Difference between revisions of "Configuring multiple SSL sites"
Latest revision as of 07:21, 6 March 2022
To configure SSL virtual hosting one can use the following steps:

1. Install mod_ssl using 'yum -y install mod_ssl'.
2. Edit '/etc/httpd/conf.d/ssl.conf' and set correct values for:

        SSLCertificateFile /etc/httpd/conf/ssl.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key
        SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem

3. Edit the '/etc/httpd/conf/httpd.conf' file and append the following configuration (one such block per HTTPS site):

        NameVirtualHost *:443

        <VirtualHost *:443>
            <Appropriate virtual-host configuration>

            SSLEngine on
            SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
            SSLHonorCipherOrder on
            SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
            Header always set Strict-Transport-Security "max-age=31536000"
        </VirtualHost>
How HTTPS works
In an HTTPS connection the TLS handshake, including the exchange of certificates, happens before any HTTP request is sent. In most cases the server therefore has no idea which virtual host the client wants to talk to, and can present only one HTTPS certificate per IP address and port. This is no longer true for modern browsers, which support SNI (Server Name Indication): the requested hostname is sent during the handshake, so the server can choose the certificate of the matching virtual host. Refer https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04
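As an added example (it is not part of this wiki page and is not code from Apache or mod_ssl), the POSIX shell script below audits an httpd.conf offline for the settings the mod_ssl steps above call for in every '*:443' virtual host: it reports which hosts still allow SSLv3, TLSv1 or TLSv1.1, lack an HSTS header, a cipher suite or a certificate, or have no ServerName for SNI selection to match against. The function names ('audit_ssl_vhosts', 'count_weak_vhosts', 'sample_config', 'probe_sni') and the embedded sample configuration with the hostnames secure.example.com and legacy.example.com are assumptions constructed for the example. 'probe_sni' is the live counterpart of the SNI explanation above: it uses 'openssl s_client -servername' to show which certificate a server presents for a given name, and needs network access and OpenSSL 1.1.1 or newer for '-ext'.

```sh
#!/bin/sh
# Added example, not from the wiki page or from Apache/mod_ssl. Audits every
# <VirtualHost *:443> block of an httpd.conf for the settings the steps above
# require; function names and the sample config are constructed for the example.

# audit_ssl_vhosts CONF : one line per *:443 vhost, "OK <name>" or "WEAK <name>: <reasons>"
audit_ssl_vhosts() {
  awk '
  # Does the SSLProtocol value "proto" leave protocol version "v" enabled?
  function enables(proto, v) {
    if (proto ~ ("(^|[ \t])-" v "([ \t]|$)")) return 0     # explicitly removed
    if (proto ~ ("(^|[ \t])[+]?" v "([ \t]|$)")) return 1  # explicitly listed
    if (proto ~ /(^|[ \t])[+]?all([ \t]|$)/) return 1       # enabled through "all"
    return 0
  }
  {
    l = tolower($0)                       # Apache directive names are case-insensitive
    if (l ~ /^[ \t]*<virtualhost[ \t]+[^>]*:443[ \t]*>/) {
      invh = 1; name = "(no ServerName)"; engine = 0; cert = 0; ciphers = 0; proto = ""; hsts = 0
      next
    }
    if (!invh) next                       # ignore port-80 vhosts and the global context
    if (l ~ /^[ \t]*servername[ \t]+/)         name = $2
    if (l ~ /^[ \t]*sslengine[ \t]+on/)        engine = 1
    if (l ~ /^[ \t]*sslcertificatefile[ \t]+/) cert = 1
    if (l ~ /^[ \t]*sslciphersuite[ \t]+/)     ciphers = 1
    if (l ~ /^[ \t]*sslprotocol[ \t]+/) { proto = $0; sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", proto) }
    if (l ~ /^[ \t]*header[ \t]+always[ \t]+set[ \t]+strict-transport-security/) hsts = 1
    if (l ~ /^[ \t]*<\/virtualhost>/) {
      r = ""
      if (name == "(no ServerName)") r = r "no ServerName for SNI; "
      if (!engine)  r = r "SSLEngine not on; "
      if (!cert)    r = r "no SSLCertificateFile; "
      if (!ciphers) r = r "no SSLCipherSuite; "
      if (proto == "") r = r "no explicit SSLProtocol; "    # would inherit the ssl.conf default
      else {
        n = split("SSLv2 SSLv3 TLSv1 TLSv1.1", old, " ")
        for (i = 1; i <= n; i++) if (enables(proto, old[i])) r = r old[i] " still enabled; "
      }
      if (!hsts) r = r "no HSTS header; "
      sub(/; $/, "", r)
      if (r == "") printf "OK %s\n", name; else printf "WEAK %s: %s\n", name, r
      invh = 0
    }
  }' "$1"
}

# count_weak_vhosts CONF : number of *:443 vhosts that failed at least one check
count_weak_vhosts() {
  audit_ssl_vhosts "$1" | grep -c '^WEAK' || true
}

# probe_sni HOST NAME : certificate a live server presents when the ClientHello
# carries NAME in its SNI extension (needs network; -ext needs OpenSSL 1.1.1+).
probe_sni() {
  printf '' | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}

# Constructed sample httpd.conf: one hardened vhost, one legacy vhost, one vhost
# without a ServerName, plus a plain port-80 vhost that the audit must ignore.
sample_config() {
  cat <<'EOF'
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+aRSA+AESGCM:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP"
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLCertificateFile /etc/httpd/conf/secure.example.com.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite "EECDH+aRSA+AESGCM:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP"
    SSLCertificateFile /etc/httpd/conf/legacy.example.com.pem
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite "EECDH+aRSA+AESGCM:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP"
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLCertificateFile /etc/httpd/conf/default.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.com
</VirtualHost>
EOF
}

if [ "$#" -eq 2 ]; then
  probe_sni "$1" "$2"                # e.g. ./audit.sh 192.0.2.10 secure.example.com
else
  conf=$(mktemp)
  sample_config > "$conf"
  audit_ssl_vhosts "$conf"           # prints OK/WEAK lines for the sample config
  rm -f "$conf"
fi
```

Run without arguments to audit the embedded sample (or point 'audit_ssl_vhosts' at a real httpd.conf); run with a host and a name to see which certificate that host serves for that SNI name. A vhost with no explicit SSLProtocol is reported as weak on purpose: it silently inherits whatever '/etc/httpd/conf.d/ssl.conf' sets, which on CentOS 6 is weaker than the line in the steps above.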
Configuring mod_gnutls for supporting multiple SSL virtual hosts
This is no longer required. mod_ssl seems to handle multiple SSL virtual-hosts with different certificates with help of SNI extensions pretty well.
mod_gnutls allows multiple HTTPS virtual hosts on the same physical server with a single IP address and multiple domain names. The certificate should be a wildcard certificate, for example for *.example.com, so that any hostname with the suffix example.com can be served with the same certificate.
Installing and configuring mod_gnutls on Cent-OS
1. Install libgpg-error from ftp://ftp.gnupg.org/gcrypt/libgpg-error
2. Compile and install libgcrypt from source. Take libgcrypt from ftp://ftp.gnupg.org/gcrypt/libgcrypt
3. 'rm /usr/lib64/httpd/modules/*tls*'
4. 'cp /usr/lib64/libgnutls* /usr/lib64/httpd/modules/'
5. Configure and make mod_gnutls from http://linux.wareseeker.com/download/mod-gnutls-0.2.0.rar/319193. Do not run 'make install'.
6. 'cp src/.libs/libmod_gnutls.so /usr/lib64/httpd/modules/'
7. 'cp data/{rsa,dh}file /etc/httpd/conf' (very important step; do not miss it)
8. 'cd /usr/lib64/httpd/modules/'
9. 'mv libmod_gnutls.so mod_gnutls.so'
10. Put 'LoadModule gnutls_module modules/mod_gnutls.so' in /etc/httpd/conf/httpd.conf
11. Put the following in /etc/httpd/conf/httpd.conf:

        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl

12. 'mkdir -m 0700 /var/cache/mod_gnutls_cache'
13. 'chown apache:apache /var/cache/mod_gnutls_cache'
14. Put the following in /etc/httpd/conf/httpd.conf:

        GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
        GnuTLSCacheTimeout 300

15. Configure the port 443 virtual hosts in /etc/httpd/conf/httpd.conf like this:

        NameVirtualHost *:443
        <VirtualHost *:443>
            ServerAdmin a@b.com
            DocumentRoot /home/test1/html
            ServerName test1.barjatiya.com
            ErrorLog logs/test1.barjatiya.com-error_log
            CustomLog logs/test1.barjatiya.com-access_log common
            SSLEngine on
            SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
            SSLHonorCipherOrder on
            SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
            Header always set Strict-Transport-Security "max-age=31536000"
            SSLCertificateFile /etc/httpd/conf/test1.pem
        </VirtualHost>

    where the certificate can be generated using 'openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem'
16. Do 'chown root:apache /etc/httpd/conf/httpd.conf' and 'chmod 640 /etc/httpd/conf/httpd.conf' so that normal users cannot read the httpd.conf file when using virtual hosting
17. Comment out the VirtualHost setting in /etc/httpd/conf.d/ssl.conf
Refer:
- https://www.mysterydata.com/how-to-get-a-score-rating-in-ssllabs-qualys/