
28th December 2009, 10:59 PM
Registered User
Anyone got a good guide to enabling https on apache2?
I've got a basic apache2 setup running w/ multiple virtual hosts, would like to try SSL (i.e. https).
I've got the IP networking side well and truly sorted but I need guidance on the apache/ssl config side. I have installed mod_ssl.
Does anyone have a good guide for Fedora that's recent? All I can find are Ubuntu and old Fedora 'Core' guides, so I'm not sure how much applies to F12. The best ones I can find so far are
https://help.ubuntu.com/community/fo...er/apache2/SSL
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
Any help appreciated. Specifically I'm looking for
- generating SSL cert - also I assume this is different from my SSH keys?
- httpd.conf editing required.
cheers
__________________
the phases of 'nix troubleshooting
For :eek:
:confused: | google > :D
Next
Last edited by johannlo; 28th December 2009 at 11:07 PM.

28th December 2009, 11:26 PM
Retired Administrator

29th December 2009, 01:35 AM
Registered User
Thanks. Note that guide has some out-of-date paths for the certificate gen bit; specifically, this is what I had to change:
Code:
openssl rsa -in temp.key -out /etc/pki/tls/private/genie.key
openssl req -new -key /etc/pki/tls/private/genie.key -x509 -out genie.crt -days 365
rm ./temp.key
chmod 600 /etc/pki/tls/private/genie.key /etc/pki/tls/certs/genie.crt
After I do this, for the httpd.conf bit, do I just add a new virtualhost pointing to *:443?
Or do I do this in the ssl.conf file? The guides I'm reading are not clear unfortunately
Last edited by johannlo; 29th December 2009 at 01:37 AM.

29th December 2009, 02:15 AM
Retired Administrator
Quote:
Originally Posted by johannlo
Thanks, note that guide has some out of date paths for the certificate gen bit, specifically this is what I had to change
openssl rsa -in temp.key -out /etc/pki/tls/private/genie.key
openssl req -new -key /etc/pki/tls/private/genie.key -x509 -out genie.crt -days 365
rm ./temp.key
chmod 600 /etc/pki/tls/private/genie.key /etc/pki/tls/certs/genie.crt
After I do this, for the httpd.conf bit, do I just add a new virtualhost pointing to *:443?
Or do I do this in the ssl.conf file? The guides I'm reading are not clear unfortunately
Just edit /etc/httpd/conf.d/ssl.conf and open port 443 in your firewall config.
Quote:
Change your_hostname for your real hostname. All that's left is to edit /etc/httpd/conf.d/ssl.conf and change the certificates to use your_hostname.crt and your_hostname.key

29th December 2009, 02:17 AM
Registered User
Thanks, I did all that (pointing ssl.conf to my key names) but still no dice.
My httpd.conf is far from out of the box though, as I have been mucking around w/ virtual servers and such; also there is no entry corresponding to *, it's all *:80, so I will go down that path (i.e. creating a virtual server on *:443). I was more wondering if there were additional lines required as well, like 'ENABLE MOD_SSL' or something similar.

29th December 2009, 02:44 AM
Retired Administrator
Well, I have just run through the commands and it works OK here.
Code:
yum install httpd system-config-httpd mod_ssl
chkconfig httpd on
cd /etc/pki/tls/certs/
openssl genrsa -aes256 -out temp.key 2048
openssl rsa -in temp.key -out ../private/leigh123.homelinux.com.key
openssl req -new -key ../private/leigh123.homelinux.com.key -x509 -out leigh123.homelinux.com.crt -days 365
rm ./temp.key
chmod 600 ../private/leigh123.homelinux.com.key leigh123.homelinux.com.crt
nano /etc/httpd/conf.d/ssl.conf
and change ssl.conf ( part of file displayed ) to
Code:
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/leigh123.homelinux.com.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/leigh123.homelinux.com.key
# Server Certificate Chain:
And to finish it
Code:
service httpd restart

29th December 2009, 02:55 AM
Administrator
Quote:
Originally Posted by johannlo
Thanks, note that guide has some out of date paths for the certificate gen bit, specifically this is what I had to change
openssl rsa -in temp.key -out /etc/pki/tls/private/genie.key
openssl req -new -key /etc/pki/tls/private/genie.key -x509 -out genie.crt -days 365
rm ./temp.key
chmod 600 /etc/pki/tls/private/genie.key /etc/pki/tls/certs/genie.crt
After I do this, for the httpd.conf bit, do I just add a new virtualhost pointing to *:443?
Or do I do this in the ssl.conf file? The guides I'm reading are not clear unfortunately
This is the kind of thing I wish people PM'd me about more often... I'll update the guide later today.

29th December 2009, 07:18 AM
Registered User
OK I fixed it, I had to move my virtual hosts over to the ssl.conf file instead of the main httpd.conf
Now I have a more annoying question: how do I do it so some virtual hosts are accessible via port 80 and others ONLY via 443?
I've turned off port 80 en masse in httpd.conf for now but I want my virtual host in httpd.conf to be accessible via port 80.
If I leave port 80 on, I seem to be able to get to my other virtual host even though it's only in the ssl.conf file. It must be the defaults for httpd.conf allowing access to the entire /var/www/html - how do I block this off?
---------- Post added at 11:18 PM CST ---------- Previous post was at 11:12 PM CST ----------
OK I'm an idiot I answered my own question.
My fix: put 'allow none' in the default httpd.conf, and then set up a separate virtual host allowing only the desired servername.
You see, I have my ISP's 'default' DNS name (I have a static IP) on my private pages, which enables me to control my bittorrent/usenet via HTTP. I also stream music via ampache. Obviously this I want to keep private.
I also have a DNS name held separately that is the one I publicly give out, that only points to the 'public' section of my server. Hence why I wanted this config.
Thanks leigh and firewing for your help (how do you guys find the time?!?!)
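The layout the thread ends up with, written out as an added example (this is not config from any of the posters or from the guide they reference): a Fedora-style httpd.conf with a default-deny catch-all on port 80 plus one named public vhost, and an ssl.conf whose private vhost exists on 443 only. The hostnames public.example.com and private.example.com, the DocumentRoots, default.invalid, and the certificate file names are assumptions. The TLS settings replace the 2009 Fedora defaults quoted earlier in the thread (SSLv2 still negotiable, RC4 and LOW-strength ciphers admitted) with ones that are acceptable today. Syntax is Apache 2.2, which is what F12 shipped; on 2.4 the Order/Deny pairs become `Require all denied` and `Require all granted`.

```apache
# ---- /etc/httpd/conf/httpd.conf (relevant part) ----
# Added example, not from the thread. Hostnames, paths and cert names are assumptions.

Listen 80

# Apache 2.2 needs this for name-based vhosts on port 80.
# Fedora ships the line commented out, which is why a second *:80 vhost
# silently falls back to the first one.
NameVirtualHost *:80

# Default vhost. The FIRST <VirtualHost *:80> answers any Host header that
# matches nothing else: the bare IP, the ISP's reverse-DNS name, and the
# private hostname over plain HTTP. Deny everything so nothing in
# /var/www/html leaks out on port 80.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# The one site that is meant to be reachable over plain HTTP.
<VirtualHost *:80>
    ServerName public.example.com
    DocumentRoot /var/www/public
    <Directory /var/www/public>
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# ---- /etc/httpd/conf.d/ssl.conf (relevant part) ----
# Replaces the stock <VirtualHost _default_:443> block from the mod_ssl package.

LoadModule ssl_module modules/mod_ssl.so
Listen 443

# Private site: 443 only. There is deliberately no *:80 vhost with this
# ServerName, so http://private.example.com/ lands on the default-deny
# vhost above and gets a 403 instead of the private pages.
<VirtualHost *:443>
    ServerName private.example.com
    DocumentRoot /var/www/private
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    # The 2009 default was ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW.
    # Refuse SSLv2/SSLv3 outright and drop RC4, 3DES and anonymous suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES

    # Key and cert from the openssl steps earlier in the thread.
    # The key has had its passphrase stripped, so it must stay mode 0600, root-owned.
    SSLCertificateFile    /etc/pki/tls/certs/private.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/private.example.com.key

    <Directory /var/www/private>
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Two checks are worth running before `service httpd restart`. First, confirm the key really belongs to the certificate: `openssl x509 -noout -modulus -in private.example.com.crt | openssl md5` and `openssl rsa -noout -modulus -in private.example.com.key | openssl md5` must print the same hash, otherwise httpd refuses to start with a key/cert mismatch. Second, after the restart, `openssl s_client -connect private.example.com:443 -servername private.example.com` shows which certificate is actually being served, and a plain `http://private.example.com/` should come back 403 from the catch-all vhost. If the error log reports `_default_ VirtualHost overlap on port 443`, more than one *:443 vhost is defined without a matching `NameVirtualHost *:443`, and only the first will ever be used.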