Solved

Enable SSL in Apache 2.2.4 after already installed

Posted on 2007-11-20
6,623 Views
Last Modified: 2013-12-06
Hello all, I hope someone can help me with this one because I have been banging my head all day long.

I have a server running Apache 2.2.4 that came installed with Fedora core 6.

I understand that I can enable Apache with mod_ssl during the install with ./configure --enable-ssl, but I already have apache configured and running in production.

I know that you can dynamically load modules with LoadModule, but I can't find a mod_ssl.so for Apache 2.2.4.

I need specific instructions as to how to enable SSL in Apache so that https://my.domain.com works.


Question by:pjinlaok
6 Comments
 
LVL 12

Expert Comment

by:dlan75
ID: 20331213
Hi,
Have you looked here already? http://httpd.apache.org/docs/2.2/ssl/
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 20331730
I've included a working declaration from one of the Fedora webservers to which I have access - you will also need to include a Listen directive on port 443, and be sure to include mod_ssl in the list of modules to be loaded.  My included example has been adjusted to a generic form - you will have to adjust it for your own domain/host, as well as your own local certificate locations.

Cheers,
-Jon

<VirtualHost my.domain.com:443>
    ServerAdmin webmaster@my.domain.com
    DocumentRoot /web/my.domain.com/public_html
    ServerName my.domain.com:443
    ErrorLog /web/my.domain.com/logs/error_log
    CustomLog /web/my.domain.com/logs/access_log common
    ScriptAlias /cgi-bin/ "/web/my.domain.com/cgi-bin/"
    Alias /images/ "/web/my.domain.com/images/"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


 

Author Comment

by:pjinlaok
ID: 20352346
Hello Captain,

Thanks for your posting. I actually ran out of time and had to do a new installation of Apache 2.0.57 into /wwwroot .

I added this line to httpd.conf to enable SSL:
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

Then I edited the ssl.conf file.


Are you saying that I can simply add the SSL configuration as a vhost with port 443?

Listen 443

and

<VirtualHost my.domain.com:443>
    #   General setup for the virtual host
    JkMount /* worker1
    JkMount /*.jsp worker1
    JkMount /*.html worker1
    ServerName web2.mydomain.com:443
    ServerAlias 10.0.1.252
    ErrorLog /etc/httpd/logs/web2.mydomain.com_error_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog /etc/httpd/logs/web2.mydomain.com_access_log combined
</VirtualHost>

JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /etc/httpd/logs/mod_jk.log
JkShmFile     /etc/httpd/logs/jk-runtime-status
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkAutoAlias /opt/Alfresco/tomcat/webapps/appname
 
LVL 16

Accepted Solution

by: The--Captain (earned 2000 total points)
ID: 20387714
Did your above proposed config work for you?  Just curious ;-)

>Are you saying that I can simply add the SSL configuration as a vhost with
>port 443?

I just took that config from a working production box - IIRC from the initial setup, you definitely need to listen on port 443, enable the SSL engine, and have a host (or virtual host) definition that defines your SSL parameters.  I can't quite remember why I defined it as a vhost, since you can only have one https server per IP, but I think it is due to the fact that *all* sites on that box are defined as vhosts.

In any case, you also need to have correct DNS (or at least local /etc/hosts file entries) for your site declaration or apache might not behave as expected.  If you need me to provide specific data from the same production box, I can...

BTW, I'm not sure what's up with your JK... directives, but my example contained a DocumentRoot directive, which I think is necessary (but not included in your post) - am I missing something, being obtuse, or did you not include that for a reason of which I am unaware?

Cheers,
-Jon
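Jon's answer lists what an Apache 2.2 HTTPS site needs: mod_ssl loaded, a Listen on 443, SSLEngine on, a certificate and key in a (virtual) host definition, and a DocumentRoot. The following POSIX shell audit is an added example and is not from the thread or from Jon's production box; it greps a httpd.conf fragment for those pieces and also lists the SSLCipherSuite tokens that re-enable SSLv2, export-grade, LOW and NULL ciphers (the suite pasted in this thread contains four such tokens). The embedded sample config, host names and certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Experts Exchange thread.
# Audits an Apache 2.2 config fragment for the HTTPS requirements named in the
# accepted answer and flags weak SSLCipherSuite tokens.

# Constructed sample config (placeholder host/paths), written to the file given as $1.
write_sample_config() {
  cat > "$1" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 80
Listen 443
<VirtualHost my.domain.com:443>
    ServerName my.domain.com:443
    DocumentRoot /web/my.domain.com/public_html
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
</VirtualHost>
EOF
}

# has_directive FILE ERE : true if an uncommented line starts with a match for ERE.
has_directive() {
  grep -Eiq "^[[:space:]]*$2" "$1"
}

# check_ssl_config FILE : print each missing requirement; return 0 only if none is missing.
check_ssl_config() {
  f=$1
  missing=0
  has_directive "$f" 'LoadModule[[:space:]]+ssl_module' || { echo "missing: LoadModule ssl_module"; missing=1; }
  has_directive "$f" 'Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' || { echo "missing: Listen 443"; missing=1; }
  has_directive "$f" 'SSLEngine[[:space:]]+on' || { echo "missing: SSLEngine on"; missing=1; }
  has_directive "$f" 'SSLCertificateFile[[:space:]]+' || { echo "missing: SSLCertificateFile"; missing=1; }
  has_directive "$f" 'SSLCertificateKeyFile[[:space:]]+' || { echo "missing: SSLCertificateKeyFile"; missing=1; }
  has_directive "$f" 'DocumentRoot[[:space:]]+' || { echo "missing: DocumentRoot"; missing=1; }
  return $missing
}

# weak_cipher_tokens FILE : print SSLCipherSuite tokens that add SSLv2, export, LOW or NULL ciphers.
# Tokens prefixed with '!' remove a class and are ignored; '+' or no prefix add it.
weak_cipher_tokens() {
  grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" \
    | sed -E 's/^[[:space:]]*SSLCipherSuite[[:space:]]+//' \
    | tr ':' '\n' \
    | grep -E '^\+?(SSLv2|EXP|EXPORT[0-9]*|eNULL|aNULL|LOW)$' || true
}

# count_weak_tokens FILE : number of weak tokens found (0 when the suite is clean).
count_weak_tokens() {
  weak_cipher_tokens "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_ssl.sh /etc/httpd/conf/httpd.conf
if [ "$#" -gt 0 ]; then
  echo "weak SSLCipherSuite tokens:"; weak_cipher_tokens "$1"
  check_ssl_config "$1" && echo "all required HTTPS directives present"
fi
```

Run it against the real httpd.conf (and any file it Includes, such as ssl.conf) before `httpd -t` or `apachectl configtest`, which only validate syntax and will happily accept a site with no Listen 443. On the cipher side, the four flagged tokens (`+LOW`, `+SSLv2`, `+EXP`, `+eNULL`) re-add exactly the ciphers the leading `ALL:!ADH:!EXPORT56` was trying to exclude; dropping them and adding `SSLProtocol all -SSLv2` to the same vhost is the mod_ssl 2.2 way to keep the server off those suites.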
 

Author Comment

by:pjinlaok
ID: 20397716
Hi Jon,


Currently I am still running the site off of the new apache 2.0.57 in /wwwroot and I haven't tested apache 2.2 yet. I did some more reading and it looks like the configuration that you gave me is the correct way to do it in apache 2.2.

I guess you no longer need an ssl.conf file in apache 2.2.

I am going to test it in development this week.


FYI the JkMount is used for configuration of mod_jk. It forwards all Tomcat requests to the Tomcat server. We use Apache to answer all HTTP port 80 requests so that we can have a normal-looking web URL (i.e. www.mydomain.com instead of https://www.mydomain.com:8090/directory).

Tomcat is actually serving up all the content.

I think I will have to add an SSL certificate to tomcat as well to secure the entire site.


Thanks for your help. I will accept your answer and I will post any further updates on my findings.


Cheers

Peter
 
LVL 16

Expert Comment

by:The--Captain
ID: 20398637
>I guess you no longer need an ssl.conf file

AFAIK, no one ever *needs* an ssl.conf file (since it's typically just included using a directive in the main config file).  You really don't even need a file called httpd.conf (of course, you *do* need a file somewhere that has your config of which you have made apache aware, but you can call it whatever you want, and put it wherever you want).

Let us know how it goes...

Cheers,
-Jon

P.S.  I think I defined the https site as a vhost in case we ever assigned more IPs to the box - keeps things easy if all you have to do is modify a few parameters of a copied entry.

