BeezNest Open-Source specialists

April 25, 2008

How to configure HTTPS on Apache 2

Filed under: OSS Solutions — ywarnier @ 3:17 am

Introduction

Setting up several VirtualHosts on an Apache 2 server is easy.

Setting up several VirtualHosts on an Apache 2 server, some of them using SSL (HTTPS), is considerably less easy. The main problem is that documentation with examples of such configurations is not really easy to find.

Here, we will try to give all the steps to get there, while keeping complexity to a minimum.

If you want more details, I suggest you have a look at this nice article by Artur Maj. This is where most of the inspiration comes from for the current article, together with real tests on a Debian Etch server. Thanks to his article, we will allow ourselves to skip the HTTPS, SSL and TLS definitions and prerequisites. We will consider that you have already installed SSL on your server installation, but haven’t enabled it with VirtualHosts just yet.

Generating a key

To get things started, you will need a key. This key will be used by the VirtualHost you will define, but only if you ask it to.
To generate the key, create an ssl directory in your /etc/apache2/ directory (on a Debian Etch, that is).
Then move inside that directory (cd ssl) and do the following:

mkdir crt
mkdir key
openssl req -new -x509 -days 365 -keyout key/vhost1.key -out crt/vhost1.crt -nodes -subj '/O=VirtualHost Website Company name/OU=Virtual Host Website department/CN=www.virtualhostdomain.com'

This operation will create two files, crt/vhost1.crt and key/vhost1.key, that you will use in your VirtualHost definition to enable SSL encryption using that key.

Changing the VirtualHost config

Now move on to your Apache sites configuration. In most cases, you should have something like an /etc/apache2/sites-available/ and an /etc/apache2/sites-enabled directory. As sites-enabled should only contain links to sites-available, we are only interested in sites-available. So go there.

Now you should have one default file there, as well as one file that defines the configuration of the VirtualHost you would like to set up to use HTTPS.

Open the default config file. It should start with something like

NameVirtualHost *:80

or

NameVirtualHost *

Either way, change it to:

NameVirtualHost *:80
NameVirtualHost *:443

Now you have just told your webserver to accept requests on both port 443 and port 80. If you restart your webserver at this point, you should get a warning message saying that no host is using port 443. This is normal. Now let’s proceed to the config of the VirtualHost itself.

Open your VirtualHost config file. You should have something along the lines of:

<VirtualHost *>
    ServerAdmin webmaster@yourdomain.com
    DocumentRoot /var/www/vhost1
    ServerName vhost1.yourdomain.com
    DirectoryIndex index.php
    ErrorLog /var/log/apache2/vhost1-error.log
    CustomLog /var/log/apache2/vhost1-access.log combined
    # AllowOverride is only accepted inside <Directory>, not <Location>
    <Directory /var/www/vhost1>
        Options Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>

Together with the new config, this should look like this:

# Plain HTTP: only redirects every request to the HTTPS VirtualHost
<VirtualHost *:80>
    ServerAdmin webmaster@yourdomain.com
    DocumentRoot /var/www/vhost1
    ServerName vhost1.yourdomain.com
    DirectoryIndex index.php
    ErrorLog /var/log/apache2/vhost1-error.log
    # Rewrite rules sit at VirtualHost level: mod_rewrite inside
    # <Location> is unsupported
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
</VirtualHost>

# HTTPS: serves the site using the certificate and key generated above
<VirtualHost *:443>
    ServerAdmin webmaster@yourdomain.com
    DocumentRoot /var/www/vhost1
    ServerName vhost1.yourdomain.com
    DirectoryIndex index.php
    ErrorLog /var/log/apache2/vhost1-error.log
    CustomLog /var/log/apache2/vhost1-access.log combined
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/crt/vhost1.crt
    SSLCertificateKeyFile /etc/apache2/ssl/key/vhost1.key
    <Location />
        # SSLRequireSSL takes no argument
        SSLRequireSSL
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +StrictRequire
    </Location>
</VirtualHost>

Now if you restart your web server, you should be able to make it work straight away.
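
A pre-flight check for the certificate and key generated above, to run before restarting Apache. This is an added example, not part of the original article: the script name check_pair.sh and the function check_pair are made up for illustration, and it assumes OpenSSL 1.0.0 or later and GNU stat, as shipped on Debian and Ubuntu.

```sh
#!/bin/sh
# Added example (not from the original article): checks the pair referenced by
# SSLCertificateFile / SSLCertificateKeyFile before Apache is restarted.
# Assumes OpenSSL 1.0.0+ (for "openssl pkey") and GNU stat.

# check_pair CRT KEY SERVERNAME -> returns 0 only if every check passes
check_pair() {
    crt=$1; key=$2; name=$3; rc=0

    # 1. The public key in the certificate must be the one derived from the
    #    private key; a mismatched pair stops Apache at startup.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $crt and $key do not belong together"; rc=1; }

    # 2. The CN passed in -subj should be the VirtualHost's ServerName.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$name" ] ||
        { echo "FAIL: certificate CN '$cn' is not ServerName '$name'"; rc=1; }

    # 3. -days 365 means the certificate expires; flag it 30 days ahead.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: $crt is unreadable or expires within 30 days"; rc=1; }

    # 4. -nodes leaves the private key unencrypted on disk, so only its
    #    owner should be able to read it.
    perms=$(stat -c %a "$key" 2>/dev/null)
    [ "$perms" = 600 ] || [ "$perms" = 400 ] ||
        { echo "FAIL: $key has mode '$perms', expected 600 or 400"; rc=1; }

    return $rc
}

# Run the checks when called as: sh check_pair.sh CRT KEY SERVERNAME
if [ "$#" -eq 3 ]; then check_pair "$@"; fi
```

Run against the files from this article, check 2 reports that the CN given to openssl req (www.virtualhostdomain.com) differs from the ServerName used in the VirtualHost (vhost1.yourdomain.com); generate the certificate with the name the site is actually served under.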

April 19, 2008

Installing OpenLDAP on Ubuntu 7.10

Filed under: OSS Solutions — ywarnier @ 7:39 am

For professional testing, I needed a test installation of an LDAP server.

This has never been easier on an Ubuntu (and it’s as easy on Debian Etch):

sudo apt-get install slapd

The installer asks you for a password twice (I’ve put “ldap” as it’s just a test install) and then writes a config file in /etc/ldap/slapd.conf and starts the service.

If you go into the config file, you will see that, by default (if it didn’t find any domain name definition), it will give you cn=admin,dc=nodomain.

To use it easily, why not install phpldapadmin?

sudo apt-get install phpldapadmin

Now point your browser to http://localhost/phpldapadmin/, enter cn=admin,dc=nodomain as a connection string, and the password you gave to the package installer (in my case, ldap) and there you go, full access to your test LDAP directory. Enjoy!

April 6, 2008

OpenC2C

Filed under: Development projects — ywarnier @ 9:43 pm

A few days ago, after talking with Manuel Ruiz Hurtado and Ernesto Quiñones Azcárate in a small meeting to see what was the current status of large e-learning push projects in Peru, I realised the importance of having an e-commerce tool related to course contents for Dokeos and other e-learning systems. E-commerce, yes, but most of all C2C (Customer to Customer or Consumer to Consumer depending on taste), in the likes of eBay.
Selling an e-learning portal doesn’t go without selling courses, at least for a large company or institution.

At the same time, open-source projects in the field of e-commerce are pretty much limited to B2C (Business to Consumer). OSCommerce or various plugins for Drupal or Joomla are all oriented at B2C whereas I want to develop a product for C2C (Consumer to Consumer) in the sort of eBay. Apparently, this hasn’t been thought of until now.

So I’ve decided I would dedicate what’s left of my time to develop this project. The objective is to have a first working version ready at the end of May and start implementing it to sell courses.
I also think it would be good to use CakePHP or even better, Akelos, for that, so all that’s missing until now is a plan of action.

Talking about a plan of action, I’m starting to think about the database design for the project. It should manage users and products, as well as amounts of money held for each user, votes, product formats, language and categories…

Open-source essentials:

  • A nice name (OpenC2C doesn’t seem to be taken, which is a good start)
  • API documentation
  • Public website (Sourceforge for starters)
  • Clear CSS division/screen map
  • 2 basic CSS themes
  • Database diagram
  • Easy install
  • Object-oriented structure

Database-wise

  • Each table must have a unique ID/primary key
  • Use CakePHP/Akelos naming conventions to avoid problems (alphabetic order, plural names, …)
  • Make large tables non-dynamic in size (no varchar)
  • Use database layer (at least MySQL and PostgreSQL must be supported)
  • Use a timestamp and a user ID for *everything* (maybe use a separate table for that, to make sure the load on the main tables is not too important)

I have started working on this with Akelos and I’m about to finish the initial database structure. After that (and once I understand Akelos a bit better) I will start putting all this into the SourceForge SVN account I created for that.
