Reload this Page Apache + SSL Howto
User Name Remember Me?
Password
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto | Site FAQ | Sitemap | Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
By SiegeX at 2004-09-07 02:02
If you ever do online banking and notice all the URL's start with https:// and have a lockpad symbol on the browser, well thats SSL.
In order to tell Apache
to include SSL support we need to edit the /etc/apache/httpd.conf file and scroll ALL the way to the bottom. This is where we will uncomment the following line.
Code:
change this:
#Include /etc/apache/mod_ssl.conf
to this:
Include /etc/apache/mod_ssl.conf
NOTE: The above assumes that your distribution has shipped with mod_ssl and httpd installed. If you installed from source or your distribution does not contain both of these, this LinuxAnswer will not apply to you.
Once that is done you need to make a simple edit to the /etc/rc.d/rc.httpd file so that the apache server knows you want to startup with SSL support.
Code:
change this:
'start')
/usr/sbin/apachectl start ;;
to this:
'start')
/usr/sbin/apachectl startssl ;;
Now all thats left is to setup the SSL Certs. If you really don't care about having official certs, Slackware comes with pre-made ones, I use these, but if you ran a legit production webserver you would probably want to spend the money and have real certs made. You also have the option to create your own self-signed certs and if you are interested in that, jump all the way to the bottom of this Howto. Anyway, to use the premade certs run the following commands and say yes to overwrite:
Code:
cp /etc/apache/ssl.crt/snakeoil-rsa.crt /etc/apache/ssl.crt/server.crt
cp /etc/apache/ssl.key/snakeoil-rsa.key /etc/apache/ssl.key/server.key
Now all thats left to do is restart the apache server
:
Code:
/etc/rc.d/rc.httpd restart
If you want to make sure that SSL is working correctly run this command:
Code:
netstat -tpan | grep 443
If everything is working correctly, you should get output that looks like the following:
Code:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 27426/httpd
If you don't get any output whatsoever then something went wrong and you need to look at your /var/log/apache/error_log file.
Now that SSL is all set up, you are going to want to tell Apache what to serve up when somebody connects using https://. This is done by the VirtualHost directive and the one pertaining to SSL connections can be found in the /etc/apache/mod_ssl.conf file. The default looks like this and you will certainly need to change some of the settings.
Code:
# General setup for the virtual host
DocumentRoot "/var/www/htdocs"
ServerName new.host.name
ServerAdmin you@your.address
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
And finally if you want to create your own self-signed certs and not use the ones that come with Slackware thats easy to do as well. I got the following commands from http://www.apache-ssl.org/#FAQ
Code:
Step one - create the key and request:
openssl req -new > new.cert.csr
Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key
Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 1825
Step four - copy the cert and key to the appropriate places
cp new.cert.cert /etc/apache/ssl.crt/server.crt
cp new.cert.key /etc/apache/ssl.key/server.key
A few things to note:
When asked for Common Name in step one, be sure to enter the FQDN of your webserver ie www.mywebserver.com
When asked for A challenge password in step one, go ahead and just press enter
If you don't remove the passphrase from the key in Step two, you will be prompted to enter a password every time you run /etc/rc.d/rc.httpd start. This means if your box reboots for some reason, your webserver won't start unless you are there to provide the passphrase.
‹ A simplified view of MPMs in ApacheupBasic Samba Network File Sharing ›
No comments:
Post a Comment