How to configure Apache's HTTPS service on CentOS

Source: Internet
Author: User
Tags: openssl, x509, server, hosting

The Web server uses HTTP by default, which is a plain-text protocol. As its name implies, a plain-text protocol does not encrypt any data in transit. An HTTP-based Web server is very easy to configure, but it has significant security flaws. Any "man in the middle" with a carefully placed packet sniffer is able to see the contents of every passing packet. Further, a malicious user can even set up a fake Web server in the transmission path to impersonate the actual target Web server. In this case, the end user may actually communicate with the impostor server rather than the real destination server. In this way, the malicious user can present the end user with a specially crafted form to obtain sensitive information, such as a username and password.

To handle these types of vulnerabilities, most vendors apply the HTTPS protocol on their Web servers. For a read-only Web site, where the user only reads content and does not actually submit any information, HTTP is still a viable option. However, for websites that hold sensitive information, such as when a user needs to log in to use the site's service, HTTPS is a must. HTTPS provides the following capabilities for a Web site.

    • Ensures that all packets transmitted to and from the server are encrypted.

    • Establishes an official digital certificate so that a fake server cannot impersonate the real one.

The first thing you need to do to build a Web server that supports HTTPS is to obtain a digital certificate. A digital certificate can be obtained in any of the following ways.

    1. Self-signed certificates are recommended for testing purposes and personal projects. Self-signed certificates can also be used with service providers, but generally only in situations where the users trust each other. In addition, self-signed certificates cost nothing.

    2. Certificates can be provided by community-based certificate vendors such as StartSSL and CAcert. These certificates also cost nothing, but are recommended only for individual projects.

    3. For global business sites, it is recommended to purchase a certificate from a reputable, trusted certification authority. These certificates cost money, but they add to the reputation of the network service provider.

Get ready

In this document we will use a self-signed certificate. Assume that CentOS has the Apache Web server installed. We need to generate a self-signed certificate using OpenSSL. If OpenSSL is not already installed, it can be installed using yum.

# yum install mod_ssl openssl

Generate a self-signed certificate

The following commands generate a self-signed certificate. First, generate a 2048-bit RSA private key.

# openssl genrsa -out ca.key 2048

The certificate signing request (CSR) is then generated.

# openssl req -new -key ca.key -out ca.csr

Finally, a self-signed X.509 certificate is generated.

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

After the certificate is created, copy the files to the corresponding directories.

# cp ca.crt /etc/pki/tls/certs/
# cp ca.key /etc/pki/tls/private/
# cp ca.csr /etc/pki/tls/private/

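The three OpenSSL steps above, as an added example that is not part of the original article, turned into a script that also does what the article skips: it restricts the key file's permissions and checks that the certificate, key and name agree before anything is copied into /etc/pki/tls. The output directory, hostname and subject fields are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: the article's three OpenSSL
# steps as one non-interactive script, plus the checks a practitioner wants
# before copying files into /etc/pki/tls: key permissions, cert/key match,
# CN and validity. The output directory and hostname are illustrative.
set -eu

# make_selfsigned DIR HOST DAYS -> writes DIR/ca.key, DIR/ca.csr, DIR/ca.crt
make_selfsigned() {
    mkdir -p "$1"
    # 2048-bit RSA key; genrsa writes it unencrypted, so restrict it to its owner
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    chmod 600 "$1/ca.key"
    # CSR: -subj replaces the interactive prompts; CN must be the name
    # clients will type into the browser
    openssl req -new -key "$1/ca.key" -out "$1/ca.csr" \
        -subj "/C=US/O=Example Lab/CN=$2"
    # Self-signed X.509 certificate valid for DAYS days
    openssl x509 -req -days "$3" -in "$1/ca.csr" \
        -signkey "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# cert_matches_key CRT KEY -> exit 0 if the certificate carries KEY's public
# key. A mismatch here is the usual reason httpd refuses to start later.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa  -noout -modulus -in "$2")" ]
}

# cert_cn CRT -> prints the subject CN
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_for CRT DAYS -> exit 0 if the certificate does not expire
# within DAYS days (handy as a cron check once the 365 days run down)
cert_valid_for() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Demo: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    make_selfsigned ./demo-pki virtual-web.example.com 365
    cert_matches_key ./demo-pki/ca.crt ./demo-pki/ca.key && echo "cert/key match"
    echo "CN: $(cert_cn ./demo-pki/ca.crt)"
    cert_valid_for ./demo-pki/ca.crt 30 && echo "valid for at least 30 days"
fi
```
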
Configure the Apache Web server

First, modify the following configuration file.

# vim /etc/httpd/conf.d/ssl.conf
### Overwrite the following parameters ###
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

### The following parameter does not need to be modified in the case of a self-signed certificate. ###
### If you are using a real certificate, you may receive a certificate bundle. The bundle is added using the following parameter ###
SSLCertificateChainFile /etc/pki/tls/certs/example.com.ca-bundle

Then restart the HTTPD service for the changes to take effect.

# service httpd restart

The Web server can now use HTTPS!

Tuning a virtual host

The Apache Web server can serve multiple Web sites. These sites are defined as virtual hosts in the httpd configuration file. For example, let's assume that our Apache Web server hosts the site virtual-web.example.com, and that all of the site's files are stored in the /var/www/html/virtual-web directory.
For such a virtual host, this is the typical HTTP configuration.

# vim /etc/httpd/conf/httpd.conf
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/virtual-web
    ServerName virtual-web.example.com
</VirtualHost>

We can create an HTTPS virtual host by referring to the configuration above.

# vim /etc/httpd/conf/httpd.conf
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/html/virtual-web>
        AllowOverride All
    </Directory>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/virtual-web
    ServerName virtual-web.example.com
</VirtualHost>

Each virtual host needs to be defined according to the configuration above. After you add the virtual host, restart the Web service.

# service httpd restart

Now the virtual host can use HTTPS!

Optional configuration: Force Apache Web server to always use HTTPS

If for some reason you need your site's Web server to use only HTTPS, you will need to redirect all HTTP requests (port 80) to HTTPS (port 443). The Apache Web server can do this easily.

1. Forcing the main site to use HTTPS

If you want to force the main (default) site to use HTTPS, modify the httpd configuration file as follows:

# vim /etc/httpd/conf/httpd.conf
ServerName www.example.com
Redirect permanent / https://www.example.com
# service httpd restart

2. Forcing a virtual host to use HTTPS

If you want to force HTTPS on a virtual host, configure its HTTP virtual host as follows:

# vim /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
    ServerName virtual-web.example.com
    Redirect permanent / https://virtual-web.example.com/
</VirtualHost>
# service httpd restart
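
As an added example (not from the original article), a small audit of an httpd.conf for the two patterns in this section and the virtual-host section above: a *:80 host that does nothing but redirect to HTTPS, and a *:443 host with SSLEngine on and both certificate parameters. The sample config it inspects is constructed for the demo; the host intranet.example.com and the verdict strings are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an httpd.conf for the
# two virtual-host patterns the article sets up (a *:80 host that only redirects
# to HTTPS; a *:443 host with SSLEngine on and both certificate parameters).
set -eu

# audit_vhosts CONF -> one line per VirtualHost: "PORT SERVERNAME VERDICT"
audit_vhosts() {
    awk '
    { sub(/#.*/, ""); l = tolower($0) }       # strip comments, case-fold a copy
    l ~ /<virtualhost/ {                      # block start: reset per-host state
        port = l; sub(/.*:/, "", port); sub(/[^0-9].*/, "", port)
        name = "?"; redirect = ssl = crt = key = 0; next
    }
    l ~ /<\/virtualhost>/ {                   # block end: judge the host
        if (port == "80")       v = redirect ? "ok-redirects-to-https" : "WARN-plain-http"
        else if (port == "443") v = (ssl && crt && key) ? "ok-tls" : "WARN-incomplete-tls"
        else                    v = "unknown-port"
        print port, name, v; next
    }
    l ~ /^[ \t]*servername/            { name = $2 }
    l ~ /^[ \t]*redirect .*https:\/\// { redirect = 1 }
    l ~ /^[ \t]*sslengine[ \t]+on/     { ssl = 1 }
    l ~ /^[ \t]*sslcertificatefile/    { crt = 1 }
    l ~ /^[ \t]*sslcertificatekeyfile/ { key = 1 }
    ' "$1"
}

# Constructed sample: the article's redirect host and HTTPS host done right,
# plus a second HTTPS host whose SSLCertificateKeyFile line was forgotten.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName virtual-web.example.com
    Redirect permanent / https://virtual-web.example.com/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    ServerName virtual-web.example.com
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    ServerName intranet.example.com
</VirtualHost>
EOF
audit_vhosts "$SAMPLE_CONF"
```

Run it against the real /etc/httpd/conf/httpd.conf after editing; any WARN line is a host that still answers in plain text or cannot start TLS.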

In summary, server security can be improved by using HTTPS, which is always recommended when there are interactions such as user login. Certificates can be obtained in a variety of ways: self-signed, community-provided, or purchased from a commercial certification authority. The administrator should carefully select the type of certificate to use.
