Ariejan de Vroom – 8 March 2010
Some things need to be secure. Login and registration pages are often among them. This guide will show you how to quickly set up an SSL site with a self-signed certificate and an automatic HTTP-to-HTTPS redirect. This is ideal for setting up staging environments.
I’ll assume you have a standard Debian system with the apache2 package installed and ready.
The first step is to generate a key. You must choose a passphrase here. We’ll remove that later on for easier Apache2 restarts.
openssl genrsa -des3 -out server.key 4096
Next, you need to generate a Certificate Signing Request (CSR). Some things to consider:
- Enter the Fully Qualified Domain Name in the Common Name field. For this blog that’d be ‘blog.kabisa.nl’.
- There’s no need to set a challenge password.
openssl req -new -key server.key -out server.csr
Next, sign the request with your key.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Then, create an insecure version of your key. This will remove the passphrase. If you don’t do this, Apache will ask for the passphrase when it loads the key.
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
A good place to keep your key and certificate is /etc/apache2/ssl. Make sure you chmod 600 it for the root user.
Okay, set up your VirtualHosts. This example is for a Passenger-powered example app.
<VirtualHost *:80>
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin firstname.lastname@example.org
  ServerName example.com

  # SSL Engine Switch
  SSLEngine on

  # SSL Cipher Suite:
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  # Server Certificate
  SSLCertificateFile /etc/apache2/ssl/server.crt

  # Server Private Key
  SSLCertificateKeyFile /etc/apache2/ssl/server.key

  # Set header to identify https requests for Mongrel
  RequestHeader set X-Forwarded-Proto "https"

  BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  DocumentRoot /var/rails/example/current/public
  <Directory "/var/rails/example/current/public">
    AllowOverride all
    Allow from all
    Options -MultiViews
  </Directory>
</VirtualHost>
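
The SSLCipherSuite string in the VirtualHost above still lets clients negotiate LOW, SSLv2 and 40-bit export ciphers wherever the OpenSSL build provides them. The block below is an added example, not part of the original post, showing that setting beside a stricter one for the same `*:443` host. It assumes Apache 2.4 with mod_ssl built against OpenSSL 1.0.1 or later, and reuses the post's certificate paths.

```apache
<VirtualHost *:443>
  ServerName example.com
  SSLEngine on

  # Before (the post's setting, kept here only for comparison).
  # "ALL" selects every cipher except eNULL. A leading "+" does not add
  # anything: it only moves ciphers that are already selected to the end of
  # the preference list. So LOW, SSLv2 and EXP stay negotiable, and the only
  # classes actually removed are ADH and EXPORT56 (the "!" terms).
  # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  # After: restrict the protocol versions first, so legacy protocol
  # ciphers cannot be negotiated regardless of the cipher string.
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

  # Start from HIGH only and remove weak classes with "!", which deletes
  # them permanently (they cannot be re-added by a later term).
  SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES

  # Use the server's preference order instead of the client's.
  SSLHonorCipherOrder on

  # TLS-level compression is not needed for a web app; keep it off.
  SSLCompression off

  SSLCertificateFile    /etc/apache2/ssl/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
```

Run `apache2ctl configtest` after editing to catch directive errors before the restart.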
There is a file named /etc/apache2/ports.conf that configures which ports Apache listens on. Make it look like this:
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
  NameVirtualHost *:443
  Listen 443
</IfModule>
All set. Now restart apache2 and you should be good to go.