed of SSL packet processing on an Apache 2.2 web server. This procedure implements the simple scenario that is illustrated in Figure 3–1.
Before You Begin
You have configured an Apache 2.2 web server. This web server is included in Oracle Solaris.
You must assume the root role.
# svcadm disable svc:/network/http:apache22
If only the SSLCertificateFile parameter is specified in the ssl.conf file, then the specified file can be used directly for the SSL kernel proxy.
If the SSLCertificateKeyFile parameter is also specified, then you must combine the certificate file and the private key file. Run a command similar to the following to combine the files:
# cat cert.pem key.pem > cert-and-key.pem
See the ksslcfg(1M) man page for the full list of options. The parameters that you must supply follow:
password-file – Used with the –p option to obtain the password used to encrypt the private key for the pem or pkcs12 key-format options. For pkcs11, the password is used to authenticate to the PKCS #11 token. You must protect the password file with 0400 permissions. This file is required for unattended reboots.
proxy-port – Used with the –x option to set the SSL proxy port. You must specify a different port from the standard port 80. The web server listens on the SSL proxy port for unencrypted plaintext traffic. Typically, the value is 8443.
ssl-port – Specifies the listening port for the SSL kernel proxy. Typically, the value is 443.
Specify the SSL proxy port and associated parameters by using one of the following formats:
# ksslcfg create -f key-format -i key-and-certificate-file \ -p password-file -x proxy-port ssl-port
# ksslcfg create -f pkcs11 -T PKCS11-token -C certificate-label \ -p password-file -x proxy-port ssl-port
# svcs svc:/network/ssl/proxy STATE STIME FMRI online 02:22:22 svc:/network/ssl/proxy:default
The following output indicates that the service instance was not created:
svcs: Pattern 'svc:/network/ssl/proxy' doesn't match any instances STATE STIME FMRI
Edit the /etc/apache2/2.2/http.conf file and add a line to define the SSL proxy port. If you use the server's IP address, then the web server listens on that interface only. The line is similar to the following:
The web server service can start only after the SSL kernel proxy instance is started. The following commands establish that dependency:
# svccfg -s svc:/network/http:apache22 svc:/network/http:apache22> addpg kssl dependency ...apache22> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443 ...apache22> setprop kssl/grouping = astring: require_all ...apache22> setprop kssl/restart_on = astring: refresh ...apache22> setprop kssl/type = astring: service ...apache22> end
# svcadm enable svc:/network/http:apache22