Configure Apache To Use Https

Home > Articles

␡

For all those who want to test their website on localhost using the secure HTTP protocol, here is how you can configure apache for testing purpose. I did this on Mac OSX 10.6 using apache 2.2 Guidelines provided at apple are for older version. We'll use them to generate the certificate and then configure apache for newer version. If you don't specify a configuration file with -f or -n, Apache will use the file name compiled into the server, such as confhttpd.conf. This built-in path is relative to the installation directory. You can verify the compiled file name from a value labelled as SERVERCONFIGFILE when invoking Apache with the. Once your Apache HTTP Web Server is ready, Use the following instructions to setting up the Apache HTTPS (SSL) Web Server on RHEL7 / CentOS7. Install the SSL Module. Install the appropriate package ' modssl ' using yum to avoid dependencies issue. You can also run Apache via the shortcut Start Apache in Console placed to Start Menu - Programs - Apache HTTP Server 2.4.xx - Control Apache Server during the installation. This will open a console window and start Apache inside it.

SSL Configuration

< BackPage 5 of 12Next >

This chapter is from the book 

Sams Teach Yourself Apache 2 in 24 Hours

This chapter is from the book

This chapter is from the book 

SSL Configuration

How to install binding of isaac mods (for mac). The previous sections introduced the (not-so-basic) concepts behind SSL and you have learned how to generate keys and certificates. Now, finally, you can configure Apache to support SSL. mod_ssl must either be compiled statically or, if you have compiled as a loadable module, the appropriate LoadModule directive must be present in the file.

If you compiled Apache yourself, a new Apache configuration file, named ssl.conf, should be present in the conf/ directory. That file contains a sample Apache SSL configuration and is referenced from the main httpd.conf file via an Include directive.

If you want to start your configuration from scratch, you can add the following configuration snippet to your Apache configuration file:

With the previous configuration, you set up a new virtual host that will listen to port 443 (the default port for HTTPS) and you enable SSL on that virtual host with the SSLEngine directive.

You need to indicate where to find the server's certificate and the file containing the associated key. You do so by using SSLCertificateFile and SSLCertificateKeyfile directives.

Starting the Server

Now you can stop the server if it is running, and start it again. If your key is protected by a pass phrase, you will be prompted for it. After this, Apache will start and you should be able to connect securely to it via the https://http://www.example.com/ URL.

If you compiled and installed Apache yourself, in many of the vendor configuration files, you can see that the SSL directives are surrounded by an <IfDefine SSL> block. That allows for conditional starting of the server in SSL mode. If you start the httpd server binary directly, you can pass it the -DSSL flag at startup. You can also use the apachectl script by issuing the apachectl startssl command. Finally, if you always want to start Apache with SSL support, you can just remove the <ifDefine> section and start Apache in the usual way.

If you are unable to successfully start your server, check the Apache error log for clues about what might have gone wrong. For example, if you cannot bind to the port, make sure that another Apache is not running already. You must have administrator privileges to bind to port 443; otherwise, you can change the port to 8443 and access the URL via https://http://www.example.com:8443.

Configuration Directives

mod_ssl provides comprehensive technical reference documentation. This information will not be reproduced here; rather, I will explain what is possible and which configuration directives you need to use. You can then refer to the online SSL documentation bundled with Apache for the specific syntax or options.

Algorithms

You can control which ciphers and protocols are used via the SSLCipherSuite and SSLProtocol commands. For example, you can configure the server to use only strong encryption with the following configuration:

See the Apache documentation for a detailed description of all available ciphers and protocols.

Client Certificates

Similarly to how clients can verify the identity of servers using server certificates, servers can verify the identity of clients by requiring a client certificate and making sure that it is valid.

SSLCACertificateFile and SSLCACertificatePath are two Apache directives used to specify trusted Certificate Authorities. Only clients presenting certificates signed by these CAs will be allowed access to the server.

Configure Apache Server On Mac

The SSLCACertificateFile directive takes a file containing a list of CAs as an argument. Alternatively, you could use the SSLCACertificatePath directive to specify a directory containing trusted CA files. Those files must have a specific format, described in the documentation. SSLVerifyClient enables or disables client certificate verification. SSLVerifyDepth controls the number of delegation levels allowed for a client certificate. The SSLCARevocationFile and SSLCARevocationPath directives enable you to specify certificate revocation lists to invalidate certificates.

Performance

SSL is a protocol that requires intensive calculations. mod_ssl and OpenSSL allow several ways to speed up the protocol by caching some of the information about the connection. You can cache certain settings using the SSLSessionCache and SSLSessionCacheTimeout directives. There is also built-in support for specialized cryptographic hardware that will perform the CPU-intensive computations and offload the main processor. The SSLMutex directive enables you to control the internal locking mechanism of the SSL engine. The SSLRandomSeed directive enables you to specify the mechanism to seed the random-number generator required for certain operations. The settings of both directives can have an impact on performance.

Logging

mod_ssl hooks into Apache's logging system and provides support for logging any SSL-related aspect of the request, ranging from the protocol used to the information contained in specific elements of a client certificate. This information can also be passed to CGI scripts via environment variables by using the StdEnvVars argument to the Options directive. You can get a listing of the available SSL variables at http://httpd.apache.org/docs-2.0/ssl/ssl_compat.html.

The `SSLOptions` Directive

Many of these options can be applied in a per-directory or per-location basis. The SSL parameters might be renegotiated for those URLs. This can be controlled via the SSLOptions directive.

The SSLPassPhraseDialog directive can be used to avoid having to enter a pass phrase at startup by designating an external program that will be invoked to provide it.

Access Control

The SSLRequireSSL directive enables you to force clients to access the server using SSL. The SSLRequire directive enables you to specify a set of rules that have to be met before the client is allowed access. SSLRequire syntax can be very complex, but itallows an incredible amount of flexibility. Listing 17.1 shows a sample configuration from the mod_ssl documentation that restricts access based on the client certificate and the network the request came from. Access will be granted if one of the following is met:

The SSL connection does not use an export (weak) cipher or a NULL cipher, the certificate has been issued by a particular CA and for a particular group, and the access takes place during workdays (Monday to Friday) and working hours (8:00 a.m. to 8:00 p.m.).
The client comes from an internal, trusted network.

You can check the documentation for SSLRequire for a complete syntax reference.

Listing 17.1 `SSLRequire` Example

Reverse Proxy with SSL

Although at the time this book was written the SSL reverse proxy functionality was not included in mod_ssl for Apache 2.0, it is likely to be included in the future. That functionality enables you to encrypt the reverse proxy connection to backend servers and to perform client and server certificate authentication on that connection. The related directives are SSLProxyMachineCertificatePath, SSLProxyMachineCertificateFile, SSLProxyVerify, SSLProxyVerifyDepth, SSLProxyCACertificatePath, SSLProxyEngine, and SSLProxyCACertificateFile. Their syntax is similar to their regular counterparts. You can find more information about the Apache reverse proxy in Hour 15.

About the TLS Extension Server Name Indication (SNI)

When website administrators and IT personnel are restricted to use a single SSL Certificate per socket (combination of IP Address and socket) it can cost a lot of money. This restriction causes them to buy multiple IP addresses for regular https websites from their domain host or buy hardware that allows them to utilize multiple network adapters.

However, with Apache v2.2.12 and OpenSSL v0.9.8j and later you can use a transport layer security (TLS) called SNI. SNI can secure multiple Apache sites using a single SSL Certificate and use multiple SSL Certificates to secure various websites on a single domain (e.g. www.yourdomain.com, site2.yourdomain.com) or across multiple domains (www.domain1.com, www.domain2.com)—all from a single IP address. The benefits of using SNI are obvious—you can secure more websites without purchasing more IP addresses or additional hardware.

Since this is a fairly recent update with Apache, browsers are only recently supporting SNI. Most current major desktop and mobile browsers support SNI. One notable exception is that no versions of Internet Explorer on Windows XP support SNI. For more information on which browsers support SNI, please see SNI browser support.

To use SNI on Apache, please make sure you complete the instructions on the Apache SSL installation page. Then continue with the steps on this page.

Setting up SNI with Apache

To use additional SSL Certificates on your server you need to create another Virtual Host. As a best practice, we recommend making a backup of your existing .conf file before proceeding. You can create a new Virtual Host in your existing .conf file or you can create a new .conf file for the new Virtual Host. Renault magnum 480 manual. If you create a new .conf file, add the following line to your existing .conf file:

Next, in the NameVirtualHost directive list your server's public IP address, *:443, or other port you're using for SSL (see example below).

Then point the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the locations of the certificate files for each website as shown below:

If you have a Wildcard or Multi-Domain SSL Certificate all of the websites using the same certificate need to reference the same IP address in the VirtualHost IP address:443 section like in the example below:

Now restart Apache and access the https site from a browser that supports SNI. If you set it up correctly, you will access the site without any warnings or problems. You can add as many websites or SSL Certificates as you need using the above process.

Apache SSL Certificates, Guides, & Tutorials