DeveloperSide.NET Forums
Author Topic: Howto: create SSL Sites and Virtual Hosts
admin
« on: April 04, 2010, 08:17:48 PM »

Under Apache, an SSL site is a separate site from the regular (non-ssl) site and requires its own Virtual Host configuration (but it can share the DocumentRoot with the regular site).

To set up an SSL site (under our Suite), you'll need to create a "static" site container with a "static" virtual host configuration, and instead of using port 80 (http), you will use port 443 (https), plus a few extra directives in the VirtualHost block to set up the certificate handling.

Before we begin, there are two issues you have to understand:
A. SSL Virtual Hosts require you to have a dedicated IP address. This IP address cannot be shared with other SSL Virtual Hosts... With 1 IP address, you can run many non-ssl sites and (in addition) exactly 1 SSL site. Two IPs get you two SSL sites. And so on.

B. While you can use our "localhost" ssl certificates, or even create your own "self-signed" certificates for your host.domain.name, the browser will display a warning that you are entering a site with self-signed, and/or mismatched certificates. Your only solution to fix this is to purchase valid certificates.


1. Edit C:\www\Apache22\conf\extra\httpd-ssl.conf
 
Comment out line:
#<VirtualHost _default_:443>
 
And insert right after it:
<VirtualHost 127.0.0.1:443>
 
This way the "localhost" SSL VH will not pick up all the requests going to this system.
 
2. Create C:\www\Apache22\conf\extra\vhosts\_static\mydomain.com-ssl.conf

We will create an ssl Virtual Host for folder/site 'C:/www/vhosts/_static/mydomain.com' and bind it to the LAN IP of 192.168.1.100
 
Code:
<VirtualHost 192.168.1.100:443>
 
 # Same content as the non-SSL site; only the port and the SSL directives differ.
 DocumentRoot "C:/www/vhosts/_static/mydomain.com"
 ServerName mydomain.com:443
 ServerAlias www.mydomain.com:443
 
 # Apache will not create logs/mydomain.com/ for you (see step 3b below).
 ErrorLog logs/mydomain.com/error_ssl.log
 TransferLog logs/mydomain.com/access_ssl.log
 
 SSLEngine on
 # Apache 2.2 default cipher string; it still permits LOW and EXP(ort) grade ciphers.
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 # Paths are relative to ServerRoot; these are the Suite's self-signed localhost test certs.
 SSLCertificateFile conf/ssl.crt/server.crt
 SSLCertificateKeyFile conf/ssl.key/server.key
 
 # Forward slashes, as in DocumentRoot above (Apache recommends them on Windows).
 <Directory "C:/www/vhosts/_static/mydomain.com">
  Options All
  AllowOverride All
  order allow,deny
  Allow from all
 </Directory>
 
 # Expose SSL_* variables to scripts (only where needed; they cost a little per request).
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "C:/www/vhosts/_static/mydomain.com/cgi-bin">
     SSLOptions +StdEnvVars
 </Directory>
 
 # Workarounds for old MSIE SSL implementation bugs (from the stock httpd-ssl.conf).
 BrowserMatch ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
 
</VirtualHost>

3.
a) Replace the 192.168.1.100 above with your system's public IP address, the LAN IP address (access will only work on the LAN), or any IP address the system has other than 127.0.0.1 (the localhost SSL VH is taking this one).
b) Make sure folder C:\www\Apache22\logs\mydomain.com\ exists. Apache will not create this log folder for you and will throw an error on startup.
c) Make sure mydomain.com and www.mydomain.com resolve to the public IP address of your router or directly to 192.168.1.100 (or the IP you are using).
 
4. Restart Apache.
 
Note that when you go to the https:// URLs, since you are using the default SSL certificates that come with the Suite, you'll get a browser warning about having bad certs.
This is because inside the VH block above, we are referencing ssl certs:  SSLCertificateFile conf/ssl.crt/server.crt and SSLCertificateKeyFile conf/ssl.key/server.key which are just test certs that come with the Suite for localhost and are self-signed.
« Last Edit: April 04, 2010, 08:22:05 PM by admin »

DeveloperSide.NET
Advanced PHP and MySQL Solutions for your Web Design and Development needs with Web.Developer Server Suite.
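A pre-flight check for steps 3b and 4 above, added here as an example (it is not part of the original post and not part of the Suite): before Apache is restarted it confirms that the per-site log folder exists, that SSLCertificateFile and SSLCertificateKeyFile are the same key pair, and that the certificate's CN or a DNS SAN matches the ServerName, which is the "mismatched certificate" warning the post describes. It assumes a POSIX shell with the openssl command-line tool on PATH; the function names are mine, and the self-signed pair it builds under a temporary directory is a constructed stand-in for conf/ssl.crt/mydomain.crt and conf/ssl.key/mydomain.key.

```shell
#!/usr/bin/env bash
# Pre-flight check for an SSL VirtualHost (added example; not from the post or the Suite).
# Assumes a POSIX shell with the openssl command-line tool on PATH.

# RSA modulus of a certificate / private key (empty string if the file cannot be parsed).
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null || true; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null || true; }

# Host names the certificate is valid for: the subject CN plus any DNS SANs, one per line.
cert_names() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -noout -text -in "$1" 2>/dev/null \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
  return 0
}

# cert_covers CERT HOST -> 0 if HOST is one of the certificate's names (exact match only).
cert_covers() { cert_names "$1" | grep -qx "$2"; }

# preflight LOGDIR CERT KEY SERVERNAME -> 0 when Apache can start and browsers will not
# see a name mismatch; 1 otherwise, printing one FAIL line per problem found.
preflight() {
  local logdir="$1" cert="$2" key="$3" servername="$4" ok=0 cm km
  # 3b: Apache does not create the per-site log folder and refuses to start without it.
  if [ ! -d "$logdir" ]; then
    echo "FAIL: log folder $logdir does not exist"; ok=1
  fi
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "FAIL: $cert or $key is missing"; return 1
  fi
  # SSLCertificateFile and SSLCertificateKeyFile must belong to the same key pair.
  cm=$(cert_modulus "$cert"); km=$(key_modulus "$key")
  if [ -z "$cm" ] || [ "$cm" != "$km" ]; then
    echo "FAIL: $cert and $key are not a matching key pair"; ok=1
  fi
  # A CN/SAN that does not match ServerName is what triggers the browser's name warning.
  if ! cert_covers "$cert" "$servername"; then
    echo "FAIL: certificate names [$(cert_names "$cert" | tr '\n' ' ')] do not include $servername"; ok=1
  fi
  [ "$ok" -eq 0 ] && echo "OK: $servername can be served on port 443"
  return "$ok"
}

# Constructed fixture: a throw-away self-signed pair for www.mydomain.com under a temp
# directory, standing in for conf/ssl.crt/mydomain.crt and conf/ssl.key/mydomain.key.
make_fixture() {
  mkdir -p "$1/logs/mydomain.com" "$1/ssl.crt" "$1/ssl.key"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.mydomain.com" \
    -keyout "$1/ssl.key/mydomain.key" -out "$1/ssl.crt/mydomain.crt" 2>/dev/null
}

FIX=$(mktemp -d)
make_fixture "$FIX"
preflight "$FIX/logs/mydomain.com" "$FIX/ssl.crt/mydomain.crt" "$FIX/ssl.key/mydomain.key" www.mydomain.com
# The fixture certificate only names www.mydomain.com, so the bare ServerName fails the name check:
preflight "$FIX/logs/mydomain.com" "$FIX/ssl.crt/mydomain.crt" "$FIX/ssl.key/mydomain.key" mydomain.com || true
```

Run it against the real paths (the log folder from step 3b, the two files named in the VirtualHost block, and the ServerName) before each restart; a certificate that names only www.mydomain.com will be flagged for a ServerName of mydomain.com, which is exactly the case the ServerAlias line is meant to cover and a CA-issued certificate should list both names.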
admin
« Reply #1 on: April 04, 2010, 08:31:00 PM »

To create your own self-signed (unauthenticated) key-pair (public certificate, private key) for your host.domain.name, follow the instructions in this Guide:
http://www.devside.net/articles/ssl-key-pair
« Last Edit: April 30, 2010, 02:05:02 PM by admin »

admin
« Reply #2 on: April 04, 2010, 08:59:43 PM »

To create a certificate signing request to be signed by one of the certificate authorities:

The first step is to use OpenSSL to create a private key and a certificate signing request. This will be done from the command line...
Run 'cmd.exe' to bring up the command line. Within, type in:
 
Code:
C:
cd \www\openssl\bin\
openssl req -new -nodes -keyout mydomain.key -out mydomain.csr
 
The last line will generate two files: mydomain.key [the private key] and mydomain.csr [the certificate signing request].
 
This is the info you will be prompted for...
 
Take note that the most important field is the 'Common Name' which is the exact web address of your domain that visitors see... If it's 'www.website.com', input it as that and not as 'website.com'.
Also take note that when asked for 'A challenge password' and 'An optional company name', just leave that blank... and press enter.
 
 
Quote
Generating a 1024 bit RSA private key
writing new private key to 'mydomain.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
...
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:City Name
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:Company Name or Unit
Common Name (eg, YOUR name) []:www.website.com
Email Address []:admin@website.com
 
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Now you will need to send the contents of file C:\www\openssl\bin\mydomain.csr to whomever you are getting a certificate from. They will sign it and return the contents of what will become a file named mydomain.crt
 
Once you have received your certificate, we will need to place the key and crt files into the appropriate folders and update the configuration...
 
Enter folder C:\www\openssl\bin\ and move file mydomain.key out and into folder C:\www\Apache22\conf\
Ignore the two files that you have right now under sub-folders ssl.crt\ and ssl.key\ [the old Suite keys used by localhost -- keep them].
Place file mydomain.key into sub-folder ssl.key\
Create file mydomain.crt with the contents of the certificate you have received.
Place file mydomain.crt into sub-folder ssl.crt\
« Last Edit: April 04, 2010, 09:02:25 PM by admin »

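The same CSR step done non-interactively, as an added example that is not from the post above or from the Suite: the answers to the prompts are passed with -subj (using the placeholder values the post's prompt shows), the Common Name is the exact host visitors type (www.website.com), and the bare domain is added as a subjectAltName because browsers match names against the SAN list. It assumes openssl 1.1.1 or later on PATH (the -addext option needs that) and a 2048-bit key rather than the 1024-bit default in the post's prompt, since CAs no longer accept 1024-bit requests; the function names are mine. The checks afterwards confirm what a CA will look at: the CN, the SANs, and that the CSR really was produced from the key you are keeping.

```shell
#!/usr/bin/env bash
# Non-interactive CSR generation plus sanity checks (added example; not the post's commands).
# Assumes openssl >= 1.1.1 on PATH. The subject values are the placeholders from the post.

# make_csr OUTDIR HOST [EXTRA_SAN...] -> writes OUTDIR/mydomain.key and OUTDIR/mydomain.csr
make_csr() {
  local outdir="$1" host="$2"; shift 2
  local san="DNS:$host" extra
  for extra in "$@"; do san="$san,DNS:$extra"; done
  mkdir -p "$outdir"
  # -nodes: no passphrase on the key (Apache on Win32 cannot prompt for one at startup)
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/C=US/ST=Your State/L=City Name/O=Company Name/CN=$host" \
    -addext "subjectAltName=$san" \
    -keyout "$outdir/mydomain.key" -out "$outdir/mydomain.csr" 2>/dev/null
}

# csr_cn FILE -> the Common Name inside the CSR
csr_cn() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_sans FILE -> DNS subjectAltNames requested by the CSR, one per line
csr_sans() {
  openssl req -noout -text -in "$1" 2>/dev/null | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
  return 0
}

# csr_matches_key CSR KEY -> 0 if the CSR was produced from KEY, so the certificate the
# CA returns will pair with the key you are about to place under conf/ssl.key/
csr_matches_key() {
  local a b
  a=$(openssl req -noout -modulus -in "$1" 2>/dev/null || true)
  b=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# csr_verify FILE -> 0 if the CSR's self-signature verifies (catches a truncated or edited file)
csr_verify() { openssl req -noout -verify -in "$1" >/dev/null 2>&1; }

OUT=$(mktemp -d)
make_csr "$OUT" www.website.com website.com
echo "CN:   $(csr_cn "$OUT/mydomain.csr")"
echo "SANs: $(csr_sans "$OUT/mydomain.csr" | tr '\n' ' ')"
csr_verify "$OUT/mydomain.csr" && csr_matches_key "$OUT/mydomain.csr" "$OUT/mydomain.key" \
  && echo "CSR verifies and matches the key; send $OUT/mydomain.csr to the CA"
```

Only the .csr file leaves the machine; the .key stays where it was generated, and csr_matches_key is the check to repeat against the returned mydomain.crt (with openssl x509 -noout -modulus) before updating the configuration.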
admin
« Reply #3 on: April 27, 2010, 05:40:07 PM »

When a certificate is purchased from one of the CAs (certificate authorities: verisign, comodo, godaddy, etc) make sure that you choose to get a private key that is not passphrase encrypted. Otherwise the Apache Service will not be able to start and will log the below entry into the error.log file.

Quote
[error] Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/www/Apache22/conf/ssl.key/domain.tld.key)

To remove the passphrase from your private key manually (it does not do anything but get in the way): Run cmd.exe, change to the certificate key folder, and use the openssl binary to remove the passphrase...

Code:
c:
cd \www\Apache22\conf\ssl.key
openssl rsa -in domain.tld.key -out domain.tld.nopass.key

This will remove the passphrase from the private key named domain.tld.key and store the passphrase-less key in the file domain.tld.nopass.key.

Update the configuration line to reflect the new key file. Restart Apache.
« Last Edit: April 27, 2010, 05:44:33 PM by admin »

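The passphrase removal above, wrapped in the checks a practitioner wants around it, as an added example (the single openssl rsa command is the post's; the detection, verification and the fixture around it are not from the post or the Suite): it detects whether a PEM key is passphrase-protected (both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form), reproduces the condition Apache on Win32 hits by trying to open the key with no passphrase, and after rewriting it confirms the new file carries the same RSA modulus so the existing certificate still pairs with it. It assumes a POSIX shell with openssl on PATH; the encrypted key it generates with the constructed passphrase "secret" stands in for the CA-issued domain.tld.key, and the function names are mine.

```shell
#!/usr/bin/env bash
# Detect and strip a private-key passphrase for the Apache service (added example).
# Assumes a POSIX shell with openssl on PATH. The fixture key and passphrase are constructed.

# key_is_encrypted FILE -> 0 if the PEM key is passphrase-protected. Matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" marker.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# apache_can_load_key FILE -> 0 if the key opens with no passphrase at all, which is the
# only way the Win32 service can load it (no SSLPassPhraseDialog on that platform).
apache_can_load_key() { openssl rsa -noout -in "$1" -passin pass: >/dev/null 2>&1; }

# strip_passphrase IN OUT PASSPHRASE -> writes an unencrypted copy of IN to OUT and checks
# that OUT has the same RSA modulus as IN, so the already-issued certificate still matches.
strip_passphrase() {
  local in="$1" out="$2" pass="$3" before after
  if ! key_is_encrypted "$in"; then
    echo "$in has no passphrase; nothing to do"; return 0
  fi
  # The post's command, with the passphrase supplied on the command line instead of a prompt.
  openssl rsa -in "$in" -passin "pass:$pass" -out "$out" 2>/dev/null || {
    echo "wrong passphrase or unreadable key: $in"; return 1; }
  # The plain key is now protected only by file permissions (on Windows, by the NTFS ACL).
  chmod 600 "$out"
  before=$(openssl rsa -noout -modulus -in "$in"  -passin "pass:$pass" 2>/dev/null || true)
  after=$(openssl rsa -noout -modulus -in "$out" 2>/dev/null || true)
  if [ -z "$before" ] || [ "$before" != "$after" ]; then
    echo "modulus mismatch after rewrite; do not deploy $out"; return 1
  fi
  echo "wrote passphrase-less key $out (same modulus as $in)"
}

# Constructed fixture: an AES-256 encrypted RSA key with passphrase "secret", standing in
# for the domain.tld.key a CA delivered with a passphrase on it.
WORK=$(mktemp -d)
openssl genrsa -aes256 -passout pass:secret -out "$WORK/domain.tld.key" 2048 2>/dev/null

key_is_encrypted "$WORK/domain.tld.key" && echo "domain.tld.key is passphrase-protected"
apache_can_load_key "$WORK/domain.tld.key" || echo "Apache on Win32 would fail to start with this key"
strip_passphrase "$WORK/domain.tld.key" "$WORK/domain.tld.nopass.key" secret
apache_can_load_key "$WORK/domain.tld.nopass.key" && echo "domain.tld.nopass.key loads without a dialog"
```

The apache_can_load_key check is the quick way to tell, before restarting the service, whether the "SSLPassPhraseDialog builtin is not supported on Win32" entry quoted above is about to appear in error.log.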