Tuesday, June 14, 2011

Enabling SSL in Apache2 on Ubuntu

I'm using my server for various admin interfaces and so want to SSL-encrypt all traffic to the web server. This is easy enough to add to the default vhosts.

First, we need an SSL certificate. Create a self-signed one, together with its private key, by running:

openssl req -new -x509 -newkey rsa:2048 -days 3650 -nodes \
-out /etc/ssl/certs/apacheserver.pem \
-keyout /etc/ssl/private/apacheserver.pem

This generates a self-signed certificate valid for ten years and a 2048-bit RSA key. Because of -nodes the key is written without a passphrase (otherwise Apache would prompt for it at every start), so file permissions are all that protect it: /etc/ssl/private is root-only on Ubuntu, and the key file should stay readable by root alone. For tests this is good enough; for production sites you WILL want a certificate issued by a CA that your users' browsers trust. SSL's job is not only to encrypt but also to authenticate the site to the user, and a self-signed certificate only does the first: browsers will pop up a warning, and a user who clicks through has no way to tell your server from an attacker's presenting a different self-signed certificate for the same name. Users can (permanently) accept the warning for your site, but it's probably not the impression you want to leave.

Ubuntu's Apache2 comes with the SSL module installed but not enabled. As our next step, enable it:

a2enmod ssl

(Ubuntu's /etc/apache2/ports.conf already carries a Listen 443 directive inside an <IfModule mod_ssl.c> block, so once the module is loaded Apache listens on port 443 without further changes.)

Next, we need an SSL virtual host. In my case, I want all http traffic to be simply redirected to https. Find the file /etc/apache2/sites-enabled/000-default (on Ubuntu this is a symlink to /etc/apache2/sites-available/default, so editing either path changes the same file) and edit it.

Change the existing vhost to listen on port 443; edit the "VirtualHost" line so it reads:

<VirtualHost *:443>
[...]
</VirtualHost>

(Where [...] is of course the rest of your vhost configuration)

Now, inside the VirtualHost definition we need to enable SSL and tell Apache where the certificate and the private key created in the first step reside:

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apacheserver.pem
SSLCertificateKeyFile /etc/ssl/private/apacheserver.pem
[...]
</VirtualHost>

Then add a second, plain-http vhost whose only job is to redirect to the SSL one:

<VirtualHost *:80>
RedirectPermanent / https://server.example.org/
</VirtualHost>

Naturally, replace https://server.example.org/ with your machine's name. The redirect keeps the requested path, so http://server.example.org/foo ends up at https://server.example.org/foo.

Check the configuration syntax with apache2ctl configtest, then restart Apache:

/etc/init.d/apache2 restart

And that's all. If you go to http://server.example.org/ you should now be redirected to https://server.example.org/ (and, with a self-signed certificate, see the browser warning discussed above).
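The whole procedure scripted, as an added example that is not part of the original post: it generates the certificate and key, restricts the key's permissions, checks that certificate and key belong together, writes both vhosts, runs configtest before restarting, and then verifies from the outside that port 80 redirects and port 443 completes a handshake with the new certificate. The hostname server.example.org, the apacheserver.pem file names and the Apache 2.2 site path /etc/apache2/sites-available/default are assumptions carried over from the steps above; -subj is added so the openssl step does not prompt, and curl is assumed to be installed. Run it as root with the argument apply, or source it to use the functions on their own.

```shell
#!/bin/sh
# Added example, not from the original post. Scripts the steps above and adds
# the checks worth running before and after the restart.
# Assumptions (taken from the steps above, adjust for your host):
#   HOST - the name clients will use; SITE - the Apache 2.2 default site file.
set -eu

HOST="${HOST:-server.example.org}"
CERT=/etc/ssl/certs/apacheserver.pem
KEY=/etc/ssl/private/apacheserver.pem
SITE=/etc/apache2/sites-available/default

# Print both vhosts: port 80 only redirects, port 443 serves the content over SSL.
# Arguments: hostname, certificate path, key path, optional DocumentRoot.
render_sites() {
    host="$1"; cert="$2"; key="$3"; docroot="${4:-/var/www}"
    cat <<EOF
<VirtualHost *:80>
    RedirectPermanent / https://${host}/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile ${cert}
    SSLCertificateKeyFile ${key}
    ServerName ${host}
    DocumentRoot ${docroot}
    <Directory ${docroot}/>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

# Apache refuses to start when SSLCertificateFile and SSLCertificateKeyFile do
# not belong together; compare the RSA moduli now instead of finding out then.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl dgst -sha256)
    k=$(openssl rsa -noout -modulus -in "$2" | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Given the response headers for http://HOST/ (as printed by curl -sI), check
# that the plain-http vhost answers with a 301 pointing at the https URL.
redirect_ok() {
    host="$1"; headers="$2"
    printf '%s\n' "$headers" | head -n 1 | grep -q ' 301 ' || return 1
    printf '%s\n' "$headers" | tr -d '\r' | grep -qi "^location: https://${host}/" || return 1
}

if [ "${1:-}" = apply ]; then
    # 1. Certificate and key. -nodes leaves the key unencrypted so Apache can
    #    start unattended; file permissions are therefore all that protects it.
    if [ ! -f "$KEY" ]; then
        openssl req -new -x509 -newkey rsa:2048 -days 3650 -nodes \
            -subj "/CN=${HOST}" -out "$CERT" -keyout "$KEY"
        chmod 600 "$KEY"
    fi
    cert_key_match "$CERT" "$KEY" || { echo "certificate and key do not match" >&2; exit 1; }

    # 2. Enable mod_ssl; Ubuntu's ports.conf adds Listen 443 once it is loaded.
    a2enmod ssl

    # 3. Write the vhosts, keep a backup, and test the syntax before restarting.
    cp -a "$SITE" "$SITE.bak"
    render_sites "$HOST" "$CERT" "$KEY" > "$SITE"
    apache2ctl configtest
    /etc/init.d/apache2 restart

    # 4. Verify from the outside: port 80 must redirect, port 443 must complete
    #    a handshake and present the certificate we just created.
    redirect_ok "$HOST" "$(curl -sI "http://${HOST}/")" || { echo "http does not redirect" >&2; exit 1; }
    openssl s_client -connect "${HOST}:443" -servername "$HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -fingerprint -sha256
    echo "SSL vhost is up"
fi
```

The fingerprint printed at the end is what to compare against the browser's warning dialog: if the two differ, something between the client and your server is terminating SSL with its own certificate.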

For final reference, here's my configuration. Note that I commented out the Ubuntu documentation alias (no need to make this available to the big wide world) and cgi-bin (I'm not using it). This is Apache 2.2 syntax, which is what Ubuntu shipped at the time; on Apache 2.4 the site file is /etc/apache2/sites-enabled/000-default.conf and the Order/allow access-control lines become Require all granted.

<VirtualHost *:80>
    RedirectPermanent / https://ephesus.pandemonium.de/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ephesus.pem
    SSLCertificateKeyFile /etc/ssl/private/ephesus.pem

    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        # Indexes enables directory listings (Ubuntu's default); drop it if you do not want them.
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    #ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    #<Directory "/usr/lib/cgi-bin">
    #    AllowOverride None
    #    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    #    Order allow,deny
    #    Allow from all
    #</Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Alias /doc/ "/usr/share/doc/"
    # <Directory "/usr/share/doc/">
    #     Options Indexes MultiViews FollowSymLinks
    #     AllowOverride None
    #     Order deny,allow
    #     Deny from all
    #     Allow from 127.0.0.0/255.0.0.0 ::1/128
    # </Directory>

</VirtualHost>

3 comments:

  1. Thanks for the guide. I'm in the process of creating a new local Exchange server at our office for internal mail mostly, but people will be accessing it from home as well. So I'm creating it as SSL; this has been really helpful, almost got it set up and working now thanks to you

  2. While I am building a RESTful app, I was looking for a how-to to set up my Ubuntu dist. This article is great: clear in its scope and explanation.
    I had my SSL Apache ready in 5 mins.
    Thanks
    PS:
    here is my conf:

    ServerAdmin webmaster@localhost
    DocumentRoot /media/usb_htdocs/taklia.pro/taklia.dev/services/trunk

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apacheserver.pem
    SSLCertificateKeyFile /etc/ssl/private/apacheserver.pem


    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all




    ServerAlias services.taklia.dev
    RedirectPermanent / https://services.taklia.dev/

  3. […] not configured SSL properly – Firefox was attempting to parse http as https. So I set out to configure SSL and lo and behold, this solved the […]
