Httpd SSL Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
Line 96: Line 96:


Name it <tt><secure-site-FQN>.crt</tt>. Example: praetorian.novaordis.com.crt.
Name it <tt><secure-site-FQN>.crt</tt>. Example: praetorian.novaordis.com.crt.
==Test Certificate==
Use https://casecurity.ssllabs.com or similar.

Revision as of 19:58, 6 January 2016

External

Internal

Overview

In order to protect a web site with SSL, you will need to make sure mod_ssl is available and functional, then create a virtual host that listens on port different from the non-SSL protected sites (usually 443), turn the SSLEngine on for that virtual host, and specify the paths to the certificate and the private key.

Procedure

Install mod_ssl and openssl

yum install mod_ssl
yum install openssl

By default, this ends up installing mod_ssl.so in /etc/httpd/modules. It also creates the default SSL configuration file ssl.conf in /etc/httpd/conf.d.

ssl.conf

ssl.conf must be included. Usually the main httpd.conf configuration file contains an "include all conf.d" line: 

IncludeOptional conf.d/*.conf

which should take care of ssl.conf inclusion. More about IncludeOptional.

If not present, explicitly add the following Include directive above the virtual host area: 

Include conf.d/ssl.conf

ssl.conf contains the configuration of a default secure virtual host, and the custom secure virtual hosts should be added under it. See Secure Virtual Hosts

Listen

Restrict the secure server to listen to a specific, dedicated interface by specifying it in ssl.conf Listen: 

Listen 1.2.3.4:443 https

More details about Listen are available here Listen.

Log Location

By default, the SSL logs level and location is different: 

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

Secure Virtual Hosts

Add custom secure virtual hosts at the bottom of ssl.conf: 

<VirtualHost 1.2.3.4:443>
    ServerName praetorian.novaordis.com
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/praetorian.novaordis.com.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/praetorian.novaordis.com.key"
</VirtualHost>

GoDaddy certificate installation instructions: https://www.godaddy.com/help/installing-an-ssl-certificate-in-apache-centos-5238

Secure Site Private Key

Place the private key under /etc/pki/tls/private.

Name it <secure-site-FQN>.key. Example: praetorian.novaordis.com.key.

Make it available to apache:apache and only it: 

chown apache:apache praetorian.novaordis.com.key
chmod go-rwx praetorian.novaordis.com.key

Secure Site Certificate

Place the certificate file under /etc/pki/tls/certs.

Name it <secure-site-FQN>.crt. Example: praetorian.novaordis.com.crt.

Test Certificate

Use https://casecurity.ssllabs.com or similar.

Retrieved from "https://kb.novaordis.com/index.php?title=Httpd_SSL_Configuration&oldid=680"