Solved

Enable SSL in Apache 2.2.4 after already installed

Posted on 2007-11-20
6
6,600 Views
Last Modified: 2013-12-06
Hello all, I hope someone can helpme with this one because I have been banging my head all day long.

I have a server running Apache 2.2.4 that came installed with Fedora core 6.

I understand that I can enable Apache with mod_ssl during the install with ./configure --enable-ssl, but I already have apache configured and running in production.

I know that you can dynamically load modules with LoadModules , but I can't find a mod_ssl.so for Apache 2.2.4 .

I need specific instructions as to how to enable ssl in apache so that https://my.domain.com works


0
Comment
Question by:pjinlaok
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 12

Expert Comment

by:dlan75
ID: 20331213
Hi,
Have you looked here already? :http://httpd.apache.org/docs/2.2/ssl/
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 20331730
I've included a working declaration from one of the Fedora webserver to which I have access - you will also need to include a listen directive on port 443, and be sure to include mod_ssl in the list of modules to be loaded.  My included example has been adjusted to a generic form - you will have to adjust it for your own domain/host, as well as your own local certificate locations.

Cheers,
-Jon

<VirtualHost my.domain.com:443>
    ServerAdmin webmaster@my.domain.com
    DocumentRoot /web/my.domain.com/public_html
    ServerName my.domain.com:443
    ErrorLog /web/my.domain.com/logs/error_log
    CustomLog /web/my.domain.com/logs/access_log common
    ScriptAlias /cgi-bin/ "/web/my.domain.com/cgi-bin/"
    Alias /images/ "/web/my.domain.com/images/"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Open in new window

0
 

Author Comment

by:pjinlaok
ID: 20352346
Hello Captain,

Thanks for your posting. I actually ran out of time and had to do a new installation of Apache 2.0.57 into /wwwroot .

I add this line to httpd.com to enable ssl:
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

Then I edit the ssl.conf file.


Are you saying that I can simply add the SSL configuration as a vhost with port 443?

Listen 443

and

<VirtualHost my.domain.com:443>

#   General setup for the virtual host
  JkMount /* worker1
    JkMount /*.jsp worker1
    JkMount /*.html worker1
    ServerName web2.mydomain.com:443
    ServerAlias 10.0.1.252
    ErrorLog /etc/httpd/logs/web2.mydomain.com_error_log
    SSLEngine on
       SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
       SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
       SSLCertificateKeyFile /etc/httpd/conf/ssl.key/example.key
      <Files ~ "\.(cgi|shtml|phtml|php3?)$">
           SSLOptions +StdEnvVars
       </Files>
       SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog /etc/httpd/logs/web2.mydomain.com_access_log combined
</VirtualHost>

JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /etc/httpd/logs/mod_jk.log
JkShmFile     /etc/httpd/logs/jk-runtime-status
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkAutoAlias /opt/Alfresco/tomcat/webapps/appname
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 
LVL 16

Accepted Solution

by:
The--Captain earned 500 total points
ID: 20387714
Did your above proposed config work for you?  Just curious ;-)

>Are you saying that I can simply add the SSL configuration as a vhost with
>port 443?

I just took that config from a working production box - IIRC from the initial setup, you definitely need to listen on port 443, enable the SSL engine, and have a host (or virtual host) definition that defines your SSL parameters.  I can't quite remember why I defined it as a vhost, since you can only have one https server per IP, but I think it is due to the fact that *all* sites on that box are defined as vhosts.

In any case, you also need to have correct DNS (or at least local /etc/hosts file entries) for your site declaration or apache might not behave as expected.  If you need me to provide specific data from the same production box, I can...

BTW, I'm not sure what's up with your JK... directives, but my example contained a DocumentRoot directive, which I think is necessary (but not included in your post) - am I missing something, being obtuse, or did you not include that for a reason of which I am unaware?

Cheers,
-Jon
0
 

Author Comment

by:pjinlaok
ID: 20397716
Hi Jon,


Currently I am still running the site off of the new apache 2.0.57 in /wwwroot and I haven't tested apache 2.2 yet. I did some more reading and it looks like the configuration that you gave me is the correct way to do it in apache 2.2.

I guess you no longer need an ssl.conf file in apache 2.2.

I am going to test it in development this week.


FYI the JKMount is used for configuration of mod_jk. It forwards all tomcat requests to the tomcat server. We use apache to answer all http port 80 requests so that we can have a normal looking web url (ie www.mydomain.com instead of https://www.mydomain.com:8090/directory )

Tomcat it actually serving up all the content.

I think I will have to add an SSL certificate to tomcat as well to secure the entire site.


Thanks for your help. I will accept your answer and I will post any further updates on  my findings.


Cheers

Peter  
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 20398637
>I guess you no longer need an ssl.conf file

AFAIK, no one ever *needs* an ssl.conf file (since it's typically just included using a directive in the main config file).  You really don't even need a file called httpd.conf (of course, you *do* need a file somewhere that has your config of which you have made apache aware, but you can call it whatever you want, and put it wherever you want).

Let us know how it goes...

Cheers,
-Jon

P.S.  I think I defined the https site as a vhost in case we ever assigned more IPs to the box - keeps things easy if all you have to do is modify a few parameters of a copied entry.


0

Featured Post

Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question