This is going to turn into another one of my “I love package management” posts. When I first starting managing Linux servers with Apache, adding a new module to Apache required going back to the source code, remembering the configure parameters you compiled Apache with last time, configuring Apache again with the same parameters plus whatever changes need to be made, compiling, testing, and then installing. It took hours. Now, it takes a few minutes to add something like mod_ssl support to Apache without having to compile anything.
I first need to install the mod_ssl library.
yum install mod_ssl
If you are using a different package manager, such as apt, you can run a similar command. The important part is that you can easily install mod_ssl with your package manager rather than having to recompile Apache.
There are a variety of different ways to configure Apache to load the necessary SSL options. Also, these options may need to be changed or tweaked for your setup. That said, here is how I configured my server.
My httpd.conf includes all the files from conf.d/*.conf. I took advantage of this and created a conf.d/ssl.conf file. My ssl.conf file contains the following:
LoadModule ssl_module modules/mod_ssl.so Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect builtin SSLCryptoDevice builtin ServerName ssl.domain.com DocumentRoot /home/site/html ScriptAlias /cgi-bin /home/site/cgi-bin SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/httpd/conf/ssl/ssl.crt/ssl.domain.com.crt SSLCertificateKeyFile /etc/httpd/conf/ssl/ssl.key/ssl.domain.com.key SSLCertificateChainFile /etc/httpd/conf/ssl/ssl.crt/godaddy_intermediate_bundle.crt SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog /home/site/logs/access.log combined
The two lines at the top are extremely important. The first line actually loads the mod_ssl module. The second line tells the server to listen on port 443 (the default port for SSL and allows access using https).
Notice the SSLCertificateChainFile directive. This loads the chain certificate that was given to me by GoDaddy, the SSL provider I used. If you don’t load your provider’s chain file properly (if necessary), your SSL will not function.
I also have a sample file that you can use to create your own ssl.conf file. It contains comments that can help you understand all the options.
Once you’ve made your config changes, you need to ask Apache if everything is set up correctly. You can do so by running the following command:
service httpd configtest
Unless that command commands back with “Syntax OK”, you have a problem. Unless you know what the error means and how to fix it, the best thing to do is to copy the error and search for it in Google. That will be the quickest way of finding a solution.
For example, if I remove that first line in my ssl.conf, mod_ssl won’t load and I get the following error if I test my config:
Syntax error on line 8 of /etc/httpd/conf.d/ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module not included in the server configuration
Searching around for “Invalid command ‘SSLPassPhraseDialog'” produces some results that indicate that the mod_ssl module isn’t loaded correctly.
Another common error message is:
httpd: Syntax error on line 210 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/ssl.conf: Can't locate API module structure `mod_ssl' in file /etc/httpd/modules/mod_ssl.so: /etc/httpd/modules/mod_ssl.so: undefined symbol: mod_ssl
This is a common mistake where you try to load the mod_ssl module in the old Apache 1 config method rather than the new Apache 2 method. The old method looks like:
LoadModule mod_ssl modules/mod_ssl.so
The correct config line would be:
LoadModule ssl_module modules/mod_ssl.so
Now that you have Apache configured, it’s time to open up port 443 on your firewall. I’m using iptables, so my instructions will be specific to it.
The easiest way to open up the port immediately is to run the following:
iptables -A INPUT -p tcp -m tcp --dport https -j ACCEPT
This will immediately open up that port on your system. However, this change is only temporary, and a restart of iptables or of your server will remove this rule.
Making the rule permanent on your system is completely dependent upon your own personal setup. I have seen hundreds of different ways that people have set up their persistent firewall rules. I like to create a service that makes it easy to load, clear, and reload my firewall rules. Firewall management is beyond the scope of this topic, so I will do a firewall post and then link to it so that you can see how I manage my own firewall rules.
Now all that is left is to enjoy your new secure site.
Did I help you? Send me a tip.