Here we are going to set up a web site with SSL support, so that content can be served securely over HTTPS.
- Web server FQDN: web1 ; web1.dev.local
- Content served via: HTTP and HTTPS
- Content location: /var/www/
Before you proceed you need a valid SSL certificate. You can read how to get one
here. The one setting I want to draw attention to when creating the certificate request is:
Common Name (eg, YOUR name) []:web1.dev.local
This must be the FQDN of your web server, or the name your clients will use to reach it. If you want to reach the web server as both
web1 and
web1.dev.local, you will need two certificates, one for each name. So once you have created the certificates and had them signed by the CA, here we go:
- Install apache
apt-get -y install apache2
- Rename each certificate so you end up with two pairs, one for web1 and one for web1.dev.local (the first two commands after signing the first request, the next two after signing the second, since each signing produces a fresh newreq.pem/newcert.pem):
mv newreq.pem web1-key.pem
mv newcert.pem web1-cert.pem
mv newreq.pem web1.dev.local-key.pem
mv newcert.pem web1.dev.local-cert.pem
- Copy them to the standard certificate location (/etc/ssl) and lock down the private keys so only root can read them:
cp web1-cert.pem /etc/ssl/certs
cp web1-key.pem /etc/ssl/private
cp web1.dev.local-cert.pem /etc/ssl/certs
cp web1.dev.local-key.pem /etc/ssl/private
chmod -R go= /etc/ssl/private
chown -R root:root /etc/ssl/private
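Added example, not code from the original post: after the cp/chmod/chown steps, these shell checks confirm that nothing under the private directory is readable by group or others, that each certificate really belongs to the key stored next to it, and that the certificate's CN is the name the vhost will serve. They assume the file naming used above (<name>-cert.pem under certs/, <name>-key.pem under private/) and RSA keys; SSL_DIR is a hypothetical override of /etc/ssl so the checks can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the <name>-cert.pem /
# <name>-key.pem naming from the post and RSA keys. SSL_DIR is a hypothetical
# override of /etc/ssl.

# Print every regular file under DIR that group or others can read or write.
# Empty output means DIR looks the way "chmod -R go= /etc/ssl/private" leaves
# it. Octal -perm masks are used because every find implementation takes them.
find_exposed_keys() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \)
}

# Return 0 when nothing under DIR is exposed to group or others.
private_dir_is_locked_down() {
    [ -z "$(find_exposed_keys "$1")" ]
}

# Return 0 when the public key in CERT belongs to the private key KEY.
# The RSA moduli are compared, which covers the keys the request workflow
# above produces; unreadable or non-RSA input simply fails the check.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Print the subject Common Name of CERT. Handles both the "/CN=x" and the
# "CN = x" subject layouts that different OpenSSL versions print.
cert_common_name() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Run all three checks for one site name, e.g. "check_site web1.dev.local".
check_site() {
    name=$1
    ssl_dir=${SSL_DIR:-/etc/ssl}
    cert=$ssl_dir/certs/$name-cert.pem
    key=$ssl_dir/private/$name-key.pem
    private_dir_is_locked_down "$ssl_dir/private" \
        || { echo "FAIL: group/world-accessible files under $ssl_dir/private"; return 1; }
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: $cert does not match $key"; return 1; }
    cn=$(cert_common_name "$cert")
    [ "$cn" = "$name" ] \
        || { echo "FAIL: CN of $cert is '$cn', expected '$name'"; return 1; }
    echo "OK: $name (CN matches, key matches, private dir locked down)"
}
```

Run it once per name after copying the files (check_site web1; check_site web1.dev.local). A CN mismatch here is exactly what will later show up as a browser name warning, and a key mismatch is what makes Apache refuse to start the SSL vhost, so catching both before the reload saves a round of log reading.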
- Enable ssl module:
a2enmod ssl
- Disable default web site:
a2dissite default
- Add a NameVirtualHost entry for port 443 in /etc/apache2/ports.conf:
<IfModule mod_ssl.c>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>
- Create the web1 site (file /etc/apache2/sites-available/web1):
<VirtualHost *:80>
ServerName web1.dev.local
DocumentRoot /var/www/
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName web1
DocumentRoot /var/www/
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/web1-cert.pem
SSLCertificateKeyFile /etc/ssl/private/web1-key.pem
</VirtualHost>
<VirtualHost *:443>
ServerName web1.dev.local
DocumentRoot /var/www/
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/web1.dev.local-cert.pem
SSLCertificateKeyFile /etc/ssl/private/web1.dev.local-key.pem
# Disables all protocols other than TLS v1.0 and SSL v3.0
SSLProtocol -all +TLSv1 +SSLv3
# Use only HIGH and MEDIUM security cipher suites
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
</VirtualHost>
</IfModule>
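Added example, not code from the original post: a small audit of the SSL vhosts in a site file like the one above. As written, the site file leaves SSLv3 reachable in both HTTPS vhosts: the web1 vhost has no SSLProtocol line (Apache of that generation defaults to all, which includes SSLv3), and the web1.dev.local vhost adds it explicitly with +SSLv3. SSLv3 has since been formally deprecated (RFC 7568), so this is the setting a reviewer would flag first. The script assumes one directive per line in the spelling mod_ssl documents; DEFAULT_SSLPROTOCOL is a hypothetical knob for what Apache uses when a vhost has no SSLProtocol line (all up to httpd 2.4.16, all -SSLv3 from 2.4.17 on).

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the SSL vhosts in an
# Apache site file such as /etc/apache2/sites-available/web1 (path is the
# caller's choice). DEFAULT_SSLPROTOCOL is a hypothetical knob: what mod_ssl
# assumes when a vhost has no SSLProtocol line.
DEFAULT_SSLPROTOCOL=${DEFAULT_SSLPROTOCOL:-all}

# For every <VirtualHost> block in FILE that contains "SSLEngine on", print
#   ServerName|SSLProtocol arguments|SSLCipherSuite argument
# one vhost per line; a missing directive is shown as "(default)".
ssl_vhosts() {
    awk '
        { sub("#.*", "") }                       # drop comments before matching
        /^[[:space:]]*<VirtualHost/ {
            name = "(unnamed)"; proto = "(default)"; cipher = "(default)"; ssl = 0
        }
        /^[[:space:]]*ServerName[[:space:]]/     { name = $2 }
        /^[[:space:]]*SSLEngine[[:space:]]+on/   { ssl = 1 }
        /^[[:space:]]*SSLProtocol[[:space:]]/    { $1 = ""; sub(/^[[:space:]]+/, ""); proto = $0 }
        /^[[:space:]]*SSLCipherSuite[[:space:]]/ { cipher = $2 }
        /^[[:space:]]*<\/VirtualHost>/           { if (ssl) print name "|" proto "|" cipher }
    ' "$1"
}

# Return 0 if the SSLProtocol argument string ARGS leaves SSLv3 enabled.
# mod_ssl reads the tokens left to right: "+X" adds X, "-X" removes X, and a
# bare "X" replaces the whole set with X. "all" covers SSLv3 plus every TLS
# version the linked OpenSSL supports (unless OpenSSL was built without SSLv3).
protocol_allows_sslv3() {
    args=$1
    if [ "$args" = "(default)" ]; then
        args=$DEFAULT_SSLPROTOCOL
    fi
    on=1                                  # shell false: SSLv3 currently off
    for tok in $args; do
        case $tok in
            +all|+SSLv3|all|SSLv3) on=0 ;;   # enabled (bare token also replaces the set)
            -all|-SSLv3)           on=1 ;;   # disabled
            +*|-*)                 ;;        # some other protocol added or removed
            *)                     on=1 ;;   # bare other protocol: set replaced without SSLv3
        esac
    done
    return $on
}

# Return 0 if an explicit SSLCipherSuite list never excludes the anonymous
# (unauthenticated key exchange) suites with !aNULL. An absent directive is
# not flagged because the compiled-in default differs between Apache versions.
cipher_allows_anull() {
    case $1 in
        "(default)"|*'!aNULL'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one line per finding in FILE: a vhost that still allows SSLv3, or
# one whose cipher list admits aNULL suites.
weak_ssl_vhosts() {
    ssl_vhosts "$1" | while IFS='|' read -r name proto cipher; do
        if protocol_allows_sslv3 "$proto"; then
            echo "$name: SSLv3 enabled (SSLProtocol $proto)"
        fi
        if cipher_allows_anull "$cipher"; then
            echo "$name: anonymous suites not excluded (SSLCipherSuite $cipher)"
        fi
    done
}

# Return 0 when FILE has no findings.
# Usage: site_is_hardened /etc/apache2/sites-available/web1
site_is_hardened() {
    [ -z "$(weak_ssl_vhosts "$1")" ]
}
```

On the site file above, weak_ssl_vhosts reports both HTTPS vhosts for SSLv3 and nothing for ciphers, because the cipher list does contain !aNULL. Note that in OpenSSL cipher strings a leading + only moves the matching suites to the end of the list rather than enabling them, so the +SHA1:+MD5:+HIGH:+MEDIUM tail changes ordering only; that is why the audit looks for the !aNULL exclusion and not at the + entries. Run apache2ctl configtest after editing the file and before the reload so a typo in a directive is caught without taking the site down.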
- Enable the web1 site:
a2ensite web1
- Tell Apache about the new site:
/etc/init.d/apache2 reload
You should now be able to access the site. If you use your own CA, have a look
here to get rid of the browser warning.