Httpd SSL Configuration: Difference between revisions
No edit summary |
|||
| Line 53: | Line 53: | ||
Restrict the secure server to listen to a specific, dedicated interface by specifying it in ssl.conf <tt>Listen</tt>: | Restrict the secure server to listen to a specific, dedicated interface by specifying it in ssl.conf <tt>Listen</tt>: | ||
< | <syntaxhighlight lang='text'> | ||
Listen 1.2.3.4:443 https | Listen 1.2.3.4:443 https | ||
</ | </syntaxhighlight> | ||
Note that the main configuration file might still contain a "Listen" directive for port 80. This is fine if your web server still wants to serve unsecured pages, multiple Listen directives are legal. | Note that the main configuration file might still contain a "Listen" directive for port 80. This is fine if your web server still wants to serve unsecured pages, multiple Listen directives are legal. | ||
| Line 65: | Line 65: | ||
By default, the SSL logs level and location is different: | By default, the SSL logs level and location is different: | ||
< | <syntaxhighlight lang='text'> | ||
ErrorLog logs/ssl_error_log | ErrorLog logs/ssl_error_log | ||
TransferLog logs/ssl_access_log | TransferLog logs/ssl_access_log | ||
LogLevel warn | LogLevel warn | ||
</ | </syntaxhighlight> | ||
==localhost Key and Certificate== | ==localhost Key and Certificate== | ||
| Line 81: | Line 81: | ||
Add custom secure virtual hosts at the bottom of ssl.conf: | Add custom secure virtual hosts at the bottom of ssl.conf: | ||
< | <syntaxhighlight lang='text'> | ||
<VirtualHost 1.2.3.4:443> | <VirtualHost 1.2.3.4:443> | ||
ServerName praetorian.novaordis.com | ServerName praetorian.novaordis.com | ||
| Line 90: | Line 90: | ||
DocumentRoot "/var/www/praetorian.novaordis.com" | DocumentRoot "/var/www/praetorian.novaordis.com" | ||
</VirtualHost> | </VirtualHost> | ||
</ | </syntaxhighlight> | ||
GoDaddy certificate installation instructions: https://www.godaddy.com/help/installing-an-ssl-certificate-in-apache-centos-5238 | GoDaddy certificate installation instructions: https://www.godaddy.com/help/installing-an-ssl-certificate-in-apache-centos-5238 | ||
Revision as of 21:20, 29 March 2021
External
- http://httpd.apache.org/docs/2.4/ssl/
- http://wiki.centos.org/HowTos/Https
- http://www.thegeekstuff.com/2012/05/install-apache-2-on-centos-6/
Internal
Overview
In order to protect a web site with SSL, you will need to make sure mod_ssl is available and functional, then create a virtual host that listens on port different from the non-SSL protected sites (usually 443), turn the SSLEngine on for that virtual host, and specify the paths to the certificate and the private key.
Procedure
Obtain Certificate
Obtain a commercial certificate signed by a known CA or generate a self-signed certificate.
This is how you generate a self-signed certificate.
Install mod_ssl and openssl
yum install mod_ssl yum install openssl
By default, this ends up installing mod_ssl.so in /etc/httpd/modules. It also creates the default SSL configuration file ssl.conf in /etc/httpd/conf.d.
ssl.conf
ssl.conf must be included explicitly, yum installation, while it creates, it does not include it. However, usually the main httpd.conf configuration file contains an "include all conf.d" line:
IncludeOptional conf.d/*.conf
which should take care of ssl.conf inclusion. More about IncludeOptional.
If not present, explicitly add the following Include directive above the virtual host area:
Include conf.d/ssl.conf
ssl.conf contains the configuration of a default secure virtual host, and the custom secure virtual hosts should be added under it. See Secure Virtual Hosts
Listen
Restrict the secure server to listen to a specific, dedicated interface by specifying it in ssl.conf Listen:
Listen 1.2.3.4:443 https
Note that the main configuration file might still contain a "Listen" directive for port 80. This is fine if your web server still wants to serve unsecured pages, multiple Listen directives are legal.
More details about Listen are available here Listen.
Log Location
By default, the SSL logs level and location is different:
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
localhost Key and Certificate
TODO: Do I need it?. If I reach the conclusion I don't, update Restoring_MediaWiki_from_Backup#localhost_Key_and_Certificate.
TODO: Procedure to generate and install.
Secure Virtual Hosts
Add custom secure virtual hosts at the bottom of ssl.conf:
<VirtualHost 1.2.3.4:443>
ServerName praetorian.novaordis.com
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/praetorian.novaordis.com.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/praetorian.novaordis.com.key"
SSLCertificateChainFile "/etc/pki/tls/certs/praetorian.novaordis.com-godaddy-chain.crt"
DocumentRoot "/var/www/praetorian.novaordis.com"
</VirtualHost>
GoDaddy certificate installation instructions: https://www.godaddy.com/help/installing-an-ssl-certificate-in-apache-centos-5238
Site Private Key
Place the private key under /etc/pki/tls/private.
Name it <secure-site-FQN>.key. Example: praetorian.novaordis.com.key.
Make it available to apache:apache and only it:
chown apache:apache praetorian.novaordis.com.key chmod go-rwx praetorian.novaordis.com.key
Site Certificate
Place the certificate file under /etc/pki/tls/certs.
Name it <secure-site-FQN>.crt. Example: praetorian.novaordis.com.crt.
Site Chain/Intermediate Certificate
Most trusted certificates require that you install at least one other intermediate/chain certificate on the server, to link your certificate up to the trusted source. For example, the GoDaddy-issued certificates require that.
Place the intermediate/chain certificate file under /etc/pki/tls/certs.
Name it <secure-site-FQN>-godaddy-chain.crt. Example: praetorian.novaordis.com-godaddy-chain.crt.
Specify the path to the certificate chain under the corresponding secure virtual host as:
SSLCertificateChainFile "/etc/pki/tls/certs/praetorian.novaordis.com-godaddy-chain.crt"
Note that for Apache 2.4.8 and higher you need to use SSLCACertificatePath instead.
Test Certificate
Use all of below. Testing is a good idea, test may reveal weaknesses and vulnerabilities. If everything was installed correctly, the checks should be successful.
Other Details
- Protect against the POODLE Attack.
- Disable support for RC4 Cipher
- Support Forward Secrecy with the reference browsers.
Troubleshooting
"SSLCertificateFile: file '/etc/pki/tls/certs/kb.novaordis.com.crt' does not exist or is empty"
If I get an error message similar to SSLCertificateFile: file '/etc/pki/tls/certs/kb.novaordis.com.crt' does not exist or is empty, and the certificate file exists, is readable and it is a valid certificate, the cause is related to selinux misconfiguration.