Solved

Enable SSL in Apache 2.2.4 after already installed

Posted on 2007-11-20
Last Modified: 2013-12-06
Hello all, I hope someone can help me with this one because I have been banging my head all day long.

I have a server running Apache 2.2.4 that came installed with Fedora core 6.

I understand that I can enable Apache with mod_ssl during the install with ./configure --enable-ssl, but I already have apache configured and running in production.

I know that you can dynamically load modules with LoadModules, but I can't find a mod_ssl.so for Apache 2.2.4.

I need specific instructions as to how to enable ssl in apache so that https://my.domain.com works


Question by:pjinlaok
6 Comments
 
LVL 12

Expert Comment

by:dlan75
ID: 20331213
Hi,
Have you looked here already? http://httpd.apache.org/docs/2.2/ssl/
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 20331730
I've included a working declaration from one of the Fedora webservers to which I have access - you will also need to include a listen directive on port 443, and be sure to include mod_ssl in the list of modules to be loaded.  My included example has been adjusted to a generic form - you will have to adjust it for your own domain/host, as well as your own local certificate locations.

Cheers,
-Jon

<VirtualHost my.domain.com:443>
    ServerAdmin webmaster@my.domain.com
    DocumentRoot /web/my.domain.com/public_html
    ServerName my.domain.com:443
    ErrorLog /web/my.domain.com/logs/error_log
    CustomLog /web/my.domain.com/logs/access_log common
    ScriptAlias /cgi-bin/ "/web/my.domain.com/cgi-bin/"
    Alias /images/ "/web/my.domain.com/images/"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

0
 

Author Comment

by:pjinlaok
ID: 20352346
Hello Captain,

Thanks for your posting. I actually ran out of time and had to do a new installation of Apache 2.0.57 into /wwwroot .

I add this line to httpd.conf to enable ssl:
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

Then I edit the ssl.conf file.


Are you saying that I can simply add the SSL configuration as a vhost with port 443?

Listen 443

and

<VirtualHost my.domain.com:443>

    # General setup for the virtual host
    JkMount /* worker1
    JkMount /*.jsp worker1
    JkMount /*.html worker1
    ServerName web2.mydomain.com:443
    ServerAlias 10.0.1.252
    ErrorLog /etc/httpd/logs/web2.mydomain.com_error_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog /etc/httpd/logs/web2.mydomain.com_access_log combined
</VirtualHost>

JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /etc/httpd/logs/mod_jk.log
JkShmFile     /etc/httpd/logs/jk-runtime-status
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkAutoAlias /opt/Alfresco/tomcat/webapps/appname
0
 
LVL 16

Accepted Solution

by:
The--Captain earned 2000 total points
ID: 20387714
Did your above proposed config work for you?  Just curious ;-)

>Are you saying that I can simply add the SSL configuration as a vhost with
>port 443?

I just took that config from a working production box - IIRC from the initial setup, you definitely need to listen on port 443, enable the SSL engine, and have a host (or virtual host) definition that defines your SSL parameters.  I can't quite remember why I defined it as a vhost, since you can only have one https server per IP, but I think it is due to the fact that *all* sites on that box are defined as vhosts.

In any case, you also need to have correct DNS (or at least local /etc/hosts file entries) for your site declaration or apache might not behave as expected.  If you need me to provide specific data from the same production box, I can...

BTW, I'm not sure what's up with your JK... directives, but my example contained a DocumentRoot directive, which I think is necessary (but not included in your post) - am I missing something, being obtuse, or did you not include that for a reason of which I am unaware?

Cheers,
-Jon
0
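
An added example, not code from either poster: a Python check (all function and variable names are this example's own) that tests a config for the requirements named in the answer above (a Listen on port 443, SSLEngine on, a host definition carrying the SSL parameters) and reports which weak cipher classes the SSLCipherSuite string posted in the thread leaves enabled. The cipher evaluation is a class-level approximation of OpenSSL cipher-string syntax and assumes the class membership of the OpenSSL releases of the Apache 2.2 era; it does not call OpenSSL.

```python
import re

# Weak classes -> True if "ALL" includes the class (assumption: OpenSSL of the Apache 2.2 era).
WEAK = {"SSLv2": True, "EXP": True, "LOW": True, "RC4": True, "ADH": True, "eNULL": False}
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL", "aNULL": "ADH"}  # simplification for this example

def weak_classes(cipher_string):
    """Class-level approximation of the weak classes a cipher string leaves enabled."""
    enabled, killed = set(), set()
    for tok in filter(None, re.split(r"[:, ]+", cipher_string)):
        op = tok[0] if tok[0] in "!-+" else ""
        names = [ALIASES.get(n, n) for n in tok[len(op):].split("+")]
        if op in ("-", "!") and len(names) == 1:   # "-X" removes, "!X" removes for good
            enabled.discard(names[0])
            if op == "!":
                killed.add(names[0])
        elif not op:                               # bare token adds; "+X" only reorders
            added = {c for c, in_all in WEAK.items() if in_all} if names == ["ALL"] else set(names) & set(WEAK)
            enabled |= added - killed
    return sorted(enabled)

def audit(conf):
    """Findings for the HTTPS requirements named in the thread, plus weak cipher classes."""
    conf = re.sub(r"\\\n\s*", " ", conf)           # join backslash-continued lines
    lines = [s for s in map(str.strip, conf.splitlines()) if s and s[0] != "#"]
    out = []
    if not any(re.match(r"(?i)Listen\s+(\S+:)?443\b", s) for s in lines):
        out.append("no Listen directive for port 443")
    vhost = re.search(r"(?is)<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", "\n".join(lines))
    if not vhost:
        return out + ["no <VirtualHost ...:443> block"]
    d = {p[0].lower(): p[1] for p in (s.split(None, 1) for s in vhost.group(1).splitlines()) if len(p) == 2}
    if d.get("sslengine", "").lower() != "on":
        out.append("SSLEngine is not on")
    out += [f"missing {k}" for k in ("SSLCertificateFile", "SSLCertificateKeyFile") if k.lower() not in d]
    if "sslprotocol" not in d:
        out.append("no SSLProtocol in the vhost: protocol versions follow the server default")
    weak = weak_classes(d.get("sslciphersuite", ""))
    if weak:
        out.append("SSLCipherSuite leaves enabled: " + ", ".join(weak))
    return out

# Constructed sample: trimmed from the vhost posted in the thread, with no Listen line.
SAMPLE = r'''<VirtualHost my.domain.com:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
</VirtualHost>'''
```

In this model the `+SSLv2`, `+EXP` and `+eNULL` tokens change only ordering; the export, LOW, RC4 and SSLv2 classes are reported because `ALL` adds them and the string removes only `ADH` and `EXPORT56`.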
 

Author Comment

by:pjinlaok
ID: 20397716
Hi Jon,


Currently I am still running the site off of the new apache 2.0.57 in /wwwroot and I haven't tested apache 2.2 yet. I did some more reading and it looks like the configuration that you gave me is the correct way to do it in apache 2.2.

I guess you no longer need an ssl.conf file in apache 2.2.

I am going to test it in development this week.


FYI the JKMount is used for configuration of mod_jk. It forwards all tomcat requests to the tomcat server. We use apache to answer all http port 80 requests so that we can have a normal looking web url (ie www.mydomain.com instead of https://www.mydomain.com:8090/directory )

Tomcat is actually serving up all the content.

I think I will have to add an SSL certificate to tomcat as well to secure the entire site.


Thanks for your help. I will accept your answer and I will post any further updates on my findings.


Cheers

Peter  
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 20398637
>I guess you no longer need an ssl.conf file

AFAIK, no one ever *needs* an ssl.conf file (since it's typically just included using a directive in the main config file).  You really don't even need a file called httpd.conf (of course, you *do* need a file somewhere that has your config of which you have made apache aware, but you can call it whatever you want, and put it wherever you want).

Let us know how it goes...

Cheers,
-Jon

P.S.  I think I defined the https site as a vhost in case we ever assigned more IPs to the box - keeps things easy if all you have to do is modify a few parameters of a copied entry.


0
