Configuring multiple SSL sites
Configuring mod_gnutls so that we can have HTTPS virtual hosts in Apache
mod_gnutls lets us host several HTTPS virtual hosts on the same physical server with a single IP address and several domain names. The difficulty with HTTPS virtual hosting is that the server must present a certificate during the TLS handshake, before it has seen the HTTP Host header that names the virtual host. The simplest arrangement that works for every client, including ones that do not send the hostname in the handshake (SNI), is one wildcard certificate, for example for *.iiit.ac.in: every virtual host whose name ends in .iiit.ac.in can then be served with the same certificate, so it does not matter which host the server picks before it knows the name. Note that a wildcard matches only one label, so *.iiit.ac.in covers www.iiit.ac.in but not www.cs.iiit.ac.in.
Installing and configuring mod_gnutls on CentOS
- Install libgpg-error from ftp://ftp.gnupg.org/gcrypt/libgpg-error
- Compile and install libgcrypt from source. Take libgcrypt from ftp://ftp.gnupg.org/gcrypt/libgcrypt
- rm /usr/lib64/httpd/modules/*tls*
- cp /usr/lib64/libgnutls* /usr/lib64/httpd/modules/
- Configure and make mod_gnutls from http://linux.wareseeker.com/download/mod-gnutls-0.2.0.rar/319193. Do not run make install. (This is a third-party mirror of an old release. A module that terminates every TLS connection is an obvious target for a tampered download, so compare the archive with the upstream mod_gnutls release before building it.)
- cp src/.libs/libmod_gnutls.so /usr/lib64/httpd/modules/
- cp data/{rsa,dh}file /etc/httpd/conf (very important step, do not miss it: these are the Diffie-Hellman and RSA parameter files the module loads at startup)
- cd /usr/lib64/httpd/modules/
- mv libmod_gnutls.so mod_gnutls.so
- Put the following line in /etc/httpd/conf/httpd.conf:
    LoadModule gnutls_module modules/mod_gnutls.so
- Put the following lines in /etc/httpd/conf/httpd.conf:
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
- mkdir -m 0700 /var/cache/mod_gnutls_cache
- chown apache:apache /var/cache/mod_gnutls_cache
- Put the following lines in /etc/httpd/conf/httpd.conf (the session cache lives in the directory created above; 300 is the cache timeout in seconds):
    GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
    GnuTLSCacheTimeout 300
- Configure the port 443 virtual hosts in /etc/httpd/conf/httpd.conf, for example:
    NameVirtualHost *:443
    <VirtualHost *:443>
        ServerAdmin a@b.com
        DocumentRoot /home/test1/html
        ServerName test1.barjatiya.com
        ErrorLog logs/test1.barjatiya.com-error_log
        CustomLog logs/test1.barjatiya.com-access_log common
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/httpd/conf/test1.pem
    </VirtualHost>
  Note that SSLEngine, SSLProtocol, SSLCipherSuite and SSLCertificateFile are mod_ssl directives: they take effect only because mod_ssl is still loaded through conf.d/ssl.conf, and mod_gnutls ignores them. mod_gnutls has its own directives for the same purpose (GnuTLSEnable, GnuTLSCertificateFile, GnuTLSKeyFile). The protocol and cipher settings shown here are also weak by current standards: SSLv3 should be disabled as well, and RC4, export and LOW ciphers should not be offered.
- The certificate can be generated with openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem. Enter the wildcard name (for example *.iiit.ac.in) as the Common Name when prompted, since that is what makes one certificate cover every virtual host. Because -nodes writes the unencrypted private key into the same file as the certificate, keep that file root-owned with mode 0600; httpd reads it as root at startup before dropping privileges, so the apache user does not need access. A self-signed certificate of this kind produces browser warnings, so a public site needs a CA-issued wildcard certificate instead.
- Do chown root:apache /etc/httpd/conf/httpd.conf and chmod 640 /etc/httpd/conf/httpd.conf so that ordinary shell users on a virtual-hosting machine cannot read httpd.conf.
- Comment out the VirtualHost section in /etc/httpd/conf/ssl.conf, otherwise the packaged _default_:443 host competes with the hosts configured above.
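For comparison, this is what the same setup looks like when mod_gnutls itself, rather than mod_ssl, terminates TLS. It is an added example and not part of the original procedure: the directive names are those of the current mod_gnutls documentation (GnuTLSPriorities in particular may not exist in the 0.2.0 release used above), and the hostnames, certificate and key paths are assumed. Both hosts share the one wildcard certificate, which is the model this page relies on.

```apache
# Added example, not from the original page: two HTTPS virtual hosts served by
# mod_gnutls with one shared wildcard certificate. Paths and names are assumed.
LoadModule gnutls_module modules/mod_gnutls.so

Listen 443
GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
GnuTLSCacheTimeout 300

# GnuTLS priority string (server-wide): TLS only, no SSLv3, no RC4.
# This replaces the mod_ssl SSLProtocol/SSLCipherSuite lines, which mod_gnutls ignores.
GnuTLSPriorities NORMAL:-VERS-SSL3.0:-ARCFOUR-128:-ARCFOUR-40

<VirtualHost *:443>
    ServerName   test1.barjatiya.com
    DocumentRoot /home/test1/html
    ErrorLog     logs/test1.barjatiya.com-error_log
    CustomLog    logs/test1.barjatiya.com-access_log common

    GnuTLSEnable on
    # Certificate and key kept in separate files; the key file must be
    # root-owned, mode 0600 (httpd reads it as root before dropping privileges).
    GnuTLSCertificateFile /etc/httpd/conf/wildcard.barjatiya.com.crt
    GnuTLSKeyFile         /etc/httpd/conf/wildcard.barjatiya.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName   test2.barjatiya.com
    DocumentRoot /home/test2/html
    ErrorLog     logs/test2.barjatiya.com-error_log
    CustomLog    logs/test2.barjatiya.com-access_log common

    GnuTLSEnable on
    # Same wildcard certificate: whichever host the server picks before it
    # knows the name, the certificate still matches *.barjatiya.com.
    GnuTLSCertificateFile /etc/httpd/conf/wildcard.barjatiya.com.crt
    GnuTLSKeyFile         /etc/httpd/conf/wildcard.barjatiya.com.key
</VirtualHost>
```

The priority string is the GnuTLS equivalent of mod_ssl's SSLProtocol and SSLCipherSuite pair; run gnutls-cli --priority 'NORMAL:-VERS-SSL3.0:-ARCFOUR-128:-ARCFOUR-40' -l to list what a given string actually enables before deploying it.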
Configuring Apache for SSL virtual hosting by modifying httpd.conf and ssl.conf
To configure SSL virtual hosting without mod_gnutls one can use the following steps:
- Install mod_ssl using 'yum -y install mod_ssl'
- Rename '/etc/httpd/conf.d/ssl.conf' to '/etc/httpd/conf.d/ssl_backup'. Only files matching conf.d/*.conf are included, so this disables the packaged configuration, including its LoadModule and Listen lines, which is why they are added again below.
- Edit '/etc/httpd/conf/httpd.conf' and append the following configuration:
    LoadModule ssl_module modules/mod_ssl.so
    Listen 443
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
    NameVirtualHost *:443
    <VirtualHost *:443>
        <Appropriate virtual-host configuration>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile <full-path-of-certificate-file>
        SSLCertificateKeyFile <full-path-of-key-file>
    </VirtualHost>
  Two caveats. SSLMutex and NameVirtualHost are Apache 2.2 directives: 2.4 replaces SSLMutex with Mutex and treats NameVirtualHost as a no-op. And SSLProtocol all -SSLv2 still permits SSLv3 while the cipher list admits RC4, export and LOW ciphers; on a current server use SSLProtocol -all +TLSv1.2 (or later) and a cipher list without those classes. The key file named in SSLCertificateKeyFile should be root-owned with mode 0600; SSLPassPhraseDialog builtin only matters if that key is encrypted, in which case httpd prompts for the passphrase at every start.
Working of HTTPS
In an HTTPS connection the TLS handshake, in which the server presents its certificate, completes before the client sends the HTTP request and its Host header. Without further information the server cannot know which virtual host is being addressed and can present only one certificate, normally that of the first (default) *:443 virtual host; this is why the wildcard approach above shares a single certificate across all hosts. This is no longer true for modern browsers, which support SNI (Server Name Indication), a TLS extension in which the client sends the requested hostname in its ClientHello, so the server can select the matching virtual host and present a per-host certificate. Apache mod_ssl supports SNI from 2.2.12 onwards when built against OpenSSL 0.9.8f or later, and mod_gnutls supports it as well. Clients without SNI (Internet Explorer on Windows XP, Android 2.x, older Java) still receive the default host's certificate and show a name mismatch, which is the remaining reason to keep a wildcard or multi-name certificate on the default host. Refer https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04
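The following mod_ssl configuration, added here as an example and not taken from the page or from the tutorial linked above, shows two SNI virtual hosts on one IP address with a different certificate each, with the weak protocol and cipher lines from the sections above replaced by a current setting. Hostnames, document roots and certificate paths are assumed.

```apache
# Added example, not from the original page: per-host certificates via SNI.
# Hostnames, paths and certificate file names are assumed.
Listen 443
SSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Server-wide hardening, replacing "SSLProtocol all -SSLv2" and the
# "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW" list used above.
SSLProtocol         -all +TLSv1.2
SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on

# Apache 2.2 only; on 2.4 this line is a no-op and can be dropped.
NameVirtualHost *:443

# The first *:443 host is the default. Clients that send no SNI land here and
# get this certificate, so this is where the wildcard certificate belongs.
<VirtualHost *:443>
    ServerName   test1.barjatiya.com
    ServerAlias  *.barjatiya.com
    DocumentRoot /home/test1/html
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/wildcard.barjatiya.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/wildcard.barjatiya.com.key
    # Uncomment to refuse non-SNI clients outright instead of serving them
    # this host's content; usually preferable when the host list is sensitive.
    # SSLStrictSNIVHostCheck on
</VirtualHost>

# Second host: reachable only by SNI, presents a certificate for another domain.
<VirtualHost *:443>
    ServerName   issues.example.org
    DocumentRoot /home/issues/html
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/issues.example.org.crt
    SSLCertificateKeyFile /etc/httpd/conf/issues.example.org.key
</VirtualHost>
```

To check which certificate a given name receives, connect with and without the SNI extension: openssl s_client -connect server:443 -servername issues.example.org should show the issues.example.org certificate, while the same command without -servername shows the default (wildcard) one.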
Forcing redirect of all HTTP requests to HTTPS
One can redirect all HTTP requests to HTTPS automatically using:
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
The redirect cannot protect the first request, which is typically the one that fetches the login page: the browser has already sent that request in plain text by the time the server answers with the redirect. If the website remembers logins through cookies that were set without the Secure flag, those cookies travel in clear on that first request, where anyone on the network path can read them, and only afterwards does the redirection to HTTPS take effect. Session and remember-me cookies therefore need the Secure flag, and returning browsers can be told to start with HTTPS directly via the Strict-Transport-Security (HSTS) header.
The issue is described at http://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https and http://stackoverflow.com/questions/4070262/how-in-htaccess-can-i-redirect-the-user-to-https-from-http-and-back-again/4071655#4071655. Another way, using configuration, has been used in Forcing HTTPS for redmine.
Forcing HTTPS redirection while supporting mod_proxy
Note that this configuration also breaks any ProxyPass configuration that forwards requests to the above server. For example, consider two servers, public-http and issues. If issues is configured as explained here to redirect all non-HTTPS requests to HTTPS, and public-http is configured to ProxyPass all requests meant for issues to the issues server, the setup does not work: when public-http forwards a request over plain HTTP, issues redirects it to HTTPS like any other plain request. mod_proxy does not follow that redirect itself; it relays it to the client, and with ProxyPassReverse the Location header is rewritten back to the plain-HTTP public-http URL, so the client is sent round in an infinite loop of redirections. (Proxying to the backend over HTTPS instead, with SSLProxyEngine On and an https:// ProxyPass target, avoids the problem but needs mod_ssl on the proxy and a certificate on the backend.)
To solve this one can use the following configuration on the issues server:
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteCond %{REMOTE_HOST} !<ip>
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
where <ip> is replaced with the IP address of the public-http server as seen by the issues server. The redirection to HTTPS then does not apply to requests coming from public-http. Two details matter here: %{REMOTE_HOST} holds a hostname only when HostnameLookups is on and otherwise falls back to the client address, so %{REMOTE_ADDR} is the right variable for an address comparison; and the condition is a regular expression, so the address should be anchored and its dots escaped (for example !^10\.1\.2\.3$), otherwise 10.1.2.30 matches as well. Since requests from public-http are exempted, the HTTPS enforcement for them has to be done on public-http itself, so that it receives the requests meant for the issues server over HTTPS and the exemption only ever covers traffic that was already encrypted on the client side.
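The two-server arrangement described above, written out as an added example that is not part of the original page: the front end public-http enforces HTTPS towards clients and proxies to issues, and issues redirects everything except the front end's traffic. The hostnames, the front-end address 10.1.2.3, the backend name issues.internal and all paths are assumed.

```apache
# Added example, not from the original page. Names, addresses and paths assumed:
# public-http = 10.1.2.3 (front end), issues.internal = backend "issues" server.

# ---------------- on public-http ----------------
<VirtualHost *:80>
    ServerName issues.example.org
    # Clients must use HTTPS; 301 so browsers cache the redirect.
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName issues.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/issues.example.org.crt
    SSLCertificateKeyFile /etc/httpd/conf/issues.example.org.key
    # HSTS (needs mod_headers): returning browsers start with HTTPS, so no
    # cookie is ever sent over plain HTTP on later visits.
    Header always set Strict-Transport-Security "max-age=31536000"
    # Hand the request to the backend over plain HTTP on the internal network;
    # that hop is unencrypted, so keep it on a trusted segment or switch to
    # SSLProxyEngine On with an https:// target.
    ProxyPreserveHost On
    ProxyPass        / http://issues.internal/
    ProxyPassReverse / http://issues.internal/
</VirtualHost>

# ---------------- on issues ----------------
<VirtualHost *:80>
    ServerName   issues.example.org
    DocumentRoot /home/issues/html
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    # Exempt the front end only. REMOTE_ADDR (not REMOTE_HOST), anchored and
    # dot-escaped, so that only exactly 10.1.2.3 matches.
    RewriteCond %{REMOTE_ADDR} !^10\.1\.2\.3$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With this in place a direct plain-HTTP request to issues from any other address still gets the 301, while requests arriving from 10.1.2.3 are served, because the only way they reach issues is through the front end's HTTPS virtual host.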