Httpd SSL Configuration
External
- http://httpd.apache.org/docs/2.4/ssl/
- http://wiki.centos.org/HowTos/Https
- http://www.thegeekstuff.com/2012/05/install-apache-2-on-centos-6/
Internal
Overview
In order to protect a web site with SSL, you will need to make sure mod_ssl is available and functional, then create a virtual host that listens on port different from the non-SSL protected sites (usually 443), turn the SSLEngine on for that virtual host, and specify the paths to the certificate and the private key.
Procedure
Install mod_ssl and openssl
yum install mod_ssl yum install openssl
By default, this ends up installing mod_ssl.so in /etc/httpd/modules. It also creates the default SSL configuration file ssl.conf in /etc/httpd/conf.d.
ssl.conf
ssl.conf must be included. Usually the main httpd.conf configuration file contains an "include all conf.d" line:
IncludeOptional conf.d/*.conf
which should take care of ssl.conf inclusion. More about IncludeOptional.
If not present, explicitly add the following Include directive above the virtual host area:
Include conf.d/ssl.conf
ssl.conf contains the configuration of a default secure virtual host, and the custom secure virtual hosts should be added under it. See Secure Virtual Hosts
Listen
Restrict the secure server to listen to a specific, dedicated interface by specifying it in ssl.conf Listen:
Listen 1.2.3.4:443 https
More details about Listen are available here Listen.
Log Location
By default, the SSL logs level and location is different:
ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn
Secure Virtual Hosts
Add custom secure virtual hosts at the bottom of ssl.conf:
<VirtualHost 1.2.3.4:443> ServerName praetorian.novaordis.com SSLEngine on SSLCertificateFile "/etc/pki/tls/certs/praetorian.novaordis.com.crt" SSLCertificateKeyFile "/etc/pki/tls/private/praetorian.novaordis.com.key" DocumentRoot "/var/www/praetorian.novaordis.com" </VirtualHost>
GoDaddy certificate installation instructions: https://www.godaddy.com/help/installing-an-ssl-certificate-in-apache-centos-5238
Secure Site Private Key
Place the private key under /etc/pki/tls/private.
Name it <secure-site-FQN>.key. Example: praetorian.novaordis.com.key.
Make it available to apache:apache and only it:
chown apache:apache praetorian.novaordis.com.key chmod go-rwx praetorian.novaordis.com.key
Secure Site Certificate
Place the certificate file under /etc/pki/tls/certs.
Name it <secure-site-FQN>.crt. Example: praetorian.novaordis.com.crt.
Test Certificate
Use https://casecurity.ssllabs.com, https://www.sslshopper.com/ssl-checker.html or similar.