Solved

Enable SSL in Apache 2.2.4 after already installed

Posted on 2007-11-20
Last Modified: 2013-12-06
Hello all, I hope someone can help me with this one because I have been banging my head all day long.

I have a server running Apache 2.2.4 that came installed with Fedora core 6.

I understand that I can enable Apache with mod_ssl during the install with ./configure --enable-ssl, but I already have apache configured and running in production.

I know that you can dynamically load modules with LoadModules, but I can't find a mod_ssl.so for Apache 2.2.4.

I need specific instructions as to how to enable ssl in apache so that https://my.domain.com works


Question by:pjinlaok
6 Comments
 
LVL 12

Expert Comment

by:dlan75
ID: 20331213
Hi,
Have you looked here already? http://httpd.apache.org/docs/2.2/ssl/
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 20331730
I've included a working declaration from one of the Fedora webservers to which I have access - you will also need to include a listen directive on port 443, and be sure to include mod_ssl in the list of modules to be loaded.  My included example has been adjusted to a generic form - you will have to adjust it for your own domain/host, as well as your own local certificate locations.

Cheers,
-Jon

<VirtualHost my.domain.com:443>
    ServerAdmin webmaster@my.domain.com
    DocumentRoot /web/my.domain.com/public_html
    ServerName my.domain.com:443
    ErrorLog /web/my.domain.com/logs/error_log
    CustomLog /web/my.domain.com/logs/access_log common
    ScriptAlias /cgi-bin/ "/web/my.domain.com/cgi-bin/"
    Alias /images/ "/web/my.domain.com/images/"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


0
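Added example, not part of the original thread: a small audit of the configuration posted above, checking the requirements the answer names (a `Listen` for the vhost's port, `SSLEngine on`) and which weak cipher classes the posted `SSLCipherSuite` leaves enabled. It follows the OpenSSL cipher-string rules that a `+` prefix only reorders ciphers already in the list and that `ALL` leaves out eNULL, so the weak classes in that string come from `ALL`, not from the `+LOW:+SSLv2:+EXP` tokens. The names `weak_classes` and `audit` and the weak-keyword shortlist are assumptions of this example.

```python
import re

# Weak classes -> OpenSSL keywords selecting them; ALL covers all but eNULL (example shortlist).
WEAK = {"LOW": {"LOW", "ALL"}, "EXP": {"EXP", "EXPORT", "ALL"}, "SSLv2": {"SSLV2", "ALL"},
        "RC4": {"RC4", "ALL"}, "ADH": {"ADH", "ANULL", "ALL"}, "eNULL": {"ENULL", "NULL"}}
PARTIAL = {"EXPORT40": "EXP", "EXPORT56": "EXP"}  # keywords covering part of a class

def weak_classes(cipher_string):
    """Weak classes left enabled after applying the cipher string left to right."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        op, body = re.match(r"([!+-]?)(.*)", token).groups()
        names = body.upper().split("+")          # 'RC4+RSA' means RC4 AND RSA
        for name in names:
            hit = {c for c in WEAK if name in WEAK[c]}
            if op in ("!", "-") and len(names) == 1:
                enabled -= hit                   # '-X' removes; '!X' removes for good
                killed |= hit if op == "!" else set()
            elif not op:                         # a '+X' token only reorders, adds nothing
                enabled |= hit | ({PARTIAL[name]} if name in PARTIAL else set())
    return sorted(enabled - killed)

def audit(conf):
    """Return findings for each SSL <VirtualHost> block in an Apache config."""
    text = re.sub(r"\\\n\s*", " ", conf)         # join backslash-continued lines
    listens = set(re.findall(r"(?im)^\s*Listen[ \t]+(?:\S+:)?(\d+)(?:[ \t]+\w+)?[ \t]*$", text))
    findings = []
    for addr, body in re.findall(r"(?is)<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text):
        d = {k.lower(): v.strip() for k, v in re.findall(r"(?m)^\s*(\w+)[ \t]+(.+)$", body)}
        port = addr.strip().rsplit(":", 1)[-1]
        if "sslengine" not in d and port != "443":
            continue                             # plain-HTTP vhost, not audited here
        if port not in listens:
            findings.append(f"{addr}: no Listen directive for port {port}")
        if d.get("sslengine", "").lower() != "on":
            findings.append(f"{addr}: SSLEngine is not on")
        for cls in weak_classes(d.get("sslciphersuite", "")):
            findings.append(f"{addr}: SSLCipherSuite enables {cls} ciphers")
    return findings

# Constructed sample: a vhost using the SSLCipherSuite value posted in the thread.
SAMPLE = """
<VirtualHost my.domain.com:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```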
 

Author Comment

by:pjinlaok
ID: 20352346
Hello Captain,

Thanks for your posting. I actually ran out of time and had to do a new installation of Apache 2.0.57 into /wwwroot .

I add this line to httpd.conf to enable ssl:
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

Then I edit the ssl.conf file.


Are you saying that I can simply add the SSL configuration as a vhost with port 443?

Listen 443

and

<VirtualHost my.domain.com:443>

    #   General setup for the virtual host
    JkMount /* worker1
    JkMount /*.jsp worker1
    JkMount /*.html worker1
    ServerName web2.mydomain.com:443
    ServerAlias 10.0.1.252
    ErrorLog /etc/httpd/logs/web2.mydomain.com_error_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog /etc/httpd/logs/web2.mydomain.com_access_log combined
</VirtualHost>

JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /etc/httpd/logs/mod_jk.log
JkShmFile     /etc/httpd/logs/jk-runtime-status
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkAutoAlias /opt/Alfresco/tomcat/webapps/appname
0

 
LVL 16

Accepted Solution

by:
The--Captain earned 500 total points
ID: 20387714
Did your above proposed config work for you?  Just curious ;-)

>Are you saying that I can simply add the SSL configuration as a vhost with
>port 443?

I just took that config from a working production box - IIRC from the initial setup, you definitely need to listen on port 443, enable the SSL engine, and have a host (or virtual host) definition that defines your SSL parameters.  I can't quite remember why I defined it as a vhost, since you can only have one https server per IP, but I think it is due to the fact that *all* sites on that box are defined as vhosts.

In any case, you also need to have correct DNS (or at least local /etc/hosts file entries) for your site declaration or apache might not behave as expected.  If you need me to provide specific data from the same production box, I can...

BTW, I'm not sure what's up with your JK... directives, but my example contained a DocumentRoot directive, which I think is necessary (but not included in your post) - am I missing something, being obtuse, or did you not include that for a reason of which I am unaware?

Cheers,
-Jon
0
 

Author Comment

by:pjinlaok
ID: 20397716
Hi Jon,


Currently I am still running the site off of the new apache 2.0.57 in /wwwroot and I haven't tested apache 2.2 yet. I did some more reading and it looks like the configuration that you gave me is the correct way to do it in apache 2.2.

I guess you no longer need an ssl.conf file in apache 2.2.

I am going to test it in development this week.


FYI the JKMount is used for configuration of mod_jk. It forwards all tomcat requests to the tomcat server. We use apache to answer all http port 80 requests so that we can have a normal looking web url (ie www.mydomain.com instead of https://www.mydomain.com:8090/directory )

Tomcat is actually serving up all the content.

I think I will have to add an SSL certificate to tomcat as well to secure the entire site.


Thanks for your help. I will accept your answer and I will post any further updates on my findings.


Cheers

Peter  
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 20398637
>I guess you no longer need an ssl.conf file

AFAIK, no one ever *needs* an ssl.conf file (since it's typically just included using a directive in the main config file).  You really don't even need a file called httpd.conf (of course, you *do* need a file somewhere that has your config of which you have made apache aware, but you can call it whatever you want, and put it wherever you want).

Let us know how it goes...

Cheers,
-Jon

P.S.  I think I defined the https site as a vhost in case we ever assigned more IPs to the box - keeps things easy if all you have to do is modify a few parameters of a copied entry.


0


Question has a verified solution.
