For When You Can't Have The Real Thing
[ start | index | login ]
start > Apache > Enable SSL

Enable SSL

Created by dave. Last edited by dave, 69 days ago. Viewed 105 times. #3
[diff] [history] [edit] [rdf]
labels
attachments
(2019-04-08)

Problem

I want https enabled on the apache installed in my RedHat flavor distribution.

Warning

Note date on this snip -- SSL security options may be out of date!

Solution

# yum install mod_ssl

In /etc/conf.d/ssl remove everything in the <VirtualHost _default_:443> definition and replace it with

<VirtualHost _default_:443>

# This should net you an A+ rating on the qualsys site

SSLEngine on SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCertificateFile /etc/ssl/certs/myzone/system.myzone.crt SSLCertificateKeyFile /etc/ssl/certs/myzone/system.myzone.key SSLCertificateChainFile /etc/ssl/certs/myzone/system.myzone-intermediate.crt SSLHonorCipherOrder On Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff

#DocumentRoot "/var/www/html" ServerName my.fqdn.arpa.name

TransferLog logs/ssl_access_log LogLevel warn

<Files ~ ".(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory>

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 </VirtualHost>

In each virtual host that is going to be served through HTTPS, add this block:

# This should net you an A+ rating on the qualsys site

SSLEngine on SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCertificateFile /etc/ssl/certs/myzone/server.myzone.crt SSLCertificateKeyFile /etc/ssl/certs/myzone/server.myzone.key SSLCertificateChainFile /etc/ssl/certs/myzone/server.myzone-intermediate.crt SSLHonorCipherOrder On Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff

Note:

  • for the VirtualHost, "server.myzone" should be the same value that the same VirtualHost ServerName parameter is set to
  • SNI is enabled automatically; different VirtualHosts do not have to share certificate files
  • If you only have one VirtualHost, you can do all your site-specific configuration in the default
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt