
Annotation of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.txt



Revision 1.1 - (hide annotations)
Wed Jan 22 17:47:49 2003 UTC (21 years, 7 months ago) by jonen
Branch: MAIN
File MIME type: text/plain
+ first init

1 jonen 1.1 ##################################################
2     # $Id$
3     #
4     ##################################################
5     #
6     # howto configure apache + mod_ssl
7     #
8     # by jonen@netfrag.org
9     ##################################################
10     #
11     # $Log$
12     #
13     ##################################################
14    
15    
16     ##################################################
17     # install (debian):
18    
19     # Apache:
20     - apt-get install apache apache-common
21    
22     # mod_ssl
23     - apt-get install libapache-mod-ssl
24    
25    
26     ##################################################
27     # make certificate
28     #
29     - run:
30    
31     /usr/lib/apache/mkcert.sh
32    
33    
34    
35     ##################################################
36     # configure httpd.conf
37     # (default Debian path: /etc/apache/httpd.conf)
38     #
39    
40     #################
41     # Basics:
42    
43     - add/uncomment:
44    
45     LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
46    
47     - add:
48    
49     <IfDefine SSL>
       # Everything up to the closing </IfDefine> is applied only when the
       # server is started with the SSL parameter defined (httpd -DSSL).
50     Listen 80
51     Listen 443
52    
53     SSLMutex file:/var/log/apache/ssl_mutex
54     SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
       # NOTE(review): the mod_ssl documentation describes "builtin" as a weak
       # seeding source at startup and advises adding a second source, e.g.
       # "SSLRandomSeed startup file:/dev/urandom 512" where the device exists.
55     SSLRandomSeed startup builtin
56    
57     SSLLog /var/log/apache/ssl.log
58     SSLLogLevel warn
59    
60     <VirtualHost _default_:443>
61     SSLEngine on
       # Server private key and the matching certificate.
       # NOTE(review): the key file should be readable by root only; anyone
       # who can read it can impersonate this server.
62     SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
63     SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
       # NOTE(review): in OpenSSL cipher-string syntax a leading "+" only moves
       # the matching suites to the end of the preference list; it does not
       # remove them. LOW and EXP (export-grade) suites therefore stay enabled,
       # and eNULL (no encryption) too if the installed OpenSSL includes it in
       # ALL. Only ADH is excluded here. To exclude the weak suites use "!",
       # e.g. ALL:!ADH:!LOW:!EXP:!eNULL:+HIGH:+MEDIUM, and check the result
       # with: openssl ciphers -v '<string>'
64     SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
       # No client certificate is requested.
65     SSLVerifyClient none
66     </VirtualHost>
67     </IfDefine>
68    
69    
70     #################
71     # Optional:
72    
73     - example VirtualHost entry:
74    
75     <VirtualHost your.domain.com:443>
       # Example SSL virtual host with its own document root and log files.
76     SSLEngine On
       # NOTE(review): the value below ends in "$", which looks like an
       # editor's line-truncation marker rather than part of the cipher string;
       # the remainder is not recoverable from this page, so restore the full
       # string before use.
       # NOTE(review): "!EXPORT56" removes only the 56-bit export suites;
       # "+LOW", "+SSLv2" and "+EXP" merely move those suites to the end of the
       # preference list, so 40-bit export and SSLv2 suites stay enabled.
       # Exclude them with "!" (e.g. !LOW:!EXP:!SSLv2) and consider
       # "SSLProtocol all -SSLv2" to turn the SSLv2 protocol off.
77     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
       # NOTE(review): relative paths here, absolute paths in the _default_
       # host; presumably resolved against ServerRoot. Confirm that both point
       # at the intended key and certificate.
78     SSLCertificateKeyFile conf/ssl.key/server.key
79     SSLCertificateFile conf/ssl.crt/server.crt
80     ServerName your.domain.com
81     ServerAlias domain.com
82     DocumentRoot /var/lib/www/domain.com
83     CustomLog /var/log/apache/access_log.your.domain.com combined
84     ErrorLog /var/log/apache/error_log.your.domain.com
       # For any User-Agent containing "MSIE": disable keep-alive, skip the SSL
       # close-notify exchange and fall back to HTTP/1.0 responses.
85     SetEnvIf User-Agent ".*MSIE.*" \
86     nokeepalive ssl-unclean-shutdown \
87     downgrade-1.0 force-response-1.0
       # Export the standard SSL_* environment variables only to script-type
       # files, matched by extension.
88     <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
89     SSLOptions +StdEnvVars
90     </Files>
91     </VirtualHost>
92    
93    
94    
95     ##################################################
96     # modify apache init script to start with ssl
97     # ('apachectl startssl' doesn't work on debian/testing for some reason....)
98     #
99    
100     - edit /etc/init.d/apache:
101    
102     replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
103    
104     with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -DSSL
105    
106     in the WHOLE script!
107    
108    
109     ##################################################
110     # final start apache..
111     - run
112     /etc/init.d/apache start
113    
114     and you are in business... ;)
115    
116    
117     ##################################################
118     # Relative HTTP/HTTPS switching
119     #
120     Switch from HTTP to HTTPS and vice versa using only relative URLs.
121     Benefit: absolute URLs are avoided, which makes the website more flexible.
122    
123     #-------- sample httpd.conf snip -------------------------
124     RewriteEngine on
        # A URL ending in ":scheme=toggle" is redirected to the same path under
        # the other scheme. Each RewriteCond guards only the RewriteRule that
        # directly follows it.
        # [R] with no status code sends a temporary (302) redirect; [L] stops
        # rule processing.
        # Request arrived over HTTPS -> redirect to plain HTTP.
125     RewriteCond %{HTTPS} =on
126     RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
        # Request arrived over plain HTTP -> redirect to HTTPS.
127     RewriteCond %{HTTPS} !=on
128     RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
        # Unconditional: an explicit ":scheme=http" or ":scheme=https" suffix
        # selects the target scheme directly.
        # NOTE(review): the toggle and ":scheme=http" rules move the visitor
        # from HTTPS to cleartext HTTP. Cookies set on the HTTPS side without
        # the Secure attribute are then sent unencrypted, so do not link pages
        # that carry a login session this way.
129     RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
130     #------------- end snip -------------------------------------
131    
132     #-------- sample page.html snip -------------------------
133     <a href="page.html:scheme=toggle">
134     <a href="page.html:scheme=https">
135     <a href="page.html:scheme=http">
136     #------------- end snip -------------------------------------
137    
138    
139     ##################################################
140     # Resources (read for further configurations):
141     #
142    
143     Security Solutions with SSL http://www.modssl.org/docs/apachecon2001/
144    
145     Apache.org http://www.apache.org
146    
147     modssl.org http://www.modssl.org
148    
