Wednesday, February 16, 2011

Apache with SSL

Here we are going to set up a web site with SSL support, so content can be served securely over HTTPS.
  • Web server FQDN: web1 ; web1.dev.local
  • Content served via: HTTP and HTTPS
  • Content location: /var/www/
Before you proceed you need a valid SSL certificate; you can read how to get one here. The one setting that deserves attention while creating the certificate request is the Common Name:
Common Name (eg, YOUR name) []:web1.dev.local
This must be the FQDN of your web server, or whatever name your clients will use to access it, because the browser compares it against the host in the URL and warns on a mismatch. If you want to reach the server as both web1 and web1.dev.local, you need two certificates, one per name (a single certificate that lists both names in its subjectAltName extension would also work, but that is not covered here). Once you have created the certificates and had them signed by the CA, here we go:
  1. Install apache
    apt-get -y install apache2
    
  2. Rename the certificates so you have a key/certificate pair for web1 and another for web1.dev.local:
    mv newreq.pem web1-key.pem
    mv newcert.pem web1-cert.pem
    
    mv newreq.pem web1.dev.local-key.pem
    mv newcert.pem web1.dev.local-cert.pem
    
  3. Copy them to the standard locations under /etc/ssl and lock down the private keys (Apache reads the key files as root while starting, so they need no group or world access):
    cp web1-cert.pem /etc/ssl/certs
    cp web1-key.pem /etc/ssl/private
    
    cp web1.dev.local-cert.pem /etc/ssl/certs
    cp web1.dev.local-key.pem /etc/ssl/private
    
    chmod -R go= /etc/ssl/private
    chown -R root:root /etc/ssl/private
    
  4. Enable ssl module:
    a2enmod ssl
    
  5. Disable default web site:
    a2dissite default
    
  6. Add NameVirtualHost for port 443 in /etc/apache2/ports.conf. Name-based SSL virtual hosts rely on Server Name Indication (SNI); a client that does not send it (the Debian comment below mentions MSIE on Windows XP) is always handed the first *:443 virtual host defined, together with that host's certificate:
    <IfModule mod_ssl.c>
        # Server Name Indication for SSL named virtual hosts is currently not
        # supported by MSIE on Windows XP.
        NameVirtualHost *:443
        Listen 443 
    </IfModule>
    
  7. Create the web1 web site (file /etc/apache2/sites-available/web1). Note that SSLProtocol and SSLCipherSuite apply per virtual host: the first *:443 host below sets neither, so it inherits the server-wide defaults rather than the restrictions set on the second one:
    <VirtualHost *:80>
            ServerName web1.dev.local
            DocumentRoot /var/www/
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel warn
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
            ServerName web1
            DocumentRoot /var/www/
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
            LogLevel warn
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    
            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/web1-cert.pem
            SSLCertificateKeyFile /etc/ssl/private/web1-key.pem
    </VirtualHost>
    <VirtualHost *:443>
            ServerName web1.dev.local
            DocumentRoot /var/www/
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
            LogLevel warn
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    
            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/web1.dev.local-cert.pem
            SSLCertificateKeyFile /etc/ssl/private/web1.dev.local-key.pem
    
            # Disables all protocols other than TLS v1.0 and SSL v3.0.
            # (SSLv3 is no longer considered safe; drop it as well unless
            # you must support very old clients.)
            SSLProtocol -all +TLSv1 +SSLv3
            # Use only HIGH and MEDIUM security cipher suites. The '+' entries
            # only move those suites to the end of the preference list; they
            # do not exclude anything. Only a '!' entry removes suites.
            SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    </VirtualHost>
    </IfModule>
    
  8. Enable web1 web site:
    a2ensite web1
    
  9. Reload Apache so it picks up the new site:
    /etc/init.d/apache2 reload
    
You should now be able to access the site over both HTTP and HTTPS. If you use your own CA, have a look here to get rid of the browser warning message.
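As an added example (not code from the original post), the Python script below parses a site file like the one above and reports, for each *:443 virtual host, the points a security review of this setup would raise: a host with no SSLProtocol or SSLCipherSuite of its own (it silently takes the server-wide defaults), SSLv3 or TLS 1.0/1.1 left enabled, and cipher-string '+' entries that only reorder suites instead of removing them. The two embedded configurations are constructed: a copy of the post's virtual hosts with the logging and DocumentRoot lines dropped, and a hardened counterpart for the second host. The expansion of the bare `all` keyword is an assumption (an OpenSSL built without SSLv2 and with TLS 1.2 support); adjust ALL_PROTOCOLS for your build.

```python
"""Audit per-vhost mod_ssl settings in an Apache site file (added example, not
the post's own code; assumptions are marked inline)."""
import re

# Constructed sample: the post's vhosts with logging/DocumentRoot lines dropped.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName web1.dev.local
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName web1
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/web1-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/web1-key.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName web1.dev.local
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/web1.dev.local-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/web1.dev.local-key.pem
    # Disables all protocols other than TLS v1.0 and SSL v3.0
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
</VirtualHost>
</IfModule>
"""

# Constructed hardened counterpart (assumes a mod_ssl/OpenSSL build with TLSv1.2).
HARDENED_CONF = """\
<VirtualHost *:443>
    ServerName web1.dev.local
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/web1.dev.local-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/web1.dev.local-key.pem
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
"""

# Expansion of the bare 'all' keyword (assumption: OpenSSL built without SSLv2).
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Yield (address, {directive.lower(): value}) for each <VirtualHost> block.
    A repeated directive keeps its last value, which is how Apache resolves it."""
    for m in VHOST_RE.finditer(text):
        directives = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        yield m.group(1).strip(), directives


def enabled_protocols(directive):
    """Apply SSLProtocol tokens in order: '+X' adds, '-X' removes, bare 'X' adds."""
    enabled = set()
    for tok in directive.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def cipher_findings(spec):
    """Flag cipher-string constructs that leave weak suites enabled. A '+X'
    entry only moves X to the end of the list; only '!X' removes it."""
    tokens = [t.upper() for t in spec.split(":")]
    findings = []
    if "!ANULL" not in tokens:
        findings.append("anull-allowed")
    if "!MD5" not in tokens and any(t in ("MD5", "+MD5") for t in tokens):
        findings.append("md5-allowed")
    if "!MEDIUM" not in tokens and any(t in ("MEDIUM", "+MEDIUM") for t in tokens):
        findings.append("medium-allowed")
    return findings


def audit(text):
    """Return {ServerName: [finding codes]} for every vhost with SSLEngine on."""
    report = {}
    for address, d in parse_vhosts(text):
        if d.get("sslengine", "").lower() != "on":
            continue
        findings = []
        if "sslprotocol" not in d:
            findings.append("no-sslprotocol")  # server-wide default applies
        else:
            weak = enabled_protocols(d["sslprotocol"]) & WEAK_PROTOCOLS
            findings.extend("weak-protocol:" + p for p in sorted(weak))
        if "sslciphersuite" not in d:
            findings.append("no-sslciphersuite")  # server-wide default applies
        else:
            findings.extend(cipher_findings(d["sslciphersuite"]))
        report[d.get("servername", address)] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("post's config", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for name, findings in audit(conf).items():
            print(f"  {name}: {', '.join(findings) or 'ok'}")
```

Run against the post's configuration it reports the web1 host as inheriting both defaults and the web1.dev.local host as still offering SSLv3, TLS 1.0 and MD5/MEDIUM suites; the hardened host comes back clean. To check what a live server actually offers, `openssl s_client -connect web1.dev.local:443 -servername web1.dev.local` shows the certificate and protocol negotiated for that SNI name, and repeating it with `-servername web1` confirms the other host is selected.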
