Difference between revisions of "Configuring multiple SSL sites"
m |
m |
||
Line 97: | Line 97: | ||
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} | RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} | ||
</pre> | </pre> | ||
then it will not work. The reason being the values would have gone by HTTP before server could redirect client to HTTPS and hence they would get leaked anyway. The issue is described http://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https and http://stackoverflow.com/questions/4070262/how-in-htaccess-can-i-redirect-the-user-to-https-from-http-and-back-again/4071655#4071655 Best is to write application to support HTTPS or to redirect HTTP base to HTTPS base and hope application does not breaks the security through various links. | then it will not work. The reason being the values would have gone by HTTP before server could redirect client to HTTPS and hence they would get leaked anyway. The issue is described http://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https and http://stackoverflow.com/questions/4070262/how-in-htaccess-can-i-redirect-the-user-to-https-from-http-and-back-again/4071655#4071655 Best is to write application to support HTTPS or to redirect HTTP base to HTTPS base and hope application does not breaks the security through various links. Another way using configuration has been used in [[Forcing HTTPS for redmine]] | ||
<yambe:breadcrumb self="Configuring mod gnutls">Apache web server configuration</yambe:breadcrumb> | <yambe:breadcrumb self="Configuring mod gnutls">Apache web server configuration</yambe:breadcrumb> |
Revision as of 14:58, 25 February 2013
<yambe:breadcrumb self="Configuring mod gnutls">Apache web server configuration</yambe:breadcrumb>
Configuring mod gnutls so that we can have HTTPS virtual hosts in apache
mod_gnutls allows us to have multiple HTTPS virtual hosts on same physical server with single IP address and multiple domain names. The certificate should be wildcard certificate like for *.iiit.ac.in, so that we can host any hostname with suffix iiit.ac.in with same certificate.
Installing and configuring mod_gnutls on Cent-OS
- Install libgpg-error from ftp://ftp.gnupg.org/gcrypt/libgpg-error
- Compile and install libgcrypt from source. Take libgcrypt from ftp://ftp.gnupg.org/gcrypt/libgcrypt
- rm /usr/lib64/httpd/modules/*tls*
- cp /usr/lib64/libgnutls* /usr/lib64/httpd/modules/
- Configure and make mod_gnutls from http://linux.wareseeker.com/download/mod-gnutls-0.2.0.rar/319193. Do not make install
- cp src/.libs/libmod_gnutls.so /usr/lib64/httpd/modules/
- cp data/{rsa,dh}file /etc/httpd/conf (Very important step. Do not miss)
- cd /usr/lib64/httpd/modules/
- mv libmod_gnutls.so mod_gnutls.so
- Put LoadModule gnutls_module modules/mod_gnutls.so in /etc/httpd/conf/httpd.conf
- Put
- AddType application/x-x509-ca-cert .crt
- AddType application/x-pkcs7-crl .crl
- in /etc/httpd/conf/httpd.conf
- mkdir -m 0700 /var/cache/mod_gnutls_cache
- chown apache:apache /var/cache/mod_gnutls_cache
- Put
- GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
- GnuTLSCacheTimeout 300
- in /etc/httpd/conf/httpd.conf
- Do configuration in /etc/httpd/conf/httpd.conf for 443 virtualhosts like
- NameVirtualHost *:443
- <VirtualHost *:443>
- ServerAdmin a@b.com
- DocumentRoot /home/test1/html
- ServerName test1.barjatiya.com
- ErrorLog logs/test1.barjatiya.com-error_log
- CustomLog logs/test1.barjatiya.com-access_log common
- SSLEngine on
- SSLProtocol all -SSLv2
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
- SSLCertificateFile /etc/httpd/conf/test1.pem
- </VirtualHost>
- where Certificate can be generated using openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem
- Do chown root:apache /etc/httpd/conf/httpd.conf and chmod 640 /etc/httpd/conf/httpd.conf so that normal users cannot read httpd.conf file when using virtual hosting
- Comment VirtualHost setting in /etc/httpd/conf.d/ssl.conf
Configuring apache for SSL virtual-hosting using httpd.conf and ssl.conf modification
To configure SSL virtual-hosting without mod_gnutls one can use following steps:
- Install mod_ssl using 'yum -y install mod_ssl'
- Rename '/etc/httpd/conf.d/ssl.conf' to '/etc/httpd/conf.d/ssl_backup' to effectively disable the configuration
- Edit '/etc/httpd/conf/httpd.conf' file and append following configuration
- LoadModule ssl_module modules/mod_ssl.so
- Listen 443
- SSLPassPhraseDialog builtin
- SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
- SSLSessionCacheTimeout 300
- SSLMutex default
- SSLRandomSeed startup file:/dev/urandom 256
- SSLRandomSeed connect builtin
- SSLCryptoDevice builtin
- NameVirtualHost *:443
- <VirtualHost *:443>
- <Appropriate virtual-host configuration>
- SSLEngine on
- SSLProtocol all -SSLv2
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
- SSLCertificateFile <full-path-of-certificate-file>
- SSLCertificateKeyFile <full-path-of-key-file>
- </VirtualHost>
Working of HTTPS
During a HTTPS communication first a secure channel is established which required exchange of certificates. Since the client has not sent any request yet, server has no idea for which virtual host is the request going to come. Hence only one generic wildcard certificate is returned. After secure channel is established using the wildcard certificate, the client send HTTPS request and server sends HTTPS response. Now based on the domain name present in request appropriate virtual host is contacted and response is sent. Hence we cannot have HTTPS virtual hosts of two different domains on same apache server.
Forcing redirect of all HTTP requests to HTTPS
One can attempt trying to redirect all HTTP requests to HTTPS automatically using:
RewriteEngine On RewriteCond %{HTTPS} !on RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
then it will not work. The reason being the values would have gone by HTTP before server could redirect client to HTTPS and hence they would get leaked anyway. The issue is described http://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https and http://stackoverflow.com/questions/4070262/how-in-htaccess-can-i-redirect-the-user-to-https-from-http-and-back-again/4071655#4071655 Best is to write application to support HTTPS or to redirect HTTP base to HTTPS base and hope application does not breaks the security through various links. Another way using configuration has been used in Forcing HTTPS for redmine
<yambe:breadcrumb self="Configuring mod gnutls">Apache web server configuration</yambe:breadcrumb>