
Install Apache 2.2 web server and make HTTPS work.
Posted: 2020-08-08 23:38

A note.
I'll mark "pouring of water" with this dull color so you can skip it if you don't want to read too many words.
But basically, here, in these pieces of text, are definitions of the causes of the problems which appear when installing the Apache HTTPS server.
End of note.

Don't install it if you can avoid it: its installation is broken in a few places.
There is, though, no better HTTPS web server alternative known to me right now.

Apache, as of version 2.2, doesn't comply with the Windows requirement to keep executable files and their data files in separate places.
Install it to something like "C:\Apache2.2\" instead of anything like "C:\Program Files\Apache Software Foundation\Apache2.2\".
The reason not to install it to "Program Files (x86)" is that the variable "SSLSessionCache" almost cannot be read from the config for that directory, because the brackets for that variable are used for a different purpose.
The reason not to install it to "Program Files" is that Apache, for some odd reason, is likely opening its config files not read-only but with other flags too, and such attempts to access files in the "Program Files" folder provoke Windows to create a VirtualStore directory for that process and keep all those config files there, which will be a great inconvenience to you.
Apache is very inflexible about its installation directory, so choose it just once, before installation. Later you will not be able to change it easily, because it will be written everywhere in the config files.

What follows consists of two or more steps:

1) Set up the HTTP server.
2) Set up the HTTPS virtual host.
3) Redirect HTTP to HTTPS and disable HTTP access.


That's it for the less-described things you will collide with.




Installation.




I am using the latest official release which is pretty old, being of 2013-07-10:
"archive.apache.org/dist/httpd/binaries/w...ssl-0.9.8y.msi"

Current versions (like 2.4.43, 2.4.46) aren't built by Apache themselves and also require an appropriate version of the VC redistributables to be installed.
That means they are somewhat incomplete releases.
Note also that there are (and even the Apache site itself offers them) "complete server" releases of Windows binaries which might not only be less hard to install, but also make all the explanations below needless.


Install the mentioned file, as I said, to "C:\Apache2.2\".

What the "Network Domain" and "Server Name" things you are asked for actually are is a mystery.
The content of "Network Domain" will go into both the current and the original versions of the files "httpd-info.conf", "httpd-manual.conf", "httpd-vhosts.conf".
The content of the "Server Name" input box will go into the files "original\httpd.conf" and "original\extra\httpd-ssl.conf". That means only into the back-up versions of these files (which aren't used). Yep, that part seems broken too.
That means the main configuration file "httpd.conf" will not get any content from it.
So, don't worry: you will still have to review everything later, so don't rely on anything the installer is doing.
Well, at least you can be sure about installation directory, that the server will appear only there and with a properly written configuration relevant to that directory (thank you Apache guys! this part is not broken!).


Stop the service if you installed the server to be run as a service.

Now in "httpd.conf" make basically only one change: change "Listen" to 80 if the server port was chosen as 8080 during installation.

Later you may wish to change also "ServerAdmin", "ServerName" and "DocumentRoot", but now it is not necessary.


Now run "httpd.exe" and see if your server works: the command line window of the process should hang without errors, and you must be able to access your (yet empty) site with a browser.


The explanations that follow contain no new or special information beyond what other sites have, so you can just as well read them at any other place that describes the creation of certificates or Apache configuration.
From here on I also will not explain much of the what and why, and will instead give you information about the basic necessary things.




Making HTTPS work.



Modify "httpd.conf" again; uncomment there these two lines:
Code:


LoadModule ssl_module modules/mod_ssl.so


Code:


Include conf/extra/httpd-ssl.conf



Create the SSL private key and public certificate files.
The ways to do that:
1) Create a self-signed SSL certificate.
2) Use the free service Let's Encrypt to get a certificate.
3) Use a paid service to get an encryption certificate.


Here I'll show only how to make a self-signed SSL certificate.
Using OpenSSL:
Code:


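REM Run from the directory this script is in (it must also hold openssl.cnf)
cd /D "%~dp0"
REM %~dp0 already ends with a backslash
SET "OPENSSL_CONF=%~dp0openssl.cnf"
REM -x509: self-signed certificate; -nodes: the private key is written without a passphrase
openssl.exe req -x509 -nodes -days 365 -newkey rsa:2048 -keyout apache-selfsigned.key -out apache-selfsigned.crt
pause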




Copy the created keys and rename if necessary.
Open "httpd-ssl.conf".
Set "SSLCertificateFile" and "SSLCertificateKeyFile" to the .crt and .key files you have (extensions might differ if you want).

Now run "httpd.exe" and your HTTPS server should work.



Redirect HTTP to HTTPS.



(This is optional but very desirable.)


Add these lines to a configuration file of your choice.
Code:


# HTTP to HTTPS redirect
# The trailing slash matters: the rest of the request path is appended to the target
<VirtualHost *:80>
  ServerName <yourdomain>
  Redirect / https://<yourdomain>/
</VirtualHost>



In my case I added that into that same "httpd-ssl.conf" right before line "<VirtualHost _default_:443>".

Note that this method of redirection is only one of a few.
It might work improperly depending on the case, such as when you have multiple domains.




Configure the protocols, their versions and ciphers.



Well, the configuration is already near the best: all protocols are enabled and the worst one(s) are disabled:
Code:


SSLProtocol all -SSLv2


The only way to make it better is to disable some more insecure protocol(s):
Code:


SSLProtocol all -SSLv2 -SSLv3


Here also comes some improvement to the ciphers:
Code:


SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4



That's just an example; even better ways to achieve more security might be found.




Make encryption work faster.




Well, a Diffie-Hellman group could be created by using:
Code:


openssl.exe dhparam -out dhparam.pem 2048


However, this version of Apache isn't aware of "SSLOpenSSLConfCmd", nor does its OpenSSL know "DHParameters".




Let's do the first step in setting up the site.



Change "DocumentRoot" in "httpd-ssl.conf" to the directory where your site's content will be present.

Make some content in that directory.
Sorry for being banal.
Well, actually you don't even need to have any content there: "mod_autoindex" will do some job anyway, showing you the content of that folder.
Uncomment "httpd-autoindex.conf" and bother with the settings in it somewhat to make the list look like you want.
Well, there actually is nothing to play with: you can't even change how the date looks, to bring it closer to ISO-8601.
Look for "UseOldDateFormat" to see/read more about that.
The date format is hard-coded in 'ap_set_last_modified()' -> 'apr_rfc822_date()'.

To exclude "403 Forbidden" with error logged as "client denied by server configuration", find this line in "httpd.conf" and change it appropriately:
Code:


<Directory "C:/Apache2.2/htdocs">



You will not, though, need to change "DocumentRoot" in "httpd.conf", because its value is not used.




Some links where some pieces for this article were taken from.



geekflare.com/apache-setup-ssl-certificate/
geekflare.com/apache-web-server-hardening-security/#5-SSL
www.digitalocean.com/community/tutorials...ache-in-ubuntu-16-04
alexi
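
A way to check the edits described in the post above, as an added example that is not part of the original post and is not Apache project code: a small lint over the directives the post touches (mod_ssl loading, the HTTP to HTTPS redirect, SSLProtocol and SSLCipherSuite). The host name example.test, the function names, the simplified SSLProtocol token model and the explicit-exclusion cipher check are assumptions of this example.

```python
SAMPLE_CONF = """\
#LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
<VirtualHost *:80>
  ServerName example.test
  Redirect / https://example.test
</VirtualHost>
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
"""  # constructed sample for this added example, not a real server's files

ALL = {"sslv2", "sslv3", "tlsv1"}  # assumption: what "all" covers on this old build

def directives(text):
    """Yield (name, args) per active directive; skips comments and <Section> tags."""
    for line in text.splitlines():
        parts = [p.strip('"') for p in line.split()]
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), parts[1:]

def enabled_protocols(args):
    """Simplified model: '+x' adds, '-x' removes, a bare token replaces the set."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[:1] in ("+", "-") else ("", tok)
        group = set(ALL) if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= group
        else:
            enabled = enabled | group if sign == "+" else group
    return enabled

def audit(text):
    """Return findings for the settings the post edits."""
    found, out = list(directives(text)), []
    if not any(n == "loadmodule" and a[:1] == ["ssl_module"] for n, a in found):
        out.append("mod_ssl not loaded")
    if not any(n == "include" and a[:1] == ["conf/extra/httpd-ssl.conf"] for n, a in found):
        out.append("httpd-ssl.conf not included")
    for name, args in found:
        if name == "sslprotocol":
            out += [f"{p} still enabled" for p in sorted(enabled_protocols(args) & {"sslv2", "sslv3"})]
        elif name == "sslciphersuite" and args:
            missing = {"!aNULL", "!MD5", "!RC4"} - set(args[0].split(":"))
            out += [f"cipher list lacks {m}" for m in sorted(missing)]
        elif name == "redirect" and args[-2:-1] == ["/"] and not args[-1].endswith("/"):
            out.append(f"Redirect target lacks trailing '/': /a -> {args[-1]}a")
    return out

print("\n".join(audit(SAMPLE_CONF)))
```

The cipher check only looks for the explicit exclusions used in the post, so a list that removes the same ciphers by other means will still be flagged.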