Configure SSL on Apache
Requirements
- Private key from a CA for your domain, e.g. *.igrafxdemo.com
- Intermediate certificate file, e.g. igrafxdemo_intermediate.crt
Note: the above filenames are for illustration only; use your own key and intermediate files.
Steps
Convert the .pfx file using OpenSSL.
    openssl pkcs12 -in igrafxdemo_wildcard.pfx -clcerts -nokeys -out igrafxdemo.com.cer
    openssl pkcs12 -in igrafxdemo_wildcard.pfx -nocerts -nodes -out igrafxdemo.com.key
Move them to the Apache machine, into the appropriate folder.
    sudo mkdir /etc/apache2/ssl
    sudo mv ~/igrafxdemo.com.cer /etc/apache2/ssl/
    sudo mv ~/igrafxdemo.com.key /etc/apache2/ssl/
    sudo mv ~/igrafxdemo_intermediate.crt /etc/apache2/ssl/
Enable the SSL module on Apache. Also enable the rewrite module, because all HTTP traffic should be routed to HTTPS.
    sudo a2enmod ssl
    sudo a2enmod rewrite
    sudo service apache2 restart
Open the SSL configuration file
    sudo vi /etc/apache2/mods-available/ssl.conf
Change the SSLCipherSuite and SSLProtocol parameters to the following values.
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLProtocol all -SSLv3
Open a proxy configuration file.
    sudo vi /etc/apache2/sites-available/igxus.igrafxdemo.com.conf
Change your configuration to match the rewrite and SSL changes.
    <VirtualHost *:81>
        ServerAdmin beta@igrafx.com
        ServerName igxus.igrafxdemo.com

        # Redirect every plain-HTTP request to its HTTPS equivalent
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

        ErrorLog ${APACHE_LOG_DIR}/error_proxy_IGXUS.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access_proxy.log combined
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin beta@igrafx.com
        ServerName igxus.igrafxdemo.com

        # Paths served locally instead of being proxied
        ProxyPass /icons !
        ProxyPass /logs !

        SSLEngine on
        # Certificate checks for proxied TLS backends are disabled;
        # the backend below is reached over plain HTTP
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLProxyEngine On

        # Certificate, key and intermediate extracted in the earlier steps
        SSLCertificateChainFile /etc/apache2/ssl/igrafxdemo_intermediate.crt
        SSLCertificateFile /etc/apache2/ssl/igrafxdemo.com.cer
        SSLCertificateKeyFile /etc/apache2/ssl/igrafxdemo.com.key

        # Reverse proxy only, never a forward proxy
        ProxyRequests Off
        ProxyPreserveHost Off

        # Restrict the manager application to a single source address
        <Proxy */manager/*>
            Order deny,allow
            Deny from all
            Allow from 50.43.107.10
        </Proxy>

        ProxyPass / http://172.16.250.174:8080/
        ProxyPassReverse / http://172.16.250.174:8080/

        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error_proxy_IGXUS_SSL.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access_proxy_SSL.log combined
    </VirtualHost>
Reload Apache for the configuration to take effect.
    sudo service apache2 reload
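Before the reload, it is worth confirming that the files extracted from the .pfx belong together and that the unencrypted key is not readable by other users. The script below is an added example, not part of the original procedure; the function names and the throwaway constructed.example certificate helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks to run on the extracted files before reloading Apache.

# 0 if the certificate and the private key carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the key has no group/other permission bits. The -nodes option writes
# the key unencrypted, so the file mode is its only protection at rest.
key_is_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# 0 if the certificate's signature verifies against the intermediate,
# treating the intermediate as the trust anchor (-partial_chain).
signed_by_intermediate() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample input: throwaway self-signed pair named $1 in dir $2.
# (Hypothetical helper, only used to try the checks without real files.)
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1.constructed.example" \
        -keyout "$2/$1.key" -out "$2/$1.cer" >/dev/null 2>&1
}

# Usage: preflight CERT KEY INTERMEDIATE
preflight() {
    rc=0
    cert_matches_key "$1" "$2"       || { echo "FAIL: certificate and key do not match"; rc=1; }
    key_is_private "$2"              || { echo "FAIL: key is accessible to group/other"; rc=1; }
    signed_by_intermediate "$1" "$3" || { echo "FAIL: certificate not signed by intermediate"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate, key and intermediate are consistent"
    return "$rc"
}

# Run the checks when called with the three file paths.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Called with the certificate, key and intermediate paths from /etc/apache2/ssl/, it prints one FAIL line per problem and returns non-zero if any check fails.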