Solved

Enable SSL in Apache 2.2.4 after already installed

Posted on 2007-11-20
Last Modified: 2013-12-06
Hello all, I hope someone can help me with this one because I have been banging my head all day long.

I have a server running Apache 2.2.4 that came installed with Fedora core 6.

I understand that I can enable Apache with mod_ssl during the install with ./configure --enable-ssl, but I already have apache configured and running in production.

I know that you can dynamically load modules with LoadModules, but I can't find a mod_ssl.so for Apache 2.2.4.

I need specific instructions as to how to enable ssl in apache so that https://my.domain.com works.


Question by:pjinlaok
 
LVL 12

Expert Comment

by:dlan75
ID: 20331213
Hi,
Have you looked here already? http://httpd.apache.org/docs/2.2/ssl/
 
LVL 16

Expert Comment

by:The--Captain
ID: 20331730
I've included a working declaration from one of the Fedora webservers to which I have access - you will also need to include a listen directive on port 443, and be sure to include mod_ssl in the list of modules to be loaded.  My included example has been adjusted to a generic form - you will have to adjust it for your own domain/host, as well as your own local certificate locations.

Cheers,
-Jon

<VirtualHost my.domain.com:443>
    ServerAdmin webmaster@my.domain.com
    DocumentRoot /web/my.domain.com/public_html
    ServerName my.domain.com:443
    ErrorLog /web/my.domain.com/logs/error_log
    CustomLog /web/my.domain.com/logs/access_log common
    ScriptAlias /cgi-bin/ "/web/my.domain.com/cgi-bin/"
    Alias /images/ "/web/my.domain.com/images/"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

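The three pieces named in the answer above (mod_ssl loaded, a Listen on 443, an SSL virtual host) put together with a tighter protocol and cipher policy, as an added example that is not part of the original post or taken from the poster's server. Hostname, document root and certificate paths are the thread's placeholders; the LoadModule path and the SSLProtocol, SSLHonorCipherOrder and replacement SSLCipherSuite lines are assumptions added here.

```apache
# Added example, not the poster's production config.

# mod_ssl has to be loaded before any SSL* directive is parsed.
# The module path is an assumption (usual layout relative to ServerRoot).
LoadModule ssl_module modules/mod_ssl.so

# Without this the server never accepts connections on the HTTPS port.
Listen 443

<VirtualHost my.domain.com:443>
    ServerAdmin webmaster@my.domain.com
    DocumentRoot /web/my.domain.com/public_html
    ServerName my.domain.com:443
    ErrorLog /web/my.domain.com/logs/error_log
    CustomLog /web/my.domain.com/logs/access_log common

    SSLEngine on

    # Cipher string as posted in the thread, kept here for comparison.
    # It starts from ALL and removes only ADH and EXPORT56, so on OpenSSL
    # builds of that era 40-bit export, LOW (single DES) and SSLv2 suites
    # stay negotiable:
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Tightened policy: no SSLv2/SSLv3, server picks the cipher,
    # and only HIGH-strength authenticated suites are offered.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES

    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    # The private key should be readable by root only.
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key

    # Log the negotiated protocol and cipher per request, so weak
    # negotiations show up in the log (format taken from the post above).
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

`apachectl configtest` checks the syntax before a restart, and `httpd -M` should list ssl_module once the module is loaded.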
 

Author Comment

by:pjinlaok
ID: 20352346
Hello Captain,

Thanks for your posting. I actually ran out of time and had to do a new installation of Apache 2.0.57 into /wwwroot .

I add this line to httpd.conf to enable ssl:
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

Then I edit the ssl.conf file.


Are you saying that I can simply add the SSL configuration as a vhost with port 443?

Listen 443

and

<VirtualHost my.domain.com:443>

    # General setup for the virtual host
    JkMount /* worker1
    JkMount /*.jsp worker1
    JkMount /*.html worker1
    ServerName web2.mydomain.com:443
    ServerAlias 10.0.1.252
    ErrorLog /etc/httpd/logs/web2.mydomain.com_error_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog /etc/httpd/logs/web2.mydomain.com_access_log combined
</VirtualHost>

JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /etc/httpd/logs/mod_jk.log
JkShmFile     /etc/httpd/logs/jk-runtime-status
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkAutoAlias /opt/Alfresco/tomcat/webapps/appname
LVL 16

Accepted Solution

by:
The--Captain earned 500 total points
ID: 20387714
Did your above proposed config work for you?  Just curious ;-)

>Are you saying that I can simply add the SSL configuration as a vhost with
>port 443?

I just took that config from a working production box - IIRC from the initial setup, you definitely need to listen on port 443, enable the SSL engine, and have a host (or virtual host) definition that defines your SSL parameters.  I can't quite remember why I defined it as a vhost, since you can only have one https server per IP, but I think it is due to the fact that *all* sites on that box are defined as vhosts.

In any case, you also need to have correct DNS (or at least local /etc/hosts file entries) for your site declaration or apache might not behave as expected.  If you need me to provide specific data from the same production box, I can...

BTW, I'm not sure what's up with your JK... directives, but my example contained a DocumentRoot directive, which I think is necessary (but not included in your post) - am I missing something, being obtuse, or did you not include that for a reason of which I am unaware?

Cheers,
-Jon
 

Author Comment

by:pjinlaok
ID: 20397716
Hi Jon,


Currently I am still running the site off of the new apache 2.0.57 in /wwwroot and I haven't tested apache 2.2 yet. I did some more reading and it looks like the configuration that you gave me is the correct way to do it in apache 2.2.

I guess you no longer need an ssl.conf file in apache 2.2.

I am going to test it in development this week.


FYI the JKMount is used for configuration of mod_jk. It forwards all tomcat requests to the tomcat server. We use apache to answer all http port 80 requests so that we can have a normal looking web url (i.e. www.mydomain.com instead of https://www.mydomain.com:8090/directory).

Tomcat is actually serving up all the content.

I think I will have to add an SSL certificate to tomcat as well to secure the entire site.


Thanks for your help. I will accept your answer and I will post any further updates on my findings.


Cheers

Peter  
 
LVL 16

Expert Comment

by:The--Captain
ID: 20398637
>I guess you no longer need an ssl.conf file

AFAIK, no one ever *needs* an ssl.conf file (since it's typically just included using a directive in the main config file).  You really don't even need a file called httpd.conf (of course, you *do* need a file somewhere that has your config of which you have made apache aware, but you can call it whatever you want, and put it wherever you want).

Let us know how it goes...

Cheers,
-Jon

P.S.  I think I defined the https site as a vhost in case we ever assigned more IPs to the box - keeps things easy if all you have to do is modify a few parameters of a copied entry.

