SSL Install Method

The instructions in this HOWTO are being replaced with more advanced documentation which may be found in the official Server Guide

Note: The server 7.10 guide for SSL has bugs/errors in the documentations and needs to be fixed.e.g. +CompatEnvVars

Apache2 SSL

This guide will help you setup SSL with apache2.

For an introduction to OpenSSL see: https://help.ubuntu.com/community/OpenSSL

The following bugs are related to this documentation:

Note:The bugs listed above refer to the depreciation of the package apache2-ssl-certificate. This package creates SSL certificates but has been dropped as of feisty and above. Most documentions related to Apache and SSL has required apache2-ssl-certificate package and has caused lots of problems getting apache and SSL to work.

Setup up Apache and SSL

Ubuntu 7.10


Select LAMP

tasksel

or

sudo apt-get install apache2

Create a Certificate

sudo apt-get install ssl-cert

sudo mkdir /etc/apache2/ssl

Hardcoding cert lifetime based on this patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821#22

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

(Answer questions)

Install Module

The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.

sudo a2enmod ssl

sudo /etc/init.d/apache2 force-reload

Create virtualhost

Make a copy of the default virtualhost

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

Modify it so it looks something like this

sudo nano -w /etc/apache2/sites-available/ssl

NameVirtualHost *:443
<virtualhost *:443>
ServerAdmin webmaster@localhost

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

DocumentRoot /var/www/
<directory />
Options FollowSymLinks
AllowOverride None
</directory>

<directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# Commented out for Ubuntu
#RedirectMatch ^/$ /apache2-default/
</directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature On

Alias /doc/ "/usr/share/doc/"
<directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</directory>

</virtualhost>

Enable SSL virtualhost

sudo a2ensite ssl

sudo /etc/init.d/apache2 reload

don't forget to modify

sudo nano -w /etc/apache2/sites-available/default

NameVirtualHost *:80
<virtualhost *:80>

Restart Apache server

sudo /etc/init.d/apache2 restart

Ubuntu 7.04


Since Ubuntu 7.04, certificate creation has been changed:

https://bugs.launchpad.net/debian/+source/apache2/+bug/77675/comments/25

Old fashioned way:


Create a certificate which are valid for a year.

sudo apache2-ssl-certificate -days 365

Enable the SSL module

sudo a2enmod ssl

Listen to port 443

echo "Listen 443" | sudo tee -a /etc/apache2/ports.conf

Create and enable the SSL site

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

Modify it so it looks something like this

NameVirtualHost *:443
<virtualhost *:443>
        ServerAdmin webmaster@localhost

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem

        DocumentRoot /var/www/
        <directory />
                Options FollowSymLinks
                AllowOverride None
        </directory>

        <directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                # Commented out for Ubuntu
                #RedirectMatch ^/$ /apache2-default/
        </directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </directory>

</virtualhost>

...and enable it

sudo a2ensite ssl

don't forget to modify /etc/apache2/sites-available/default

NameVirtualHost *:80
<virtualhost *:80>

Mod rewrite

It's often desirable to force users to access things like webmail via https. This can be accomplished with mod_rewrite.

First you'll have to enable the module

sudo a2enmod rewrite

Then add the following to /etc/apache2/sites-available/default

RewriteEngine   on
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^/webmail(.*)$ https://%{SERVER_NAME}/webmail$1 [L,R]
RewriteLog      "/var/log/apache2/rewrite.log"
RewriteLogLevel 2

Create directory for pidfile; it may be missing

sudo mkdir -p /var/run/apache2
sudo chown -R www-data /var/run/apache2

Don't forget to restart apache

sudo /etc/init.d/apache2 force-reload


CategoryForum

forum/server/apache2/SSL (last edited 2009-04-30 22:06:17 by fooka)