Chapter 4. Configuring Apache to support TLS

Table of Contents
4.1. Basic Apache configuration
4.2. Virtual hosts and HTTPS
4.3. Initial HTTPS configuration
4.4. Tuning the configuration
4.5. Working around browser bugs
4.6. Logging
4.7. Doing HTTP and HTTPS for the same hostname
4.8. Client Certificates

Two major versions of Apache are in current use

Apache version 1 with mod_ssl and Apache version 2 are roughly equivalent in function as far as TLS is concerned; this course happens to use Apache version 2.2. The configuration directives used by Apache-SSL are similar but differ in detail.

Red Hat Linux, Fedora and SuSE Linux include copies of Apache with TLS support. Versions of Red Hat Linux prior to version 8 include Apache 1 and mod_ssl; later versions of Red Hat Linux include Apache 2, as does Fedora. SuSE Linux provides both Apache 1 with mod_ssl and Apache 2 in version 9, and Apache 2 only in subsequent versions. Other Linux and Unix systems may be similar. It is also possible to build Apache 1 with mod_ssl, or Apache 2, from source; see http://www.modssl.org/docs/2.8/ssl_overview.html or http://httpd.apache.org/docs-2.0/install.html for details of requirements and procedures.

Apache for Windows can be built from source, but this requires the commercial Microsoft Visual C++ compiler, version 5.0 or above. The Apache Foundation makes pre-built versions of Apache for Windows available, but at the moment these do not include TLS support. Binary copies of Apache for Windows including TLS support can sometimes be found with a web search; at present copies appear to be maintained at http://hunter.campbus.com/ and http://www.apachelounge.com/download/.

The examples that follow were taken from a Linux machine running SuSE Linux Enterprise Edition 10. Other Unix installations may differ slightly, for example in the paths used, but should be substantially the same. A Windows Apache installation will also be very similar, with obvious changes to pathnames and file locations. SLES includes SSL and TLS support for Apache inside the main apache2 package. In other Linux distributions the necessary support is sometimes in a separate package, often called mod_ssl.

4.1. Basic Apache configuration

We need to build a configuration file that will instruct Apache to offer an HTTPS service. We start with a simple configuration that is just sufficient to provide a basic service over standard HTTP.

User        wwwrun
Group       www

# Load the modules needed for this file
LoadModule  mime_module        /usr/lib/apache2/mod_mime.so
LoadModule  dir_module         /usr/lib/apache2/mod_dir.so
LoadModule  setenvif_module    /usr/lib/apache2/mod_setenvif.so
LoadModule  log_config_module  /usr/lib/apache2/mod_log_config.so

Options None

# Set up MIME content type recognition
TypesConfig  /etc/mime.types

# Enable default documents for directory queries
DirectoryIndex  index.html

# Setup Logging
LogFormat  "%h %l %u %t \"%r\" %>s %b"  clf

# Listen on port 80 (default http)
Listen  80

<VirtualHost *:80>

  ServerName    www.dept.cam.ac.uk
  DocumentRoot  /srv/www/WWW
  CustomLog     /var/log/apache2/www.log  clf

</VirtualHost>

If we copy this configuration into place and restart Apache we should be able to access the site.


# cp conf.01 /etc/apache2/httpd.conf
# /etc/init.d/apache2 start
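Before copying a configuration over /etc/apache2/httpd.conf it is worth checking it for the two mistakes that most often appear when a file like conf.01 grows into an HTTPS configuration: a directive whose module has no LoadModule line, and a <VirtualHost> on a port with no matching Listen. The Python below is an added example, not part of the course notes; the directive-to-module table is a hand-written subset of httpd 2.2 module identifiers, and the embedded configuration is a constructed copy of the conf.01 shown above.

```python
# Constructed copy of the HTTP-only conf.01 from this section (raw string so
# the escaped quotes in LogFormat survive unchanged).
CONF_01 = r"""
LoadModule  mime_module        /usr/lib/apache2/mod_mime.so
LoadModule  dir_module         /usr/lib/apache2/mod_dir.so
LoadModule  setenvif_module    /usr/lib/apache2/mod_setenvif.so
LoadModule  log_config_module  /usr/lib/apache2/mod_log_config.so
Options None
TypesConfig  /etc/mime.types
DirectoryIndex  index.html
LogFormat  "%h %l %u %t \"%r\" %>s %b"  clf
Listen  80
<VirtualHost *:80>
  ServerName    www.dept.cam.ac.uk
  DocumentRoot  /srv/www/WWW
  CustomLog     /var/log/apache2/www.log  clf
</VirtualHost>
"""

# Module that provides each non-core directive we check (httpd 2.2 names).
DIRECTIVE_MODULE = {
    "TypesConfig": "mime_module", "DirectoryIndex": "dir_module",
    "LogFormat": "log_config_module", "CustomLog": "log_config_module",
    "SetEnvIf": "setenvif_module", "SSLEngine": "ssl_module",
    "SSLCertificateFile": "ssl_module", "SSLCertificateKeyFile": "ssl_module",
}

def lint(conf):
    """Return a list of problems: directives whose module is never loaded,
    and <VirtualHost host:port> blocks on a port that no Listen binds."""
    loaded, listened, used, vhost_ports = set(), set(), set(), []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                    # blank or comment
        parts = line.split()
        if parts[0] == "LoadModule" and len(parts) >= 3:
            loaded.add(parts[1])                        # e.g. mime_module
        elif parts[0] == "Listen" and len(parts) >= 2:
            listened.add(parts[1].rsplit(":", 1)[-1])  # "80" or "1.2.3.4:443"
        elif parts[0] in DIRECTIVE_MODULE:
            used.add(parts[0])
        elif line.startswith("<VirtualHost") and ":" in line:
            vhost_ports.append(line.rstrip(">").rsplit(":", 1)[-1])
    problems = [f"{d} used but LoadModule {DIRECTIVE_MODULE[d]} missing"
                for d in sorted(used) if DIRECTIVE_MODULE[d] not in loaded]
    problems += [f"<VirtualHost *:{p}> but no Listen {p}"
                 for p in vhost_ports if p not in listened]
    return problems
```

`lint(CONF_01)` returns an empty list for the configuration above; appending an SSL virtual host without `LoadModule ssl_module` or its `Listen` line produces one message for each omission.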