Apache2 SSL in Ubuntu

From LinodeWiki

Apache2 SSL

This guide will help you set up SSL with Apache2. Note: This manual applies to Ubuntu versions prior to Ubuntu Feisty (7.04). The apache2-ssl-certificate script used in this manual is no longer included starting from Feisty. Please check the official Ubuntu documentation at https://help.ubuntu.com/7.10/server/C/httpd.html#https-configuration for instructions on how to set up apache2 with SSL.

Install packages

First make sure all needed packages are installed.

sudo apt-get install apache2 libapache-mod-ssl

Note: libapache-mod-ssl is no longer an Ubuntu package; see https://help.ubuntu.com/7.10/server/C/httpd.html#https-configuration

Generate the certificate

Create a certificate which is valid for one year.

sudo apache2-ssl-certificate -days 365

Enable the SSL module

sudo a2enmod ssl

Listen to port 443

sudo bash
echo "Listen 443" >> /etc/apache2/ports.conf

Create and enable the SSL site

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

Modify it so it looks something like this

NameVirtualHost *:443
<VirtualHost *:443>
       ServerAdmin webmaster@localhost

       SSLEngine On
       # Use pem instead of key in order not to be prompted for password.
       # Point to where your crt and pem are stored as well.
       # The pem is then an unencrypted private key: keep it readable by root only.
       SSLCertificateFile    /etc/apache2/ssl/certs/apache.crt
       SSLCertificateKeyFile /etc/apache2/apache-ssl/apache.pem

       DocumentRoot /var/www/
       <Directory />
               Options FollowSymLinks
               AllowOverride None
       </Directory>

       <Directory /var/www/>
               Options Indexes FollowSymLinks MultiViews
               AllowOverride None
               Order allow,deny
               Allow from all
               # This directive allows us to have apache2's default start page
               # in /apache2-default/, but still have / go to the right place
               # Commented out for Ubuntu
               #RedirectMatch ^/$ /apache2-default/
       </Directory>

       ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
       <Directory "/usr/lib/cgi-bin">
               AllowOverride None
               Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
               Order allow,deny
               Allow from all
       </Directory>

       ErrorLog /var/log/apache2/error.log

       # Possible values include: debug, info, notice, warn, error, crit,
       # alert, emerg.
       LogLevel warn

       CustomLog /var/log/apache2/access.log combined
       ServerSignature On

       Alias /doc/ "/usr/share/doc/"
       <Directory "/usr/share/doc/">
               Options Indexes MultiViews FollowSymLinks
               AllowOverride None
               Order deny,allow
               Deny from all
               Allow from 127.0.0.0/255.0.0.0 ::1/128
       </Directory>

</VirtualHost>

...and enable it

sudo a2ensite ssl
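
The following checks are an added example, not part of the original wiki page. They cover two steps above: ensure_listen appends "Listen 443" to ports.conf only once (a repeated Listen line for the same port stops Apache from binding on start), and check_key_perms reads a site file and reports any SSLCertificateKeyFile that is missing or accessible to group or other users, which matters because the pem is used without a password. The function names are hypothetical; pass the paths used on your system.

```shell
#!/bin/sh
# Added example: pre-flight checks for ports.conf and the SSL site file.

# Append "Listen <port>" only if that exact directive is not already present.
ensure_listen() {
    ports_file=$1; port=$2
    if grep -Eq "^[[:space:]]*Listen[[:space:]]+${port}[[:space:]]*\$" "$ports_file"; then
        return 0
    fi
    echo "Listen ${port}" >> "$ports_file"
}

# Print every path given to an active (uncommented) SSLCertificateKeyFile.
key_files() {
    awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Return 0 only if every key file exists and grants nothing to group/other.
check_key_perms() {
    site_file=$1; rc=0
    for key in $(key_files "$site_file"); do
        if [ ! -f "$key" ]; then
            echo "MISSING  $key"; rc=1; continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$key" | cut -c5-10)
        if [ "$mode" = "------" ]; then
            echo "OK       $key"
        else
            echo "EXPOSED  $key (group/other bits: $mode)"; rc=1
        fi
    done
    return $rc
}

# Example use (paths as in this guide; run as root):
#   ensure_listen /etc/apache2/ports.conf 443
#   check_key_perms /etc/apache2/sites-available/ssl
```

An EXPOSED result is fixed by making the key file owned by root with mode 600.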

Mod rewrite

It's always good to force users to access things like webmail via https. This can be accomplished with mod_rewrite.

First you'll have to enable the module

sudo a2enmod rewrite

Then add the following to /etc/apache2/sites-available/default

RewriteEngine   on
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^/webmail(.*)$ https://%{SERVER_NAME}/webmail$1 [L,R]
RewriteLog      "/var/log/apache2/rewrite.log"
RewriteLogLevel 2

If you want to force an SSL connection and redirect all traffic from port 80 to port 443 (HTTPS), use this instead:

RewriteEngine   on
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]

Don't forget to restart apache

 sudo /etc/init.d/apache2 force-reload

Original Link: Apache2 SSL [1]
