LinuxQuestions.org
Old 03-26-2007, 05:16 PM   #1
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Rep: Reputation: 31
Apache SSL how-to??


I've been scouring the net trying to find a good tutorial on how to get Apache rolling with SSL. Apache is installed properly WITH mod_SSL but this is about as far as I can go. The whole CA, .CRT, .key thing is a little overwhelming to someone who has never used this stuff before. All I want to do is secure a particular part of my website (not with passwords but with SSL). For example, I don't want to secure the entire www.website.com. I only want to secure www.website.com/dir (that particular directory and all its subs).

I would have thought it would be easy to do this but nothing is ever easy with Apache. You'd think they would have a tutorial on their site but they don't... Any help or links would be appreciated...
 
Old 03-26-2007, 07:50 PM   #2
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269Reputation: 269Reputation: 269
That's how it works, SSL will be enabled on the domain you specify. It can't just specify a sub-directory. You can use SSL or HTTPS just for the directory after the domain, perhaps set up a mod-rewrite rule if you want to force yourself or users to use HTTPS on it once you set up the SSL certificate for your domain.
 
Old 03-26-2007, 08:03 PM   #3
Alfar
LQ Newbie
 
Registered: Dec 2006
Posts: 15

Rep: Reputation: 0
Here is a configuration file you can follow as an initial setup

I am a bit new to this myself but hope this can help. You need to generate a key in /etc/apache2; on Debian you just run apache2-ssl-certificate.

Then an example is as follows,

Listen 80
Listen 443

NameVirtualHost 192.168.1.1:80


#ensures connections over port 80 are forwarded to the ssl site
<VirtualHost www.site.com:80>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
DocumentRoot /usr/share/squirrelmail
ServerName www.site.com
ServerAlias alias.com
ErrorLog /var/log/apache2/web_mail80_error.log
TransferLog /var/log/apache2/web_mail80_access.log
ServerAdmin postmaster@site.com
</VirtualHost>

#load the ssl certificate you generated
SSLCertificateFile /etc/apache2/ssl/apache.pem

NameVirtualHost 192.168.1.1:443

#the secure site
<VirtualHost www.site.com:443>
SSLEngine On
DocumentRoot /usr/share/squirrelmail
ServerName www.site.com
ServerAlias alias.com
ErrorLog /var/log/apache2/web_mail_error.log
TransferLog /var/log/apache2/web_mail_access.log
ServerAdmin postmaster@site.com
</VirtualHost>

I will find out about how to secure particular directories because I need to know this myself soon. I will post here what I find.

Most likely you need to put SSLEngine On inside a <Directory> stanza.

Hope this helps
Regards
Alfar
 
Old 03-26-2007, 08:14 PM   #4
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by trickykid
That's how it works, SSL will be enabled on the domain you specify. It can't just specify a sub-directory. You can use SSL or HTTPS just for the directory after the domain, perhaps set up a mod-rewrite rule if you want to force yourself or users to use HTTPS on it once you set up the SSL certificate for your domain.
Ok, so even though SSL will be set up on www.mysite.com, I can restrict the use of https on that particular directory. I can live with that. :-) I'll check into the mod-rewrite rules.

Alfar:

Looks as if you are doing the EXACT same thing I am. I am wanting to secure the squirrel mail directory too! :-) I have figured out I need keys but then I guess I also need certificates, and then I need a CA (which I can be one) that has to sign the certificate... *sigh* Man, SSL is a pain in the rear to set up.

I will give your setup a try and for now, go ahead and secure the entire document root. I'll take a look myself (as well with you) in finding out how to secure one particular directory...
 
Old 03-26-2007, 08:37 PM   #5
Alfar
LQ Newbie
 
Registered: Dec 2006
Posts: 15

Rep: Reputation: 0
Yes, I didn't want my squirrelmail users to transmit their passwords in clear text. If this is what you're trying to do, then I suggest you go ahead and encrypt a whole site. Create a DNS entry for your server, something like mail.site.com instead of www. This would be easy to remember.

I assume you would not have the key certified by a CA (because at least for the UK it's around £500 per site with VeriSign). If that is so, then a problem might arise with viewing the site in IE. Basically an annoying page pops up saying that the key cannot be verified. They have to click on "Continue not recommended" every time, and most people naturally panic when something is red and not recommended. In Firefox all you have to do is click on accept certificate permanently. I don't know why Microsoft is so paranoid about certificates where it is not bothered about so many other problems with security and their products.
 
Old 03-30-2007, 10:47 AM   #6
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by Alfar
Yes, I didn't want my squirrelmail users to transmit their passwords in clear text. If this is what you're trying to do, then I suggest you go ahead and encrypt a whole site. Create a DNS entry for your server, something like mail.site.com instead of www. This would be easy to remember.

I assume you would not have the key certified by a CA (because at least for the UK it's around £500 per site with VeriSign). If that is so, then a problem might arise with viewing the site in IE. Basically an annoying page pops up saying that the key cannot be verified. They have to click on "Continue not recommended" every time, and most people naturally panic when something is red and not recommended. In Firefox all you have to do is click on accept certificate permanently. I don't know why Microsoft is so paranoid about certificates where it is not bothered about so many other problems with security and their products.
Just an update. Went ahead and bought a Godaddy.com Turbo SSL certificate for $20. It expires in a year, but $20 is pretty damn cheap.

Also, I figured out how to get users to the secured directory when browsing the non-secure site. Whenever a user wants to connect to http://www.example.com/mail, a simple "Redirect" command in the Virtual Host section of my .conf file causes them to go to https://www.example.com/mail which is the SSL encrypted site. Piece of cake!!

Thanks for all the help!
 
Old 04-05-2007, 01:31 PM   #7
Alfar
LQ Newbie
 
Registered: Dec 2006
Posts: 15

Rep: Reputation: 0
Quote:
Originally Posted by Biggen
Just an update. Went ahead and bought a Godaddy.com Turbo SSL certificate for $20. It expires in a year, but $20 is pretty damn cheap.

Also, I figured out how to get users to the secured directory when browsing the non-secure site. Whenever a user wants to connect to http://www.example.com/mail, a simple "Redirect" command in the Virtual Host section of my .conf file causes them to go to https://www.example.com/mail which is the SSL encrypted site. Piece of cake!!

Thanks for all the help!
Thanks for the info. I secured my Exim, Courier and Apache for $35 for 2 years.
 
Old 04-18-2007, 10:30 PM   #8
jamesballin
LQ Newbie
 
Registered: Jan 2007
Location: NM
Distribution: Fedora Core 6
Posts: 2

Rep: Reputation: 0
Apache 2.2.3 Redirecting to https from http


Hello everyone! This is my first time here, but I am looking for a little advice on VirtualHost and running port 443 at the same time that I am listening on port 80. I have "Listen 80" and "Listen 443" defined in my httpd.conf file, and this is what I have defined in the VirtualHost section of httpd.conf:

<VirtualHost *:80>
DocumentRoot /var/www/html/example
ServerName www.example.com
ErrorLog logs/example.error_log
CustomLog logs/example.com_access common
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/example
ServerName www.example.com
Redirect https://www.example.com:443 https://www.example.com/register.cgi
ErrorLog logs/example.error_log
CustomLog logs/example.com_access common
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/certs/localhost.key
</VirtualHost>


I want to be able to listen on port 80 for the normal traffic of the site, and then when the user decides to register a user name they can log in securely on port 443. It tells me that if I run "apachectl -t" that the port 80 takes precedence of the ports, and syntax is Ok. Also, if I run from a browser: "http://www.example.com", the server runs just fine; and if I type the URL: "https://www.example.com" it will tell about the untrusted certificate files since I am running a self-signed certificate.

If anybody could help me out it would be wonderful...thanks all
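
Editor's added example (not posted by anyone in this thread): one way to lay out what posts #6 and #8 describe, with the normal site on port 80 and only selected paths sent to HTTPS, plus a per-directory check. The hostname, document root and certificate paths are placeholder assumptions.

```apache
# Constructed example. Hostname, document root and certificate paths are
# placeholders; substitute your own.
Listen 80
Listen 443

# Plain-HTTP site: everything is served normally except the two paths that
# must be encrypted, which are redirected to the HTTPS virtual host.
# Redirect matches by path prefix, so /mail/src/login.php is sent to
# https://www.example.com/mail/src/login.php.
# The redirect belongs here, in the port-80 host, with a URL path (starting
# with "/") as its first argument.
<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/html/example
    Redirect permanent /mail         https://www.example.com/mail
    Redirect permanent /register.cgi https://www.example.com/register.cgi
</VirtualHost>

# HTTPS site: SSLEngine is only valid at server or virtual-host level,
# so TLS is switched on for the whole host, not per directory.
# Keep the private key outside the certs directory and readable by root only.
<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/html/example
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key
</VirtualHost>

# Per-directory enforcement: SSLRequireSSL is the mod_ssl directive that is
# allowed inside <Directory>. Placed at server level it applies to both
# virtual hosts, so a plain-HTTP request for this directory is answered with
# 403 Forbidden even if the Redirect above is later removed or mistyped.
<Directory /var/www/html/example/mail>
    SSLRequireSSL
</Directory>
```

Run "apachectl -t" after editing to confirm the syntax, then request the /mail path over both http:// and https:// to check that the first is redirected and the second is served.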
 
  

