Apache2 SSL Configuration

=Apache2 SSL Configuration=

Step 1: Create your own server certificate
How to generate the private key and obtain a signed server certificate is explained in this article:

Create_a_signed_server_certificate

Step 2: Save your private key and certificates
After you have created your key and received your server certificate, move these files into the following directories. Keep the private key owned by root and readable by root only (mode 0600): anyone who can read it can impersonate the site.

 mv server.key /etc/apache2/ssl.key/
 mv ca_cert.crt /etc/apache2/ssl.crt/
 mv ca.crt /etc/apache2/ssl.crt/

Step 3: Apache2 configuration
Before we create our virtual host we need to change some parameters in the Apache2 configuration.

By default Apache2 only listens on port 80 for HTTP. To make it also listen on port 443 (the standard port for HTTPS) and to enable name-based virtual hosting on both ports, edit listen.conf:

 vi /etc/apache2/listen.conf

 Listen 80
 Listen 443
 # name-based virtual hosting:
 NameVirtualHost *:80
 NameVirtualHost *:443

NameVirtualHost is only needed on Apache 2.2; Apache 2.4 ignores the directive and logs a warning about it.

Then check that the ssl module is loaded:

 a2enmod ssl

If it is not loaded, edit /etc/sysconfig/apache2 and add ssl to the APACHE_MODULES variable.

Step 4: Apache2 vhosts configuration
After you have changed listen.conf, we can create the vhost configuration. The certificate and key paths in the vhost must point to where you stored the files in Step 2; the example below uses /etc/ssl/certs and /etc/ssl/private, so adjust either the paths here or the directories in Step 2.

 vi /etc/apache2/vhosts.d/test-https.conf

 <VirtualHost *:443>
     ServerName testsite.de:443
     ServerAdmin test@mpdl.mpg.de
     DocumentRoot "/srv/www/htdocs/ssite"
     ErrorLog /var/log/apache2/ssl_error_log
     TransferLog /var/log/apache2/ssl_access_log
     SSLEngine on

     # Server certificate and the intermediate CA chain sent to clients
     SSLCertificateFile /etc/ssl/certs/testseite.de.crt
     SSLCertificateChainFile /etc/ssl/certs/ca.crt
     # Your private key (readable by root only)
     SSLCertificateKeyFile /etc/ssl/private/testseite.de.key
     # Certificate Authority (CA) used to verify client certificates; not needed here
     #SSLCACertificateFile /etc/ssl/certs/ca.crt

     # TLS only: SSLv2 and SSLv3 are disabled. The "+SSLv3" inside the cipher
     # list below is a cipher-suite selector, not a protocol setting.
     SSLProtocol all -SSLv2 -SSLv3
     SSLHonorCipherOrder On
     SSLCompression off
     SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'

     # Export the SSL_* variables to CGI/SSI scripts
     SSLOptions +StdEnvVars
     # Work around TLS bugs in old MSIE versions
     SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
     CustomLog /var/log/apache2/ssl_request_log ssl_combined

     <Directory "/srv/www/htdocs/ssite">
         Options Indexes
         AllowOverride None
         Order allow,deny
         Allow from all
     </Directory>
 </VirtualHost>

The access control uses Apache 2.2 syntax; on Apache 2.4 replace the Order/Allow lines with Require all granted. The cipher list keeps CBC suites with SHA-1 (CAMELLIA128-SHA, AES128-SHA) at the end for old clients; drop them once you no longer have to support such clients, and keep the ECDHE AES-GCM suites at the front so that SSLHonorCipherOrder prefers them.

Step 5: Create a test site
 mkdir /srv/www/htdocs/ssite
 vi /srv/www/htdocs/ssite/index.html

Step 6: Test the SSL encryption
Make sure you have configured /etc/apache2/listen.conf as described in Step 3.

Run the syntax check first (apache2ctl configtest). If there are no mistakes in your configuration, a restart of Apache2 will succeed:

 rcapache2 restart

Your site is now reachable at https://testsite.de (the browser warns about the certificate unless the CA from Step 1 is trusted). Checking the handshake with openssl s_client -connect testsite.de:443 shows the certificate chain the server presents and the negotiated protocol; SSLv3 must be refused.
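As an added example (not part of the original page), the Python script below audits a vhost file in the shape used in Step 4 before you restart Apache: it parses the <VirtualHost> block, evaluates SSLProtocol the way mod_ssl does (left to right, "all" minus the removed names) and reports the settings a reviewer looks for. It embeds two constructed vhost texts: a weak one whose comment claims "TLS only" but whose SSLProtocol never removes SSLv3, and a hardened one matching Step 4. The file paths, domain and the audit() checks are the example's own assumptions.

```python
"""Audit the TLS directives of Apache <VirtualHost *:443> blocks.

Added example for this page, not the page's own tooling.  Both vhost texts
below are constructed to mirror the configuration from Step 4.
"""
import re

# Protocol names understood by mod_ssl's SSLProtocol (lower-case key -> canonical name).
PROTOCOLS = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}

# Cipher-string tokens that must only ever appear negated ("!RC4"), never selected.
WEAK_CIPHER_TOKEN = re.compile(r"RC4|MD5|NULL|EXP|DES", re.I)

# Constructed sample: the comment promises "TLS only" but SSLv3 is never removed,
# compression keeps its default, and RC4 is selected explicitly.
WEAK_VHOST = r"""
<VirtualHost *:443>
    ServerName testsite.de:443
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/testseite.de.crt
    SSLCertificateKeyFile /etc/ssl/private/testseite.de.key
    # Force SSLv3 and TLSv1 Only!
    SSLProtocol all -SSLv2
    SSLCipherSuite 'HIGH:RC4-SHA:!aNULL'
</VirtualHost>
"""

# Constructed sample in the shape of the hardened vhost from Step 4.
HARDENED_VHOST = r"""
<VirtualHost *:443>
    ServerName testsite.de:443
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/testseite.de.crt
    SSLCertificateChainFile /etc/ssl/certs/ca.crt
    SSLCertificateKeyFile /etc/ssl/private/testseite.de.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCompression off
    SSLCipherSuite 'EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM:!aNULL:!eNULL:!MD5:!RC4'
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
"""


def parse_vhosts(text):
    """Return [{'address': ..., 'directives': {lowercase name: [args, ...]}}] per block.

    Apache treats '#' as a comment only at line start, and a trailing backslash
    continues a directive on the next line; both cases are handled here.
    """
    vhosts, current, pending = [], None, ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"address": opened.group(1).strip(), "directives": {}}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost>"):
            current = None
        elif current is not None:
            name, _, args = line.partition(" ")
            current["directives"].setdefault(name.lower(), []).append(args.strip())
    return vhosts


def enabled_protocols(spec):
    """Evaluate an SSLProtocol argument left to right like mod_ssl: 'all' is the
    full set, '-X' removes, '+X' or bare X adds; a missing directive means 'all'."""
    enabled = set()
    for token in (spec or "all").split():
        op = token[0] if token[0] in "+-" else "+"
        name = token.lstrip("+-").lower()
        names = list(PROTOCOLS.values()) if name == "all" else [PROTOCOLS.get(name, name)]
        for proto in names:
            enabled.add(proto) if op == "+" else enabled.discard(proto)
    return enabled


def audit(vhost):
    """Return findings for one :443 vhost; an empty list means every check passed."""
    d = vhost["directives"]

    def first(name):
        return d.get(name, [""])[0]

    findings = []
    if first("sslengine").lower() != "on":
        findings.append("SSLEngine is not 'on'")
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in enabled_protocols(first("sslprotocol")):
            findings.append(f"SSLProtocol still offers {legacy}")
    if first("sslcompression").lower() != "off":
        findings.append("SSLCompression is not 'off' (CRIME)")
    if first("sslhonorcipherorder").lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on', so the client picks the cipher")
    for token in first("sslciphersuite").strip("'\"").split(":"):
        if token and not token.startswith("!") and WEAK_CIPHER_TOKEN.search(token):
            findings.append(f"SSLCipherSuite selects weak cipher '{token}'")
    for required in ("sslcertificatefile", "sslcertificatekeyfile"):
        if not first(required):
            findings.append(f"{required} is missing")
    if not any("strict-transport-security" in h.lower() for h in d.get("header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        for vhost in parse_vhosts(text):
            print(label, vhost["address"], audit(vhost) or "OK")
```

Run it against your own file with `audit(parse_vhosts(open(path).read())[0])`; the weak sample yields five findings, the hardened one none. The SSLProtocol evaluation is the point: a comment is not a control, and "all -SSLv2" still offers SSLv3.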

=Apache2 with SNI=

You need SNI (Server Name Indication) to serve more than one HTTPS domain from a single IP address: the client sends the host name inside the TLS handshake, so Apache can select the matching certificate before any HTTP request is seen.

Requirements for SNI

 * Mozilla Firefox 2.0+
 * Opera 8.0+ (TLS 1.1 must be enabled)
 * Internet Explorer 7+ (Windows Vista or newer)
 * Google Chrome (Windows Vista or newer)
 * Safari 3.2.1+ on Mac OS X 10.5.6+ and Windows (Windows Vista or newer)
 * Apache 2.2.12+ (built against an OpenSSL with TLS extension support)

If the directive NameVirtualHost is not yet set in the Apache configuration (for example in httpd.conf or listen.conf), add it for the address and port the SSL vhosts share:

Configuration of SNI
 NameVirtualHost {IP}:443

SSLStrictSNIVHostCheck decides whether clients without SNI may reach a name-based vhost at all; with "on" they get a 403 Forbidden. Keep it off (the default) so that such clients are served the default (first) vhost instead. Best place it in httpd.conf or apache2.conf:

 SSLStrictSNIVHostCheck off

Every domain has its own configuration. Modify each VirtualHost so that it is bound to the IP address of this server, matching the NameVirtualHost line above.


 * old: the opening tag the vhost has so far, e.g. <VirtualHost *:443>
 * new: <VirtualHost {IP}:443>

Once all these steps are done and Apache2 has been restarted, SNI should work and all HTTPS domains are reachable in the browser.

Enable OCSP stapling
 SSLUseStapling on
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:/var/run/ocsp(128000)

 * SSLStaplingCache is only valid in the server configuration (not inside a VirtualHost), so put the stapling directives in the global SSL configuration. OCSP stapling requires Apache 2.4 (mod_ssl 2.3.3 or later). With SSLStaplingReturnResponderErrors off, a failing responder means no staple is sent rather than an error being stapled.

Enable Header Strict-Transport-Security (HSTS)
 Header always set Strict-Transport-Security "max-age=15768000"
 # If you want to protect all subdomains, use the following header instead.
 # ALL subdomains HAVE TO support HTTPS if you use this!
 # Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

 * 15768000 seconds is six months: every client that has seen the header refuses plain HTTP to this host for that long, so send it only from the HTTPS vhost and only once everything is served over HTTPS. Use "always set" rather than "add" so that exactly one header is sent, also on error responses. The Header directive needs mod_headers (a2enmod headers).

Enable Header Public-Key-Pins (HPKP)
The pin is the SHA-256 hash of the DER-encoded public key (the certificate's SubjectPublicKeyInfo), base64-encoded. Each of the following commands extracts that public key from a different input and produces the same pin for the same key.

 openssl rsa -in KEYFILE -outform der -pubout | openssl dgst -sha256 -binary | base64

The above command extracts the public key from a private key generated with openssl genrsa; replace rsa with dsa for DSA keys (or use openssl pkey for any key type).

 openssl req -in CSRFILE -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64

The above command extracts the public key from a CSR.

 openssl x509 -in PEMFILE -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64

And the above command extracts the public key from an existing X.509 certificate.

All three commands print something similar to the output below; the "writing RSA key" line is a status message on stderr, the base64 line is the pin.

 writing RSA key
 cYf9T3Il8DaCnaMaM0LatIAru1vqmcu2JSwS7uvyEB0=

 * Add this to your VirtualHost. Browsers reject the header unless it carries at least two pins, so generate a second key pair, keep it offline and pin it as the backup (BACKUP_PUBLIC_KEY). max-age=7776000 is 90 days; during that time a lost or rotated key that matches no pin locks every returning visitor out. Note that HPKP has since been deprecated and removed from major browsers.

 Header always set Public-Key-Pins "pin-sha256=\"cYf9T3Il8DaCnaMaM0LatIAru1vqmcu2JSwS7uvyEB0=\"; pin-sha256=\"BACKUP_PUBLIC_KEY\"; max-age=7776000; report-uri=\"REPORT_URI\""
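As an added example (not the page's own commands), the Python script below does in pure stdlib what the three openssl pipelines above do: it walks the DER structure of a certificate to the SubjectPublicKeyInfo, hashes that element with SHA-256 and base64-encodes the digest, then assembles the Public-Key-Pins and Strict-Transport-Security values from the sections above. Because it must run offline, the certificate it works on is a constructed, unsigned DER skeleton with a placeholder modulus built inline; feed it a real PEM file in practice. The helper names and the sample certificate are the example's own assumptions.

```python
"""Derive HPKP pin-sha256 values from an X.509 certificate and build the header.

Added example for this page.  The certificate below is a constructed, unsigned
skeleton (placeholder modulus and signature) so that the script runs offline.
"""
import base64
import hashlib
import re
import textwrap


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One DER element: tag, length, content."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(n):
    """DER INTEGER; the extra byte adds a leading 0x00 when the high bit is set."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_iter(buf, pos, end):
    """Yield (tag, content_start, content_end) for each element in buf[pos:end]."""
    while pos < end:
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            length, pos = first, pos + 2
        else:
            n = first & 0x7F
            length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
        yield tag, pos, pos + length
        pos += length


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the block."""
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo element of a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_start, cert_end = next(der_iter(cert_der, 0, len(cert_der)))
    _, tbs_start, tbs_end = next(der_iter(cert_der, cert_start, cert_end))
    fields = list(der_iter(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:        # the explicit version tag is absent in v1 certificates
        fields = fields[1:]
    tag, start, end = fields[5]     # serial, sigalg, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tlv(0x30, cert_der[start:end])   # DER is canonical, so re-encoding matches


def pin_sha256(spki_der):
    """The pin: base64(SHA-256(DER SPKI)), exactly what the openssl pipelines print."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_header(pins, max_age, report_uri=None, include_subdomains=False):
    """Public-Key-Pins value; browsers reject it without a second (backup) pin."""
    if len(pins) < 2:
        raise ValueError("HPKP needs the current pin plus a backup pin")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def hsts_header(max_age, include_subdomains=False):
    """Strict-Transport-Security value as used in the HSTS section above."""
    return f"max-age={max_age}" + ("; includeSubDomains" if include_subdomains else "")


# --- constructed sample certificate (unsigned skeleton, NOT a real key) ----------
RSA_OID = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
ALG_ID = tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b""))
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"testsite.de"))))
VALIDITY = tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, b"250101000000Z"))
PLACEHOLDER_MODULUS = (1 << 2047) | 0x10001           # placeholder, not a real RSA modulus
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
                  + tlv(0x03, b"\x00" + tlv(0x30, der_int(PLACEHOLDER_MODULUS) + der_int(65537))))


def build_sample_cert(with_version=True):
    """Assemble the skeleton; with_version=False yields a v1-style TBSCertificate."""
    version = tlv(0xA0, der_int(2)) if with_version else b""
    tbs = tlv(0x30, version + der_int(1) + ALG_ID + NAME + VALIDITY + NAME + SAMPLE_SPKI)
    return tlv(0x30, tbs + ALG_ID + tlv(0x03, b"\x00" * 33))   # dummy signature


def to_pem(der):
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_CERT_PEM = to_pem(build_sample_cert())


def sample_pin():
    return pin_sha256(spki_from_cert(pem_to_der(SAMPLE_CERT_PEM)))


if __name__ == "__main__":
    pin = sample_pin()
    print("pin-sha256:", pin)
    print('Header always set Public-Key-Pins "%s"'
          % hpkp_header([pin, "BACKUP_PUBLIC_KEY"], 7776000, "REPORT_URI"))
```

The pin is taken over the whole SPKI element (tag and length included), not just the key bits, which is why pins from the key file, the CSR and the certificate agree as long as the public key is the same; a renewed certificate with the same key keeps its pin, a new key pair does not, which is what the backup pin is for.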