Playing with Apache 2 and mod_ssl

Configuring SSL under Apache 2 is an interesting experience when you have multiple existing virtual domains using NameVirtualHost and want to support SSL connections to one of those virtual hosts. On Fedora Core 1, I moved a bunch of stuff around while configuring things. I ended up with several files in /etc/httpd/conf.d, including 00ssl.conf which has the global SSL stuff:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex  file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

Taking advantage of the modular configuration layout, I created 01virtual.conf for the majority of the virtual domains. When adding a virtual domain for SSL, I had to go back and change some existing entries. My NameVirtualHost 1.2.3.4 needed a port number. All my virtual hosts needed to be explicitly tied to the aforementioned port.

NameVirtualHost 1.2.3.4:80

<VirtualHost 1.2.3.4:80>
ServerName foo.example.com
</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName other.example.com
</VirtualHost>

Finally, I added a 99sslvirtual.conf for my virtual domain with an SSL component. You’ll notice the domain is defined for both port 80 and 443. Presently, if you wanted to do this for any additional domains, you’d need to define additional ports, such as 444 and so on. For details you might read this article by Rich Bowen.

Additionally I included some mod_rewrite magic to prevent some pages from being accessible without accessing the URL via HTTPS.

NameVirtualHost 1.2.3.4:443
# 1.2.3.4:80 was defined in 01virtual.conf earlier

<VirtualHost 1.2.3.4:443>
ServerName ssl.example.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName ssl.example.com
# Force SSL for administration stuff
# mod_rewrite is off by default in every virtual host; the rules below do nothing without this
RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteCond %{REQUEST_URI} ^/secret [OR]
RewriteCond %{REQUEST_URI} ^/super-secret [OR]
RewriteCond %{REQUEST_URI} ^/mylogin.php$ [OR]
RewriteCond %{REQUEST_URI} ^/mygallery
# In VirtualHost context the matched path starts with "/", so keep the slash outside the
# capture group; otherwise the redirect target ends up as https://ssl.example.com//secret
RewriteRule ^/(.*)$ https://ssl.example.com/$1 [R=301,L]
</VirtualHost>
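The RewriteCond chain above redirects only when the request arrives on a port other than 443 and the path matches one of four anchored patterns. Because the patterns are plain regex prefixes, they also match paths the author probably did not have in mind (/secretary, /mygallery2) and the unescaped dot in mylogin.php matches any character. The script below is an added example, not code from the original post: it models the post's decision logic with grep -E standing in for mod_rewrite's regex engine, so the rule set can be exercised against sample paths without a running httpd. The "strict" variant with tightened patterns is an assumption of this example, not something the post configures.

```shell
#!/bin/sh
# Added example (not part of the original post): stand-alone model of the
# "force SSL" RewriteCond chain so its behaviour can be checked offline.
set -eu

# Echo "redirect" when the post's conditions fire: request port is not 443
# AND the path matches any of the four patterns exactly as written in the
# post. Otherwise echo "pass".
needs_https() {
    port="$1"; uri="$2"
    [ "$port" != 443 ] || { echo pass; return 0; }
    if printf '%s\n' "$uri" | grep -Eq '^/secret|^/super-secret|^/mylogin.php$|^/mygallery'; then
        echo redirect
    else
        echo pass
    fi
}

# Same decision with tightened patterns (an assumption of this example):
# a protected prefix must end at "/" or end-of-path, and the dot in
# mylogin.php is escaped so only a literal dot matches.
needs_https_strict() {
    port="$1"; uri="$2"
    [ "$port" != 443 ] || { echo pass; return 0; }
    if printf '%s\n' "$uri" | grep -Eq '^/(secret|super-secret|mygallery)(/|$)|^/mylogin\.php$'; then
        echo redirect
    else
        echo pass
    fi
}

# Location target a redirected request receives. In VirtualHost context the
# matched path carries its leading "/", so strip it before appending to the
# https://host/ prefix to avoid a doubled slash.
redirect_target() {
    path="${1#/}"
    echo "https://ssl.example.com/$path"
}

# Constructed sample requests (port and path) to compare the two rule sets.
demo() {
    for req in "80 /secret/admin" "80 /secretary" "80 /mylogin.php" \
               "80 /myloginXphp" "443 /secret" "80 /public/index.html"; do
        set -- $req
        printf '%-4s %-20s post:%-9s strict:%s\n' \
            "$1" "$2" "$(needs_https "$1" "$2")" "$(needs_https_strict "$1" "$2")"
    done
}

case "${1:-}" in demo) demo ;; esac
```

Run it with `sh rewrite-model.sh demo` to see the two columns side by side; the rows for /secretary and /myloginXphp are where the post's patterns and the tightened ones disagree.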

If you want to quickly generate a self-signed X.509 certificate, you can follow step 9.8 and then perform step 9.4 to create an unencrypted key for Apache. You’d place the files as /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key respectively for Fedora Core 1’s Apache 2 installation.
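As an added example that is not part of the original post, the script below does the same job with a single openssl invocation and then runs the checks worth doing before pointing SSLCertificateFile and SSLCertificateKeyFile at the result: the key really is unencrypted (so httpd can start unattended with SSLPassPhraseDialog builtin), the certificate's public key matches the private key, the certificate is self-signed, carries the expected CN, and is not already expired. The ssl.crt/ and ssl.key/ subdirectory layout follows the post; the base directory, key size, validity period and CN are assumptions passed in as arguments so the script can run as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed
# certificate plus an unencrypted RSA key for Apache 2, then verify them.
set -eu

# make_selfsigned_cert BASE_DIR CN [DAYS]
# Writes BASE_DIR/ssl.crt/server.crt and BASE_DIR/ssl.key/server.key
# (the post's layout under /etc/httpd/conf). Key size, validity and the
# SHA-256 signature are choices of this example.
make_selfsigned_cert() {
    base="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$base/ssl.crt" "$base/ssl.key"
    # -nodes: do not encrypt the private key, so no passphrase at startup
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$cn" \
        -keyout "$base/ssl.key/server.key" \
        -out "$base/ssl.crt/server.crt" 2>/dev/null
    chmod 600 "$base/ssl.key/server.key"   # key readable by root only
}

# An encrypted PEM key carries "ENCRYPTED" in its header (PKCS#8) or in a
# Proc-Type line (traditional format); an unencrypted one has neither.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Compare the public key embedded in the certificate with the one derived
# from the private key; a mismatch means httpd will refuse to start.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$c" = "$k" ]
}

# Self-signed: subject and issuer are the same name.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash)
    i=$(openssl x509 -in "$1" -noout -issuer_hash)
    [ "$s" = "$i" ]
}

# cert_has_cn CERT CN: the subject contains the expected CN (RFC2253 output
# keeps the format stable across openssl versions).
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$2"
}

# Exit 0 if the certificate is not expired at this moment.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Usage: sh make-cert.sh demo [BASE_DIR] [CN]
# BASE_DIR defaults to a temp dir; use /etc/httpd/conf as root for the post's paths.
demo() {
    base="${1:-$(mktemp -d)}"; cn="${2:-ssl.example.com}"
    make_selfsigned_cert "$base" "$cn" 365
    key_is_unencrypted "$base/ssl.key/server.key"      && echo "key: unencrypted"
    cert_matches_key "$base/ssl.crt/server.crt" "$base/ssl.key/server.key" && echo "cert/key: match"
    cert_is_self_signed "$base/ssl.crt/server.crt"     && echo "cert: self-signed"
    cert_has_cn "$base/ssl.crt/server.crt" "$cn"       && echo "cert: CN=$cn"
    cert_not_expired "$base/ssl.crt/server.crt"        && echo "cert: valid now"
    echo "files under $base/ssl.crt and $base/ssl.key"
}

case "${1:-}" in demo) shift; demo "$@" ;; esac
```

The checks are the ones that catch the usual mistakes at this step: a key that still prompts for a passphrase, a certificate regenerated without its key (or the reverse), and a CN that does not match the ServerName of the SSL virtual host.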