Often, you might want to set up an Apache httpd server as a front end that
talks to back-end application servers such as Oracle WebLogic or Apache Tomcat. While httpd
acts as a proxy, you might also want to use it as an SSL server, which ensures that the communication between the browser and Apache httpd is secure. But have you
ever thought about how easy it is to set up SSL using Apache? Believe me, it is really easy. Apache configuration is so
powerful (I agree, sometimes it is painful if you don't know what you are using) and needs very
minimal configuration.
The minimum things that you would need are:
a) Server certificate - This lets the browser user identify which server he/she is connecting to. It is a PEM-encoded certificate. If you open the certificate in an editor like Notepad, you will see scrambled text which starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
b) Private key to decrypt the encrypted data - Please make sure that your private key is kept secure. You can use a key that uses either RSA or DSA.
c) Certificate chain from your certificate authority - The end certificate in the chain will be a root certificate. If you don't have the complete chain, SSL might not work.
If you have all of the above, then you can easily set up
'one-way' SSL, which is otherwise known as 'Server authentication'.
The snippet below is the minimal configuration required:
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile public.crt
SSLCertificateKeyFile private.key
SSLCertificateChainFile intermediate.crt
</VirtualHost>
The mod_ssl module also gives you access to certain
environment variables which you may use for debugging purposes. The
following line creates a separate log file for capturing SSL-related
information. You may also decide to switch on this logging only in development.
CustomLog logs/ssl_request_log "%t %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{HTTPS}x %{REFERER}i %{X-Forwarded-For}i \"%r\" %s %b"
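To make use of that log, the following added example (not from the original post) parses lines written in the CustomLog format above and flags requests that used a deprecated protocol, a weak cipher, or no SSL at all. The sample lines are constructed, the protocol and cipher lists are assumptions to adjust to your own policy, and the parser assumes the Referer value contains no spaces.

```python
import re
from collections import Counter

# Matches the fields of the CustomLog format above, in order.
# Referer and X-Forwarded-For are logged unquoted, so X-Forwarded-For
# (which may be "a, b, c") is matched lazily up to the quoted request line.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'(?P<protocol>\S+) (?P<cipher>\S+) (?P<https>\S+) (?P<referer>\S+) '
    r'(?P<xff>.*?) "(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed policy lists; tune them to what your organisation allows.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")  # substring match

def audit_line(line):
    """Return (fields, findings) for one log line, or (None, ['unparsed'])."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, ["unparsed"]
    f = m.groupdict()
    findings = []
    if f["https"] != "on":
        findings.append("not-https")
    elif f["protocol"] in DEPRECATED_PROTOCOLS:
        findings.append("deprecated-protocol")
    if any(marker in f["cipher"] for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak-cipher")
    return f, findings

def summarize(lines):
    """Count findings across all lines so legacy clients stand out."""
    counts = Counter()
    for line in lines:
        counts.update(audit_line(line)[1])
    return dict(counts)

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '[10/Mar/2024:09:15:01 +0000] 192.0.2.10 - - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 on - - "GET / HTTP/1.1" 200 512',
    '[10/Mar/2024:09:15:07 +0000] 192.0.2.11 - - TLSv1 DES-CBC3-SHA on https://example.test/ 198.51.100.7, 192.0.2.1 "GET /app HTTP/1.1" 200 1024',
    '[10/Mar/2024:09:15:09 +0000] 192.0.2.12 - - - - off - - "GET / HTTP/1.1" 200 45',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
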
One common issue that everyone might face is with
configuring port 443 for SSL. You might get the error given below:
(13)Permission denied: AH00072: make_sock: could not bind to address xx.xxx.xx.xx:443
no listening sockets available, shutting down
AH00015: Unable to open logs
Please make sure that you have 'root' access, which is
required for using the standard ports 80 for http and 443 for https.
Hope this information will be useful for you.