Thursday, 9 April 2015

How To Configure Apache With SSL On CentOS 6.4

Securing the Apache server is one of the most important tasks of the webmaster. In this example, we will show you how to create an SSL key and certificate and use them with your Apache web server.

Create Certificates
Change to the following directory:
# cd /etc/pki/tls/certs
Run the following command to make server key file:

[root@amir certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase: #give your password here
Verifying - Enter pass phrase: #give your password here
Remove the passphrase from the private key (otherwise Apache will prompt for it every time it starts):
[root@amir certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: #give your password here
writing RSA key

Generate the CSR (certificate signing request):

[root@amir certs]# make server.csr

umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:BD
State or Province Name (full name) []:Bangladesh
Locality Name (eg, city) [Default City]: Dhaka
Organization Name (eg, company) [Default Company Ltd]:MCC Ltd.
Organizational Unit Name (eg, section) []:MCC Ltd.
Common Name (eg, your name or your server's hostname) []:Centos6-Unixmen
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #give your password here
An optional company name []: MCCLtd
[root@amir certs]#

Self-sign the CSR with the server key and set the certificate's validity period (here 10000 days):

[root@amir certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 10000
Signature ok
subject=/C=NL/ST=Bangladesh/L= Bangladesh /O=MCC Ltd/OU= MCC Ltd /CN=amir/
Getting Private key
[root@amir certs]#
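The three steps above (key, CSR, self-signed certificate) run non-interactively, followed by the checks worth making before Apache is pointed at the files, as an added shell example that is not part of the original post. The output directory, the -subj string and the validity period are constructed for the example; it assumes openssl and GNU stat are on the PATH.

```bash
#!/bin/bash
# Added example: reproduce the key/CSR/self-signed certificate steps without
# prompts, then verify the result. Paths and subject are placeholders; on the
# real host the files live in /etc/pki/tls/certs.
set -u

# Generate an unencrypted 2048-bit key, a CSR and a self-signed cert in $1,
# valid for $2 days (default 10000, as in the post).
make_selfsigned() {
    local dir="$1" days="${2:-10000}"
    local subj="/C=BD/ST=Bangladesh/L=Dhaka/O=MCC Ltd/CN=Centos6-Unixmen"
    mkdir -p "$dir"
    ( umask 077   # key must not be world-readable
      # No -aes128 here: with SSLPassPhraseDialog builtin, an encrypted key
      # makes httpd stop at startup and ask for the passphrase.
      openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
      openssl req -utf8 -new -key "$dir/server.key" -out "$dir/server.csr" \
          -subj "$subj" 2>/dev/null
      openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
          -out "$dir/server.crt" -days "$days" 2>/dev/null )
}

# Return 0 only if the key is unencrypted and its modulus matches the cert
# (SSLCertificateFile and SSLCertificateKeyFile must be a real pair).
verify_pair() {
    local key="$1" crt="$2" kmod cmod
    # "-passin pass:" makes openssl fail on an encrypted key instead of prompting.
    kmod=$(openssl rsa -noout -modulus -in "$key" -passin pass: 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Return 0 if the certificate is still valid $1 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null 2>&1
}

# Octal permission mode of a file (GNU stat; expected 600 for the key).
key_mode() { stat -c '%a' "$1"; }
```

Run make_selfsigned on a scratch directory, then verify_pair on the key and certificate it produced; a mismatched key/certificate or a still-encrypted key makes verify_pair fail.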

Configure the SSL key and certificate in Apache
# yum -y install httpd mod_ssl
Edit '/etc/httpd/conf.d/ssl.conf'.
With the comments stripped, your ssl.conf should look like this:
[root@amir conf.d]# cat /etc/httpd/conf.d/ssl.conf | grep -v "#"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/server.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@amir conf.d]#
Restart Apache so that it loads the new configuration.
Check that ports 80 and 443 are listening:
[root@amir conf.d]# netstat -an | grep 443
tcp 0 0 :::443 :::* LISTEN
[root@amir conf.d]# netstat -an | grep 80
tcp 0 0 :::80 :::* LISTEN
[root@amir conf.d]#
Allow ports 80 and 443 through iptables by adding these rules to /etc/sysconfig/iptables:
vim /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
Restart iptables so the new rules are loaded:
# service iptables restart
Open a browser and check https://IP-Address. Because the certificate is self-signed, the browser will warn that it cannot verify the issuer; that is expected here, and a certificate from a CA the browser trusts is needed to avoid it.


