4.3. Initial HTTPS configuration

We can convert the basic configuration into one that supports an HTTPS site. We do this by listening on port 443 in place of port 80, loading the ssl_module, and amending the virtual host definition.

User        wwwrun
Group       www

# Load the modules needed for this file
LoadModule  mime_module        /usr/lib/apache2/mod_mime.so
LoadModule  dir_module         /usr/lib/apache2/mod_dir.so
LoadModule  setenvif_module    /usr/lib/apache2/mod_setenvif.so
LoadModule  log_config_module  /usr/lib/apache2/mod_log_config.so

Options None

# Set up MIME content type recognition
TypesConfig  /etc/mime.types

# Enable default documents for directory queries
DirectoryIndex  index.html

# Setup Logging
LogFormat  "%h %l %u %t \"%r\" %>s %b"  clf

# Listen on port 443 (default https)
Listen  443

# Load the SSL module (mod_ssl)
LoadModule  ssl_module  /usr/lib/apache2-prefork/mod_ssl.so

<VirtualHost *:443>

  ServerName    www.dept.cam.ac.uk
  DocumentRoot  /srv/www/WWW-SECURE
  CustomLog     /var/log/apache2/www.log  clf

  # Minimal SSL configuration
  SSLEngine  On
  SSLCertificateFile     /etc/apache2/ssl.crt/WWW.crt
  SSLCertificateKeyFile  /etc/apache2/ssl.key/WWW.key

</VirtualHost>

We will need to install this new configuration file and to ensure that the certificate and key files are in place. Note that this really is a minimal SSL configuration: with only SSLEngine, SSLCertificateFile and SSLCertificateKeyFile set, the protocol versions and cipher suites offered are whatever mod_ssl's defaults are for the Apache version in use, so a production site would normally set SSLProtocol and SSLCipherSuite explicitly as well.

However, as things stand there will be a problem: Apache will be unable to use the key because it is encrypted under a pass phrase. Apache can prompt for the pass phrase when it starts, but that assumes a human operator will always be present at start-up, which is inconvenient after, for example, a power failure or an automatic reboot. There are various solutions (see the SSLPassPhraseDialog directive, which can obtain the pass phrase from a program rather than from a terminal), but they all amount to storing a copy of the pass phrase, or a way of fetching it, somewhere on the machine. An alternative is to write a single copy of the key, stripped of its pass phrase, directly into the server's configuration directory. Apache reads the key while it is still running as root, before it drops privileges to the wwwrun user, so under Unix this file only needs to be readable by root; for many applications that is sufficient protection, provided the original pass-phrase-protected key is kept elsewhere and the unprotected copy is not swept up in backups or copied to other machines without the same restrictions. To do this we use openssl's rsa sub-command again, running it inside a subshell with umask 077 so that the new file is created with mode 0600 rather than a world-readable mode.


# cp WWW.crt /etc/apache2/ssl.crt/
# (umask 077; openssl rsa -in WWW.key -out /etc/apache2/ssl.key/WWW.key)
Enter pass phrase for WWW.key:password

After a further restart, we can now access the new secure site.
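The two things that go wrong at this step are an Apache that still prompts (the copy was not actually stripped of its pass phrase, for example because the openssl output went to the wrong file) and a key copy that is readable by users other than root. The following is an added example, not part of the original page or of Apache's own tooling: a small POSIX shell script that installs a pass-phrase-free key under the same umask 077 idiom used above and checks the result. The script name, the KEY variable and the sample PEM contents in the usage section are assumptions constructed for the example; real keys are generated with openssl as in the earlier sections.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the
# pass-phrase-free key copy described in the text. Paths and the KEY
# variable are assumptions for illustration.

# 0 if the PEM file $1 carries no pass-phrase encryption marker.
# "openssl rsa -in ... -out ..." with no cipher option writes a plain
# PKCS#1 key. An encrypted PKCS#1 key carries "Proc-Type: 4,ENCRYPTED";
# an encrypted PKCS#8 key uses the "BEGIN ENCRYPTED PRIVATE KEY" banner.
key_is_unencrypted() {
    ! grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# 0 if $1 is a regular file with no group or other permission bits,
# i.e. mode 0600 or 0400, which is what creating it under umask 077 yields.
# ls is used rather than stat(1) because stat's options differ between
# GNU and BSD userlands.
key_mode_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# 0 if $1 is owned by root, the only user that should read the unprotected key.
key_owned_by_root() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "root" ]
}

# Copy an already pass-phrase-free key $1 to $2 inside a subshell with
# umask 077 (the same idiom the page uses around openssl rsa), then verify
# that the copy is unencrypted and private to its owner.
install_key() {
    src=$1
    dst=$2
    ( umask 077; cp "$src" "$dst" ) || return 1
    key_is_unencrypted "$dst" && key_mode_is_private "$dst"
}

# Report on an installed key; exit status is 0 only if every check passes.
check_key() {
    rc=0
    key_is_unencrypted "$1" || { echo "$1: still pass-phrase protected; Apache will prompt at start-up" >&2; rc=1; }
    key_mode_is_private "$1" || { echo "$1: readable by group/other; expected mode 0600" >&2; rc=1; }
    key_owned_by_root "$1"   || { echo "$1: not owned by root" >&2; rc=1; }
    return $rc
}

# Usage (as root, after the openssl rsa step has written the copy):
#   KEY=/etc/apache2/ssl.key/WWW.key sh check_key.sh
if [ -n "${KEY:-}" ]; then
    check_key "$KEY"
fi
```

Run it against the installed copy before restarting Apache; a non-zero exit status means the restart would either hang on a pass-phrase prompt or leave the key exposed to local users.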