Difference between revisions of "Apache 2 HTTPS virtual host"

(Created page with "Category:Linux =Create SSL certificate= First of all, you need to create a server certificate. Cf. SSL dedicated document → Create a new server certificate >> see S...")
(No difference)

Revision as of 17:53, 8 August 2014


Create SSL certificate

First of all, you need to create a server certificate. Cf. SSL dedicated document → Create a new server certificate

>> see SSL server


Enable SSL module

You have to either copy or create symlinks for server certificate.

To avoid rights collision I'm using a copy operation. However I know from past experience that symLinks work very well if you set the correct rights.


-Note-

You MUST use the NON-ENCRYPTED private key if you want to start Apache2 automatically on each reboot.


Copy certificates

cp /srv/ssl/certs/myServer.cert.pem /etc/apache2/webServer.pem
cp /srv/ssl/private/myServer.nopass.key /etc/apache2/webServer.key


Alternative: Symlinks to /srv/ssl/

ln -s /srv/ssl/certs/myServer.cert.pem /etc/apache2/webServer.pem
ln -s /srv/ssl/private/myServer.nopass.key /etc/apache2/webServer.key


Activate the SSL module

a2enmod ssl


Prepare virtual host (optional)

Create virtual host folder

mkdir -p /var/www/myServer-ssl
cp /var/www/index.html /var/www/myServer-ssl
chown -R www-data:www-data /var/www/myServer-ssl


Prepare the log files (optional)

# That should already exists from before
mkdir -p /var/log/apache2/myServer

# Create *-ssl.log
touch /var/log/apache2/myServer/error-ssl.log
touch /var/log/apache2/myServer/access-ssl.log
chmod -R 660 /var/log/apache2/myServer/*
chown -R www-data:www-data /var/log/apache2/myServer/*


Create a default "/var/www/myServer-ssl/index.html" to check your virtual host.

If you'd like you can use this ultra-simple file [1]

cd /var/www/myServer-ssl/
wget http://daxiongmao.eu/wiki_upload_files/apache2/index.html
chown www-data:www-data index.html



Virtual host declaration

You have 2 possibilities:

  • Update your current virtual host (recommended)
  • Create a new one, only for the SSL virtual host


Update non-ssl V.Host configuration

vim /etc/apache2/sites-available/myServer


!! Adjust the settings to your own configuration !!

# Secure web server
<VirtualHost _default_:443>
<VirtualHost 192.168.0.100:443>		   → Choose the best options for your needs
<VirtualHost *:443>

	#############################
        # Server main properties
	#############################

	ServerName		myServer
	ServerAlias		www.myServer *.myServer
	ServerAdmin		webmaster@domain
	
	# Logs settings
	LogLevel		Warn
	CustomLog		${APACHE_LOG_DIR}/myServer/access-ssl.log combined
	ErrorLog		${APACHE_LOG_DIR}/myServer/error-ssl.log

        # Enable SSL
        SSLEngine               	On
        SSLCertificateFile      	/etc/apache2/webServer.pem
        SSLCertificateKeyFile   	/etc/apache2/webServer.key

	#############################
        # Root folder properties
	#############################
	DocumentRoot	/var/www/myServer-ssl


        # SECURITY: forbid access to .htaccess so no outsider can ever change it
        <Files ~ "^\.ht">
                ## Old Apache2 (before 2.4) syntax
                Order allow,deny
                deny from all

                ## Apache 2.4 syntax
                Require all denied
        </Files>

        # Restrict access to server root
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Require all denied
        </Directory>

        # Virtual host root directory
	<Directory /var/www/myServer-ssl>
                Require all granted
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		
                ## Old Apache2 (before 2.4) syntax
		Order allow,deny
		allow from all
                
                ## Apache 2.4
                Require all granted  
	</Directory>


	#############################
        # Other configuration
        # Alias, proxy redirections, CGI scripts, Directory, etc.
	#############################

	Alias 	/phpsec   /var/somewhere/phpsecinfo
	<Location /phpsec >
                ## Old apache 2 (before 2.4) 
		order deny,allow
		allow from all
		Allow from 127.0.0.1 192.168.1.0/24

                ## Apache 2.4
		require local
		require ip 192.168.1
                require host dev.daxiongmao.eu
        </Location>
</VirtualHost>


Apply changes

Restart the web server

service apache2 restart


Now you can test your server https://myServer


If you've use a self-signed certificate you might see some alert. Just discarded it and process anyway!