{"id":1407,"date":"2010-11-23T10:38:13","date_gmt":"2010-11-23T03:38:13","guid":{"rendered":"http:\/\/www.jfdesignnet.com\/?p=1407"},"modified":"2010-11-23T10:38:13","modified_gmt":"2010-11-23T03:38:13","slug":"apache-ssl-and-virtualhost","status":"publish","type":"post","link":"https:\/\/www.jfdesignnet.com\/?p=1407","title":{"rendered":"apache, mod_ssl and virtualhosts"},"content":{"rendered":"<p style=\"text-align: justify;\">Securing connections to your website are vital when entering passwords or entering administration areas. Gathering information from RHEL and some debian admin site I found some nice steps creating a self-signed  certificate and configuring your virtual host to use https (port 443)  connections.<\/p>\n<h2>Non-commercial<\/h2>\n<p style=\"text-align: justify;\">Before we go any further I would point out that self-signed certificates will produce warnings when accessed via an https link. They are not suitable for commercial sites or any public facing site but are ideal for personal administration areas. There are many sites that specialize in issuing recognized and  guaranteed certificates. A search for &#8216;ssl certificates&#8217; in your  favorite search engine will provide many links.<\/p>\n<h2>SSL directory<\/h2>\n<p>We can place the generated certificate anywhere but I like to keep them in one folder. Let&#8217;s create that folder:<br \/>\n{code}mkdir \/etc\/apache2\/ssl{\/code}<\/p>\n<h2>Certificate<\/h2>\n<p style=\"text-align: justify;\">There are a couple of ways of creating self-signed certificates. The  method used here creates a single file and does not require a passphrase  on a reboot or Apache restart.<\/p>\n<p>To start enter the following command :<br \/>\n{code}openssl req -new -x509 -days 365 -nodes -out \/etc\/apache2\/ssl\/apache.pem -keyout \/etc\/apache2\/ssl\/apache.pem{\/code}<\/p>\n<p>The initial output is as follows :<br \/>\n{code}Generating a 1024 bit RSA private key<br \/>\n&#8230;&#8230;&#8230;..++++++<br \/>\n&#8230;&#8230;&#8230;..++++++<br \/>\nwriting new private key to &#8216;\/etc\/apache2\/ssl\/apache.pem&#8217;<br \/>\n&#8212;&#8211;<br \/>\nYou are about to be asked to enter information that will be incorporated<br \/>\ninto your certificate request.<br \/>\nWhat you are about to enter is what is called a Distinguished Name or a DN.<br \/>\nThere are quite a few fields but you can leave some blank<br \/>\nFor some fields there will be a default value,<br \/>\nIf you enter &#8216;.&#8217;, the field will be left blank.<br \/>\n&#8212;&#8211;{\/code}<\/p>\n<p>As indicated, you will be asked a series of questions:<\/p>\n<p><strong>Country<\/strong><\/p>\n<pre>Country Name (2 letter code) [AU]:<\/pre>\n<p>In my case, I entered &#8216;ID&#8217; for Indonesia.<\/p>\n<p><strong>State<\/strong><\/p>\n<pre>State or Province Name (full name) [Some-State]:<\/pre>\n<p>You can leave this blank but for demonstration purposes I entered &#8216;East Java&#8217;.<\/p>\n<p><strong>City<\/strong><\/p>\n<pre>Locality Name (eg, city) []:<\/pre>\n<p>Again, leave blank if you wish. I entered &#8216;Surabaya&#8217;.<\/p>\n<p><strong>Organization<\/strong><\/p>\n<pre>Organization Name (eg, company) [Internet Widgits Pty Ltd]:<\/pre>\n<p>Here I entered &#8216;KSI&#8217;.<\/p>\n<p><strong>Unit<\/strong><\/p>\n<pre>Organizational Unit Name (eg, section) []:<\/pre>\n<p>I entered &#8216;Linux Development&#8217;<\/p>\n<p><strong>Name<\/strong><\/p>\n<pre>Common Name (eg, YOUR name) []:<\/pre>\n<p style=\"text-align: justify;\">Enter your domain address here &#8211; so you might enter something like  admin.domain.com. Only use your URL&#8217;s or IP address. I used  admin.domain.com as an example.<\/p>\n<p><strong>Email<\/strong><\/p>\n<pre>Email Address []:<\/pre>\n<p style=\"text-align: justify;\">If you want your email address displayed on the certificate, then  enter it here. If you are going to use a self-signed certificate for  public facing sites then I would recommend entering a valid address as  it gives them a person to contact.<\/p>\n<p style=\"text-align: justify;\">Anyway, I entered &#8216;webmaster@domain.com&#8217;.<\/p>\n<p style=\"text-align: justify;\">You will be placed back at the command prompt and the certificate has been placed, as directed, in \/etc\/apache2\/ssl\/apache.pem.<\/p>\n<h2>mod_ssl<\/h2>\n<p>So now we have the certificate we need to enable Apache mod_ssl:<\/p>\n<pre>a2enmod ssl<\/pre>\n<p><a id=\"Virtual_Hosts\" name=\"Virtual_Hosts\"><\/a><\/p>\n<h2>Virtual Hosts<\/h2>\n<p style=\"text-align: justify;\">Now we get to configuring the virtual hosts to enable secure connections.<\/p>\n<p style=\"text-align: justify;\">Remember that you can only have one certificate per IP address  which means that if you enable SSL connections to more than one virtual  host they will share the same certificate.<\/p>\n<p style=\"text-align: justify;\">If you have multiple IPs for your Cloud Server (yes, they are  coming!) then you would configure the virtual hosts based on IP address  and not necessarily based on named hosts (more on this when multiple IPs  are available).<\/p>\n<p style=\"text-align: justify;\">Let&#8217;s start by enabling port 443 on the default vhost:<\/p>\n<pre>mcedit \/etc\/apache2\/sites-available\/default<\/pre>\n<p>At the very top of the file you will see this:<\/p>\n<pre>NameVirtualHost *\n\n&lt;VirtualHost *&gt;\n...<\/pre>\n<p>Change these settings to listen to the default http port (80):<\/p>\n<pre>NameVirtualHost *:80\n\n&lt;VirtualHost *:80&gt;\n...<\/pre>\n<p>Now we need to add support for port 443.<\/p>\n<p>Add &#8216;NameVirtualHost *:443&#8217; so it looks like this:<\/p>\n<pre>NameVirtualHost *:80\nNameVirtualHost *:443\n\n&lt;VirtualHost *:80&gt;\n...<\/pre>\n<p style=\"text-align: justify;\">So now the default virtual host is listening to both port 80 and port  443. However, we&#8217;ve only got settings for port 80: It won&#8217;t know what  to do with any connections to port 443.<\/p>\n<p style=\"text-align: justify;\">Let&#8217;s rectify that by copying the &lt;VirtualHost *:80&gt; settings:<\/p>\n<pre>&lt;VirtualHost *:80&gt;\n...\n...\n&lt;\/VirtualHost&gt;<\/pre>\n<p>&#8230;and paste them at the bottom of the file with the port changed to *:443 as follows:<\/p>\n<pre>&lt;VirtualHost *:443&gt;\n...\n...\n&lt;\/VirtualHost&gt;<\/pre>\n<p>One final tweak to the pasted settings is the addition of these two lines:<\/p>\n<pre>SSLEngine on\nSSLCertificateFile \/etc\/apache2\/ssl\/apache.pem<\/pre>\n<p><a id=\"Reload\" name=\"Reload\"><\/a><\/p>\n<h2>Reload<\/h2>\n<p>At this point, reload Apache for the new settings to take effect:<\/p>\n<pre>\/etc\/init.d\/apache2 force-reload<\/pre>\n<p>Somehow on mine \/etc\/init.d\/apache restart is giving an error, so you must use stop then start or force-reload option.<br \/>\n<a id=\"Warnings\" name=\"Warnings\"><\/a><\/p>\n<h2>Warnings<\/h2>\n<p style=\"text-align: justify;\">Now when you browse to your IP address or whichever virtual host you setup to use SSL, you will see warnings similar to these :<\/p>\n<p><a href=\"http:\/\/www.jfdesignnet.com\/wp-content\/uploads\/2010\/11\/ssl1.jpg\" rel=\"lightbox[1407]\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1408\" title=\"ssl1\" src=\"http:\/\/www.jfdesignnet.com\/wp-content\/uploads\/2010\/11\/ssl1-300x220.jpg\" alt=\"\" width=\"300\" height=\"220\" \/><\/a><\/p>\n<p>Clicking &#8216;Confirm Exception&#8217; will take you to a second warning:<\/p>\n<p><a href=\"http:\/\/www.jfdesignnet.com\/wp-content\/uploads\/2010\/11\/ssl2.jpg\" rel=\"lightbox[1407]\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1409\" title=\"ssl2\" src=\"http:\/\/www.jfdesignnet.com\/wp-content\/uploads\/2010\/11\/ssl2-300x298.jpg\" alt=\"\" width=\"300\" height=\"298\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">If you accept the certificate, you will then proceed to the site.  However, as you can tell, a visitor receiving these warnings on a  supposedly secure area of a public website will not be too impressed.  They are, however, fine for personal use and for an administration area.<\/p>\n<p><a id=\"Other_virtual_hosts\" name=\"Other_virtual_hosts\"><\/a><\/p>\n<h2>Other virtual hosts<\/h2>\n<p style=\"text-align: justify;\">Remember how we changed &lt;VirtualHost *&gt; to &lt;VirtualHost  *:80&gt; in the default virtual hosts file? Well, we need to do the same  for any other virtual hosts files.<\/p>\n<p style=\"text-align: justify;\">Then, to add SSL support to any other virtual hosts simply repeat  the procedure and have two configurations in each file. One for port 80  and one for port 443 &#8211; keep in mind that any configured virtual hosts  will share the same certificate.<\/p>\n<p style=\"text-align: justify;\">You don&#8217;t need the NameVirtualHost settings in each file though. They only need to be in the default file.<\/p>\n<p><a id=\"Summary\" name=\"Summary\"><\/a><\/p>\n<h2>Summary<\/h2>\n<p style=\"text-align: justify;\">Once you get used to the process, adding self-signed certificates and  configuring virtual host support for SSL connections is relatively  straight forward.<\/p>\n<p style=\"text-align: justify;\">&nbsp;<\/p>\n<p style=\"text-align: justify;\"><span style=\"text-decoration: underline;\"><strong>Note :<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\">Adjust all apache2 path \/etc\/apache2\/ssl into httpd \/etc\/httpd\/ssl if you were using klixs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing connections to your website are vital when entering passwords or entering administration areas. Gathering information from RHEL and some debian admin site I found some nice steps creating a self-signed certificate and configuring your virtual host to use https (port 443) connections. Non-commercial Before we go any further I would point out that self-signed [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1409,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,9],"tags":[153,228],"_links":{"self":[{"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/posts\/1407"}],"collection":[{"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1407"}],"version-history":[{"count":0,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/posts\/1407\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/media\/1409"}],"wp:attachment":[{"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1407"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}