News, tips, partners, and perspectives for the Oracle Solaris operating system

Apache & SSL

Guest Author

I was recently asked about how to set up SSL on Apache. Here are the steps I took to do it.

Setting Up Apache

Install Apache

bleonard@solaris:~$ sudo pkg install apache-22
Packages to install: 4
Create boot environment: No
Services to restart: 1
DOWNLOAD     PKGS    FILES      XFER (MB)
Completed    4/4     902/902    4.5/4.5
PHASE            ACTIONS
Install Phase    1145/1145
PHASE                         ITEMS
Package State Update Phase    4/4
Image State Update Phase      2/2

Install the Apache Visual Panel

The Apache visual panel is a management interface for Apache.

bleonard@solaris:~$ sudo pkg install panel-apache
Packages to install: 5
Create boot environment: No
Services to restart: 2
DOWNLOAD     PKGS    FILES      XFER (MB)
Completed    5/5     433/433    14.1/14.1
PHASE            ACTIONS
Install Phase    638/638
PHASE                         ITEMS
Package State Update Phase    5/5
Image State Update Phase      2/2

There's a bug that prevents the visual panel from restarting until the desktop is restarted:

bleonard@solaris:~$ sudo svcadm restart gdm

You can then successfully start the visual panel from the System > Administration > Apache Web Server menu.

Start Apache

Select "Enable the Apache web server" and click Apply:

You'll be prompted to authenticate yourself. Enter your Username:


And then select the root role:

Wait while the instance transitions to online. And you're up and running:

Configuring SSL

Getting a Certificate

The key piece needed for secure communication is a certificate. Ideally this certificate would be signed by an authority, such as VeriSign, GoDaddy or Comodo. However, for the purposes of this example, and because I'm not actually setting up a public-facing server that can be verified by an authority, we'll be using a self-signed certificate.

O'Reilly has a good article on Configuring SSL Under Apache, which includes a nice explanation of using openssl to create a self-signed certificate, as well as the steps necessary to get your certificate signed. I won't repeat that information here, other than the steps I took to create the self-signed certificate:

oracle@solaris:~$ openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Oracle/OU=Solaris/CN=10.0.2.15'
Generating a 1024 bit RSA private key
............++++++
.++++++
writing new private key to 'server.key'
-----
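
The command above produces a 1024-bit RSA key signed with SHA-1, parameters that current browsers and TLS libraries no longer accept. As an added example (not part of the original post), the script below issues the same self-signed certificate with a 2048-bit key and SHA-256 and then audits the result. The function names make_cert and audit_cert are made up here, and it assumes an openssl binary (1.0 or later) on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post. make_cert and audit_cert are
# hypothetical helper names; requires the openssl command-line tool.

# make_cert DIR CN: write DIR/server.key and DIR/server.crt
make_cert() {
    (
        umask 077   # -nodes leaves the key unencrypted, so keep it owner-only
        openssl req -new -x509 -days 365 -sha256 -newkey rsa:2048 -nodes \
            -keyout "$1/server.key" -out "$1/server.crt" \
            -subj "/O=Oracle/OU=Solaris/CN=$2" 2>/dev/null
    )
}

# audit_cert CRT KEY: print one finding per line; no output means no findings
audit_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || echo "WEAK-KEY ${bits:-unknown} bit"
    case $sig in
        sha1*|md5*|md2*) echo "WEAK-HASH $sig" ;;
    esac
    # The certificate and the private key must carry the same public key.
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ] || echo "KEY-MISMATCH"
    # An unencrypted key readable by everyone can be copied by any local user.
    [ -z "$(find "$2" -perm -004)" ] || echo "KEY-WORLD-READABLE"
}

# Demo in a throwaway directory (constructed data, CN taken from the article).
demo_dir=$(mktemp -d)
make_cert "$demo_dir" 10.0.2.15 && audit_cert "$demo_dir/server.crt" "$demo_dir/server.key"
rm -rf "$demo_dir"
```

Running audit_cert against the server.crt and server.key created by the original command reports both WEAK-KEY and WEAK-HASH.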

Configure SSL

Return to the Apache visual panel. Highlight the localhost virtual host and select clone. When prompted, set the domain to securelocalhost:

On the General tab select "Enable this virtual host" and then switch to the SSL tab. Enable SSL, set the IP address and select the certificate and key that were just created:

Then select Apply and wait while the server is restarted.

Browse Securely

Try an https connection to your configured IP address. You'll be presented with a fairly scary "This Connection is Untrusted" page:

Under the Technical Details you'll see that the certificate is untrusted because it's self-signed, which we've already addressed.

Select Add Exception and you'll be presented with another dialog to add a security exception:


Select Confirm Security Exception and you'll be securely browsing:

Beyond the Apache Visual Panel

You can disable/enable/restart Apache through its SMF interface:

bleonard@solaris:~$ sudo svcadm disable apache2

The apache2 SMF service writes its configuration information out to /etc/vpanels/httpd.conf for Apache to read on startup. You can see the changes that were made by the addition of another virtual host:

Listen   10.0.2.15:443
<VirtualHost 10.0.2.15:443>
SSLEngine on
SSLCertificateFile /export/home/bleonard/server.crt
SSLCertificateKeyFile /export/home/bleonard/server.key
DocumentRoot /var/apache2/2.2/htdocs
<Directory "/var/apache2/2.2/htdocs" >
Options Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ServerName securelocalhost
</VirtualHost>

It's important to note the differences between using the Apache visual panel GUI and the default Apache command line interface. The Apache visual panel stores all of Apache's configuration information in the SMF repository and writes out the httpd.conf configuration file when the service is started, so you can directly edit httpd.conf. The default Apache SMF service, apache22, reads Apache's configuration information from the configuration file at /etc/apache2/2.2/httpd.conf. So there are two important considerations here:

  1. Don't attempt to start Apache using both SMF interfaces, apache22 (default) and apache2 (visual panel), as it will just create a conflict.
  2. If you're looking to customize Apache beyond what the visual panel interface allows, I would recommend going with the default interface, apache22, and customizing /etc/apache2/2.2/httpd.conf.
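
Whichever interface writes the file, the virtual host shown above carries settings worth reviewing before it faces real traffic. The following audit is an added example, not part of the original post or of the visual panel: audit_vhost and sample_conf are hypothetical names, the sample input is the article's own block, and the rule set (private key under a home directory, Indexes or ExecCGI enabled, no explicit SSLProtocol or SSLCipherSuite) is this example's choice.

```shell
#!/bin/sh
# Added example, not from the original post; audit_vhost, sample_conf and the
# rule set are this example's own (hypothetical) choices.

# audit_vhost: read an httpd.conf on stdin, print one finding per line
audit_vhost() {
    awk '
    { d = tolower($1) }   # directive names are case-insensitive
    d == "<virtualhost" { in_vh = 1; ssl = proto = cipher = 0
                          name = $2; sub(/>$/, "", name) }
    !in_vh { next }
    d == "sslengine" && tolower($2) == "on" { ssl = 1 }
    d == "sslprotocol"    { proto = 1 }
    d == "sslciphersuite" { cipher = 1 }
    # a private key under a home directory is exposed to that account
    d == "sslcertificatekeyfile" && $2 ~ /^(\/export)?\/home\// {
        print name ": KEY-IN-HOME " $2 }
    # directory listings and CGI execution widen what the TLS site serves
    d == "options" {
        for (i = 2; i <= NF; i++)
            if (tolower($i) ~ /^\+?(indexes|execcgi)$/) print name ": OPTION " $i }
    d == "</virtualhost>" {
        # without these directives mod_ssl uses its built-in defaults
        if (ssl && !proto)  print name ": NO-SSLPROTOCOL"
        if (ssl && !cipher) print name ": NO-SSLCIPHERSUITE"
        in_vh = 0 }
    '
}

# sample_conf: the virtual host from the article, used as sample input
sample_conf() {
    cat <<'EOF'
Listen   10.0.2.15:443
<VirtualHost 10.0.2.15:443>
SSLEngine on
SSLCertificateFile /export/home/bleonard/server.crt
SSLCertificateKeyFile /export/home/bleonard/server.key
DocumentRoot /var/apache2/2.2/htdocs
<Directory "/var/apache2/2.2/htdocs" >
Options Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ServerName securelocalhost
</VirtualHost>
EOF
}
sample_conf | audit_vhost
```

To audit a live file instead of the sample, run audit_vhost < /etc/vpanels/httpd.conf or point it at /etc/apache2/2.2/httpd.conf.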

Join the discussion

Comments ( 2 )
  • Aaron Friday, June 3, 2011
    Can you verify that pgsql support has been removed from Apache/PHP in Solaris 11 Express?
  • W Brian Leonard Tuesday, June 14, 2011
    Hi Aaron, yes, all the PostgreSQL packages have been obsoleted (removed).

