This is going to turn into another one of my “I love package management” posts. When I first starting managing Linux servers with Apache, adding a new module to Apache required going back to the source code, remembering the configure parameters you compiled Apache with last time, configuring Apache again with the same parameters plus whatever changes need to be made, compiling, testing, and then installing. It took hours. Now, it takes a few minutes to add something like mod_ssl support to Apache without having to compile anything.

Installing

Once again, my server is running CentOS x64 5.2, and I’m using yum to do package management. Thus, the following instruction may need to be modified for your specific system.

I first need to install the mod_ssl library.

yum install mod_ssl

If you are using a different package manager, such as apt, you can run a similar command. The important part is that you can easily install mod_ssl with your package manager rather than having to recompile Apache.

Configuring Apache

There are a variety of different ways to configure Apache to load the necessary SSL options. Also, these options may need to be changed or tweaked for your setup. That said, here is how I configured my server.

My httpd.conf includes all the files from conf.d/*.conf. I took advantage of this and created a conf.d/ssl.conf file. My ssl.conf file contains the following:

LoadModule ssl_module modules/mod_ssl.so
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  512
SSLRandomSeed connect builtin

SSLCryptoDevice builtin
ServerName ssl.domain.com

DocumentRoot /home/site/html

ScriptAlias /cgi-bin /home/site/cgi-bin

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /etc/httpd/conf/ssl/ssl.crt/ssl.domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/ssl.key/ssl.domain.com.key
SSLCertificateChainFile /etc/httpd/conf/ssl/ssl.crt/godaddy_intermediate_bundle.crt

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /home/site/logs/access.log combined

The two lines at the top are extremely important. The first line actually loads the mod_ssl module. The second line tells the server to listen on port 443 (the default port for SSL and allows access using https).

Notice the SSLCertificateChainFile directive. This loads the chain certificate that was given to me by GoDaddy, the SSL provider I used. If you don’t load your provider’s chain file properly (if necessary), your SSL will not function.

I also have a sample file that you can use to create your own ssl.conf file. It contains comments that can help you understand all the options.

Once you’ve made your config changes, you need to ask Apache if everything is set up correctly. You can do so by running the following command:

service httpd configtest

Unless that command commands back with “Syntax OK”, you have a problem. Unless you know what the error means and how to fix it, the best thing to do is to copy the error and search for it in Google. That will be the quickest way of finding a solution.

For example, if I remove that first line in my ssl.conf, mod_ssl won’t load and I get the following error if I test my config:

Syntax error on line 8 of /etc/httpd/conf.d/ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module not included in the server configuration

Searching around for “Invalid command ‘SSLPassPhraseDialog'” produces some results that indicate that the mod_ssl module isn’t loaded correctly.

Another common error message is:

httpd: Syntax error on line 210 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/ssl.conf: Can't locate API module structure `mod_ssl' in file /etc/httpd/modules/mod_ssl.so: /etc/httpd/modules/mod_ssl.so: undefined symbol: mod_ssl

This is a common mistake where you try to load the mod_ssl module in the old Apache 1 config method rather than the new Apache 2 method. The old method looks like:

LoadModule mod_ssl modules/mod_ssl.so

The correct config line would be:

LoadModule ssl_module modules/mod_ssl.so

Configure Firewall

Now that you have Apache configured, it’s time to open up port 443 on your firewall. I’m using iptables, so my instructions will be specific to it.

The easiest way to open up the port immediately is to run the following:

iptables -A INPUT -p tcp -m tcp --dport https -j ACCEPT

This will immediately open up that port on your system. However, this change is only temporary, and a restart of iptables or of your server will remove this rule.

Making the rule permanent on your system is completely dependent upon your own personal setup. I have seen hundreds of different ways that people have set up their persistent firewall rules. I like to create a service that makes it easy to load, clear, and reload my firewall rules. Firewall management is beyond the scope of this topic, so I will do a firewall post and then link to it so that you can see how I manage my own firewall rules.

Now all that is left is to enjoy your new secure site.

Did I help you?