LinuxQuestions.org > Linux - Software > Apache SSL
https://www.linuxquestions.org/questions/linux-software-2/apache-ssl-523886/

depam 01-29-2007 06:24 PM

Apache SSL
 
Hi!

Can someone teach me how to configure Apache to use HTTPS instead of the usual HTTP, for more secure web content? Our mail server is accessed via the web using SquirrelMail. Now I want to secure it by using HTTPS. Is that possible in Apache?

gilead 01-29-2007 08:32 PM

Yes it is possible, I did the same thing here a while back. A good place to start is at http://httpd.apache.org/docs/2.0/ssl/ - also have a look on this site at http://www.linuxquestions.org/linux/...ache_SSL_Howto

depam 01-30-2007 05:23 PM

Thanks. I'll give it a try.

depam 01-30-2007 06:41 PM

HI!

I've followed the link but can't find the "Include" in httpd.conf. I have CentOS 4 running, on which I installed mod_ssl. But I don't know where to start.

gilead 01-30-2007 07:47 PM

The ssl.conf file wasn't always separate from the httpd.conf file. It may be that on your system, the contents of the ssl.conf file are in the httpd.conf file. Do you have the SSLEngine directive anywhere in your httpd.conf file?

depam 01-30-2007 08:03 PM

Where do I find the SSLEngine directive? All I know is that I have Apache and mod_ssl installed and I just need to reconfigure it for the clients to use https instead of http.

gilead 01-30-2007 08:57 PM

Are you using Apache 2.0.x? If so, httpd.conf is usually either under /usr/local/apache2/conf or /etc/apache (or /etc/http). Those last 2 are guesses, so it may be slightly different. It's also worth checking again for ssl.conf in that directory as well as the Include directive in httpd.conf.

depam 01-30-2007 10:53 PM

On the localhost, I tried opening on the web browser: https://mywebsite and it says certificate is not valid. And when I try it on a different machine, it couldn't connect. Any help?

twantrd 01-31-2007 03:17 AM

Quote:

On the localhost, I tried opening on the web browser: https://mywebsite and it says certificate is not valid.
Certificate not valid? Looks like you didn't set up the keys and certs correctly or you're incorrectly pointing them in your ssl.conf file.

Quote:

And when I try it on a different machine, it couldn't connect. Any help?
If you can access port 443 locally but not from another machine then the problem is your firewall. Are you running iptables? If so, allow port 443 to be accessible or turn iptables off.

-twantrd

depam 01-31-2007 04:23 AM

Since the how-to you posted seems to be Slackware-specific, I followed this link:

http://www.vanemery.com/Linux/Apache/apache-SSL.html

I pointed all keys in ssl.conf. ssl.conf is located at /etc/httpd/conf.d. I noticed that httpd.conf already has an Include for conf.d, so I didn't bother adding it. Are there other configurations that I need to tweak in httpd.conf? I also saw that ssl.conf has a DocumentRoot option, which I pointed at my website. But still unsuccessful. I think the firewall doesn't have anything to do with this because I am just accessing the website within our network and not on the internet. Hope you can help me out or at least provide me a step-by-step guide on building one. I am using CentOS with Apache preinstalled and mod_ssl. Thanks.

twantrd 02-05-2007 12:58 PM

There is nothing much to set up in httpd.conf if you have an Include statement to tell Apache to also look for ssl.conf. ssl.conf then becomes the main config for SSL. Paste your ssl.conf for us to see.

I haven't encountered this error before when I set up Apache+SSL. What do the logs say? Anything of interest?

-twantrd

depam 02-27-2007 07:52 AM

twantrd,

Thanks for your assistance on this. I was able to build my own certificate and was able to use https. Another question: is it possible to add some virtual hosts in SSL? I mean, I was able to set up a virtual host for one of my websites. To test this, I added a www.company1.com entry in my hosts file and configured ssl.conf to point the DocumentRoot to website1, which I built. I want to add another website for which I also manage the DNS entries, pointing to my IP. Do you think it is possible? What are the things that I need to do? Should I add an ssl2.conf in /etc/httpd/conf.d? Where am I going to add that additional VirtualHost directive? Thanks.

twantrd 02-27-2007 06:08 PM

If you wanted to set up another Vhost, there is no need to include/setup another conf file. It's just like httpd.conf. When you set up more virtual hosts, you don't need another conf file right? You just put them all in httpd.conf. Well, the same goes for ssl.conf. Add the other virtual hosts in ssl.conf. The syntax is the same except that the port number is 443 instead of 80, that's all. Give it a shot and always look at the error logs to see what's wrong. Good luck.

-twantrd

depam 02-28-2007 11:19 PM

I can't seem to make it work. I already added the second website as a virtual host, but when I point the browser at company2.com, company1.com still shows up. I think the first DocumentRoot configured in the VirtualHost is being followed here.

twantrd 03-01-2007 01:02 AM

Did you specify a DocumentRoot for your 2nd vhost? Post your config for us to see.

-twantrd

depam 03-01-2007 07:08 PM

twantrd,

I have successfully configured the VirtualHosts. Now, when I type in www.company1.com in my browser I get to see www.company1.com's DocumentRoot, and the same happens for www.company2.com. My problem now is that it seems the two websites still share the same certificate. How can I configure the server to use different certs for each site? Here's my ssl.conf. Hope you can tell me if this is secure enough. I also notice that https is really slow compared to traditional http. Maybe because of the encryption, which makes it really slow. I also heard from Steve Gibson that it is possible to generate a certificate for each client, to be installed in his browser, just for him to access the site. Have you tried this before, and how were you able to do this? Thanks and hope you can help me out.


# Load mod_ssl and open the HTTPS port; plain HTTP stays on port 80 in httpd.conf.
LoadModule ssl_module modules/mod_ssl.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Prompt on the console at startup if the private key is passphrase-protected.
SSLPassPhraseDialog builtin

# Shared session cache so returning clients can resume instead of doing a full handshake.
SSLSessionCache dbm:/var/cache/mod_ssl/scache
SSLSessionCacheTimeout 300

SSLMutex file:logs/ssl_mutex

# PRNG seeding. "builtin" is always available but weak; the /dev/urandom lines
# below are the stronger choice on Linux (/dev/random can block at startup).
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

# Two name-based vhosts on the same address:port. Without SNI, mod_ssl cannot
# tell them apart before the handshake, so the first vhost's certificate is
# presented for both names.
NameVirtualHost *:443
<VirtualHost *:443>

DocumentRoot "/var/www/company1"
ServerName www.company1.com
ServerAdmin admin@company1.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

SSLEngine on

# OpenSSL cipher string: "!" is the only operator that removes a class for good,
# "+" merely moves matching ciphers to the end of the list, so the LOW, 40-bit
# EXP and SSLv2 ciphers pulled in by ALL remain enabled here.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Certificate and its matching private key for this vhost (keep the key root-only, mode 0600).
SSLCertificateFile /etc/httpd/conf/ssl.crt/honda.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/honda.key

# Export the SSL_* environment variables only to scripts that need them (they cost per request).
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

# Per-request log of the protocol and cipher actually negotiated.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost *:443>

DocumentRoot "/var/www/company2"
ServerName www.company2.com
ServerAdmin admin@company2.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLEngine on
# Same cipher string as above, same caveat about LOW/EXP/SSLv2 staying enabled.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/iadi.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/iadi.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

# Workaround for SSL bugs in old MSIE versions (no keepalive, unclean shutdown).
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
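A quick way to answer "is this secure enough" for a posted ssl.conf is to lint it. The Python below is an added example, not code from this thread or from the Apache project: it parses the VirtualHost blocks, flags cipher-string tokens that leave weak classes enabled (in OpenSSL's cipher syntax only "!" removes a class for good, "+" only reorders and "-" can be undone by a later token), reports a missing SSLProtocol (mod_ssl's default of "all" on Apache 2.0 included SSLv2), and spots several name-based vhosts on one address with different certificates, which is the arrangement that cannot work without SNI. Both configs in the block are constructed here: the first is the posted ssl.conf cut down to the directives the checks examine, the second a hardened variant using the hypothetical addresses 192.0.2.10 and 192.0.2.11 so that each certificate has its own IP:port.

```python
import re

# Constructed sample, not read from any server: the posted two-vhost ssl.conf
# reduced to the directives the checks below look at.
SAMPLE_SSL_CONF = """
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
  ServerName www.company1.com
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/httpd/conf/ssl.crt/honda.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/honda.key
</VirtualHost>
<VirtualHost *:443>
  ServerName www.company2.com
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/httpd/conf/ssl.crt/iadi.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/iadi.key
</VirtualHost>
"""

# Constructed hardened variant (hypothetical addresses 192.0.2.10/.11): one
# IP:port per certificate, explicit protocol list, weak classes negated with '!'.
HARDENED_SSL_CONF = """
Listen 192.0.2.10:443
Listen 192.0.2.11:443
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4:!MD5
<VirtualHost 192.0.2.10:443>
  ServerName www.company1.com
  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/ssl.crt/honda.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/honda.key
</VirtualHost>
<VirtualHost 192.0.2.11:443>
  ServerName www.company2.com
  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/ssl.crt/iadi.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/iadi.key
</VirtualHost>
"""

WEAK_CLASSES = {"eNULL", "aNULL", "ADH", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                "LOW", "SSLv2", "RC4", "DES", "MD5"}
ALL_PULLS_IN = ["LOW", "EXP", "SSLv2", "RC4", "aNULL"]  # ALL itself excludes eNULL
ALIAS = {"ADH": "aNULL"}  # '!ADH' covers the anonymous-DH half of aNULL


def parse_vhosts(text):
    """Split an Apache config into (global directives, list of vhost dicts)."""
    global_dirs, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = {"address": m.group(1).strip(), "directives": []}
            continue
        if line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        entry = (parts[0], parts[1].strip('"') if len(parts) > 1 else "")
        (global_dirs if current is None else current["directives"]).append(entry)
    return global_dirs, vhosts


def get(directives, name):
    """First value of a directive, matched case-insensitively like httpd does."""
    for key, value in directives:
        if key.lower() == name.lower():
            return value
    return None


def weak_cipher_tokens(spec):
    """Tokens of an OpenSSL cipher string that name weak classes without '!',
    plus the weak classes that an un-negated 'ALL' base still pulls in."""
    tokens = spec.split(":")
    negated = {ALIAS.get(t[1:], t[1:]) for t in tokens if t.startswith("!")}
    weak = [t for t in tokens if not t.startswith("!")
            and any(p in WEAK_CLASSES for p in t.lstrip("+-").split("+"))]  # 'RC4+RSA' = RC4 AND RSA
    if "ALL" in tokens:
        weak += ["ALL->" + c for c in ALL_PULLS_IN if c not in negated]
    return weak


def lint(text):
    """Return a list of human-readable findings for an ssl.conf-style config."""
    findings = []
    global_dirs, vhosts = parse_vhosts(text)
    if not any(k.lower() == "listen" and v.endswith("443") for k, v in global_dirs):
        findings.append("global: no 'Listen ...443', nothing accepts HTTPS")
    by_addr = {}
    for vh in vhosts:
        d = vh["directives"]
        name = get(d, "ServerName") or vh["address"]
        if (get(d, "SSLEngine") or "").lower() != "on":
            findings.append(f"{name}: SSLEngine is not 'on'")
        for req in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if not get(d, req):
                findings.append(f"{name}: missing {req}")
        spec = get(d, "SSLCipherSuite") or get(global_dirs, "SSLCipherSuite")
        weak = weak_cipher_tokens(spec) if spec else []
        if weak:
            findings.append(f"{name}: weak cipher tokens {weak}")
        if not (get(d, "SSLProtocol") or get(global_dirs, "SSLProtocol")):
            findings.append(f"{name}: SSLProtocol unset (old mod_ssl default 'all' includes SSLv2)")
        by_addr.setdefault(vh["address"], []).append(get(d, "SSLCertificateFile"))
    for addr, certs in by_addr.items():
        if len(certs) > 1 and len({c for c in certs if c}) > 1:
            findings.append(f"{addr}: {len(certs)} name-based vhosts with different certificates "
                            "on one address; without SNI every client gets the first vhost's cert")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        print(label, lint(conf) or "no findings")
```

Run against the posted config it reports the weak cipher tokens for both vhosts, the unset SSLProtocol, and the two-certificates-on-one-address problem that the thread goes on to hit; the hardened variant produces no findings. The cipher check is deliberately conservative (it reports any weak class named without "!", even one like "+eNULL" that ALL already excludes), and "-SSLv3" in the hardened sample is the floor, not the ceiling: a current deployment would restrict to TLS 1.2 or later.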

twantrd 03-02-2007 12:06 PM

I believe you'll need a separate IP address per SSL cert. Therefore, you need to start binding some alias IPs and declare those IPs in your vhosts. Give that a shot.

Reading some docs on the web, it appears that you need to do this because SSL negotiation happens before the actual HTTP request and so the hostname is not available during SSL negotiation.

-twantrd

