Difference between revisions of "Configuring multiple SSL sites"

From Notes_Wiki
m
m
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
<yambe:breadcrumb self="Configuring mod gnutls">Apache web server configuration</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Apache web server configuration]] > [[Configuring multiple SSL sites]]
=Configuring mod gnutls so that we can have HTTPS virtual hosts in apache=


mod_gnutls allows us to have multiple HTTPS virtual hosts on same physical server with single IP address and multiple domain names. The certificate should be wildcard certificate like for *.iiit.ac.in, so that we can host any hostname with suffix iiit.ac.in with same certificate.  
To configure SSL virtual-hosting one can use following steps:
#Install mod_ssl using '<tt>yum -y install mod_ssl</tt>'
#Edit '<tt>/etc/httpd/conf.d/ssl.conf</tt>' and set correct values for:
#:<pre>
#::    SSLCertificateFile /etc/httpd/conf/ssl.crt
#::    SSLCertificateKeyFile /etc/httpd/conf/ssl.key
#::    SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
#:</pre>
#Edit '<tt>/etc/httpd/conf/httpd.conf</tt>' file and append following configuration
#:<pre>
#::NameVirtualHost *:443
#::
#::<VirtualHost *:443>
#::
#::    &lt;Appropriate virtual-host configuration&gt;
#::
#::    SSLEngine on
#::    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#::    SSLHonorCipherOrder on
#::    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
#::    Header always set Strict-Transport-Security "max-age=31536000"
#::</VirtualHost>
#:</pre>
 
 
=Working of HTTPS=
 
During a HTTPS communication first a secure channel is established which required exchange of certificates.  In most cases server has no idea which virtual-host would be communicated with and hence can server only one single HTTPS certificate.  This is no longer true for modern browsers which support SNI.  Refer https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04
 
 
 
=Configuring mod gnutls for supporting multiple SSL virtualhosts=
 
'''This is no longer required.  mod_ssl seems to handle multiple SSL virtual-hosts with different certificates with help of SNI extensions pretty well.'''
 
mod_gnutls allows us to have multiple HTTPS virtual hosts on same physical server with single IP address and multiple domain names. The certificate should be wildcard certificate like for *.example.com so that we can host any hostname with suffix example.com with same certificate.  


==Installing and configuring mod_gnutls on Cent-OS==
==Installing and configuring mod_gnutls on Cent-OS==
Line 40: Line 74:
#::    CustomLog logs/test1.barjatiya.com-access_log common
#::    CustomLog logs/test1.barjatiya.com-access_log common
#::    SSLEngine on
#::    SSLEngine on
#::    SSLProtocol all -SSLv2
#::    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#::    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
#::    SSLHonorCipherOrder on
#::    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
#::    Header always set Strict-Transport-Security "max-age=31536000"
#::    SSLCertificateFile /etc/httpd/conf/test1.pem
#::    SSLCertificateFile /etc/httpd/conf/test1.pem
#::</VirtualHost>
#::</VirtualHost>
Line 51: Line 87:




=Configuring apache for SSL virtual-hosting using httpd.conf and ssl.conf modification=
Refer:
 
* https://www.mysterydata.com/how-to-get-a-score-rating-in-ssllabs-qualys/
To configure SSL virtual-hosting without mod_gnutls one can use following steps:
#Install mod_ssl using '<tt>yum -y install mod_ssl</tt>'
#Rename '<tt>/etc/httpd/conf.d/ssl.conf</tt>' to '<tt>/etc/httpd/conf.d/ssl_backup</tt>' to effectively disable the configuration
#Edit '<tt>/etc/httpd/conf/httpd.conf</tt>' file and append following configuration
#:<pre>
#::LoadModule ssl_module modules/mod_ssl.so
#::Listen 443
#::SSLPassPhraseDialog  builtin
#::SSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)
#::SSLSessionCacheTimeout  300
#::SSLMutex default
#::SSLRandomSeed startup file:/dev/urandom  256
#::SSLRandomSeed connect builtin
#::SSLCryptoDevice builtin
#::NameVirtualHost *:443
#::
#::<VirtualHost *:443>
#::
#::    &lt;Appropriate virtual-host configuration&gt;
#::
#::    SSLEngine on
#::    SSLProtocol all -SSLv2
#::    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
#::   SSLCertificateFile &lt;full-path-of-certificate-file&gt;
#::    SSLCertificateKeyFile &lt;full-path-of-key-file&gt;
#::</VirtualHost>
#:</pre>
 
 
 
=Working of HTTPS=
 
During a HTTPS communication first a secure channel is established which required exchange of certificates. Since the client has not sent any request yet, server has no idea for which virtual host is the request going to come. Hence only one generic wildcard certificate is returned. After secure channel is established using the wildcard certificate, the client send HTTPS request and server sends HTTPS response. Now based on the domain name present in request appropriate virtual host is contacted and response is sent. Hence we cannot have HTTPS virtual hosts of two different domains on same apache server.
 
 
 
=Forcing redirect of all HTTP requests to HTTPS=
 
One can attempt trying to redirect all HTTP requests to HTTPS automatically using:
<pre>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</pre>
then it will not work for the first request, which is typically displaying of login page.  But if the website supports cookies and remembers login through non-secure cookies then those cookies would end-up being transmitted in plain-text before redirection to HTTPS takes effect.
 
The issue is described http://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https and http://stackoverflow.com/questions/4070262/how-in-htaccess-can-i-redirect-the-user-to-https-from-http-and-back-again/4071655#4071655  Another way using configuration has been used in [[Forcing HTTPS for redmine]]
 
 
 
==Forcing HTTPS redirection while supporting mod_proxy==


Note that this configuration would also break any ProxyPass configurations done to Proxy requests to above server.  For example consider two server public-http and issues.  If issues server is configured as explained here to redirect all non-https requests as https and public-http server is configured to ProxyPass all requests coming for issues to issues server then this configuration wont work.  This is because when public-http passes requests to issues server, issues server will redirect even public-http servers requests to HTTPS.  But mod_proxy does not supports HTTPS so it would use HTTP again which would result into infinite loop of redirections.


To solve this one can use following configuration:
<pre>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{REMOTE_HOST} !&lt;ip&gt;
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}  [R,L]
</pre>
where, &lt;ip&gt; can be replaced with IP of public-http server as seen by issues server.  In this case the redirection to HTTPS wont apply when requests are coming from public-http server.  For HTTPS security the redirection to HTTPS configuration can be done on public-http server so that it receives requests meant for issues server through HTTPS.


<yambe:breadcrumb self="Configuring mod gnutls">Apache web server configuration</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Apache web server configuration]] > [[Configuring multiple SSL sites]]

Latest revision as of 07:21, 6 March 2022

Home > CentOS > CentOS 6.x > Apache web server configuration > Configuring multiple SSL sites

To configure SSL virtual-hosting one can use following steps:

  1. Install mod_ssl using 'yum -y install mod_ssl'
  2. Edit '/etc/httpd/conf.d/ssl.conf' and set correct values for: 
    SSLCertificateFile /etc/httpd/conf/ssl.crt
    

    SSLCertificateKeyFile /etc/httpd/conf/ssl.key
    

    SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
  3. Edit '/etc/httpd/conf/httpd.conf' file and append following configuration 
    NameVirtualHost *:443
    

    

    <VirtualHost *:443>
    

    

    <Appropriate virtual-host configuration>
    

    

    SSLEngine on
    

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    

    SSLHonorCipherOrder on
    

    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    

    Header always set Strict-Transport-Security "max-age=31536000"
    

    </VirtualHost>


Working of HTTPS

During a HTTPS communication first a secure channel is established which required exchange of certificates. In most cases server has no idea which virtual-host would be communicated with and hence can server only one single HTTPS certificate. This is no longer true for modern browsers which support SNI. Refer https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04


Configuring mod gnutls for supporting multiple SSL virtualhosts

This is no longer required. mod_ssl seems to handle multiple SSL virtual-hosts with different certificates with help of SNI extensions pretty well.

mod_gnutls allows us to have multiple HTTPS virtual hosts on same physical server with single IP address and multiple domain names. The certificate should be wildcard certificate like for *.example.com so that we can host any hostname with suffix example.com with same certificate.

Installing and configuring mod_gnutls on Cent-OS

  1. Install libgpg-error from ftp://ftp.gnupg.org/gcrypt/libgpg-error
  2. Compile and install libgcrypt from source. Take libgcrypt from ftp://ftp.gnupg.org/gcrypt/libgcrypt
  3. rm /usr/lib64/httpd/modules/*tls*
  4. cp /usr/lib64/libgnutls* /usr/lib64/httpd/modules/
  5. Configure and make mod_gnutls from http://linux.wareseeker.com/download/mod-gnutls-0.2.0.rar/319193. Do not make install
  6. cp src/.libs/libmod_gnutls.so /usr/lib64/httpd/modules/
  7. cp data/{rsa,dh}file /etc/httpd/conf (Very important step. Do not miss)
  8. cd /usr/lib64/httpd/modules/
  9. mv libmod_gnutls.so mod_gnutls.so
  10. Put LoadModule gnutls_module modules/mod_gnutls.so in /etc/httpd/conf/httpd.conf
  11. Put 
    AddType application/x-x509-ca-cert .crt
    

    AddType application/x-pkcs7-crl    .crl
    in /etc/httpd/conf/httpd.conf
  12. mkdir -m 0700 /var/cache/mod_gnutls_cache
  13. chown apache:apache /var/cache/mod_gnutls_cache
  14. Put 
    GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
    

    GnuTLSCacheTimeout 300
    in /etc/httpd/conf/httpd.conf
  15. Do configuration in /etc/httpd/conf/httpd.conf for 443 virtualhosts like 
    NameVirtualHost *:443
    

    <VirtualHost *:443>
    

    ServerAdmin a@b.com
    

    DocumentRoot /home/test1/html
    

    ServerName test1.barjatiya.com
    

    ErrorLog logs/test1.barjatiya.com-error_log
    

    CustomLog logs/test1.barjatiya.com-access_log common
    

    SSLEngine on
    

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    

    SSLHonorCipherOrder on
    

    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    

    Header always set Strict-Transport-Security "max-age=31536000"
    

    SSLCertificateFile /etc/httpd/conf/test1.pem
    

    </VirtualHost>
    where Certificate can be generated using openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem
    Do chown root:apache /etc/httpd/conf/httpd.conf and chmod 640 /etc/httpd/conf/httpd.conf so that normal users cannot read httpd.conf file when using virtual hosting
  16. Comment VirtualHost setting in /etc/httpd/conf.d/ssl.conf


Refer:


Home > CentOS > CentOS 6.x > Apache web server configuration > Configuring multiple SSL sites

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Configuring_multiple_SSL_sites&oldid=5418"