How to Configure Apache for HTTPS

From Dot2DotCommunications
Revision as of 11:09, 10 December 2015 by Ivan.belenski (Talk | contribs)

Jump to: navigation, search

To secure your web server with SSL/TLS encryption, you need to obtain a digital certificate from a trusted certificate authority and enable the SSL/TLS cryptographic protocols on your server.

This article describes:

  • how to generate a self-signed certificate, which can be used to test the configuration;
  • how to enable SSL/TLS on the WampServer 2.4 distribution of Apache and PHP.

Contents

Generate a server key pair and a server certificate

For deployment purposes you need to obtain an SSL certificate from a trusted certificate authority (e.g. Symantec or GoDaddy. Those are pricey.

To test your server configuration, you can use a self-signed certificate. (The browser won't recognize it and will ask the users to proceed at their own risk.)

This section describes how to create a self-signed X.509 certificate using the OpenSSL utility.

Download and install the OpenSSL utility

You can download a binary distribution of the utility by following the links on the OpenSSL Project site (e.g. OpenSSL for Windows).

When you run the installer you'll be prompted to specify a destination folder for the installation. You can accept the default (C:\OpenSSL) or change it.

This article assumes you installed in the utility in the C:\Applications\OpenSSL folder.

Generate a server key pair and a server certificate using the OpenSSL utility

Open a command prompt window and run the following command:

C:\Applications\OpenSSL\bin\openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt

Here's what the options mean:

  • -x509 identifies that a certificate is required, rather than just a certificate request;
  • -days 365 sets the certificate to expire in a year;
  • -sha1 specifies that SHA1 encryption should be used;
  • rsa:1024 sets the key as 1024 bit RSA;
  • -nodes specifies no passphrase;
  • -keyout and -out specify where to store the key and certificate.

The utility will prompt you for the following information:

  • Country Name; type the two-letter code of your country (e.g. CA);
  • State or Province Name; type the name of your state or province (e.g. Ontario);
  • Locality Name; type the name of your city (e.g. Toronto);
  • Organization Name; type the name of your organization (e.g. Dot2Dot Communications Inc.);
  • Organizational Unit Name; type the name of your group (e.g. R&D) or leave blank;
  • Common Name; type the fully qualified domain name of your server (e.g. www.mydomain.com);
  • Email Address; type a contact email address or leave blank.

The command will create two files in the current folder:

  • server.key, which looks like this:
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCwynryFeytEkPF6RuQJr6Q7NhmLr4mamQaxvBT7+cBwMb8RiHW
erKuvHn2f96A7hKwhkgyWOl+pTnS7LH8xkRZmCmx5B31U1MiUvctZ3nNrti1Khjf
KeWuP31QMEQjpkpzHkCCz3V7VQpXKm52UbTTMlI8Cuw/XvzNwDJEa4RAHQIDAQAB
AoGAMm/BvZkFqaahUTAc3fY/vcbkQdqqAvmtT3pcDAZQSE7ANi6n7rGYkoNQ5EM8
rlm9WUEmDb8R9kCbC5LdgHjr/I4f0m1fIl5J1fMVfE0ZbwQ4w8ruus4YXJxgNkE8
QloYG0sFMbpcxfu/HYHmj90P88SBSf1NxVQBm6ntEYjtDb0CQQDabL9X7SSvA3KW
mqwhmTZufvl1z705N8xWuXKOkRXFe6OGWQMZk9A5LwmqRU//pIWHRdxljNwpvcd5
ehBNxJ9nAkEAzzQ2EvengVNIwlM67dBStriea857oBlseeqzkEav+SxkA2hRJmHS
NMZZtrV4Ci7aR3Oh1r/W2p6V9AJ2fsol2wJBAJOYWm/SyjANF1hXaitF+bcOzAjk
+It6ffS4WYWm2lxY4LX+3g5hiJmrhE9viNBJXwV6mqRwW7FFEU6vweabD88CQHK6
tjZKarVxKBhxfW+wqhwCnbWT32AGs8nN6x84BLgznC1G1agrAfm22nYQhSceSj7G
CBagopbquJ0jv/j0dYECQEFVZKbsn88Wgb7GsTH91eD5qK90GQRORYa3sO48bg+U
2PVo+yiu9ZwcfIGdyKdzE1CFUHCQPcGAyeFL+6I3NFE=
-----END RSA PRIVATE KEY-----
  • server.crt, which looks like this:
-----BEGIN CERTIFICATE-----
MIIDaTCCAtKgAwIBAgIJAM66A3JulEG3MA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD
VQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHVG9yb250bzEkMCIG
A1UEChMbRG90MkRvdCBDb21tdW5pY2F0aW9ucyBJbmMuMQwwCgYDVQQLFANSJkQx
GTAXBgNVBAMTEHd3dy5teWRvbWFpbi5jb20wHhcNMTQwODIwMTU1OTI5WhcNMTUw
ODIwMTU1OTI5WjCBgDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAO
BgNVBAcTB1Rvcm9udG8xJDAiBgNVBAoTG0RvdDJEb3QgQ29tbXVuaWNhdGlvbnMg
SW5jLjEMMAoGA1UECxQDUiZEMRkwFwYDVQQDExB3d3cubXlkb21haW4uY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwynryFeytEkPF6RuQJr6Q7NhmLr4m
amQaxvBT7+cBwMb8RiHWerKuvHn2f96A7hKwhkgyWOl+pTnS7LH8xkRZmCmx5B31
U1MiUvctZ3nNrti1KhjfKeWuP31QMEQjpkpzHkCCz3V7VQpXKm52UbTTMlI8Cuw/
XvzNwDJEa4RAHQIDAQABo4HoMIHlMB0GA1UdDgQWBBRVQjEX6Q1vH9YU1OnDEy1J
DEYplTCBtQYDVR0jBIGtMIGqgBRVQjEX6Q1vH9YU1OnDEy1JDEYplaGBhqSBgzCB
gDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAOBgNVBAcTB1Rvcm9u
dG8xJDAiBgNVBAoTG0RvdDJEb3QgQ29tbXVuaWNhdGlvbnMgSW5jLjEMMAoGA1UE
CxQDUiZEMRkwFwYDVQQDExB3d3cubXlkb21haW4uY29tggkAzroDcm6UQbcwDAYD
VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBYCKJHtZQF7BYeORTnC8yLtzhe
hFg5dM9nrCrf7enCB+w4XwBZilNOdVOMSe0mgDARnRS9SIPND4FRxIFOQw9pnJso
Wa+tZSi9ITU8qo/mbBwqWgU/rSLJidBBMJjhLsFf9wychCLYBUJfJEQNI5645VXh
zlCY+3Xpwx+7JOYSzg==
-----END CERTIFICATE-----

Copy the key and certificate files to the server

  • Locate the WampServer program folder: click the WampServer tray icon, select www directory, and click the Up button in the Windows Explorer window.
  • Navigate down to the Apache configuration folder: bin\apache\Apache2.x.x\conf (replace Apache2.x.x with your Apache version).
  • Create a sub-folder for the server key file (e.g. ssl-key) and copy the server.key file into it.
  • Create a sub-folder for the server certificate file (e.g. ssl-crt) and copy the server.crt file into it.

Note: take steps to prevent unauthorized access to your key file.

Configure Apache

Edit the Apache configuration file

Edit the httpd.conf file, located in the bin\apache\Apache2.x.x\conf sub-folder of your WampServer program folder:

  • Uncomment the following line:
LoadModule ssl_module modules/mod_ssl.so
  • Uncomment the following line:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
  • Uncomment the following line:
Include conf/extra/httpd-ssl.conf

Edit the Apache SSL configuration file

This section assumes your WampServer is installed in C:\Applications\wamp; substitute your WampServer program folder path in the values below.

Edit the httpd_ssl.conf file, located in the bin\apache\Apache2.x.x\conf\extra sub-folder of your WampServer program folder (replace Apache2.x.x with your Apache version):

  • Edit the DocumentRoot setting:
DocumentRoot "C:/Applications/wamp/www"
  • Edit the ServerName setting:
ServerName www.mydomain.com:443
  • Edit the ErrorLog setting:
ErrorLog "C:/Applications/wamp/logs/apache_ssl_error.log"
  • Edit the TransferLog setting:
TransferLog "C:/Applications/wamp/logs/ssl_access.log"
  • Edit the SSLCertificateFile setting:
SSLCertificateFile "conf/ssl-crt/server.crt"
  • Edit the SSLCertificateKeyFile setting:
SSLCertificateKeyFile "conf/ssl-key/server.key"
  • Edit the access options for the document root directory:
<Directory "C:/Applications/wamp/www">
    SSLOptions +StdEnvVars
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
  • Edit the access options for the application directory
<Directory "C:/Applications/wamp/www/ad-manager">
    SSLOptions +StdEnvVars
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
  • Edit the CustomLog setting:
CustomLog "C:/Applications/wamp/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Configure PHP

Edit the php.ini file: click the WampServer tray icon and select PHP -> php.ini.

  • Uncomment the following line:
extension=php_openssl.dll

Test the configuration and restart the Apache service

To test the Apache configuration run the following command line (replace Apache2.x.x with your Apache version):

C:\Applications\wamp\bin\apache\Apache2.x.x\bin\httpd -t

Resolve the configuration issues, if any, and restart the Apache service.

Configure Windows Firewall

Enable inbound connections to TCP port 443.

External Links

Wamp2 HTTPS and SSL Setup Step-by-Step guide

Step-by-step: Configuring SSL Under Apache

Apache SSL/TLS Encryption

Wikipedia: HTTPS

Wikipedia: Transport Layer Security

OpenSSL Project

Symantec SSL Certificates

GoDaddy SSL Certificates