Enabling HTTPS in Apache
To enable SSL encryption, we need to install OpenSSL and mod-ssl (extension for Apache)
[[email protected] ~]# yum install mod_ssl openssl
We generate our own certificate using OpenSSL, for this
- Generating a private key with 2048-bit encryption
- Generating a CSR certificate request
- We generate a self-signed key for 356 days
[[email protected] ~]# openssl genrsa -out ca.key 2048
[[email protected] ~]# openssl req -new -key ca.key -out ca.csr
[[email protected] ~]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Move the resulting files to the correct location
[[email protected] ~]# mv ca.crt /etc/pki/tls/certs
[[email protected] ~]# mv ca.key /etc/pki/tls/private/ca.key
[[email protected] ~]# mv ca.csr /etc/pki/tls/private/ca.csr
Update the Apache SSL config file
[[email protected] ~]# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
Then you need to restart Apache
[[email protected] ~]# service httpd restart
Configuring virtual hosts
Everything is the same as how you created VirtualHosts for HTTP on 80 port – everything is also for HTTPS at the port 443… A typical virtual host for port 80 looks like this
<VirtualHost *:80>
<Directory /var/www/vhosts/yoursite.com/httpdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
ServerName yoursite.com
</VirtualHost>
To enable ssl you need to add the following at the top of your file
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory /var/www/vhosts/yoursite.com/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
ServerName yoursite.com
</VirtualHost>
And restart Apache
[[email protected] ~]# service httpd restart
Configuring the firewall
We need to open port 443 so that we can connect to the site via https
[[email protected] ~]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
[[email protected] ~]# /sbin/service iptables save
[[email protected] ~]# iptables -L -v