
Contents of /nfo/doc/computing/sysadmin/linux/howto-setup-apache_mod-ssl.txt



Revision 1.1 - (show annotations)
Wed Jan 22 17:47:49 2003 UTC (21 years, 8 months ago) by jonen
Branch: MAIN
File MIME type: text/plain
+ first init

1 ##################################################
2 # $Id$
3 #
4 ##################################################
5 #
6 # howto configure apache + mod_ssl
7 #
8 # by jonen@netfrag.org
9 ##################################################
10 #
11 # $Log$
12 #
13 ##################################################
14
15
16 ##################################################
17 # install (debian):
18
19 # Apache:
20 - apt-get install apache apache-common
21
22 # mod_ssl
23 - apt-get install libapache-mod-ssl
24
25
26 ##################################################
27 # make certificate
28 #
29 - run:
30
31 /usr/lib/apache/mkcert.sh
32
33
34
35 ##################################################
36 # configure httpd.conf
37 # (default Debian path: /etc/apache/httpd.conf)
38 #
39
40 #################
41 # Basics:
42
43 - add/uncomment:
44
45 LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
46
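47 - add (check the SSLCipherSuite line before deploying: the string starts from ALL and removes only anonymous DH, and the `+` entries merely reorder, so LOW and EXP (export-grade) suites stay offered and eNULL (no encryption) is named as well; restrict it to strong suites on any server that carries sensitive traffic):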
48
49 <IfDefine SSL>
50 Listen 80
51 Listen 443
52
53 SSLMutex file:/var/log/apache/ssl_mutex
54 SSLSessionCache dbm:/var/log/apache/ssl_gcache_data
55 SSLRandomSeed startup builtin
56
57 SSLLog /var/log/apache/ssl.log
58 SSLLogLevel warn
59
60 <VirtualHost _default_:443>
61 SSLEngine on
62 SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
63 SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
64 SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
65 SSLVerifyClient none
66 </VirtualHost>
67 </IfDefine>
68
69
70 #################
71 # Optional:
72
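73 - example VirtualHost entry (the SSLCipherSuite line below is cut off at the trailing `$` and has to be completed before use; as far as it is shown it also keeps SSLv2, LOW and EXP suites in the list, which should be excluded on a server carrying sensitive traffic):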
74
75 <VirtualHost your.domain.com:443>
76 SSLEngine On
77 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN$
78 SSLCertificateKeyFile conf/ssl.key/server.key
79 SSLCertificateFile conf/ssl.crt/server.crt
80 ServerName your.domain.com
81 ServerAlias domain.com
82 DocumentRoot /var/lib/www/domain.com
83 CustomLog /var/log/apache/access_log.your.domain.com combined
84 ErrorLog /var/log/apache/error_log.your.domain.com
85 SetEnvIf User-Agent ".*MSIE.*" \
86 nokeepalive ssl-unclean-shutdown \
87 downgrade-1.0 force-response-1.0
88 <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
89 SSLOptions +StdEnvVars
90 </Files>
91 </VirtualHost>
92
93
94
95 ##################################################
96 # modify apache init script to start with ssl
97 # ('apachectl startssl' does not work on debian/testing for some reason....)
98 #
99
100 - edit /etc/init.d/apache:
101
102 replace start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON
103
104 with start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- DSSL
105
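106 in the WHOLE script! (Apache only honours a define passed with its -D option, so the argument after `--` has to reach the daemon as -DSSL; otherwise the <IfDefine SSL> block above stays inactive.)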
107
108
109 ##################################################
110 # final start apache..
111 - run
112 /etc/init.d/apache start
113
114 and you are in business... ;)
115
116
117 ##################################################
118 # Relative HTTP/HTTPS switching
119 #
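120 Switch from HTTP to HTTPS and vice versa using only relative URLs.
121 Benefit: absolute URLs are avoided, which makes the website more flexible. Caveat: after a switch from HTTPS back to HTTP the following requests travel unencrypted, including any cookie not flagged Secure, so keep authenticated pages on HTTPS.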
122
123 #-------- sample httpd.conf snip -------------------------
124 RewriteEngine on
125 RewriteCond %{HTTPS} =on
126 RewriteRule ^/(.*):scheme=toggle$ http://%{SERVER_NAME}/$1 [R,L]
127 RewriteCond %{HTTPS} !=on
128 RewriteRule ^/(.*):scheme=toggle$ https://%{SERVER_NAME}/$1 [R,L]
129 RewriteRule ^/(.*):scheme=(http|https)$ $2://%{SERVER_NAME}/$1 [R,L]
130 #------------- end snip -------------------------------------
131
132 #-------- sample page.html snip -------------------------
133 <a href="page.html:scheme=toggle">
134 <a href="page.html:scheme=https">
135 <a href="page.html:scheme=http">
136 #------------- end snip -------------------------------------
137
138
139 ##################################################
140 # Resources (read for further configurations):
141 #
142
143 Security Solutions with SSL http://www.modssl.org/docs/apachecon2001/
144
145 Apache.org http://www.apache.org
146
147 modssl.org http://www.modssl.org
148
