Apache & SSL
By Brian Leonard on Jan 28, 2011
I was recently asked about how to set up SSL on Apache. Here are the steps I took to do it.
Setting Up Apache
bleonard@solaris:~$ sudo pkg install apache-22
           Packages to install:     4
       Create boot environment:    No
            Services to restart:     1
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  4/4     902/902      4.5/4.5

PHASE                                        ACTIONS
Install Phase                              1145/1145

PHASE                                          ITEMS
Package State Update Phase                       4/4
Image State Update Phase                         2/2
Install the Apache Visual Panel
The Apache visual panel is a management interface for Apache.
bleonard@solaris:~$ sudo pkg install panel-apache
           Packages to install:     5
       Create boot environment:    No
            Services to restart:     2
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  5/5     433/433    14.1/14.1

PHASE                                        ACTIONS
Install Phase                                638/638

PHASE                                          ITEMS
Package State Update Phase                       5/5
Image State Update Phase                         2/2
There's a bug that prevents the visual panel from restarting until the desktop is restarted:
bleonard@solaris:~$ sudo svcadm restart gdm
You can then successfully start the visual panel from the System > Administration > Apache Web Server menu.
Select "Enable the Apache web server" and click Apply:
And then select the root role:
Wait while the instance transitions to online. And you're up and running:
Getting a Certificate
The key piece needed for secure communication is a certificate. Ideally this certificate would be signed by a certificate authority, such as VeriSign, GoDaddy or Comodo. However, for the purposes of this example, and because I'm not actually setting up a public-facing server whose identity an authority could verify, we'll be using a self-signed certificate.
O'Reilly has a good article on Configuring SSL Under Apache, which includes a nice explanation of using openssl to create a self-signed certificate, as well as the steps necessary to get your certificate signed. I won't repeat that information here, other than the steps I took to create the self-signed certificate:
oracle@solaris:~$ openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Oracle/OU=Solaris/CN=10.0.2.15'
Generating a 1024 bit RSA private key
............++++++
.++++++
writing new private key to 'server.key'
-----
Return to the Apache visual panel. Highlight the localhost virtual host and select clone. When prompted, set the domain to securelocalhost:
On the General tab select "Enable this virtual host" and then switch to the SSL tab. Enable SSL, set the IP address and select the certificate and key that were just created:
Then select Apply and wait while the server is restarted.
Try an https connection to your configured IP address. You'll be presented with a fairly scary "This Connection is Untrusted" page:
Under the Technical Details you'll see that the certificate is untrusted because it's self-signed, which we've already addressed.
Select Add Exception and you'll be presented with another dialog to add a security exception:
Select Confirm Security Exception and you'll be securely browsing:
Beyond the Apache Visual Panel
You can disable/enable/restart apache through its SMF interface:
bleonard@solaris:~$ sudo svcadm disable apache2
The apache2 SMF service writes its configuration information out to /etc/vpanels/httpd.conf for Apache to read on startup. You can see the changes that were made by the addition of another virtual host:
Listen 10.0.2.15:443
<VirtualHost 10.0.2.15:443>
    SSLEngine on
    SSLCertificateFile /export/home/bleonard/server.crt
    SSLCertificateKeyFile /export/home/bleonard/server.key
    DocumentRoot /var/apache2/2.2/htdocs
    <Directory "/var/apache2/2.2/htdocs" >
        Options Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ServerName securelocalhost
</VirtualHost>
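The block above can also be checked mechanically before the service is exposed. What follows is an added example, not code from the post or from the Solaris visual panel: a small Python parser for the httpd.conf section syntax and an audit that flags what a reviewer would question in that vhost (no SSLProtocol or SSLCipherSuite set, so the compiled-in defaults apply, and Indexes, Includes and ExecCGI enabled on the document root). SAMPLE_CONF is a constructed copy of the block above trimmed to the lines the audit reads; the names parse and audit are chosen here.

```python
import re

# Constructed sample: the SSL <VirtualHost> the visual panel wrote, trimmed to the lines the audit reads.
SAMPLE_CONF = """\
Listen 10.0.2.15:443
<VirtualHost 10.0.2.15:443>
SSLEngine on
SSLCertificateFile /export/home/bleonard/server.crt
SSLCertificateKeyFile /export/home/bleonard/server.key
<Directory "/var/apache2/2.2/htdocs" >
Options Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
</Directory>
</VirtualHost>
"""
SECTION_OPEN = re.compile(r'<(\w+)\s+"?([^">]*?)"?\s*>$')  # <Tag arg> or <Tag "arg" >

def parse(text):
    """Build a tree of {'directives': {name: [args...]}, 'sections': [(tag, arg, node)]}."""
    stack = [{"directives": {}, "sections": []}]  # stack[-1] is the innermost open section
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                      # closing tag: leave the section
            stack.pop()
        elif (m := SECTION_OPEN.match(line)):          # opening tag: enter a new section
            node = {"directives": {}, "sections": []}
            stack[-1]["sections"].append((m.group(1), m.group(2), node))
            stack.append(node)
        else:                                          # plain directive: name then arguments
            name, _, args = line.partition(" ")
            stack[-1]["directives"].setdefault(name, []).append(args.split())
    return stack[0]

def audit(conf):
    """Per SSL vhost: missing Listen, missing cert/key/protocol/cipher settings, risky Options."""
    out, listens = [], {a[0] for a in conf["directives"].get("Listen", [])}
    for tag, addr, vh in (s for s in conf["sections"] if s[0] == "VirtualHost"):
        d = vh["directives"]
        if addr not in listens:
            out.append(f"{addr}: no Listen directive for this address")
        if d.get("SSLEngine", [["off"]])[0][0].lower() == "on":
            for req in ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLProtocol", "SSLCipherSuite"):
                if req not in d:
                    out.append(f"{addr}: SSLEngine on but {req} not set")
        for stag, path, sec in vh["sections"]:
            opts = {o for args in sec["directives"].get("Options", []) for o in args}
            for risky in ("Indexes", "Includes", "ExecCGI"):
                if stag == "Directory" and risky in opts:
                    out.append(f"{addr} {path}: Options {risky} enabled")
    return out
```

Run against SAMPLE_CONF the audit reports five findings: the two unset SSL directives and the three risky Options on /var/apache2/2.2/htdocs.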
It's important to note the differences between using the Apache visual panel GUI and the default Apache command line interface. The Apache visual panel stores all of Apache's configuration information in the SMF repository and writes out the httpd.conf configuration file each time the service is started, so you can't usefully edit that httpd.conf directly; your changes would be overwritten. The default Apache SMF service, apache22, reads Apache's configuration information from the configuration file at /etc/apache2/2.2/httpd.conf. So there are two important considerations here:
- Don't attempt to start Apache using both SMF interfaces, apache22 (default) and apache2 (visual panel), as it will just create a conflict.
- If you're looking to customize Apache beyond what the visual panel interface allows, I would recommend going with the default interface, apache22, and customizing /etc/apache2/2.2/httpd.conf.