On June 7, 2011 9:41, Sunil Rao <parle...@yahoo.com> wrote:
- What operating system or OS distribution are you running? What version?
Apache Details:
Server version: Apache/2.2.15 (Unix)
Server built: Jun 6 2011 16:10:26
OS Version: Linux 2.6.32-100.28.11.el6.x86_64
- Are you compiling Apache HTTP Server from source, or are you using a package
built for you by someone else? If a package built for you by someone else,
what package and version?
httpd-2.2.15.tar
If you were using a package for Apache HTTP Server provided as a part of
the Linux distribution you were running (Debian, Fedora, ...) then there
would be a good chance that some of the mod_ssl configuration would have
been done for you already by the package maintainers and/or that
documentation on how to configure HTTPS would be available that was
specific to the Linux distribution you are using.
However, what you wrote above sounds like you have compiled Apache HTTP
Server yourself, instead of using a package provided by your Linux
distribution. In this case, you should consider using the latest
version, 2.2.19, rather than an old version.
I looked around, but did not find any step-by-step
non-distribution-specific configuration examples for recent versions of
Apache HTTP Server. (Does anyone else who is reading this know of
any?) So you should rely on the Apache documentation for setting up and
configuring HTTPS for your server:
Configuration directives: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
Other topics: http://httpd.apache.org/docs/2.2/ssl/
To give you an example to work from, here is my configuration for
mod_ssl. I'm running Apache HTTP Server 2.3.12 under Fedora 14 x86_64,
but hopefully this will work for 2.2.x under other distributions as
well. Note that this is for serving static, non-proxied content over
HTTPS. I recommend that you get something like this working first, and
once you understand mod_ssl better, only then work on adding proxy
functionality.
Before attempting to use the example below, you should generate and
install the SSL private key file
(/etc/pki/tls/private/www.example.com.key in the example below, although
the file name and location will be different on your system) and
certificate (/etc/pki/tls/certs/www.example.com.cert). You should also
install the root and/or intermediate certificate of the certification
authority which signed your certificate (/etc/pki/tls/certs/CA.pem); in
your case, these would be the appropriate Verisign root and/or
intermediate certificates.
Make sure that the key is readable only by root (assuming that you are
starting your web server as the root user) but that the certificate and
CA chain file are readable by the user that the web server serves
requests as. Then make sure that you are able to verify the certificate
locally on your web server -- if this doesn't work, then you won't be
able to get mod_ssl working:
    openssl verify -verbose -CAfile /etc/pki/tls/certs/CA.pem -purpose sslserver /etc/pki/tls/certs/www.example.com.cert
You should get output saying that the certificate is OK.
Here is how I have mod_ssl configured in my httpd.conf file:
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(1024000)
SSLSessionCacheTimeout 600
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!NULL:!LOW:!EXP:!ADH:!MD5
Listen 443
<VirtualHost *:443>
    ServerName www.example.com:443
    DocumentRoot /var/www/htdocs
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/www.example.com.cert
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/CA.pem
    <Directory />
        SSLRequireSSL
    </Directory>
    <Directory /var/www/htdocs>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
I hope this helps. If this isn't what you were asking for, if it's not
clear, or if you encounter problems, please ask more specific questions,
including detailed information (configuration, error log entries,
symptoms, ...) regarding the situation you are encountering.
--
Mark Montague
m...@catseye.org
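
The pre-flight checks described in the message above (key readable only by root, certificate and chain readable by the server's user, local openssl verify that reports OK), as an added shell example that is not part of the original message. The function names are made up for illustration, GNU stat is assumed, and "readable by the web server user" is approximated by the other-read permission bit.

```shell
#!/bin/sh
# Added example: pre-flight checks for the key, certificate and chain files.
# Assumes GNU stat (Linux). Function names are illustrative.

# key_is_private FILE [UID]: FILE must be owned by UID (default 0, root)
# and carry no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    owner=$(stat -c '%u' "$1") && mode=$(stat -c '%a' "$1") || return 2
    if [ "$owner" != "${2:-0}" ]; then
        echo "$1: owned by uid $owner, expected ${2:-0}" >&2; return 1
    fi
    case $mode in
        0|*00) return 0 ;;
        *) echo "$1: mode $mode lets group/other access the key" >&2; return 1 ;;
    esac
}

# others_can_read FILE: approximation of "readable by the user the server
# serves requests as": the other-read bit must be set.
others_can_read() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        *[4567]) return 0 ;;
        *) echo "$1: mode $mode is not readable by the server user" >&2; return 1 ;;
    esac
}

# preflight KEY CERT CHAIN: run every check, then the openssl verify command
# from the message; success requires the "OK" line in its output.
preflight() {
    rc=0
    key_is_private "$1" || rc=1
    others_can_read "$2" || rc=1
    others_can_read "$3" || rc=1
    out=$(openssl verify -verbose -CAfile "$3" -purpose sslserver "$2" 2>&1) || true
    echo "$out"
    case $out in
        *": OK"*) ;;
        *) rc=1 ;;
    esac
    return $rc
}

# Usage: sh preflight.sh KEY CERT CHAIN
if [ $# -eq 3 ]; then preflight "$@"; fi
```

Run it as root with the three paths from the configuration; a non-zero exit status means at least one check failed, with the reason on stderr.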