Ariejan de Vroom – 8 March 2010
352 words in about 2 minutes

Some things need to be secure. Login and registration pages are often among them. This guide will show you how to quickly set up an SSL site with a self-signed certificate and an automatic HTTP-to-HTTPS redirect. This is ideal for setting up staging environments. I’ll assume you have a standard Debian system with the apache2 package installed and ready. The first step is to generate a key. You must choose a passphrase here. We’ll remove that later on for easier Apache2 restarts.

openssl genrsa -des3 -out server.key 4096

Next, you need to generate a Certificate Signing Request, or CSR. Some things to consider:

openssl req -new -key server.key -out server.csr

Next, sign the request with your key.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Then, create an insecure version of your key. This removes the passphrase. If you don’t do this, Apache will ask for the passphrase every time it loads the key.

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
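The four openssl steps above, collected into one non-interactive script as an added example (this is not code from the original post). It feeds the passphrase and certificate subject on the command line instead of at the prompts, keeps the encrypted copy of the key next to the stripped one exactly as the post does, and then checks two things Apache will otherwise complain about at start-up: that the certificate's public key really belongs to the unencrypted key, and that the key file is readable by its owner only. The directory, passphrase and subject are placeholder values for this example; the post puts the files in /etc/apache2/ssl.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes the openssl command-line tool is installed. SSL_DIR, KEY_PASS and
# SUBJECT are placeholders for this example; override them from the environment.
set -eu

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"           # the post uses /etc/apache2/ssl
KEY_PASS="${KEY_PASS:-temporary-passphrase}"  # only needed until the last step
SUBJECT="${SUBJECT:-/C=NL/O=Example/CN=example.com}"

make_selfsigned() {
  # Every file created below gets mode 600, so no later chmod is needed.
  umask 077

  # 1. passphrase-protected 4096-bit RSA key (openssl genrsa -des3 ... in the post)
  openssl genrsa -des3 -passout "pass:$KEY_PASS" \
    -out "$SSL_DIR/server.key" 4096 2>/dev/null

  # 2. certificate signing request; -subj replaces the interactive questions
  openssl req -new -key "$SSL_DIR/server.key" -passin "pass:$KEY_PASS" \
    -subj "$SUBJECT" -out "$SSL_DIR/server.csr"

  # 3. self-sign the request with the same key, valid for one year
  openssl x509 -req -days 365 -in "$SSL_DIR/server.csr" \
    -signkey "$SSL_DIR/server.key" -passin "pass:$KEY_PASS" \
    -out "$SSL_DIR/server.crt" 2>/dev/null

  # 4. strip the passphrase so Apache can load the key unattended,
  #    keeping the encrypted original as server.key.secure
  openssl rsa -in "$SSL_DIR/server.key" -passin "pass:$KEY_PASS" \
    -out "$SSL_DIR/server.key.insecure" 2>/dev/null
  mv "$SSL_DIR/server.key" "$SSL_DIR/server.key.secure"
  mv "$SSL_DIR/server.key.insecure" "$SSL_DIR/server.key"
}

# Returns 0 when the certificate and the unencrypted key share the same RSA
# modulus, i.e. they are a matching pair and mod_ssl will accept them.
check_pair() {
  cert_mod=$(openssl x509 -noout -modulus -in "$SSL_DIR/server.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$SSL_DIR/server.key" 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Returns 0 when the unencrypted key is mode 600 (owner read/write only).
check_perms() {
  mode=$(stat -c '%a' "$SSL_DIR/server.key" 2>/dev/null \
    || stat -f '%Lp' "$SSL_DIR/server.key")
  [ "$mode" = "600" ]
}

make_selfsigned
check_pair && check_perms && echo "matching key/certificate pair in $SSL_DIR"
```

Run it as root with SSL_DIR=/etc/apache2/ssl to land the files where the VirtualHost below expects them; because the umask is set before the key is written, the unencrypted server.key is never world-readable, not even briefly.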

A good place to keep your key and certificate is /etc/apache2/ssl. Make sure the files are chmod 600 and owned by root. Okay, set up your VirtualHosts. This example is for a Passenger-powered example app.

<VirtualHost *:80>
  ServerName example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin support@example.com
  ServerName example.com

  # SSL Engine Switch
  SSLEngine on

  # SSL Cipher Suite: this is the Apache default of the day; note that it still
  # allows +LOW, +EXP and +eNULL, so tighten it for anything beyond staging
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  # Server Certificate
  SSLCertificateFile /etc/apache2/ssl/server.crt

  # Server Private Key (the passphrase-less copy)
  SSLCertificateKeyFile /etc/apache2/ssl/server.key

  # Set header to identify https requests for Mongrel
  RequestHeader set X-Forwarded-Proto "https"

  # One directive; Apache does not allow a directive to span lines
  BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  DocumentRoot /var/rails/example/current/public
  <Directory "/var/rails/example/current/public">
    AllowOverride all
    # Apache 2.2 syntax; on 2.4 this becomes "Require all granted"
    Allow from all
    Options -MultiViews
  </Directory>
</VirtualHost>

There is a file named /etc/apache2/ports.conf that configures which ports Apache listens on. Make it look like this:

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

All set. Now restart apache2 and you should be good to go.

Ariejan de Vroom

Software Engineer • CodeRetreat Facilitator • Ruby, Go and C Programmer • Electronics Apprentice