[lug] apache ssl in rh7.1

D. Stimits stimits at idcomm.com
Wed Apr 25 09:26:56 MDT 2001


charles at lunarmedia.net wrote:
> 
> I just recently installed rh7.1 on a machine and found that when I start
> up apache, it doesn't appear to be listening on 443 by default. It seems
> like the ssl statements are in the config, however no ssl files are
> located in the /etc/httpd/ directory.
> With 7.1 is there something else that needs to be done to enable ssl?
> 
> thanks-

I haven't set this up in a while, but I think there is some stuff that
needs to be changed in /etc/httpd/conf/httpd.conf. I'll assume you have
ssl ability compiled in (my RH 7.1 beta had it). The files that should
exist are the actual conf file I mentioned above, plus there should be
subdirectories to /etc/httpd/conf/ as follows:
ssl.crl
ssl.crt
ssl.csr
ssl.key
ssl.prm

Some of those will contain the snakeoil sample certificates or keys.

For httpd.conf, the module has to be loaded:
LoadModule ssl_module  modules/libssl.so
(this is wrapped in conditionals for IfDefine; the libssl.so itself
should exist, I have copies in /usr/lib/ as well as /usr/lib/apache/)

There is also a conditional for IfDefine that does:
AddModule mod_ssl.c
(I think ssl can also be compiled in and does not necessarily have to be
a module, but seems to be for RH 7.1 beta)

The real config is wrapped similar to this, in which you might need to
uncomment some items (some of these also have options and don't have
to be exactly this):

<IfDefine HAVE_SSL>
Listen 443

<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
<Files ~ "\.(cgi|shtml)$">
   SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
   SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/httpd/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

</IfDefine>

There is also some new/added security wrapper feature that fights use of
some directories...I wish I could remember what it was based on. I think
in order to get SSL to work in an individual user's ~/public_html/ there
were some hoops I had to jump through, but I don't recall what it was.
You do need a ScriptAlias or some other means to activate cgi-bin for
addresses of the type http://localhost/cgi-bin/something.cgi, but that
is a separate topic from enabling https. The set of items listed between
<IfDefine HAVE_SSL> and </IfDefine> above should be enough to get it to
listen on the port, but be sure to restart apache after any changes
("/etc/rc.d/init.d/httpd restart").

D. Stimits, stimits at idcomm.com
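
An added example, not part of the original message: a small shell audit of the items the reply lists (module load, Listen 443 inside <IfDefine HAVE_SSL>, SSLEngine, certificate and key files), plus a check that the private key is not readable by group or other. The function names and the config written by make_sample are constructed for illustration; an <IfDefine HAVE_SSL> block only takes effect when httpd is started with -DHAVE_SSL.

```sh
# Added example: audit an httpd.conf for the SSL items listed in the reply.
directive_value() {  # $1 = conf, $2 = directive; first uncommented value
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}
listen_443_guarded() {  # true if Listen 443 sits inside <IfDefine HAVE_SSL>
    awk '$1 == "<IfDefine" && $2 == "HAVE_SSL>" { inside = 1; next }
         $1 == "</IfDefine>"                    { inside = 0; next }
         inside && $1 == "Listen" && $2 == "443" { found = 1 }
         END { exit !found }' "$1"
}

audit_ssl_conf() {  # $1 = conf; prints findings, returns number of problems
    n=0
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$1" ||
        { echo "LoadModule ssl_module missing or commented out"; n=$((n+1)); }
    listen_443_guarded "$1" ||
        { echo "no Listen 443 inside <IfDefine HAVE_SSL>"; n=$((n+1)); }
    [ "$(directive_value "$1" SSLEngine)" = on ] ||
        { echo "SSLEngine is not on"; n=$((n+1)); }
    crt=$(directive_value "$1" SSLCertificateFile)
    key=$(directive_value "$1" SSLCertificateKeyFile)
    [ -n "$crt" ] && [ -f "$crt" ] ||
        { echo "certificate file missing: ${crt:-unset}"; n=$((n+1)); }
    if [ -n "$key" ] && [ -f "$key" ]; then
        # Characters 5-10 of the ls mode string are the group/other bits.
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
            { echo "private key readable by group/other: $key"; n=$((n+1)); }
    else
        echo "key file missing: ${key:-unset}"; n=$((n+1))
    fi
    return "$n"
}

make_sample() {  # $1 = scratch dir; writes a CONSTRUCTED conf, cert and key
    mkdir -p "$1/ssl.crt" "$1/ssl.key"
    : > "$1/ssl.crt/server.crt"; : > "$1/ssl.key/server.key"
    chmod 644 "$1/ssl.key/server.key"   # deliberately too permissive
    cat > "$1/httpd.conf" <<EOF
<IfDefine HAVE_SSL>
LoadModule ssl_module modules/libssl.so
Listen 443
SSLEngine on
SSLCertificateFile $1/ssl.crt/server.crt
SSLCertificateKeyFile $1/ssl.key/server.key
</IfDefine>
EOF
}
demo=$(mktemp -d); make_sample "$demo"
audit_ssl_conf "$demo/httpd.conf" || echo "$? problem(s) found"; rm -rf "$demo"
```

On a real system, point audit_ssl_conf at /etc/httpd/conf/httpd.conf; the IfDefine matching is line-based and does not follow nested blocks.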


