HTTPS
---------
A Secure Apache HTTPS Server With SSL
# yum -y install openssl mod_ssl cyrus*
Create SSL Certificates
Create self-signed SSL certificates. If the server is used for business, however, it is better to buy and use a formal certificate from Verisign or a similar certificate authority.
[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:# set passphrase
Verifying - Enter pass phrase:# confirm
# remove passphrase from private key
[root@www certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:# input passphrase
writing RSA key
[root@www certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Dhaka
Locality Name (eg, city) [Default City]:Dhaka
Organization Name (eg, company) [Default Company Ltd]:World Communication Network Ltd.
Organizational Unit Name (eg, section) []:worldcm.net
Common Name (eg, your name or your server's hostname) []:mail.worldcm.net
Email Address []: admin@worldcm.net
A challenge password []:world OR Enter
An optional company name []: worldcm OR Enter
[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world
Getting Private key
-----------------
Configure httpd for SSL/TLS.
[root@www ~]# yum install mod_ssl openssl
[root@www ~]# vi /etc/httpd/conf.d/ssl.conf
# line 59: uncomment
DocumentRoot "/var/www/html"
# line 60: uncomment and specify the server name
ServerName www.worldcm.net:443
# line 75: change (TLSv1 and TLSv1.1 are deprecated by RFC 8996; drop them unless legacy clients still need them)
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
# line 100: change to the one got in [1]
SSLCertificateFile /etc/pki/tls/certs/server.crt
# line 107: change to the one got in [1]
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
# line 116: change to the one got in [1]
SSLCertificateChainFile /etc/letsencrypt/live/www.worldcm.net/chain.pem
[root@www ~]# systemctl restart httpd
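One way to check the SSLProtocol line from the ssl.conf edit above, as an added example that is not part of the original notes. The function name audit_sslprotocol and the two sample configs are assumptions; the script treats "all" as covering SSLv3 through TLSv1.3 and evaluates each directive on its own, which simplifies how mod_ssl merges contexts.

```shell
#!/bin/sh
# Added example: flag deprecated protocol versions enabled by SSLProtocol.
# Reads ssl.conf text on stdin; exit 0 = clean, 1 = weak protocol, 2 = no directive.
audit_sslprotocol() {
    awk '
    BEGIN {
        all = "sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3"    # assumed meaning of "all"
        nweak = split("sslv3 tlsv1 tlsv1.1", weak, " ")
    }
    /^[ \t]*#/ { next }                               # ignore commented lines
    tolower($1) == "sslprotocol" {
        seen = 1
        split("", on)                                 # each directive starts empty
        for (i = 2; i <= NF; i++) {
            tok = tolower($i); sign = ""
            if (tok ~ /^[+-]/) { sign = substr(tok, 1, 1); tok = substr(tok, 2) }
            if (sign == "") split("", on)             # unsigned token replaces the set
            n = split((tok == "all") ? all : tok, p, " ")
            for (j = 1; j <= n; j++) on[p[j]] = (sign != "-")
        }
        for (j = 1; j <= nweak; j++)
            if (on[weak[j]]) { printf "FAIL line %d: %s enabled\n", NR, weak[j]; bad = 1 }
    }
    END {
        if (!seen) { print "WARN no SSLProtocol directive, server default applies"; exit 2 }
        if (!bad) print "OK   only TLSv1.2 or newer enabled"
        exit bad + 0
    }'
}

# Constructed sample: the directives from the ssl.conf edit above.
page_conf='ServerName www.worldcm.net:443
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCertificateFile /etc/pki/tls/certs/server.crt'
# Same file with the protocol list reduced to TLS 1.2.
fixed_conf='ServerName www.worldcm.net:443
SSLProtocol -All +TLSv1.2
SSLCertificateFile /etc/pki/tls/certs/server.crt'

printf '%s\n' "$page_conf"  | audit_sslprotocol || echo "-> protocol list needs tightening"
printf '%s\n' "$fixed_conf" | audit_sslprotocol
```

On a real host, feed it the live file: audit_sslprotocol < /etc/httpd/conf.d/ssl.conf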
[3] To redirect HTTP connections to HTTPS (Always on SSL/TLS), configure each VirtualHost as follows.
The same rules can also be placed in [.htaccess] instead of httpd.conf.
[root@www ~]# vi /etc/httpd/conf.d/vhost.conf
<VirtualHost *:80>
DocumentRoot /var/www/html
ServerName www.worldcm.net
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
[root@www ~]# systemctl restart httpd
----------------- --X ----------------------------
Configure SSL.
[root@www ~]# yum -y install mod_ssl
[root@www ~]# vi /etc/httpd/conf.d/ssl.conf
# line 59: uncomment
DocumentRoot "/var/www/html"
# line 60: uncomment and specify the server name
ServerName www.srv.world:443
# line 100: change to the one created in [1]
SSLCertificateFile /etc/pki/tls/certs/server.crt
# line 107: change to the one created in [1]
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
[root@www ~]# systemctl restart httpd
[root@dlp ~]# firewall-cmd --add-service=https --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
This section will walk you through setting up a secure HTTPS connection using SSL on Apache.
Install SSL
In order to secure Apache, you need to install SSL first.
You can install SSL using the following command:
sudo yum install mod_ssl openssl
Generate A Self-Signed Certificate
First, generate a 2048-bit RSA private key, ca.key.
sudo openssl genrsa -out ca.key 2048
Then generate the certificate signing request ca.csr using the following command.
sudo openssl req -new -key ca.key -out ca.csr
You will be prompted for information about the certificate.
Finally, generate a self-signed X.509 certificate, ca.crt, valid for 365 days.
sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
After creating the certificate, you need to copy all of the certificate files to the necessary directories.
You can do this by running the following commands:
sudo cp ca.crt /etc/pki/tls/certs/
sudo cp ca.key /etc/pki/tls/private/
sudo cp ca.csr /etc/pki/tls/private/
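Before pointing Apache at the files, it is worth confirming that the key and certificate belong together and that the unencrypted key is not readable by other users. This applies to both the server.key/server.crt pair from the first procedure and ca.key/ca.crt here. The check below is an added example, not part of the original notes; the function names and the throwaway demo pair under a temporary directory are assumptions, and it needs the openssl CLI.

```shell
#!/bin/sh
# Added example: sanity-check a key/certificate pair before Apache uses it.
# check_pair KEY CERT prints one finding per line; returns 0 only if all pass.
check_pair() {
    key=$1; cert=$2; rc=0
    # 1. With the passphrase removed, file permissions are the only protection
    #    the key has: it must not be accessible to group or others.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "OK   key permissions"
    else
        echo "FAIL key is accessible to group/others ($perms)"; rc=1
    fi
    # 2. The certificate must carry the public half of this private key.
    kpub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then
        echo "OK   certificate matches key"
    else
        echo "FAIL certificate does not match key"; rc=1
    fi
    # 3. The certificate must still be valid 30 days (2592000 s) from now.
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "OK   certificate valid for at least 30 more days"
    else
        echo "FAIL certificate expires within 30 days"; rc=1
    fi
    return $rc
}

# Constructed demo input: a throwaway pair built with the same three steps.
demo_dir=$(mktemp -d)
make_pair() {  # make_pair NAME DAYS
    ( umask 077
      openssl genrsa -out "$demo_dir/$1.key" 2048 2>/dev/null
      openssl req -new -key "$demo_dir/$1.key" -subj "/CN=demo.invalid" \
          -out "$demo_dir/$1.csr" 2>/dev/null
      openssl x509 -req -days "$2" -in "$demo_dir/$1.csr" \
          -signkey "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null )
}
make_pair good 365
check_pair "$demo_dir/good.key" "$demo_dir/good.crt"
```

For the files on this page, run it as root: check_pair /etc/pki/tls/private/ca.key /etc/pki/tls/certs/ca.crt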
Set Up The Certificates
All the certificates are ready. The next thing to do is to set up Apache to use the new certificates.
You can do this by editing the SSL config file:
sudo nano /etc/httpd/conf.d/ssl.conf
Find the section that begins with <VirtualHost _default_:443>. Uncomment the DocumentRoot and ServerName lines and replace example.com with your server's IP address.
DocumentRoot "/var/www/html"
ServerName 192.168.1.42:443
Next, find the SSLCertificateFile and SSLCertificateKeyFile lines and update them with the new location of the certificates.
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
After making these changes, restart Apache service for the changes to take effect.
sudo systemctl restart httpd
Test The Secure Apache HTTPS Server
To verify that the secure Apache HTTPS web server is working, open your web browser and go to your server's IP Address with the url https://your.server.ip.address.
-----------