How To Get SSL On My Apache Server?

Discussion in 'Server Operation' started by carlosinfl, Oct 1, 2010.

  1. carlosinfl

    carlosinfl New Member

    So I have a web server running on my Arch Linux server. The document root for my server is the default '/srv/http' directory. My question is how can I force my website to use HTTPS / 443 encryption for my /wiki & /webmail paths? Generally when I go to my website the URL is as follows:

    www.iamghost.com (This is just the main site and runs on port 80)

    www.iamghost.com/wiki (This is just a folder under my document root '/srv/http/wiki')

    www.iamghost.com/webmail (This too is just another folder under my document root '/srv/http/webmail')

    I would like to use my existing SSL certificates (self signed and generated with openssl) to force the 'wiki' & 'webmail' folders to run on port 443 rather than port 80. I don't know how to do this so I am posting my 'httpd.conf' file below so maybe someone can show or help me add the following entries to get this to work. My public and private SSL keys are stored in '/etc/ssl' and are already working for Postfix on the same server. Just to explain again, my main site www.iamghost.com is fine running on port 80 but when I click on the wiki or webmail links, I would like them to use SSL since logins are required for both. They're both just folders under my document root.

    My 'httpd.conf':

    Code:
    ServerRoot "/etc/httpd"
    
    Listen 80
    
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_dbm_module modules/mod_authn_dbm.so
    LoadModule authn_anon_module modules/mod_authn_anon.so
    LoadModule authn_dbd_module modules/mod_authn_dbd.so
    LoadModule authn_default_module modules/mod_authn_default.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_dbm_module modules/mod_authz_dbm.so
    LoadModule authz_owner_module modules/mod_authz_owner.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule authz_default_module modules/mod_authz_default.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule auth_digest_module modules/mod_auth_digest.so
    LoadModule file_cache_module modules/mod_file_cache.so
    LoadModule cache_module modules/mod_cache.so
    LoadModule disk_cache_module modules/mod_disk_cache.so
    LoadModule mem_cache_module modules/mod_mem_cache.so
    LoadModule dbd_module modules/mod_dbd.so
    LoadModule dumpio_module modules/mod_dumpio.so
    LoadModule reqtimeout_module modules/mod_reqtimeout.so
    LoadModule ext_filter_module modules/mod_ext_filter.so
    LoadModule include_module modules/mod_include.so
    LoadModule filter_module modules/mod_filter.so
    LoadModule substitute_module modules/mod_substitute.so
    LoadModule deflate_module modules/mod_deflate.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule log_forensic_module modules/mod_log_forensic.so
    LoadModule logio_module modules/mod_logio.so
    LoadModule env_module modules/mod_env.so
    LoadModule mime_magic_module modules/mod_mime_magic.so
    LoadModule cern_meta_module modules/mod_cern_meta.so
    LoadModule expires_module modules/mod_expires.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule ident_module modules/mod_ident.so
    LoadModule usertrack_module modules/mod_usertrack.so
    LoadModule unique_id_module modules/mod_unique_id.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule version_module modules/mod_version.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule asis_module modules/mod_asis.so
    LoadModule info_module modules/mod_info.so
    LoadModule suexec_module modules/mod_suexec.so
    LoadModule cgi_module modules/mod_cgi.so
    LoadModule cgid_module modules/mod_cgid.so
    LoadModule dav_fs_module modules/mod_dav_fs.so
    LoadModule vhost_alias_module modules/mod_vhost_alias.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule imagemap_module modules/mod_imagemap.so
    LoadModule actions_module modules/mod_actions.so
    LoadModule speling_module modules/mod_speling.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule php5_module modules/libphp5.so
    
    <IfModule !mpm_netware_module>
    <IfModule !mpm_winnt_module>
    
    User http
    Group http
    
    </IfModule>
    </IfModule>
    
    ServerAdmin postmaster@iamghost.com
    
    ServerName www.iamghost.com:80
    
    DocumentRoot "/srv/http"
    
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    
    <Directory "/srv/http">
        
        Options Indexes FollowSymLinks Includes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    
    <IfModule dir_module>
        DirectoryIndex index.html
    </IfModule>
    
    
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>
    
    ErrorLog "/var/log/httpd/error_log"
    
    LogLevel warn
    
    <IfModule log_config_module>
       
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
    
        <IfModule logio_module>
          # You need to enable mod_logio.c to use %I and %O
          LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
        </IfModule>
    
        CustomLog "/var/log/httpd/access_log" common
    
      </IfModule>
    
    <IfModule alias_module>
        
        ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
    
    </IfModule>
    
    <IfModule cgid_module>
        
    </IfModule>
    
    <Directory "/srv/http/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
    
    DefaultType text/plain
    
    <IfModule mime_module>
      
        TypesConfig conf/mime.types
    
        AddType application/x-compress .Z
        AddType application/x-gzip .gz .tgz
    
    </IfModule>
    
    
    
    Include conf/extra/httpd-multilang-errordoc.conf
    
    Include conf/extra/httpd-autoindex.conf
    
    Include conf/extra/httpd-languages.conf
    
    Include conf/extra/httpd-userdir.conf
    
    Include conf/extra/httpd-default.conf
    
    # Secure (SSL/TLS) connections
    #Include conf/extra/httpd-ssl.conf
    
    Include conf/extra/php5_module.conf
    
    #
    # Note: The following must be present to support
    #       starting without SSL on platforms with no /dev/random equivalent
    #       but a statically compiled-in mod_ssl.
    #
    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

  3. carlosinfl

    carlosinfl New Member

  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    No, it will not prompt for a password.
     
  5. carlosinfl

    carlosinfl New Member

    It didn't work for me and I don't understand what I did wrong or missed. I went to the folder that I wish to force 'https' on and created the .htaccess file and in that file I have the following:

    Code:
    RewriteEngine On 
    RewriteCond %{SERVER_PORT} 80 
    RewriteCond %{REQUEST_URI} wiki 
    RewriteRule ^(.*)$ https://www.iamghost.com/wiki/$1 [R,L]
    
    I restarted Apache and tried my site directly:

    https://www.iamghost.com/wiki

    Any clues on what I am doing wrong? I just thought about this but how does Apache even know where to look and find my SSL certificates? It seems like something's missing from that URL. I would expect that I would have to point Apache to the path of my SSL keys stored on the server. At no point have I done this or know where I need to do it.

    Thoughts?
     
    Last edited: Oct 2, 2010
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Can you post the vhost configuration? Do you have
    Code:
    AllowOverride all
    in it?

    Instead of using an .htaccess file, you can put the directives directly in the vhost configuration.
     
  7. carlosinfl

    carlosinfl New Member

    I posted my current 'httpd.conf' file above and I didn't see any 'vhost' sections listed so I can only assume this is in a separate configuration file on my web server. If you look at my 'httpd.conf' I posted above, you can see that there are entries listed for '/srv/http' that have 'AllowOverride none'.

    Code:
    <Directory "/srv/http">
        
        Options Indexes FollowSymLinks Includes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    Do I need to change this and if so, which particular one in my httpd.conf do I need to adjust?

    Secondly, I found a configuration file called '/etc/httpd/conf/extra/httpd-vhosts.conf' and that file has the following:

    Code:
    # Virtual Hosts
    #
    # If you want to maintain multiple domains/hostnames on your
    # machine you can setup VirtualHost containers for them. Most configurations
    # use only name-based virtual hosts so the server doesn't need to worry about
    # IP addresses. This is indicated by the asterisks in the directives below.
    #
    # Please see the documentation at 
    # <URL:http://httpd.apache.org/docs/2.2/vhosts/>
    # for further details before you try to setup virtual hosts.
    #
    # You may use the command line option '-S' to verify your virtual host
    # configuration.
    
    #
    # Use name-based virtual hosting.
    #
    NameVirtualHost *:80
    
    #
    # VirtualHost example:
    # Almost any Apache directive may go into a VirtualHost container.
    # The first VirtualHost section is used for all requests that do not
    # match a ServerName or ServerAlias in any <VirtualHost> block.
    #
    <VirtualHost *:80>
        ServerAdmin webmaster@dummy-host.example.com
        DocumentRoot "/etc/httpd/docs/dummy-host.example.com"
        ServerName dummy-host.example.com
        ServerAlias www.dummy-host.example.com
        ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
        CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
    </VirtualHost>
    
    <VirtualHost *:80>
        ServerAdmin webmaster@dummy-host2.example.com
        DocumentRoot "/etc/httpd/docs/dummy-host2.example.com"
        ServerName dummy-host2.example.com
        ErrorLog "/var/log/httpd/dummy-host2.example.com-error_log"
        CustomLog "/var/log/httpd/dummy-host2.example.com-access_log" common
    </VirtualHost>
    
    Do I copy any entries from the 'vhosts.conf' file into my 'httpd.conf' file or do I do all my alterations / editing in the 'vhosts.conf' file?

    Thanks for all your help!
     
  8. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    The vhosts.conf is included in your httpd.conf, so you don't need to copy its contents to httpd.conf.

    If you've found the correct vhost configuration for your site, you can add
    Code:
    AllowOverride all
    to it and restart Apache.
     
  9. carlosinfl

    carlosinfl New Member

    Just to be clear, I have two "DIRECTORIES" in my 'httpd.conf' file and which specifically do I need to edit or do I edit them both?

    Code:
    DocumentRoot "/srv/http"
    
    <Directory />
        Options FollowSymLinks
        AllowOverride All
        Order deny,allow
        Deny from all
    </Directory>
    
    <Directory "/srv/http">
        Options Indexes FollowSymLinks Includes
        AllowOverride All
        Order allow,deny
        Allow from all
    
    </Directory>
    
    Is that how it should look above?

    This is still confusing for me because all my SSL settings are in '/etc/httpd/conf/extra/httpd-ssl.conf'. Nothing pertinent to my site is listed in '/etc/httpd/conf/extra/httpd-vhost.conf'. Do I need to add / modify my 'vhost.conf' file? When I simply change the 'AllowOverride All' in my 'httpd.conf' file, it breaks the Wiki URL.
     
    Last edited: Oct 7, 2010
  10. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    No, please edit /etc/httpd/conf/extra/httpd-vhosts.conf, not your httpd.conf.
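
Added example, not part of the original thread or any poster's configuration: a minimal Apache 2.2 setup that serves /wiki and /webmail over HTTPS only and shows where the certificate paths asked about in post 5 are declared. It assumes port 80 is handled by the main server as in the posted httpd.conf; the certificate and key file names under /etc/ssl are placeholders, and the distribution's own httpd-ssl.conf may already contain some of these lines.

```apache
# ---- httpd.conf (main server, port 80) ----
Listen 80

# The posted httpd.conf has this line commented out, so nothing listens on 443.
Include conf/extra/httpd-ssl.conf

# Redirect plain-HTTP requests for the two login areas to HTTPS.
# Set in server config, so no .htaccess file or AllowOverride change is needed.
# In server context the pattern is matched against the full URL path.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(wiki|webmail)(/.*)?$ https://www.iamghost.com/$1$2 [R=301,L]

# Fail-closed backstop: if the redirect is ever removed, these directories
# answer 403 over plain HTTP instead of accepting logins in cleartext.
<Directory "/srv/http/wiki">
    SSLRequireSSL
</Directory>
<Directory "/srv/http/webmail">
    SSLRequireSSL
</Directory>

# ---- conf/extra/httpd-ssl.conf ----
Listen 443

<VirtualHost _default_:443>
    ServerName www.iamghost.com:443
    DocumentRoot "/srv/http"

    SSLEngine on
    # This is how Apache finds the certificate and private key.
    # Placeholder file names; the key should be readable by root only.
    SSLCertificateFile    "/etc/ssl/EXAMPLE-cert.pem"
    SSLCertificateKeyFile "/etc/ssl/EXAMPLE-key.pem"
</VirtualHost>
```

Run `apachectl configtest` before restarting Apache; with a self-signed certificate, browsers will still warn until the certificate is explicitly trusted.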
     
