Difference between revisions of "How to Configure Apache for HTTPS"
(→Edit the Apache SSL configuration file) |
(→Test the configuration and restart the Apache service) |
||
Line 178: | Line 178: | ||
== Test the configuration and restart the Apache service == | == Test the configuration and restart the Apache service == | ||
− | To test the Apache configuration run the following command line: | + | To test the Apache configuration run the following command line (replace <code>Apache2.x.x</code> with your Apache version): |
C:\Applications\wamp\bin\apache\Apache2.x.x\bin\httpd -t | C:\Applications\wamp\bin\apache\Apache2.x.x\bin\httpd -t |
Revision as of 16:40, 20 August 2014
To secure your web server with SSL/TLS encryption, you need to obtain a digital certificate from a trusted certificate authority and enable the SSL/TLS cryptographic protocols on your server.
This article describes:
- how to generate a self-signed certificate, which can be used to test the configuration;
- how to enable SSL/TLS on the WampServer 2.4 distribution of Apache and PHP.
Contents |
Generate a server key pair and a server certificate
For deployment purposes you need to obtain an SSL certificate from a trusted certificate authority (e.g. Symantec or GoDaddy. Those are pricey.
To test your server configuration, you can use a self-signed certificate. (The browser won't recognize it and will ask the users to proceed at their own risk.)
This section describes how to create a self-signed X.509 certificate using the OpenSSL utility.
Download and install the OpenSSL utility
You can download a binary distribution of the utility by following the links on the OpenSSL Project site (e.g. OpenSSL for Windows).
The recommended download for Windows is the Win32 OpenSSL v0.9.8zb Light installer.
When you run the installer you'll be prompted to specify a destination folder for the installation. You can accept the default (C:\OpenSSL
) or change it.
This article assumes you installed in the utility in the C:\Applications\OpenSSL
folder.
Generate a server key pair and a server certificate using the OpenSSL utility
Open a command prompt window and run the following command:
C:\Applications\OpenSSL\bin\openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt
Here's what the options mean:
-
-x509
identifies that a certificate is required, rather than just a certificate request; -
-days 365
sets the certificate to expire in a year; -
-sha1
specifies that SHA1 encryption should be used; -
rsa:1024
sets the key as 1024 bit RSA; -
-nodes
specifies no passphrase; -
-keyout
and-out
specify where to store the key and certificate.
The utility will prompt you for the following information:
- Country Name; type the two-letter code of your country (e.g. CA);
- State or Province Name; type the name of your state or province (e.g. Ontario);
- Locality Name; type the name of your city (e.g. Toronto);
- Organization Name; type the name of your organization (e.g. Dot2Dot Communications Inc.);
- Organizational Unit Name; type the name of your group (e.g. R&D) or leave blank;
- Common Name; type the fully qualified domain name of your server (e.g. www.mydomain.com);
- Email Address; type a contact email address or leave blank.
The command will create two files in the current folder:
-
server.key
, which looks like this:
-----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCwynryFeytEkPF6RuQJr6Q7NhmLr4mamQaxvBT7+cBwMb8RiHW erKuvHn2f96A7hKwhkgyWOl+pTnS7LH8xkRZmCmx5B31U1MiUvctZ3nNrti1Khjf KeWuP31QMEQjpkpzHkCCz3V7VQpXKm52UbTTMlI8Cuw/XvzNwDJEa4RAHQIDAQAB AoGAMm/BvZkFqaahUTAc3fY/vcbkQdqqAvmtT3pcDAZQSE7ANi6n7rGYkoNQ5EM8 rlm9WUEmDb8R9kCbC5LdgHjr/I4f0m1fIl5J1fMVfE0ZbwQ4w8ruus4YXJxgNkE8 QloYG0sFMbpcxfu/HYHmj90P88SBSf1NxVQBm6ntEYjtDb0CQQDabL9X7SSvA3KW mqwhmTZufvl1z705N8xWuXKOkRXFe6OGWQMZk9A5LwmqRU//pIWHRdxljNwpvcd5 ehBNxJ9nAkEAzzQ2EvengVNIwlM67dBStriea857oBlseeqzkEav+SxkA2hRJmHS NMZZtrV4Ci7aR3Oh1r/W2p6V9AJ2fsol2wJBAJOYWm/SyjANF1hXaitF+bcOzAjk +It6ffS4WYWm2lxY4LX+3g5hiJmrhE9viNBJXwV6mqRwW7FFEU6vweabD88CQHK6 tjZKarVxKBhxfW+wqhwCnbWT32AGs8nN6x84BLgznC1G1agrAfm22nYQhSceSj7G CBagopbquJ0jv/j0dYECQEFVZKbsn88Wgb7GsTH91eD5qK90GQRORYa3sO48bg+U 2PVo+yiu9ZwcfIGdyKdzE1CFUHCQPcGAyeFL+6I3NFE= -----END RSA PRIVATE KEY-----
-
server.crt
, which looks like this:
-----BEGIN CERTIFICATE----- MIIDaTCCAtKgAwIBAgIJAM66A3JulEG3MA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD VQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHVG9yb250bzEkMCIG A1UEChMbRG90MkRvdCBDb21tdW5pY2F0aW9ucyBJbmMuMQwwCgYDVQQLFANSJkQx GTAXBgNVBAMTEHd3dy5teWRvbWFpbi5jb20wHhcNMTQwODIwMTU1OTI5WhcNMTUw ODIwMTU1OTI5WjCBgDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAO BgNVBAcTB1Rvcm9udG8xJDAiBgNVBAoTG0RvdDJEb3QgQ29tbXVuaWNhdGlvbnMg SW5jLjEMMAoGA1UECxQDUiZEMRkwFwYDVQQDExB3d3cubXlkb21haW4uY29tMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwynryFeytEkPF6RuQJr6Q7NhmLr4m amQaxvBT7+cBwMb8RiHWerKuvHn2f96A7hKwhkgyWOl+pTnS7LH8xkRZmCmx5B31 U1MiUvctZ3nNrti1KhjfKeWuP31QMEQjpkpzHkCCz3V7VQpXKm52UbTTMlI8Cuw/ XvzNwDJEa4RAHQIDAQABo4HoMIHlMB0GA1UdDgQWBBRVQjEX6Q1vH9YU1OnDEy1J DEYplTCBtQYDVR0jBIGtMIGqgBRVQjEX6Q1vH9YU1OnDEy1JDEYplaGBhqSBgzCB gDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAOBgNVBAcTB1Rvcm9u dG8xJDAiBgNVBAoTG0RvdDJEb3QgQ29tbXVuaWNhdGlvbnMgSW5jLjEMMAoGA1UE CxQDUiZEMRkwFwYDVQQDExB3d3cubXlkb21haW4uY29tggkAzroDcm6UQbcwDAYD VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBYCKJHtZQF7BYeORTnC8yLtzhe hFg5dM9nrCrf7enCB+w4XwBZilNOdVOMSe0mgDARnRS9SIPND4FRxIFOQw9pnJso Wa+tZSi9ITU8qo/mbBwqWgU/rSLJidBBMJjhLsFf9wychCLYBUJfJEQNI5645VXh zlCY+3Xpwx+7JOYSzg== -----END CERTIFICATE-----
Copy the key and certificate files to the server
- Locate the WampServer program folder: click the WampServer tray icon, select www directory, and click the Up button in the Windows Explorer window.
- Navigate down to the Apache configuration folder:
bin\apache\Apache2.x.x\conf
. - Create a sub-folder for the server key file (e.g.
ssl-key
) and copy theserver.key
file into it. - Create a sub-folder for the server certificate file (e.g.
ssl-crt
) and copy theserver.crt
file into it.
Note: take steps to prevent unauthorized access to your key file.
Configure Apache
Edit the Apache configuration file
Edit the httpd.conf
file, located in the bin\apache\Apache2.x.x\conf
sub-folder of your WampServer program folder:
- Uncomment the following line:
LoadModule ssl_module modules/mod_ssl.so
- Uncomment the following line:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
- Uncomment the following line:
Include conf/extra/httpd-ssl.conf
Edit the Apache SSL configuration file
This section assumes your WampServer is installed in C:\Applications\wamp
; substitute your WampServer program folder path in the values below.
Edit the httpd_ssl.conf
file, located in the bin\apache\Apache2.x.x\conf\extra
sub-folder of your WampServer program folder (replace Apache2.x.x
with your version):
- Edit the
DocumentRoot
setting:
DocumentRoot "C:/Applications/wamp/www"
- Edit the
ErrorLog
setting:
ErrorLog "C:/Applications/wamp/logs/apache_ssl_error.log"
- Edit the
TransferLog
setting:
TransferLog "C:/Applications/wamp/logs/ssl_access.log"
- Edit the
SSLCertificateFile
setting:
SSLCertificateFile "conf/ssl-crt/server.crt"
- Edit the
SSLCertificateKeyFile
setting:
SSLCertificateKeyFile "conf/ssl-key/server.key"
- Edit the access options for the document root directory:
- Find the following section:
<Directory "..."> ... </Directory>
- Replace it with:
<Directory "C:/Applications/wamp/www"> SSLOptions +StdEnvVars Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all </Directory>
- Edit the
CustomLog
setting:
CustomLog "C:/Applications/wamp/logs/ssl_request.log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Configure PHP
Edit the php.ini
file: click the WampServer tray icon and select PHP -> php.ini.
- Uncomment the following line:
extension=php_openssl.dll
Test the configuration and restart the Apache service
To test the Apache configuration run the following command line (replace Apache2.x.x
with your Apache version):
C:\Applications\wamp\bin\apache\Apache2.x.x\bin\httpd -t
Resolve the configuration issues, if any, and restart the Apache service.
Configure Windows Firewall
Enable inbound connections to TCP port 443.
External Links
Wamp2 HTTPS and SSL Setup Step-by-Step guide
Step-by-step: Configuring SSL Under Apache