More LAMP adventures: Setting up SSL on Apache/Ubuntu
Ready to run an SSL server on your Ubuntu install? Here's how you do it, in a few easy steps.
We will do this for an Apache2 server configuration on Ubuntu – if you’re using a different flavor of Linux (Debian, Fedora, etc.), many of these instructions are similar. I’ll try to keep track of where the major differences are.
Remember that SSL isn’t the default mode for an Apache server installation. So you have to enable the corresponding module, and also set up an SSL certificate for the server to present.
The first thing to do is enable the SSL module in Apache, and then the default SSL site that ships with Ubuntu (all of these commands have to be run with root privileges):
a2enmod ssl
a2ensite default-ssl
Check that ssl is now available as a module: apachectl -t -D DUMP_MODULES should return a list of modules that contains ssl_module.
Next, you need to install a certificate that the server will return to identify itself. You can get a certificate signed by a certificate authority, or just use a self-signed certificate if you don’t mind your users seeing a scary-looking security exception in their browsers.
There are plenty of pages describing how to generate these files. Here’s a long-ish tutorial I just found today on a LAMP-related website, that has a section on generating these files.
Don’t follow the rest of the instructions on the site – they don’t work. You need to put some of those directives outside the VirtualHost section, otherwise you get a syntax error when you restart your server: SSLRandomSeed cannot occur within <VirtualHost> section, and so on.
Instead, configure your main site’s .conf file as follows (this assumes you are running the same site under both HTTP and HTTPS):
# Plain HTTP site
<VirtualHost *:80>
    Include /etc/apache2/domains/webappsforbeginners.com
</VirtualHost>

# The same site over HTTPS
<VirtualHost *:443>
    Include /etc/apache2/domains/webappsforbeginners.com
    SSLEngine On
    # Ubuntu's self-signed "snakeoil" pair; replace with your own certificate and key
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <IfModule mime.c>
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl
    </IfModule>
    # Work around old Internet Explorer SSL bugs
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

# Server-wide mod_ssl settings: these must live outside any <VirtualHost>
<IfModule mod_ssl.c>
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
    SSLSessionCacheTimeout 600
    SSLVerifyClient none
    SSLProxyEngine off
    # SSLv3 and TLS 1.0 have since been deprecated (RFC 7568, RFC 8996); current builds use +TLSv1.2 +TLSv1.3
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
</IfModule>
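To catch the scope mistake described above before Apache refuses to start, here is a small linter I wrote as an added example (it is not from the post, from Ubuntu, or from Apache). It walks a config file section by section, reports mod_ssl directives that the mod_ssl documentation allows only in the main server config when they appear inside <VirtualHost>, and also flags SSLProtocol lines that still enable protocol versions deprecated since this post was written. The two sample configs are constructed from the layout above; the expansion of Apache's "all" keyword is an approximation, since it depends on the Apache and OpenSSL versions.

```python
"""Scope-check an Apache mod_ssl configuration (added example, stdlib only)."""
import re
from typing import List, Set, Tuple

# mod_ssl directives whose documented context is "server config" only:
# placing them inside <VirtualHost> produces "cannot occur within <VirtualHost> section".
SERVER_ONLY = {"SSLRandomSeed", "SSLSessionCache", "SSLPassPhraseDialog", "SSLCryptoDevice"}
# Protocol versions deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1).
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Approximation of what the "all" keyword expands to (version-dependent in real Apache builds).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

SECTION_OPEN = re.compile(r"^<(\w+)(?:\s[^>]*)?>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")


def enabled_protocols(args: List[str]) -> Set[str]:
    """Evaluate SSLProtocol arguments left to right: '+name' or bare 'name'
    enables a version, '-name' disables it, 'all' stands for ALL_PROTOCOLS."""
    enabled: Set[str] = set()
    for token in args:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def lint_ssl_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) findings for the given config text."""
    findings: List[Tuple[int, str]] = []
    stack: List[str] = []  # enclosing section names, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if stack and stack[-1].lower() == m.group(1).lower():
                stack.pop()
            else:
                findings.append((lineno, f"unexpected </{m.group(1)}>"))
            continue
        directive, *args = line.split()
        in_vhost = any(s.lower() == "virtualhost" for s in stack)
        if directive in SERVER_ONLY and in_vhost:
            findings.append((lineno, f"{directive} cannot occur within <VirtualHost> section"))
        if directive == "SSLProtocol":
            bad = enabled_protocols(args) & OBSOLETE
            if bad:
                findings.append((lineno, f"SSLProtocol still enables {sorted(bad)}"))
    if stack:
        findings.append((len(text.splitlines()), f"unclosed section(s): {stack}"))
    return findings


# Constructed sample: the layout the post warns against (SSLRandomSeed inside the vhost).
BROKEN_CONFIG = """\
<VirtualHost *:443>
    SSLEngine On
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
"""

# Constructed sample: the post's corrected layout, server-level directives in <IfModule mod_ssl.c>.
FIXED_CONFIG = """\
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <IfModule mime.c>
        AddType application/x-x509-ca-cert .crt
    </IfModule>
</VirtualHost>
<IfModule mod_ssl.c>
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
    SSLProtocol -all +TLSv1 +SSLv3
</IfModule>
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_ssl_config(cfg))
```

Run it against a real file with lint_ssl_config(open("/etc/apache2/sites-available/default-ssl.conf").read()); the broken sample reports the SSLRandomSeed placement, and the post's corrected layout passes the scope check but is flagged for SSLProtocol, which is the one line in it you would change today.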
Want more? Check out this complete set of possible options you can add to your mod_ssl config.