SSL in Apache

Internet
Author: Vinh Nguyen
Published: December 22, 2010

I recently tested setting up SSL for my web server. I will outline how I set this up using a self-signed certificate. Some useful references are this, this, this, and this.

I assume Apache is up and running and OpenSSL is installed.

Set up SSL certificates:

sudo a2enmod ssl
cd /etc/apache2
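sudo openssl genrsa -des3 -out server.key 1024 ## leave out -des3 so I don't have to enter passphrase every time
## 1024-bit RSA is too short by current standards (recent OpenSSL defaults can reject it); use 2048 or more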
sudo openssl req -new -key server.key -out server.csr
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/

Now, place the following in the site configuration file (in /etc/apache2/sites-enabled/) before the closing </VirtualHost> tag:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

For example, I changed my /etc/apache2/sites-available/www.mydomain.com from

# Basic setup
ServerAdmin my.email@my.domain.com
ServerName www.mydomain.com
DocumentRoot /home/user/www.mydomain.com/htdocs/


# HTML documents, with indexing.

Options +Includes


# CGI Handling
ScriptAlias /cgi-bin/ /home/user/www.mydomain.com/cgi-bin/

Options +ExecCGI


# Logfiles
ErrorLog /home/user/www.mydomain.com/logs/error.log
CustomLog /home/user/www.mydomain.com/logs/access.log combined

to

## following 2 for ssl
NameVirtualHost *:443
NameVirtualHost *:80


# Basic setup
ServerAdmin my.email@my.domain.com
ServerName www.mydomain.com
DocumentRoot /home/user/www.mydomain.com/htdocs/


# HTML documents, with indexing.

Options +Includes


# CGI Handling
ScriptAlias /cgi-bin/ /home/user/www.mydomain.com/cgi-bin/

Options +ExecCGI


# Logfiles
ErrorLog /home/user/www.mydomain.com/logs/error.log
CustomLog /home/user/www.mydomain.com/logs/access.log combined





# Basic setup
ServerAdmin my.email@my.domain.com
ServerName www.mydomain.com
DocumentRoot /home/user/www.mydomain.com/htdocs/


# HTML documents, with indexing.

Options +Includes


# CGI Handling
ScriptAlias /cgi-bin/ /home/user/www.mydomain.com/cgi-bin/

Options +ExecCGI


# Logfiles
ErrorLog /home/user/www.mydomain.com/logs/error.log
CustomLog /home/user/www.mydomain.com/logs/access.log combined

# Authentication

ScriptAlias /cgi-bin/ /home/user/www.mydomain.com/cgi-bin/

Options +ExecCGI


# Logfiles
ErrorLog /home/user/www.mydomain.com/logs/error.log
CustomLog /home/user/www.mydomain.com/logs/access.log combined

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Now I can use either http or https when accessing my site.

I run multiple sites on the same server. I wanted to use SSL on one or all of these sites, but that is not possible without having a static IP for each site. The reason is the HTTP header is encrypted, so Apache doesn't know which site to take you to. See this and this for explanations.
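An added example, not code from the original post: a small Python check that parses <VirtualHost> blocks and reports a port-443 host without SSLEngine on, an SSL host with no SSLCertificateFile, and several SSL sites sharing one address (the situation in the last paragraph). The sample configuration is constructed, and www.other.example, parse_vhosts and audit are names chosen for this example.

```python
import re

# Constructed sample: the page's port-80/443 pair plus a hypothetical second HTTPS site.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.mydomain.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.mydomain.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
<VirtualHost *:443>
    ServerName www.other.example
    SSLEngine on
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: its address and directives."""
    vhosts, current = [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhosts.append(current := {"addr": opened.group(1).strip(), "directives": {}})
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and line and line[0] not in "#<":
            # Directives in nested sections are folded into the enclosing vhost.
            name, *rest = line.split(None, 1)
            current["directives"][name.lower()] = rest[0] if rest else ""
    return vhosts

def audit(conf):
    """Return findings about the SSL setup of each virtual host."""
    findings, ssl_sites = [], {}
    for vh in parse_vhosts(conf):
        d, addr = vh["directives"], vh["addr"]
        name = d.get("servername", "(no ServerName)")
        ssl_on = d.get("sslengine", "").lower() == "on"
        if addr.endswith(":443") and not ssl_on:
            findings.append(f"{name} [{addr}]: port 443 without SSLEngine on")
        if ssl_on and "sslcertificatefile" not in d:
            findings.append(f"{name} [{addr}]: SSLEngine on but no SSLCertificateFile")
        if ssl_on:
            ssl_sites.setdefault(addr, set()).add(name)
    findings += [f"{addr}: SSL sites {sorted(n)} share one address"
                 for addr, n in ssl_sites.items() if len(n) > 1]
    return findings
```

Calling audit(SAMPLE_CONF) returns two findings, both caused by the constructed second site; the page's own pair of virtual hosts produces none.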