Skip to main content

Apache - HTTPS Configuration - Ubuntu


One of my friend wanted to enable SSL for apache, just like Tomcat which I have blogged earlier.

Creating Certificate and Certificate-Key
First lets create a certificate and Key for our Apache webserver.
Lets create directory in /etc/apache2/ssl where is the new directory.


ahmed@ubuntu:/etc/apache2/ssl$ sudo openssl req -new -x509 -days 365 -keyout vhost1.key -out vhost1.crt -nodes -subj '/O=Test India/OU=IT/CN=swift.test.com'


Generating a 1024 bit RSA private key
..................................++++++
.++++++
writing new private key to 'vhost1.key'
-----
ahmed@ubuntu:/etc/apache2/ssl$ ls
vhost1.crt vhost1.key

Once we have the Crt/Key created now lets Add port 443 to our configuration as Apache by default accepts Port 80.

Add information in Port.conf (/etc/apache2/ports.conf)
You will see that we have only NameVirtualHost *:80 and No 443 is available, so add NameVirtualHost *:443 to this like below.


NameVirtualHost *:80
NameVirtualHost *:443
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>


Update - default-ssl information in file path below
ahmed@ubuntu:/etc/apache2/sites-available$ ls
default default-ssl
ahmed@ubuntu:/etc/apache2/sites-available$ pwd
/etc/apache2/sites-available
ahmed@ubuntu:/etc/apache2/sites-available$


# Enable/Disable SSL for this virtual host.
SSLEngine on


# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile /etc/apache2/ssl/vhost1.crt
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /etc/apache2/ssl/vhost1.key


Now lets create a link in the sites-enable directory.

ahmed@ubuntu:/etc/apache2/sites-enabled$ ls -l
total 0
lrwxrwxrwx 1 root root 26 2012-03-01 22:23 000-default -> ../sites-available/default
lrwxrwxrwx 1 root root 30 2012-03-01 22:26 000-default-ssl -> ../sites-available/default-ssl
ahmed@ubuntu:/etc/apache2/sites-enabled$ pwd
/etc/apache2/sites-enabled
ahmed@ubuntu:/etc/apache2/sites-enabled$

Make sure the server is ssl enabled.

ahmed@ubuntu:/etc/apache2/ssl$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
ahmed@ubuntu:/etc/apache2/ssl$ sudo service apache2 restart
* Restarting web server apache2 apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
... waiting .apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[ OK ]

Comments

Popular posts from this blog

Zabbix History Table Clean Up

Zabbix history table gets really big, and if you are in a situation where you want to clean it up. Then we can do so, using the below steps. Stop zabbix server. Take table backup - just in case. Create a temporary table. Update the temporary table with data required, upto a specific date using epoch . Move old table to a different table name. Move updated (new temporary) table to original table which needs to be cleaned-up. Drop the old table. (Optional) Restart Zabbix Since this is not offical procedure, but it has worked for me so use it at your own risk. Here is another post which will help is reducing the size of history tables - http://zabbixzone.com/zabbix/history-and-trends/ Zabbix Version : Zabbix v2.4 Make sure MySql 5.1 is set with InnoDB as innodb_file_per_table=ON Step 1 Stop the Zabbix server sudo service zabbix-server stop Script. echo "------------------------------------------" echo " 1. Stopping Zabbix Server ...

Installing Zabbix Version 2.4 Offline (Zabbix Server without Internet).

There might be situations where you have a remote/zabbix server which does not have internet connectivity, due to security or other reasons. So we create a custom repo on the remote/zabbix server so that we can install zabbix using rpms Here is how we are planning to do this. Download all the dependency rpms on a machine which has internet connection, using yum-downloadonly or repotrack . Transfer all the rpms to the remote server. Create a repo on the remote server. Update yum configuration. Install. NOTE: This method can be used to install any application, but here we have used zabbix as we had this requirement for a zabbix server. Download dependent rpms . On a machine which has internet connection install the package below. And download all the rpms . Make sure the system are similar (not required to be identical - At-least the OS should be of same version) mkdir /zabbix_rpms yum install yum-downloadonly Downloading all the rpms to location /zabbix_rpms/ ,...

Access Filter in SSSD `ldap_access_filter` [SSSD Access denied / Permission denied ]

Access Filter Setup with SSSD ldap_access_filter (string) If using access_provider = ldap , this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behaviour. Example: access_provider = ldap ldap_access_filter = memberOf=cn=allowed_user_groups,ou=Groups,dc=example,dc=com Prerequisites yum install sssd Single LDAP Group Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com Multiple LDAP Groups Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = (|(memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com)) ldap_access_filter accepts standa...