Configure SSL for Apache2 Web Server on Debian
http://blog.ditatompel.crayoncreative.net/how-to/configure-ssl-for-apache2-web-server-on-debian/
Normal web traffic is sent unencrypted over the Internet. That is, anyone with
access to the right tools can snoop all of that traffic. Obviously, this can
lead to problems, especially where security and privacy is necessary, such as in
credit card data and bank transactions. The Secure Socket Layer is used to
encrypt the data stream between the web server and the web client (the browser).
This section will serve as a very brief introduction to SSL, the Secure Socket
Layer. Cryptography is a very extensive topic which literally fills volumes of
texts. The following is an extremely simplified view of how SSL is implemented
and what part the certificate plays in the entire process. There may be some
small inaccuracies in an effort to present the information in the easiest
possible format.
This guide will assist you with enabling SSL for websites served under the
Apache web server.
I've assumed that you've successfully set up Apache for serving virtual hosts
before.
These steps could be performed via an SSH session to your VPS (or CLI from your
local virtual webserver (localhost) ).
I use my local virtual webserver in this article with :
Server name : crayon.gov
public html dir : /home/ditatompel/public_html
First install openssl if you didn't install it yet
sudo apt-get install openssl
then create ssl directory :
mkdir /home/ditatompel/ssl
cd ssl
Generate a Self-Signed Certificate
You will be asked for several configuration values. Enter values appropriate for
your organization and server, as shown here. This example will create a
certificate valid for 365 days; you may wish to increase this value.
openssl req -new -x509 -days 365 -nodes -out /home/ditatompel/ssl/apache.pem
-keyout /home/ditatompel/ssl/apache.key
OUTPUT
Generating a 1024 bit RSA private key
.++++++
...........................................................................++++
++
writing new private key to 'apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:Central Java
Locality Name (eg, city) []:Semarang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Crayon Indonesia Inc
Organizational Unit Name (eg, section) []:Technology Service
Common Name (eg, YOUR name) []:crayon.gov
Email Address []:
[email protected]
Create and enable the SSL site
I've named ssl file config for my SSL site
sudo nano /etc/apache2/sites-available/ssl
and write down this site configurations
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /home/ditatompel/ssl/apache.pem
SSLCertificateKeyFile /home/ditatompel/ssl/apache.key
ServerAdmin
[email protected]
ServerName crayon.gov
DocumentRoot /home/ditatompel/public_html/
ErrorLog /home/ditatompel/logs/sslerror.log
CustomLog /home/ditatompel/logs/sslaccess.log combined
</VirtualHost>
enable SSL Module for apache and enable the SSL site
sudo a2enmod ssl; a2ensite ssl
then Restart Apache:
sudo /etc/init.d/apache2 restart
You should now be able to visit your site with SSL enabled (after accepting your
browser's warnings about the certificate).
Additional
Mod rewrite
It's always good to force users to access things like webmail via https, this
can be accomplished with mod_rewrite.
First you'll have to enable the module
sudo a2enmod rewrite
Then add the following to /etc/apache2/sites-available/default to force an SSL
connection and redirect all traffic to port 80 to port 443 (HTTPS)
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
