Configuring multiple SSL sites

From Notes_Wiki
Revision as of 21:31, 17 June 2021 by Saurabh (talk | contribs)

<yambe:breadcrumb self="Configuring multiple SSL sites">Apache web server configuration|Apache web server configuration</yambe:breadcrumb>

Configuring apache for SSL virtual-hosting using httpd.conf and ssl.conf modification

To configure SSL virtual-hosting one can use following steps:

  1. Install mod_ssl using 'yum -y install mod_ssl'
  2. Edit '/etc/httpd/conf.d/ssl.conf' and set correct values for: 
    SSLCertificateFile /etc/httpd/conf/ssl.crt
    

    SSLCertificateKeyFile /etc/httpd/conf/ssl.key
    

    SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
  3. Edit '/etc/httpd/conf/httpd.conf' file and append following configuration 
    NameVirtualHost *:443
    

    

    <VirtualHost *:443>
    

    

    <Appropriate virtual-host configuration>
    

    

    SSLEngine on
    

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    

    SSLHonorCipherOrder on
    

    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    

    Header always set Strict-Transport-Security "max-age=31536000"
    

    </VirtualHost>


Working of HTTPS

During a HTTPS communication first a secure channel is established which required exchange of certificates. In most cases server has no idea which virtual-host would be communicated with and hence can server only one single HTTPS certificate. This is no longer true for modern browsers which support SNI. Refer https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04


Configuring mod gnutls for supporting multiple SSL virtualhosts

This is no longer required. mod_ssl seems to handle multiple SSL virtual-hosts with different certificates with help of SNI extensions pretty well.

mod_gnutls allows us to have multiple HTTPS virtual hosts on same physical server with single IP address and multiple domain names. The certificate should be wildcard certificate like for *.example.com so that we can host any hostname with suffix example.com with same certificate.

Installing and configuring mod_gnutls on Cent-OS

  1. Install libgpg-error from ftp://ftp.gnupg.org/gcrypt/libgpg-error
  2. Compile and install libgcrypt from source. Take libgcrypt from ftp://ftp.gnupg.org/gcrypt/libgcrypt
  3. rm /usr/lib64/httpd/modules/*tls*
  4. cp /usr/lib64/libgnutls* /usr/lib64/httpd/modules/
  5. Configure and make mod_gnutls from http://linux.wareseeker.com/download/mod-gnutls-0.2.0.rar/319193. Do not make install
  6. cp src/.libs/libmod_gnutls.so /usr/lib64/httpd/modules/
  7. cp data/{rsa,dh}file /etc/httpd/conf (Very important step. Do not miss)
  8. cd /usr/lib64/httpd/modules/
  9. mv libmod_gnutls.so mod_gnutls.so
  10. Put LoadModule gnutls_module modules/mod_gnutls.so in /etc/httpd/conf/httpd.conf
  11. Put 
    AddType application/x-x509-ca-cert .crt
    

    AddType application/x-pkcs7-crl    .crl
    in /etc/httpd/conf/httpd.conf
  12. mkdir -m 0700 /var/cache/mod_gnutls_cache
  13. chown apache:apache /var/cache/mod_gnutls_cache
  14. Put 
    GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
    

    GnuTLSCacheTimeout 300
    in /etc/httpd/conf/httpd.conf
  15. Do configuration in /etc/httpd/conf/httpd.conf for 443 virtualhosts like 
    NameVirtualHost *:443
    

    <VirtualHost *:443>
    

    ServerAdmin a@b.com
    

    DocumentRoot /home/test1/html
    

    ServerName test1.barjatiya.com
    

    ErrorLog logs/test1.barjatiya.com-error_log
    

    CustomLog logs/test1.barjatiya.com-access_log common
    

    SSLEngine on
    

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    

    SSLHonorCipherOrder on
    

    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    

    Header always set Strict-Transport-Security "max-age=31536000"
    

    SSLCertificateFile /etc/httpd/conf/test1.pem
    

    </VirtualHost>
    where Certificate can be generated using openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem
    Do chown root:apache /etc/httpd/conf/httpd.conf and chmod 640 /etc/httpd/conf/httpd.conf so that normal users cannot read httpd.conf file when using virtual hosting
  16. Comment VirtualHost setting in /etc/httpd/conf.d/ssl.conf


Refer:



<yambe:breadcrumb self="Configuring multiple SSL sites">Apache web server configuration|Apache web server configuration</yambe:breadcrumb>

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Configuring_multiple_SSL_sites&oldid=5252"