Difference between revisions of "Configuring multiple SSL sites"

From Notes_Wiki
 
 
Configuring apache for SSL virtual-hosting using httpd.conf and ssl.conf modification

Refer:

  * https://www.mysterydata.com/how-to-get-a-score-rating-in-ssllabs-qualys/

This is the older version of the procedure, superseded by the steps in the latest revision below. The SSLProtocol and SSLCipherSuite values it uses still allow SSLv3, TLS 1.0, RC4 and the LOW and MEDIUM cipher classes; use the values given in the latest revision instead. To configure SSL virtual-hosting without mod_gnutls one can use the following steps:

  1. Install mod_ssl using 'yum -y install mod_ssl'
  2. Rename '/etc/httpd/conf.d/ssl.conf' to '/etc/httpd/conf.d/ssl_backup' to effectively disable the configuration (httpd.conf only includes conf.d/*.conf)
  3. Edit '/etc/httpd/conf/httpd.conf' file and append the following configuration (the global directives once, then one <VirtualHost *:443> block per site, each with its own certificate and key)
    LoadModule ssl_module modules/mod_ssl.so
    Listen 443
    SSLPassPhraseDialog  builtin
    SSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout  300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
    NameVirtualHost *:443
    <VirtualHost *:443>
    <Appropriate virtual-host configuration>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile <full-path-of-certificate-file>
    SSLCertificateKeyFile <full-path-of-key-file>
    </VirtualHost>
 
 
 
 
 
 
Forcing redirect of all HTTP requests to HTTPS

One can redirect all HTTP requests to HTTPS automatically using:

    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

(mod_rewrite must be loaded; R=301 lets browsers cache the redirect and L stops further rule processing.) This does not protect the first request, which is typically the one that displays the login page: the browser sends it over plain HTTP and only then receives the redirect. If the website supports cookies and remembers a login through cookies that were set without the Secure flag, the browser attaches those cookies to that first plain-text request as well, so they are transmitted in the clear before the redirection to HTTPS takes effect. Marking session cookies Secure and sending the Strict-Transport-Security header from the HTTPS virtual host (as in the HTTPS virtual-host configuration on this page) prevents this for every visit after the first one.

The issue is described at http://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https and http://stackoverflow.com/questions/4070262/how-in-htaccess-can-i-redirect-the-user-to-https-from-http-and-back-again/4071655#4071655. Another way, using configuration, has been used in Forcing HTTPS for redmine.
 
 
 
Forcing HTTPS redirection while supporting mod_proxy

Note that this configuration would also break any ProxyPass configuration that proxies requests to the above server. For example consider two servers, public-http and issues. If the issues server is configured as explained here to redirect all non-HTTPS requests to HTTPS, and the public-http server is configured to ProxyPass all requests coming for issues to the issues server, then this configuration won't work. When public-http passes requests to issues, the issues server redirects even public-http's requests to HTTPS. Since mod_proxy in this setup talks plain HTTP to the backend (forwarding to an https:// backend requires SSLProxyEngine on), every request that reaches issues through the proxy arrives without HTTPS and is redirected again, which results in an infinite loop of redirections.

To solve this one can use the following configuration:

    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteCond %{REMOTE_ADDR} !^<ip>$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}  [R,L]

where <ip> is replaced with the IP of the public-http server as seen by the issues server (escape the dots, since the condition is a regular expression). REMOTE_ADDR is used rather than REMOTE_HOST, which holds a hostname and is only filled in when HostnameLookups is on. With this the redirection to HTTPS does not apply to requests coming from the public-http server; note that it exempts the whole proxy address, so anything that can send requests through public-http reaches issues without TLS. For HTTPS security the redirection to HTTPS configuration can be done on the public-http server instead, so that it receives requests meant for the issues server through HTTPS, and the hop between the two servers should be on a trusted network or itself use HTTPS.
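As an added example (not code from the wiki or from Apache), the following Python checks the two responses that matter for this section: the redirect the port-80 virtual host returns, and a page served by the port-443 virtual host. It flags a redirect that does not land on https:// for the same host and path, cookies set without the Secure flag on the plain-HTTP side (they travel in the clear on the next http:// request, the leak described above), and a missing or short Strict-Transport-Security header on the HTTPS side. The responses and the hostname issues.example.com are constructed, not captured from a real server.

```python
"""Check HTTP responses for the plaintext-leak problems of an HTTP-to-HTTPS redirect.

Added example for these notes; not code from the wiki or from Apache. The sample
responses are constructed, not captured from a real server.
"""
import re
from urllib.parse import urlsplit

MIN_HSTS_AGE = 31536000  # one year, as in the Header directive used on this page


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, [(lower-case name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_flags(set_cookie):
    """Lower-cased attribute names of a Set-Cookie value ('path', 'secure', 'httponly', ...)."""
    return {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}


def audit_redirect(raw, requested_url):
    """Findings for the response the port-80 virtual host gave to a plain-HTTP request.
    The request itself already travelled in the clear; this checks that nothing more leaks
    and that the browser really ends up on https:// for the same host and path."""
    status, headers = parse_response(raw)
    findings = []
    location = next((v for n, v in headers if n == "location"), None)
    if status not in (301, 302, 307, 308) or location is None:
        findings.append(f"no redirect (status {status})")
    else:
        want, got = urlsplit(requested_url), urlsplit(location)
        if got.scheme != "https":
            findings.append(f"redirect target is not https: {location}")
        if got.hostname != want.hostname or got.path != want.path:
            findings.append("redirect changes host or path (check HTTP_HOST/REQUEST_URI in the rule)")
    for n, v in headers:
        if n == "set-cookie" and "secure" not in cookie_flags(v):
            findings.append(f"cookie '{v.split('=', 1)[0]}' set without Secure (will be sent in the clear)")
    return findings


def audit_https(raw):
    """Findings for a response from the port-443 virtual host: HSTS present and long enough,
    cookies marked Secure (never sent over http://) and HttpOnly."""
    _, headers = parse_response(raw)
    findings = []
    hsts = next((v for n, v in headers if n == "strict-transport-security"), None)
    age = re.search(r"max-age=(\d+)", hsts) if hsts else None
    if age is None:
        findings.append("Strict-Transport-Security header missing")
    elif int(age.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age.group(1)} is shorter than one year")
    for n, v in headers:
        if n == "set-cookie":
            flags, name = cookie_flags(v), v.split("=", 1)[0]
            if "secure" not in flags:
                findings.append(f"cookie '{name}' without Secure")
            if "httponly" not in flags:
                findings.append(f"cookie '{name}' without HttpOnly")
    return findings


# Constructed sample exchanges for a site behind the redirect above.
REQUEST_URL = "http://issues.example.com/login"
LEAKY_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: http://issues.example.com/login\r\n"
                  b"Set-Cookie: _session_id=abc123; path=/\r\n"
                  b"Content-Length: 0\r\n\r\n")
GOOD_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: https://issues.example.com/login\r\n"
                 b"Content-Length: 0\r\n\r\n")
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000\r\n"
              b"Set-Cookie: _session_id=abc123; path=/; Secure; HttpOnly\r\n"
              b"Content-Type: text/html\r\n\r\n<html></html>")
NO_HSTS_HTTPS = (b"HTTP/1.1 200 OK\r\n"
                 b"Set-Cookie: _session_id=abc123; path=/\r\n"
                 b"Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, result in (("leaky redirect", audit_redirect(LEAKY_REDIRECT, REQUEST_URL)),
                          ("good redirect", audit_redirect(GOOD_REDIRECT, REQUEST_URL)),
                          ("https without HSTS", audit_https(NO_HSTS_HTTPS)),
                          ("good https", audit_https(GOOD_HTTPS))):
        print(label, "->", result or "ok")
```

Real responses for the two functions can be taken from curl -i against the port-80 and port-443 virtual hosts. The mod_proxy exemption above does not change what a browser sees, so the same checks apply when the redirect is moved to the public-http server.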



Latest revision as of 07:21, 6 March 2022


To configure SSL virtual-hosting (several HTTPS virtual hosts on one IP address, each with its own certificate, selected through SNI) one can use the following steps:

  1. Install mod_ssl using 'yum -y install mod_ssl'
  2. Edit '/etc/httpd/conf.d/ssl.conf' and set correct values for:
    SSLCertificateFile /etc/httpd/conf/ssl.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key
    SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
    This default virtual host is the one presented to clients that send no SNI name and to requests for a name that matches no ServerName, so its certificate should be the wildcard or most generic one. The key file should be owned by root with mode 0600; httpd reads it as root at startup.
  3. Edit '/etc/httpd/conf/httpd.conf' file and append the following configuration, with one <VirtualHost *:443> block per site and NameVirtualHost given only once
    NameVirtualHost *:443
    <VirtualHost *:443>
    <Appropriate virtual-host configuration: ServerName, DocumentRoot, logs>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLCertificateFile <full-path-of-certificate-file>
    SSLCertificateKeyFile <full-path-of-key-file>
    </VirtualHost>
    SSLCertificateFile and SSLCertificateKeyFile must be set inside each virtual host; they are not inherited from the default virtual host in ssl.conf. The Header line needs mod_headers (loaded by the stock CentOS httpd.conf) and takes effect only over HTTPS, which is the only place browsers honour it. Check the result with 'apachectl configtest' before restarting httpd: on httpd 2.2 the TLSv1.1 token is accepted only by builds with TLS 1.1/1.2 support.
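The following is an added example, not configuration or code from these notes or from Apache: a small Python lint that reads a <VirtualHost *:443> block and reports the settings the steps above are meant to rule out (SSLv3, TLS 1.0 or TLS 1.1 still negotiable, RC4 or LOW/MEDIUM ciphers selected, client-chosen cipher order, no HSTS, missing per-vhost certificate and key). It is run over two constructed blocks: the hardened one from step 3 with placeholder certificate paths and the hostname test1.example.com, and the older CentOS 6 style block this page used to recommend.

```python
"""Lint the TLS directives of an Apache <VirtualHost *:443> block.

Added example for these notes; it is not configuration or code from the wiki or
from Apache. The two sample blocks below are constructed from the directives shown
on this page (file paths and hostnames are placeholders).
"""
import re

# Directives the audit looks at; anything else in the block is ignored.
_DIRECTIVE_RE = re.compile(
    r"^\s*(SSLEngine|SSLProtocol|SSLCipherSuite|SSLHonorCipherOrder|"
    r"SSLCertificateFile|SSLCertificateKeyFile|Header)\s+(.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Cipher-string tokens that must not appear as positively selected entries.
WEAK_CIPHER_TOKENS = {"RC4", "LOW", "MEDIUM", "EXP", "EXPORT", "3DES", "DES",
                      "MD5", "NULL", "aNULL", "eNULL", "ADH"}
MIN_HSTS_AGE = 31536000  # one year, the value the configuration above uses


def parse_vhost(block):
    """Collect the audited directives as {lower-case name: [values in file order]}."""
    found = {}
    for m in _DIRECTIVE_RE.finditer(block):
        found.setdefault(m.group(1).lower(), []).append(m.group(2).strip().strip('"'))
    return found


def protocols_enabled(spec):
    """Expand an SSLProtocol value ('all -SSLv2 -SSLv3') into the versions it leaves on."""
    enabled = set()
    for tok in spec.split():
        if tok.lower() == "all":
            enabled |= KNOWN_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def cipher_tokens_selected(spec):
    """Tokens named positively in an OpenSSL cipher string; '!X' and '-X' entries exclude.
    A lint heuristic, not OpenSSL's cipher-list evaluation (see the note below)."""
    selected = set()
    for entry in spec.split(":"):
        if entry and entry[0] not in "!-":
            selected.update(entry.lstrip("+").split("+"))
    return selected


def audit_tls(block):
    """Return a list of findings for one HTTPS virtual host; an empty list means it passes."""
    d = parse_vhost(block)
    findings = []
    if d.get("sslengine", [""])[0].lower() != "on":
        findings.append("SSLEngine is not on")
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if name.lower() not in d:
            findings.append(f"{name} missing (not inherited from the default vhost in ssl.conf)")
    enabled = protocols_enabled(d.get("sslprotocol", ["all"])[0])  # mod_ssl default is 'all'
    for proto in WEAK_PROTOCOLS:
        if proto in enabled:
            findings.append(f"SSLProtocol allows {proto}")
    selected = cipher_tokens_selected(d.get("sslciphersuite", ["DEFAULT"])[0])
    for tok in sorted(selected & WEAK_CIPHER_TOKENS):
        findings.append(f"SSLCipherSuite selects {tok}")
    if d.get("sslhonorcipherorder", ["off"])[0].lower() != "on":
        findings.append("SSLHonorCipherOrder is off (the client picks the cipher)")
    hsts = [v for v in d.get("header", []) if "strict-transport-security" in v.lower()]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if age is None:
        findings.append("no Strict-Transport-Security header with max-age")
    elif int(age.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age.group(1)} is shorter than one year")
    return findings


# Constructed inputs: the hardened block from step 3 and the older block it replaced.
HARDENED = """
<VirtualHost *:443>
    ServerName test1.example.com
    DocumentRoot /home/test1/html
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLCertificateFile /etc/httpd/conf/test1.crt
    SSLCertificateKeyFile /etc/httpd/conf/test1.key
</VirtualHost>
"""
LEGACY = """
<VirtualHost *:443>
    ServerName test1.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/conf/test1.crt
    SSLCertificateKeyFile /etc/httpd/conf/test1.key
</VirtualHost>
"""

if __name__ == "__main__":
    for label, block in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(label, "->", audit_tls(block) or "ok")
```

The cipher check is a heuristic over the tokens named in the string: it cannot know that ALL or DEFAULT by itself already includes LOW and RC4 on an old OpenSSL unless they are named, so the authoritative expansion of a cipher string is still openssl ciphers -v with the string as argument, and the protocol list should be confirmed against the running server with an external scanner such as the Qualys SSL Labs test.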


Working of HTTPS

In an HTTPS connection the TLS handshake, in which the server presents its certificate, is completed before the client sends the HTTP request and its Host header. A server with several HTTPS virtual hosts on one IP address and port therefore did not know which virtual host the client wanted at the moment it had to choose a certificate, and could present only a single certificate for all of them. With the Server Name Indication (SNI) extension the client puts the hostname into its ClientHello, the first handshake message, so the server can select the matching virtual host and its certificate before sending it; mod_ssl does this with httpd 2.2.12 or later built against OpenSSL 0.9.8f or later. Clients that do not send SNI (Internet Explorer on Windows XP, Java 6, Python 2 before 2.7.9) receive the certificate of the default virtual host and warn when its name does not match. Refer https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04
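As an added example (not code from the wiki, from mod_ssl or from GnuTLS), the following Python script builds the ClientHello a browser sends at the start of the handshake, with and without the server_name extension, parses the hostname back out of the raw bytes, and then selects a certificate the way a name-based *:443 server does. The hostnames, the virtual-host table and the certificate paths are constructed placeholders.

```python
"""Build a TLS ClientHello with (or without) the server_name extension and parse it back.

Added example for these notes; not code from the wiki, Apache or GnuTLS. It shows the
mechanism the paragraph above relies on: the hostname is available in the first
handshake message, before any certificate is sent, but only when the client includes SNI.
"""
import struct

TLS_HANDSHAKE = 0x16        # record content type
CLIENT_HELLO = 0x01         # handshake message type
EXT_SERVER_NAME = 0x0000    # RFC 6066 server_name extension
HOST_NAME_TYPE = 0x00


def build_client_hello(server_name=None, cipher_suites=(0xC02F, 0xC030)):
    """One TLS record holding a TLS 1.2 ClientHello; server_name=None omits SNI, which is
    what pre-SNI clients (IE on Windows XP, Java 6, Python 2 before 2.7.9) send."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # random (constant here; real clients use CSPRNG output)
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello, or None when the client sent no SNI.
    Raises ValueError for anything that is not a well-formed ClientHello record."""
    try:
        if record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # client_version, random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos >= len(body):
            return None                                        # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            lpos = 2                                           # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if name_type == HOST_NAME_TYPE:
                    return data[lpos + 3:lpos + 3 + name_len].decode("idna")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc


def select_certificate(record, vhost_certs, default_cert):
    """What a name-based *:443 server does: pick the certificate from the SNI name; clients
    without SNI, or asking for an unknown name, get the default (first-loaded) virtual host."""
    name = extract_sni(record)
    return default_cert if name is None else vhost_certs.get(name.lower(), default_cert)


# Constructed virtual-host table (hostnames and paths are placeholders).
VHOST_CERTS = {
    "test1.example.com": "/etc/httpd/conf/test1.pem",
    "test2.example.com": "/etc/httpd/conf/test2.pem",
}
DEFAULT_CERT = "/etc/httpd/conf/ssl.crt"   # the certificate configured in ssl.conf

if __name__ == "__main__":
    for name in ("test1.example.com", "test2.example.com", "other.example.net", None):
        hello = build_client_hello(name)
        print(f"SNI={name!s:<20} -> {select_certificate(hello, VHOST_CERTS, DEFAULT_CERT)}")
```

The hello for test2.example.com yields test2.pem, while the hello without SNI yields the default certificate, which is why a non-SNI client gets a name-mismatch warning on every virtual host except the default one (mod_ssl can instead refuse such clients with SSLStrictSNIVHostCheck on). Against a live server the same behaviour can be observed with openssl s_client -connect host:443 -servername name, varying the name and comparing the certificate subject.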


Configuring mod gnutls for supporting multiple SSL virtualhosts

This is no longer required. mod_ssl handles multiple SSL virtual hosts with different certificates with the help of the SNI extension (see Working of HTTPS above); this section is kept for reference.

mod_gnutls allows us to have multiple HTTPS virtual hosts on the same physical server with a single IP address and multiple domain names. Without SNI every virtual host on that address shares one certificate, so it should be a wildcard certificate like the one for *.example.com, so that any hostname under example.com can be served with the same certificate.

Installing and configuring mod_gnutls on Cent-OS

  1. Install libgpg-error from ftp://ftp.gnupg.org/gcrypt/libgpg-error
  2. Compile and install libgcrypt from source. Take libgcrypt from ftp://ftp.gnupg.org/gcrypt/libgcrypt
  3. rm /usr/lib64/httpd/modules/*tls*
  4. cp /usr/lib64/libgnutls* /usr/lib64/httpd/modules/
  5. Configure and make mod_gnutls from http://linux.wareseeker.com/download/mod-gnutls-0.2.0.rar/319193. Do not run 'make install'
  6. cp src/.libs/libmod_gnutls.so /usr/lib64/httpd/modules/
  7. cp data/{rsa,dh}file /etc/httpd/conf (Very important step. Do not miss)
  8. cd /usr/lib64/httpd/modules/
  9. mv libmod_gnutls.so mod_gnutls.so
  10. Put LoadModule gnutls_module modules/mod_gnutls.so in /etc/httpd/conf/httpd.conf
  11. Put
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    in /etc/httpd/conf/httpd.conf
  12. mkdir -m 0700 /var/cache/mod_gnutls_cache
  13. chown apache:apache /var/cache/mod_gnutls_cache
  14. Put
    GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
    GnuTLSCacheTimeout 300
    in /etc/httpd/conf/httpd.conf
  15. Do the configuration in /etc/httpd/conf/httpd.conf for 443 virtual hosts like
    NameVirtualHost *:443
    <VirtualHost *:443>
    ServerAdmin a@b.com
    DocumentRoot /home/test1/html
    ServerName test1.barjatiya.com
    ErrorLog logs/test1.barjatiya.com-error_log
    CustomLog logs/test1.barjatiya.com-access_log common
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLCertificateFile /etc/httpd/conf/test1.pem
    </VirtualHost>
    The SSLEngine, SSLProtocol, SSLHonorCipherOrder, SSLCipherSuite and SSLCertificateFile directives belong to mod_ssl; mod_gnutls does not read them and uses its own GnuTLSEnable, GnuTLSCertificateFile and GnuTLSKeyFile directives, so when mod_ssl is not loaded the block has to be converted to those.
    A self-signed certificate for testing can be generated using openssl req -new -x509 -newkey rsa:2048 -sha256 -days 999 -nodes -out apache.pem -keyout apache.pem, which writes the certificate and the unencrypted private key into the same file; that file must be owned by root with mode 0600, and a CA-issued certificate is needed for browsers to trust the site.
    Do chown root:apache /etc/httpd/conf/httpd.conf and chmod 640 /etc/httpd/conf/httpd.conf so that normal users cannot read the httpd.conf file when using virtual hosting.
  16. Comment out the VirtualHost block in /etc/httpd/conf.d/ssl.conf


Refer:

  * https://www.mysterydata.com/how-to-get-a-score-rating-in-ssllabs-qualys/