How to Configure Apache for HTTPS

From Dot2DotCommunications
Revision as of 16:11, 20 August 2014

To secure your web server with SSL/TLS encryption, you need to obtain a digital certificate from a trusted certificate authority and enable the SSL/TLS cryptographic protocols on your server.

This article describes:

  • how to generate a self-signed certificate, which can be used to test the configuration;
  • how to enable SSL/TLS on the WampServer 2.4 distribution of Apache and PHP.


Generate a server key pair and a server certificate

For deployment purposes you need to obtain an SSL certificate from a trusted certificate authority (e.g. Symantec or GoDaddy; those are pricey).

To test your server configuration, you can use a self-signed certificate. (The browser won't recognize it and will ask the users to proceed at their own risk.)

This section describes how to create a self-signed X.509 certificate using the OpenSSL utility.

Download and install the OpenSSL utility

You can download a binary distribution of the utility by following the links on the OpenSSL Project site (e.g. OpenSSL for Windows).

The recommended download for Windows is the Win32 OpenSSL v0.9.8zb Light installer.

When you run the installer you'll be prompted to specify a destination folder for the installation. You can accept the default (C:\OpenSSL) or change it.

This article assumes you installed the utility in the C:\Applications\OpenSSL folder.

Generate a server key pair and a server certificate using the OpenSSL utility

Open a command prompt window and run the following command:

C:\Applications\OpenSSL\bin\openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt

Here's what the options mean:

  • -x509 identifies that a certificate is required, rather than just a certificate request;
  • -days 365 sets the certificate to expire in a year;
  • -sha1 specifies SHA-1 as the digest algorithm for the certificate signature;
  • -newkey rsa:1024 generates a new 1024-bit RSA key pair;
  • -nodes specifies no passphrase;
  • -keyout and -out specify where to store the key and certificate.

The utility will prompt you for the following information:

  • Country Name; type the two-letter code of your country (e.g. CA);
  • State or Province Name; type the name of your state or province (e.g. Ontario);
  • Locality Name; type the name of your city (e.g. Toronto);
  • Organization Name; type the name of your organization (e.g. Dot2Dot Communications Inc.);
  • Organizational Unit Name; type the name of your group (e.g. R&D) or leave blank;
  • Common Name; type the fully qualified domain name of your server (e.g. www.mydomain.com);
  • Email Address; type a contact email address or leave blank.

The command will create two files in the current folder:

  • server.key, which looks like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
  • server.crt, which looks like this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
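The generation step above, as an added example that is not part of the original article: a POSIX shell script that runs the same openssl req command non-interactively (the -subj option supplies the subject fields the tool would otherwise prompt for, filled with the page's example values) and then checks the result the way an operator would before copying the files into Apache's conf folder. The script writes to ./ssl-test and uses www.mydomain.com as the Common Name unless told otherwise; both are assumptions. It departs from the page in one respect, stated in its comments: it uses -sha256 and rsa:2048 rather than the page's -sha1 and rsa:1024, because current browsers reject SHA-1 signatures and 1024-bit RSA keys. On Windows the same openssl invocation runs from a command prompt with C:\Applications\OpenSSL\bin\openssl in place of openssl.

```shell
#!/bin/sh
# Added example (not from the original article): generate a self-signed server
# certificate with the OpenSSL command-line tool and sanity-check the result.
#
# The page's command uses -sha1 and rsa:1024 (the OpenSSL 0.9.8 era defaults);
# current browsers reject SHA-1 signatures and 1024-bit RSA keys, so this script
# uses -sha256 and rsa:2048 instead. Everything else matches the page.

# gen_selfsigned DIR CN: write DIR/server.key and DIR/server.crt for host CN.
# -subj carries the subject fields the tool would otherwise prompt for, using
# the page's example values (a constructed identity, not a real certificate).
gen_selfsigned() {
  dir=$1
  cn=$2
  mkdir -p "$dir"
  openssl req -new -x509 -days 365 -sha256 -newkey rsa:2048 -nodes \
    -subj "/C=CA/ST=Ontario/L=Toronto/O=Dot2Dot Communications Inc./OU=R&D/CN=$cn" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
  # The private key is the secret that makes the certificate useful: owner-only
  # access. (On Windows, restrict the ssl-key folder with NTFS permissions.)
  chmod 600 "$dir/server.key"
}

# cert_cn CRT: print the Common Name from the certificate subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CRT: succeed only if both carry the same RSA modulus,
# i.e. SSLCertificateKeyFile really is the private half of SSLCertificateFile.
# Apache refuses to start when they do not match; this catches a mix-up early.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_is_selfsigned CRT: subject and issuer are identical, which is what
# "req -x509" produces and why browsers warn until a CA-issued cert replaces it.
cert_is_selfsigned() {
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  i=$(openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# cert_valid_on CRT: succeed if the certificate is inside its validity period now.
cert_valid_on() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# main [DIR] [CN]: generate into DIR (default ./ssl-test) and report the checks.
main() {
  dir=${1:-./ssl-test}
  cn=${2:-www.mydomain.com}
  gen_selfsigned "$dir" "$cn" || { echo "openssl req failed" >&2; exit 1; }
  echo "CN:        $(cert_cn "$dir/server.crt")"
  key_matches_cert "$dir/server.key" "$dir/server.crt" && echo "key/cert:  match"
  cert_is_selfsigned "$dir/server.crt" && echo "issuer:    self-signed (browsers will warn)"
  cert_valid_on "$dir/server.crt" && echo "validity:  ok"
  openssl x509 -in "$dir/server.crt" -noout -dates
}

# Usage: sh gen_selfsigned.sh [output-dir] [common-name]
if [ $# -ge 1 ]; then main "$@"; fi
```

The key/certificate modulus comparison is worth keeping around: it is the quickest way to confirm that the two files copied into ssl-key and ssl-crt belong together after they have been moved between machines.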

Copy the key and certificate files to the server

  • Locate the WampServer program folder: click the WampServer tray icon, select www directory, and click the Up button in the Windows Explorer window.
  • Navigate down to the Apache configuration folder: bin\apache\Apache2.x.x\conf.
  • Create a sub-folder for the server key file (e.g. ssl-key) and copy the server.key file into it.
  • Create a sub-folder for the server certificate file (e.g. ssl-crt) and copy the server.crt file into it.

Note: take steps to prevent unauthorized access to your key file.

Configure Apache

Edit the Apache configuration file

Edit the httpd.conf file, located in the bin\apache\Apache2.x.x\conf sub-folder of your WampServer program folder:

  • Uncomment the following line:
LoadModule ssl_module modules/mod_ssl.so
  • Uncomment the following line:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
  • Uncomment the following line:
Include conf/extra/httpd-ssl.conf

Edit the Apache SSL configuration file

This section assumes your WampServer is installed in C:\Applications\wamp; substitute your WampServer program folder path in the values below.

Edit the httpd-ssl.conf file, located in the bin\apache\Apache2.x.x\conf\extra sub-folder of your WampServer program folder:

  • Edit the DocumentRoot setting:
DocumentRoot "C:/Applications/wamp/www"
  • Edit the ErrorLog setting:
ErrorLog "C:/Applications/wamp/logs/apache_ssl_error.log"
  • Edit the TransferLog setting:
TransferLog "C:/Applications/wamp/logs/ssl_access.log"
  • Edit the SSLCertificateFile setting:
SSLCertificateFile "conf/ssl-crt/server.crt"
  • Edit the SSLCertificateKeyFile setting:
SSLCertificateKeyFile "conf/ssl-key/server.key"
  • Edit the access options for the document root directory:
Find the following section:
<Directory "...">
     ...
</Directory>
Replace it with:
<Directory "C:/Applications/wamp/www">
    SSLOptions +StdEnvVars
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
  • Edit the CustomLog setting:
CustomLog "C:/Applications/wamp/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
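The CustomLog format above records the negotiated protocol version and cipher suite for every HTTPS request, which is exactly what an operator needs when deciding whether old protocol versions can be switched off. The following is an added example, not part of the original article: a POSIX shell script (awk does the parsing) that reads ssl_request.log lines in that format and summarises requests per protocol, lists the clients still negotiating SSLv2/SSLv3/TLSv1/TLSv1.1, and counts requests that used RC4, DES, export, NULL, anonymous or MD5-based suites. The log lines embedded in it are constructed for illustration; the addresses are from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original article): summarise an Apache
# ssl_request.log written with the page's CustomLog format:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# Whitespace-split field layout produced by that format:
#   $1 $2 = %t  e.g. [20/Aug/2014:16:11:05 -0400]  (the timestamp has a space)
#   $3    = %h  client IP
#   $4    = %{SSL_PROTOCOL}x  e.g. TLSv1.2
#   $5    = %{SSL_CIPHER}x    e.g. ECDHE-RSA-AES128-GCM-SHA256
#   "..." = %r  request line;   $NF = %b bytes sent ("-" when none)

# Constructed sample log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG='[20/Aug/2014:16:11:05 -0400] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /index.php HTTP/1.1" 5120
[20/Aug/2014:16:11:07 -0400] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /style.css HTTP/1.1" 812
[20/Aug/2014:16:12:31 -0400] 198.51.100.7 TLSv1 AES256-SHA "GET /login.php HTTP/1.1" 2048
[20/Aug/2014:16:13:02 -0400] 203.0.113.44 SSLv3 RC4-SHA "POST /login.php HTTP/1.1" 301
[20/Aug/2014:16:13:40 -0400] 198.51.100.7 TLSv1 AES256-SHA "GET /admin/ HTTP/1.1" -'

# protocol_counts: log lines on stdin -> "<protocol> <requests>" per protocol.
protocol_counts() {
  awk '{ n[$4]++ } END { for (p in n) print p, n[p] }' | LC_ALL=C sort
}

# legacy_requests: stdin -> one "<ip> <protocol> <cipher> <request>" line per
# request negotiated with a protocol version below TLSv1.2. These clients break
# when the server is restricted to TLSv1.2+, so this is the list to review
# before tightening SSLProtocol.
legacy_requests() {
  awk '$4 == "SSLv2" || $4 == "SSLv3" || $4 == "TLSv1" || $4 == "TLSv1.1" {
         req = "-"
         if (match($0, /"[^"]*"/)) req = substr($0, RSTART + 1, RLENGTH - 2)
         print $3, $4, $5, req
       }'
}

# legacy_count: number of requests on legacy protocol versions.
legacy_count() {
  legacy_requests | wc -l | tr -d ' '
}

# weak_cipher_count: requests whose negotiated suite uses RC4, (3)DES, export,
# NULL, anonymous (ADH/AECDH) or MD5-based algorithms.
weak_cipher_count() {
  awk '$5 ~ /RC4|DES|NULL|EXP|MD5|^ADH|^AECDH/ { n++ } END { print n + 0 }'
}

# main [LOGFILE]: analyse LOGFILE, or the constructed sample when none is given.
main() {
  if [ $# -ge 1 ]; then input=$(cat "$1"); else input=$SAMPLE_LOG; fi
  echo "Requests per negotiated protocol:"
  printf '%s\n' "$input" | protocol_counts
  echo "Requests on legacy protocol versions: $(printf '%s\n' "$input" | legacy_count)"
  printf '%s\n' "$input" | legacy_requests
  echo "Requests using weak cipher suites: $(printf '%s\n' "$input" | weak_cipher_count)"
}

# Usage: sh ssl_log_summary.sh [C:/Applications/wamp/logs/ssl_request.log]
main "$@"
```

Run it against the real ssl_request.log once the server has been up for a while; an empty legacy list and a zero weak-suite count are the signal that SSLProtocol and SSLCipherSuite in httpd-ssl.conf can be tightened without locking anyone out.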

Configure PHP

External Links

Wamp2 HTTPS and SSL Setup Step-by-Step guide

Step-by-step: Configuring SSL Under Apache

Apache SSL/TLS Encryption

Wikipedia: HTTPS

Wikipedia: Transport Layer Security

OpenSSL Project

Symantec SSL Certificates

GoDaddy SSL Certificates