Apache Modules: mod_ssl

From Gentoo Linux Wiki


Getting Started

When installing Apache2, mod_ssl is included with the installation as long as you have the "ssl" USE flag enabled for apache. You can check whether the USE flag is enabled by running emerge -pv apache: if "ssl" is highlighted in red, you are good to go. If not, alter your USE flags in either /etc/make.conf or /etc/portage/package.use. For more information about altering your USE flags, read the appropriate section in the handbook.

SSL keys

Here you have a choice: you can either use a certificate issued by a third party such as Thawte or VeriSign (you might also want to check out TIP cacert.org SSL certificates), which is recommended for broad public internet use, or generate your own. Self-generated keys and certificates (also referred to as self-signed certificates) are generally used for development, testing or internal use. If your certificates were supplied to you, just place them in the /etc/apache2/ssl directory.

For more detailed information regarding certificate generation, take a look at an SSL Certificate with Apache+mod_ssl.

First, we generate an RSA private key, encrypted with a passphrase:

openssl genrsa -des3 -out server.key 1024

With a key created this way, Apache will ask for the passphrase at each startup. If you don't want Apache to prompt you for a passphrase every time you start or restart it, omit the "-des3" option as shown:

openssl genrsa -out server.key 1024

The next step is to create a copy of the key file with the passphrase removed:

openssl rsa -in server.key -out server.pem

Now we turn this key into a certificate signing request:

openssl req -new -key server.pem -out server.csr

And with it, we can now generate ourselves a brand new self-signed certificate valid for 365 days. Without the "-days [number]" option, the default validity is 30 days.

openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt


In /etc/apache2/vhosts.d/00_default_ssl_vhost.conf make sure the following directives point at the certificate and private key you just created (if you stripped the passphrase into server.pem, point SSLCertificateKeyFile at that file instead):

SSLCertificateFile /etc/apache2/ssl/server.crt

SSLCertificateKeyFile /etc/apache2/ssl/server.key


Warning: always remember that anyone holding the private key file can assume the identity of the bearer of the certificate. Your certificate's private key file (the .pem file) should only be readable by the root user!
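As an added example (not code from the wiki article), the following POSIX shell script runs the same genrsa / req / x509 sequence non-interactively and then checks what the warning above and the vhost configuration depend on: that the key loads without a passphrase, that it is readable only by its owner, that the certificate really carries the public half of that key, and that it is valid for the requested period. Assumptions: openssl is on PATH; the host name www.example.test and the temporary directory are constructed; it uses 2048-bit keys rather than the 1024 bits shown above.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki article: generate an Apache-ready
# self-signed certificate non-interactively and verify it before use.
# Assumptions: openssl is on PATH; file names follow the article
# (server.key, server.csr, server.crt); the host name is constructed.
set -eu

# make_self_signed_cert DIR CN DAYS
# Writes DIR/server.key (unencrypted RSA key, mode 0600), DIR/server.csr and
# DIR/server.crt (self-signed, valid for DAYS days). The body runs in a
# subshell so the restrictive umask does not leak into the caller.
make_self_signed_cert() (
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    umask 077      # key is created unreadable by group/others (article's warning)
    # Minimal request config: works without a system openssl.cnf and never prompts.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$cn" \
        > "$dir/req.cnf"
    # No -des3: the key has no passphrase, so Apache restarts unattended.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" -out "$dir/server.csr"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # Certificate and CSR are public; only the key needs to stay private.
    chmod 0644 "$dir/server.crt" "$dir/server.csr"
)

# key_is_unencrypted KEYFILE: succeeds only if the key loads with no passphrase,
# i.e. Apache will not stop at startup waiting for one.
key_is_unencrypted() {
    openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# key_is_private KEYFILE: succeeds if only the owner can read the key file.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# cert_matches_key CERT KEYFILE: succeeds if the certificate carries the public
# half of KEYFILE. Catches SSLCertificateFile and SSLCertificateKeyFile pointing
# at files from different generation runs.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# cert_valid_for CERT SECONDS: succeeds if CERT is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Stand-alone run: build a certificate for a constructed host name and report.
demo_dir=${TMPDIR:-/tmp}/mod_ssl_example.$$
make_self_signed_cert "$demo_dir" "www.example.test" 365
key_is_unencrypted "$demo_dir/server.key" && echo "key: no passphrase"
key_is_private "$demo_dir/server.key" && echo "key: mode 0600"
cert_matches_key "$demo_dir/server.crt" "$demo_dir/server.key" && echo "cert: matches key"
openssl x509 -in "$demo_dir/server.crt" -noout -subject -dates
```

The three check functions are the ones worth running on any existing installation too: a key that still carries a passphrase, a key file readable by other users, or a certificate that does not belong to the configured key are the usual reasons an SSL vhost fails to start or is served with the wrong identity.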

Automatic Redirect

After all is working, you might want to send all traffic over to https://. To do this, extend the default vhost configuration with the rewrite rules below. Write them only in the *:80 config section! (Otherwise you get redirect loops.)

File: /etc/apache2/vhosts.d/00_default_vhost.conf
<VirtualHost *:80>

 ...other stuff...

    # Redirect to SSL
        RewriteEngine On
        RewriteCond %{HTTPS} !on
        RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

edit: the above didn't work for me in apache2.x; the following solved the issue:

        RewriteEngine On
        RewriteCond %{HTTPS} !on
        RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]

Enabling mod_ssl

Now for the final step: as stated in the Apache2 install guide, to enable mod_ssl on your Apache2 server, add the "-D SSL -D SSL_DEFAULT_VHOST" options to the APACHE2_OPTS statement in /etc/conf.d/apache2.

Then run /etc/init.d/apache2 restart and check that everything is working.

Important Note about SSL enabled VirtualHosts

While port 80 can host a practically unlimited number of VirtualHosts, for SSL-enabled VirtualHosts to work properly each must live on a separate IP/port combination. Although you can have more than one VirtualHost per SSL-enabled port, the certificate used will be the one from the first SSL configuration directive; the browser will then warn about a mismatched, or possibly malicious, host when you access any non-default VirtualHost on that port.

Why can't I use SSL with name-based/non-IP-based virtual hosts?

Why isn't it possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

Problems of course start to occur when using non-standard HTTP and HTTPS ports. (There are only two standard ports, so they run out fast when you add your first SSL-enabled VirtualHost.)

  1. Trying to remember the port number is the easiest example.
  2. Search engine mojo gets lost, as most search engines interpret a different port as a different host. (As they should, but it's annoying.)

Note: SSL-enabled name-based virtual hosting is possible with SNI. Read HOWTO SSL Enabled, Name Based Virtual Hosts with Apache for more information.

Changing the port SSL runs on


To change the port SSL runs on, edit /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf as follows (the example assumes you want SSL to run on port 72):


1) After "<IfModule mod_ssl.c>" and before "<VirtualHost _default_:443>", add a new line reading "Listen 72"

2) Change "<VirtualHost _default_:443>" to be <VirtualHost _default_:72>


Two other notable problems I ran into that were not covered above:

1) If you get a permission denied error, you may need to add the following under the <VirtualHost _default_:72> tag on a new line: "Include /etc/apache2/vhosts.d/default_vhost.include"

2) There seems to be a default SSL server running, whose configuration file is defined in "/etc/apache2/vhosts.d/00_default_ssl_vhost.conf". I commented out the "Listen" line in this configuration file to prevent conflicts.
