Apache & SSL

I was recently asked about how to set up SSL on Apache. Here are the steps I took to do it.

Setting Up Apache

Install Apache

bleonard@solaris:~$ sudo pkg install apache-22
               Packages to install:     4
           Create boot environment:    No
               Services to restart:     1
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  4/4     902/902      4.5/4.5

PHASE                                        ACTIONS
Install Phase                              1145/1145 

PHASE                                          ITEMS
Package State Update Phase                       4/4 
Image State Update Phase                         2/2 

Install the Apache Visual Panel

The Apache visual panel is a management interface for Apache.

bleonard@solaris:~$ sudo pkg install panel-apache
               Packages to install:     5
           Create boot environment:    No
               Services to restart:     2
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  5/5     433/433    14.1/14.1

PHASE                                        ACTIONS
Install Phase                                638/638 

PHASE                                          ITEMS
Package State Update Phase                       5/5 
Image State Update Phase                         2/2 

There's a bug that prevents the visual panel from restarting until the desktop is restarted:
bleonard@solaris:~$ sudo svcadm restart gdm

You can then successfully start the visual panel from the System > Administration > Apache Web Server menu.

Start Apache

Select "Enable the Apache web server" and click Apply:

You'll be prompted to authenticate yourself. Enter your Username:

And then select the root role:

Wait while the instance transitions to online. And you're up and running:

Configuring SSL

Getting a Certificate

The key piece needed for secure communication is a certificate. Ideally this certificate would be signed by an authority, such as VeriSign, GoDaddy or Comodo. However, for the purposes of this example, and the fact that I'm not actually setting up a public facing server that can be verified by an authority, we'll be using a self-signed certificate.

O'Reilly has a good article on Configuring SSL Under Apache, which includes a nice explanation of using openssl for creating a self-signed certificate. As well as the steps necessary to get your certificate signed. I won't bother repeating that information here, other than the steps I took to create the self-signed certificate:

oracle@solaris:~$ openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Oracle/OU=Solaris/CN='
Generating a 1024 bit RSA private key
writing new private key to 'server.key'

Configure SSL

Return to the Apache visual panel. Highlight the localhost virtual host and select clone. When prompted, set the domain to securelocalhost:

On the General tab select "Enable this virtual host" and then switch to the SSL tab. Enable SSL, set the IP address and select the certificate and key that were just created:

The select Apply and wait while the server is restarted.

Browse Securely

Try an https connection to your configured IP address. You'll be presented with a fairly scary "This Connection is Untrusted" page:

Under the Technical Details you'll see that the certificate is untrusted because it's self-signed, which we've already addressed.

Select Add Exception and you'll be presented with another dialog to add a security exception:

Select Confirm Security Exception and you'll be securely browsing:

Beyond the Apache Visual Panel

You can disable/enable/restart apache through its SMF interface:

bleonard@solaris:~$ sudo svcadm disable apache2

The apache2 SMF service writes its configuration information out to /etc/vpanels/httpd.conf for Apache to read on startup. You can see the changes that were made by the addition of another virtual host:

SSLEngine on
SSLCertificateFile   /export/home/bleonard/server.crt
SSLCertificateKeyFile   /export/home/bleonard/server.key
DocumentRoot  /var/apache2/2.2/htdocs
<Directory  "/var/apache2/2.2/htdocs" >
Options Indexes Includes FollowSymLinks  SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride None
Order allow,deny
Allow from all
ServerName   securelocalhost

It's important to note the differences between using the Apache visual panel GUI and the default Apache command line interface. The Apache visual panel stores all of Apache's configuration information in the SMF repository and writes out the httpd.conf configuration file when the service is started, so you can directly edit httpd.conf. The default Apache SMF service, apache22, reads Apache's configuration information from the configuration file at  /etc/apache2/2.2/httpd.conf. So there are two important considerations here:

  1. Don't attempt to start Apache using both SMF interfaces, apache22 (default) and apache2 (visual panel), as it will just create a conflict.
  2. If you're looking to customize Apache beyond what the visual panel interface allows, I would recommend going with the default interface, apache22, and customizing /etc/apache2/2.2/httpd.conf.

Can you verify that pgsql support has been removed from Apache/PHP in Solaris 11 Express?

Posted by Aaron on June 03, 2011 at 08:34 AM GMT #

Hi Aaron, yes, all the PostgreSQL packages have been obsoleted (removed).

Posted by W Brian Leonard on June 14, 2011 at 10:55 AM GMT #

Post a Comment:
  • HTML Syntax: NOT allowed

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.


« July 2016