How to Configure Apache for HTTPS

From Dot2DotCommunications
To secure your web server with SSL/TLS encryption, you need to obtain a digital certificate from a trusted certificate authority and enable the SSL/TLS cryptographic protocols on your server.

This article describes:
* how to generate a self-signed certificate, which can be used to test the configuration;
* how to enable SSL/TLS on the [http://www.wampserver.com/en/ WampServer 2.4] distribution of Apache and PHP.

== Generate a server key pair and a server certificate ==

For deployment purposes you need to obtain an SSL certificate from a trusted certificate authority (e.g. [https://www.symantec.com/ssl-certificates Symantec] or [http://godaddy.com/ssl/ GoDaddy]). Those are pricey.

To test your server configuration, you can use a self-signed certificate. (The browser won't recognize it and will ask the users to proceed at their own risk.)

This section describes how to create a self-signed X.509 certificate using the [https://www.openssl.org/ OpenSSL] utility.
=== Download and install the OpenSSL utility ===

You can download a binary distribution of the utility by following the links on the [https://www.openssl.org/community/binaries.html OpenSSL Project site] (e.g. [http://slproweb.com/products/Win32OpenSSL.html OpenSSL for Windows]).

When you run the installer you'll be prompted to specify a destination folder for the installation. You can accept the default (<code>C:\OpenSSL</code>) or change it.

This article assumes you installed the utility in the <code>C:\Applications\OpenSSL</code> folder.
=== Generate a server key pair and a server certificate using the OpenSSL utility ===

Open a command prompt window and run the following command:

 C:\Applications\OpenSSL\bin\openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt

Here's what the options mean:
* <code>-x509</code> requests a self-signed certificate rather than just a certificate signing request;
* <code>-days 365</code> sets the certificate to expire in a year;
* <code>-sha1</code> selects SHA-1 as the message digest used to sign the certificate (SHA-1 is a hash function, not an encryption algorithm);
* <code>-newkey rsa:1024</code> generates a new 1024-bit RSA key pair;
* <code>-nodes</code> leaves the private key unencrypted (no passphrase);
* <code>-keyout</code> and <code>-out</code> specify where to store the key and certificate.

The utility will prompt you for the following information:
* Country Name; type the two-letter code of your country (e.g. '''CA''');
* State or Province Name; type the name of your state or province (e.g. '''Ontario''');
* Locality Name; type the name of your city (e.g. '''Toronto''');
* Organization Name; type the name of your organization (e.g. '''Dot2Dot Communications Inc.''');
* Organizational Unit Name; type the name of your group (e.g. '''R&D''') or leave blank;
* Common Name; type the fully qualified domain name of your server (e.g. '''www.mydomain.com''');
* Email Address; type a contact email address or leave blank.
The command will create two files in the current folder:

* <code>server.key</code>, which looks like this:

<nowiki>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----</nowiki>

* <code>server.crt</code>, which looks like this:

<nowiki>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----</nowiki>
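A certificate produced by the command above can be checked before it goes anywhere near a server. The following script is an added example (not part of the original article) that walks the DER structure of the article's own sample <code>server.crt</code> with a minimal ASN.1 reader, using only the Python standard library, and reports what a current browser would object to: the SHA-1 signature, the 1024-bit key, the missing subjectAltName and the expiry date. The helper and constant names are my own; the certificate bytes are the article's sample.

```python
import base64
from datetime import datetime, timezone

SAMPLE_CRT = (  # this article's sample server.crt (self-signed, -sha1 -newkey rsa:1024), PEM body only
    "MIIDaTCCAtKgAwIBAgIJAM66A3JulEG3MA0GCSqGSIb3DQEBBQUAMIGAMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHVG9yb250bzEkMCIGA1UEChMbRG90MkRvdCBDb21tdW5pY2F0aW9ucyBJbmMuMQwwCgYDVQQLFANSJkQxGTAXBgNVBAMTEHd3dy5teWRvbWFpbi5jb20wHhcNMTQwODIwMTU1OTI5WhcNMTUw"
    "ODIwMTU1OTI5WjCBgDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAOBgNVBAcTB1Rvcm9udG8xJDAiBgNVBAoTG0RvdDJEb3QgQ29tbXVuaWNhdGlvbnMgSW5jLjEMMAoGA1UECxQDUiZEMRkwFwYDVQQDExB3d3cubXlkb21haW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwynryFeytEkPF6RuQJr6Q7NhmLr4m"
    "amQaxvBT7+cBwMb8RiHWerKuvHn2f96A7hKwhkgyWOl+pTnS7LH8xkRZmCmx5B31U1MiUvctZ3nNrti1KhjfKeWuP31QMEQjpkpzHkCCz3V7VQpXKm52UbTTMlI8Cuw/XvzNwDJEa4RAHQIDAQABo4HoMIHlMB0GA1UdDgQWBBRVQjEX6Q1vH9YU1OnDEy1JDEYplTCBtQYDVR0jBIGtMIGqgBRVQjEX6Q1vH9YU1OnDEy1JDEYplaGBhqSBgzCB"
    "gDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAOBgNVBAcTB1Rvcm9udG8xJDAiBgNVBAoTG0RvdDJEb3QgQ29tbXVuaWNhdGlvbnMgSW5jLjEMMAoGA1UECxQDUiZEMRkwFwYDVQQDExB3d3cubXlkb21haW4uY29tggkAzroDcm6UQbcwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBYCKJHtZQF7BYeORTnC8yLtzhe"
    "hFg5dM9nrCrf7enCB+w4XwBZilNOdVOMSe0mgDARnRS9SIPND4FRxIFOQw9pnJsoWa+tZSi9ITU8qo/mbBwqWgU/rSLJidBBMJjhLsFf9wychCLYBUJfJEQNI5645VXhzlCY+3Xpwx+7JOYSzg=="
)
SHA1_WITH_RSA, SUBJECT_ALT_NAME = "1.2.840.113549.1.1.5", "2.5.29.17"

def der_tlv(buf, pos):
    # One DER tag-length-value element at pos -> (tag, value bytes, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    # Split a constructed value (SEQUENCE, SET, [n]) into its (tag, value) elements.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der_oid(raw):
    # Decode OBJECT IDENTIFIER contents: first byte is 40*a + b, the rest are base-128 arcs.
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def all_oids(value):
    # Every OID reachable through constructed nodes; extension OIDs sit outside the extnValue octets.
    found = []
    for tag, val in der_children(value):
        found += [der_oid(val)] if tag == 0x06 else (all_oids(val) if tag & 0x20 else [])
    return found

def audit_cert(pem_body):
    # Return signature OID, RSA key size, validity window and the findings a browser would raise.
    _, cert, _ = der_tlv(base64.b64decode(pem_body), 0)
    tbs = der_children(cert)[0][1]  # tbsCertificate
    f = [c for c in der_children(tbs) if c[0] != 0xA0]  # drop optional [0] version; serial is f[0]
    sig_oid = der_oid(der_children(f[1][1])[0][1])  # signature AlgorithmIdentifier
    not_before, not_after = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
                             for _, v in der_children(f[3][1])]  # UTCTime (dates before 2050)
    _, rsa_key, _ = der_tlv(der_children(f[5][1])[1][1][1:], 0)  # BIT STRING body minus unused-bits byte
    key_bits = int.from_bytes(der_children(rsa_key)[0][1], "big").bit_length()  # RSA modulus size
    checks = [(sig_oid == SHA1_WITH_RSA, "signed with SHA-1, which browsers no longer accept"),
              (key_bits < 2048, f"RSA key is only {key_bits} bits (use 2048 or more)"),
              (SUBJECT_ALT_NAME not in all_oids(tbs), "no subjectAltName (browsers match the host name on SAN, not CN)"),
              (not_after < datetime.now(timezone.utc), f"expired on {not_after:%Y-%m-%d}")]
    return {"signature": sig_oid, "key_bits": key_bits, "not_before": not_before,
            "not_after": not_after, "findings": [msg for bad, msg in checks if bad]}
```

Run `audit_cert` on any PEM body (the base64 between the BEGIN and END lines) to get the same report for your own certificate.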
  
 
== Copy the key and certificate files to the server ==

* Locate the WampServer program folder: click the WampServer tray icon, select '''www directory''', and click the '''Up''' button in the Windows Explorer window.
* Navigate down to the Apache configuration folder: <code>bin\apache\Apache2.x.x\conf</code> (replace <code>Apache2.x.x</code> with your Apache version).
* Create a sub-folder for the server key file (e.g. <code>ssl-key</code>) and copy the <code>server.key</code> file into it.
* Create a sub-folder for the server certificate file (e.g. <code>ssl-crt</code>) and copy the <code>server.crt</code> file into it.

'''''Note''': take steps to prevent unauthorized access to your key file.''
  
 
== Configure Apache ==

=== Edit the Apache configuration file ===

Edit the <code>httpd.conf</code> file, located in the <code>bin\apache\Apache2.x.x\conf</code> sub-folder of your WampServer program folder, and uncomment the following three lines:

 LoadModule ssl_module modules/mod_ssl.so
 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 Include conf/extra/httpd-ssl.conf
=== Edit the Apache SSL configuration file ===

This section assumes your WampServer is installed in <code>C:\Applications\wamp</code>; substitute your WampServer program folder path in the values below.

Edit the <code>httpd-ssl.conf</code> file, located in the <code>bin\apache\Apache2.x.x\conf\extra</code> sub-folder of your WampServer program folder (replace <code>Apache2.x.x</code> with your Apache version):

* Edit the <code>DocumentRoot</code> setting:
 DocumentRoot "C:/Applications/wamp/www"
* Edit the <code>ServerName</code> setting:
 ServerName www.mydomain.com:443
* Edit the <code>ErrorLog</code> setting:
 ErrorLog "C:/Applications/wamp/logs/apache_ssl_error.log"
* Edit the <code>TransferLog</code> setting:
 TransferLog "C:/Applications/wamp/logs/ssl_access.log"
* Edit the <code>SSLCertificateFile</code> setting:
 SSLCertificateFile "conf/ssl-crt/server.crt"
* Edit the <code>SSLCertificateKeyFile</code> setting:
 SSLCertificateKeyFile "conf/ssl-key/server.key"
* Edit the access options for the document root directory:
 <Directory "C:/Applications/wamp/www">
     SSLOptions +StdEnvVars
     Options FollowSymLinks
     AllowOverride None
     Require all denied
 </Directory>
* Edit the access options for the application directory:
 <Directory "C:/Applications/wamp/www/ad-manager">
     SSLOptions +StdEnvVars
     Options FollowSymLinks
     AllowOverride All
     Require all granted
 </Directory>
* Edit the <code>CustomLog</code> setting:
 CustomLog "C:/Applications/wamp/logs/ssl_request.log" \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  
 
== Configure PHP ==

Edit the <code>php.ini</code> file: click the WampServer tray icon and select '''PHP''' -> '''php.ini'''.

* Uncomment the following line:
 extension=php_openssl.dll

== Test the configuration and restart the Apache service ==

To test the Apache configuration run the following command line (replace <code>Apache2.x.x</code> with your Apache version):

 C:\Applications\wamp\bin\apache\Apache2.x.x\bin\httpd -t

Resolve the configuration issues, if any, and restart the Apache service.

=== Configure Windows Firewall ===

Enable inbound connections to TCP port 443.
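Once the server is up, the <code>ssl_request.log</code> written by the <code>CustomLog</code> setting in the Apache SSL configuration section is the quickest way to see which protocols and cipher suites clients actually negotiate. The following script is an added example (not part of the article or of WampServer) that parses lines in exactly that log format (<code>%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b</code>) and flags legacy protocol versions, weak cipher suites and connections without forward secrecy; the log lines and the weak-token lists are my own constructed samples.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the CustomLog format from the article: %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LINE_RE = re.compile(r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
                     r'"(?P<request>[^"]*)" (?P<bytes>\d+|-)$')
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH"}  # parts of OpenSSL cipher names
FORWARD_SECRET = {"ECDHE", "DHE", "EDH"}  # key-exchange tokens that give forward secrecy

# Constructed sample lines in the ssl_request.log format above (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
[10/Dec/2015:12:13:01 -0500] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /ad-manager/ HTTP/1.1" 5123
[10/Dec/2015:12:13:05 -0500] 192.0.2.25 TLSv1 RC4-SHA "GET /ad-manager/login.php HTTP/1.1" 2048
[10/Dec/2015:12:13:09 -0500] 198.51.100.7 SSLv3 DES-CBC3-SHA "POST /ad-manager/api.php HTTP/1.0" -
[10/Dec/2015:12:13:12 -0500] 203.0.113.4 TLSv1.2 AES256-SHA "GET /ad-manager/ HTTP/1.1" 5123
this line is not in the expected format
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" when no body was sent
    return rec

def weaknesses(rec):
    """Reasons a negotiated connection should worry a defender (empty list if none)."""
    issues, tokens = [], set(rec["cipher"].split("-"))
    if rec["proto"] in WEAK_PROTOCOLS:
        issues.append(f"legacy protocol {rec['proto']}")
    bad = sorted(WEAK_CIPHER_TOKENS & tokens)
    if bad:
        issues.append(f"weak cipher {rec['cipher']} ({', '.join(bad)})")
    if not FORWARD_SECRET & tokens:
        issues.append("no forward secrecy (static RSA key exchange)")
    return issues

def audit_log(lines):
    """Return (protocol counts, flagged connections, number of unparsable lines)."""
    protos, flagged, unparsed = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        protos[rec["proto"]] += 1
        issues = weaknesses(rec)
        if issues:
            flagged.append({"time": rec["time"], "host": rec["host"], "issues": issues})
    return protos, flagged, unparsed
```

Feed `audit_log` the lines of your own `ssl_request.log`; a non-zero unparsed count means the `CustomLog` format in use differs from the one configured above.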
  
 
== External Links ==

[http://forum.wampserver.com/read.php?2,32986,page=1 Wamp2 HTTPS and SSL Setup Step-by-Step guide]

[http://www.onlamp.com/2008/03/04/step-by-step-configuring-ssl-under-apache.html Step-by-step: Configuring SSL Under Apache]

[http://httpd.apache.org/docs/current/ssl/ Apache SSL/TLS Encryption]

[http://en.wikipedia.org/wiki/HTTP_Secure Wikipedia: HTTPS]

[http://en.wikipedia.org/wiki/Transport_Layer_Security Wikipedia: Transport Layer Security]

[https://www.openssl.org/ OpenSSL Project]

[https://www.symantec.com/ssl-certificates Symantec SSL Certificates]

[http://godaddy.com/ssl/ GoDaddy SSL Certificates]

Latest revision as of 12:13, 10 December 2015