{"id":121,"date":"2010-03-30T20:52:14","date_gmt":"2010-03-31T01:52:14","guid":{"rendered":"http:\/\/www.linuxpoweruser.com\/?p=121"},"modified":"2010-03-30T20:52:14","modified_gmt":"2010-03-31T01:52:14","slug":"ubuntu-apache-lamp-server-quick-howto-part-2-ssl-websites","status":"publish","type":"post","link":"https:\/\/www.linuxpoweruser.com\/?p=121","title":{"rendered":"Ubuntu Apache LAMP Server Quick Howto &#8211; Part 2 &#8211; SSL Websites"},"content":{"rendered":"<p>Hi &#8211; Welcome back to the Ubuntu Apache LAMP Server Quick Howto.\u00a0 This second part of the series will cover configuring SSL for use with Apache for securing website content.\u00a0 SSL stands for Secure Sockets Layer, and is a method of providing transport layer encryption or TLS (transport layer security).\u00a0 SSL typically uses X.509 digital certificates to perform authentication and encryption functions.\u00a0\u00a0 X.509 is based on public key infrastructure or PKI.\u00a0 PKI is beyond the scope of this article (sounds like a good topic for a future article), but we will at least create a self-signed certificate for instructional purposes here.<\/p>\n<p>SSL adds a few caveats to Apache configuration.\u00a0 One of those is name based virtual hosting.\u00a0 SSL does not allow the use of name based virtual hosts.\u00a0 From the apache SSL\/TLS Strong Encryption Guide:<\/p>\n<h3><em><a id=\"vhosts2\" name=\"vhosts2\">&#8220;Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?<\/a><\/em><\/h3>\n<p><em>Name-Based Virtual Hosting is a very popular method of identifying     different virtual hosts. It allows you to use the same IP address and     the same port number for many different sites. 
When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.<\/em><\/p>\n<p><em>It comes as rather a shock to learn that it is impossible.<\/em><\/p>\n<p><em>The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified&#8221;<\/em><\/p>\n<p>My experience is that Apache will reject the configuration if you attempt to use name based virtual hosts with SSL.<\/p>\n<p>So, with this in mind, if I have multiple &#8220;sites&#8221; to serve with SSL, I either use different IP addresses for each site, or I serve one site with multiple directories of content that can be referenced by https:\/\/&lt;site fqdn&gt;\/directory.\u00a0 For example, if I had a site called www.stuff.com and it used SSL, I would add content for different functions\/sites at https:\/\/www.stuff.com\/systeminfo or https:\/\/www.stuff.com\/shopping.<\/p>\n<p>Anyway, so, how do we set up SSL?\u00a0 First thing is to make sure it's enabled on your LAMP server.\u00a0 To turn on SSL use the following command:<br \/>\n<code><br \/>\nsudo a2enmod ssl<br \/>\n<\/code><br \/>\nfollowed by<br \/>\n<code><br \/>\nsudo \/etc\/init.d\/apache2 restart<br \/>\n<\/code><br \/>\nAlso &#8211; we should create a specific document root directory for the SSL Apache to use.\u00a0 This way, if you have both SSL and non-SSL sites on the same server, the non-SSL sites will not all be published automatically by the SSL definition.<br \/>\n<code><br \/>\nsudo mkdir \/var\/www-ssl<br 
\/>\n<\/code><br \/>\nCreating a self-signed certificate:<\/p>\n<p>In order to use SSL with Apache you must have a certificate.\u00a0 Here is how to make a self-signed certificate.\u00a0 Note:\u00a0 Self-signed certs are fine for testing and lab servers, but are not recommended for production environments or internet facing servers.\u00a0 Note also that the 1024-bit RSA key and SHA-1 signature used in the commands below are now considered weak and are no longer accepted by public CAs; for anything beyond a lab, use at least a 2048-bit key and -sha256.<\/p>\n<p>First, you will need to create a private key file:<br \/>\n<code><br \/>\nsudo openssl genrsa 1024 &gt; host.key<br \/>\nsudo chmod 400 host.key<br \/>\n<\/code><br \/>\nNext, you will need to create the certificate:<br \/>\n<code><br \/>\nsudo openssl req -new -x509 -nodes -sha1 -days 365 -key host.key &gt; host.cert<br \/>\n<\/code><br \/>\nAfter hitting enter, you will be prompted for several pieces of information that will be encoded into the certificate.\u00a0 Here is an example output:<br \/>\n<code><br \/>\nYou are about to be asked to enter information that will be incorporated<br \/>\ninto your certificate request.<br \/>\nWhat you are about to enter is what is called a Distinguished Name or a DN.<br \/>\nThere are quite a few fields but you can leave some blank<br \/>\nFor some fields there will be a default value,<br \/>\nIf you enter '.', the field will be left blank.<br \/>\n-----<br \/>\nCountry Name (2 letter code) [AU]:<span style=\"color: #ff0000;\">US<\/span><br \/>\nState or Province Name (full name) [Some-State]:<span style=\"color: #ff0000;\">Kansas<\/span><br \/>\nLocality Name (eg, city) []:<span style=\"color: #ff0000;\">Topeka<\/span><br \/>\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:<span style=\"color: #ff0000;\">Test.com<\/span><br \/>\nOrganizational Unit Name (eg, section) []:<span style=\"color: #ff0000;\">IT<\/span><br \/>\nCommon Name (eg, YOUR name) []:<span style=\"color: #ff0000;\">www.test.com<\/span><br \/>\nEmail Address []:<span style=\"color: #ff0000;\">admin@test.com<\/span><br \/>\n<\/code><br \/>\nNote, the Common Name should be the fully qualified domain name of your 
web server.\u00a0 Your cert and key will be in the current directory, and will be called host.cert (cert) and host.key (key).\u00a0 Both of these files will be needed for the next step.\u00a0 As root or using sudo, copy the key file to the \/etc\/ssl\/private directory on your LAMP server, and copy the cert file (host.cert) to the \/etc\/ssl\/certs directory.<\/p>\n<p>Next go to the \/etc\/apache2\/sites-available directory and edit the default-ssl file.\u00a0 This file controls the default SSL virtual host configuration.\u00a0 We will be modifying some of the lines in the file.\u00a0 As root, find the beginning stanza in the file (with your favorite editor) and it will look something like this:<\/p>\n<pre><span style=\"color: #0000ff;\"><em><span style=\"color: #3366ff;\">&lt;IfModule mod_ssl.c&gt;<\/span>\n<span style=\"color: #3366ff;\">&lt;VirtualHost _default_:443&gt;\n            ServerAdmin webmaster@localhost\n\n            DocumentRoot \/var\/www\n            &lt;Directory \/&gt;\n                         Options FollowSymLinks\n                         AllowOverride None\n            &lt;\/Directory&gt;\n            &lt;Directory \/var\/www&gt;\n                        Options Indexes FollowSymLinks MultiViews\n                        AllowOverride None\n                        Order allow,deny\n                        allow from all\n            &lt;\/Directory&gt;<\/span><\/em>\n<\/span><\/pre>\n<p>Change the webmaster@localhost to an email address of the person responsible for the server (this isn&#8217;t required, but is probably good practice).<\/p>\n<p>Also, you should probably add a ServerName directive right after the ServerAdmin directive.\u00a0 The ServerName directive should reflect the fully qualified domain name of the server.<\/p>\n<p>The DocumentRoot directive should be changed to \/var\/www-ssl &#8211; the directory we made earlier.\u00a0 Lastly, the Directory \/var\/www directive should be changed to Directory 
\/var\/www-ssl.<\/p>\n<p>Here is the same code snippet, modified for a server called www.test.com:<\/p>\n<pre><span style=\"color: #3366ff;\"><em>&lt;IfModule mod_ssl.c&gt;\n&lt;VirtualHost _default_:443&gt;\n           ServerAdmin admin@test.com\n           ServerName www.test.com\n           DocumentRoot \/var\/www-ssl\n           &lt;Directory \/&gt;\n                  Options FollowSymLinks\n                  AllowOverride None\n           &lt;\/Directory&gt;\n           &lt;Directory \/var\/www-ssl&gt;\n                  Options Indexes FollowSymLinks MultiViews\n                  AllowOverride None\n                  Order allow,deny\n                  allow from all\n           &lt;\/Directory&gt;<\/em><\/span><\/pre>\n<p>Next, let's find the following couple of lines:<br \/>\n<code><br \/>\nSSLCertificateFile    \/etc\/ssl\/certs\/ssl-cert-snakeoil.pem<br \/>\nSSLCertificateKeyFile \/etc\/ssl\/private\/ssl-cert-snakeoil.key<br \/>\n<\/code><br \/>\nThese lines tell Apache where to find the SSL certificate and private key to use for the site.\u00a0 We are going to replace these with the certificate and private key we created earlier.\u00a0 We will change them to read:<br \/>\n<code><br \/>\nSSLCertificateFile    \/etc\/ssl\/certs\/host.cert<br \/>\nSSLCertificateKeyFile \/etc\/ssl\/private\/host.key<br \/>\n<\/code><br \/>\nOk &#8211; make sure you save your default-ssl file with the changes we have detailed above.\u00a0 After the file is saved, run the following command:<br \/>\n<code><br \/>\nsudo a2ensite default-ssl<br \/>\n<\/code><br \/>\nfollowed by:<br \/>\n<code><br \/>\nsudo \/etc\/init.d\/apache2 restart<br \/>\n<\/code><\/p>\n<p>Now, it's time to test to see if you can connect to the server with SSL.  You might want to create an index.html file in the \/var\/www-ssl directory first though.  To do this simply create a file with &#8220;It works, SSL!&#8221; in it as root and save it to the \/var\/www-ssl directory with the name of index.html.  
Afterwards, open Firefox, and go to https:\/\/&lt;server name or IP address&gt;.  You will probably get a certificate error, since we created a self-signed cert for our tutorial.  You should tell Firefox to trust the certificate.  If all goes well, you should see: It works, SSL! at the top of the page.<\/p>\n<p>If all went well, we should have a working Apache server with SSL.  At this point, you can place content directly under \/var\/www-ssl or in folders under that directory.  If you have some folders under the non-SSL DocumentRoot (normally \/var\/www), simply symlinking those directories into \/var\/www-ssl will publish them via SSL as well.<\/p>\n<p>So, what if it doesn&#8217;t work?  Generally, this is the result of either SSL not being enabled, or an error in your default-ssl file.  Double-check that you have enabled SSL with the a2enmod command, and make sure the default-ssl file is correct, and that it has been enabled with the a2ensite command.  Also note that when enabling SSL for the first time, you must restart Apache with the command:<br \/>\n<code><br \/>\nsudo \/etc\/init.d\/apache2 restart<br \/>\n<\/code><br \/>\nto make sure the SSL module is actually loaded.  
You can check that Apache is listening for SSL connections by running<br \/>\n<code><br \/>\nnetstat -tan<br \/>\n<\/code><br \/>\nand looking for an entry like this:<\/p>\n<pre><span style=\"color: #3366ff;\"><em>Active Internet connections (servers and established)\nProto Recv-Q Send-Q Local Address           Foreign Address     State\ntcp        0      0 0.0.0.0:443             0.0.0.0:*           LISTEN\n<\/em><\/span><\/pre>\n<p>If that line is not present, then double-check your configuration.<\/p>\n<p>Next time we will focus on the MySQL portion of a LAMP server &#8211; look for it soon.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi &#8211; Welcome back to the Ubuntu Apache LAMP Server Quick Howto.\u00a0 This second part of the series will cover configuring SSL for use with Apache for securing website content.\u00a0 SSL stands for Secure Sockets Layer, and is a method of providing transport layer encryption or TLS (transport layer security).\u00a0 SSL typically uses X.509 digital 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,10],"tags":[11,36,40,64,71,73],"_links":{"self":[{"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/posts\/121"}],"collection":[{"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=121"}],"version-history":[{"count":0,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/posts\/121\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}