
Apache SSL Configuration - Enabling Apache TLS

Enabling and configuring SSL/TLS Strong Encryption for Apache HTTP/S Server

How to enable SSL/TLS under Apache Web Server

This article presents a minimal configuration showing how to enable SSL/TLS in Apache. Use it as a base for your own configuration once you have read the Apache Web Server documentation.


A sample configuration for Apache 2.4 SSL/TLS

This article is meant only to explain how to configure SSL/TLS for the Apache Web Server. You are strongly encouraged to read the rest of the SSL documentation and gain a deeper understanding of the material before moving on to advanced techniques.

Configuration Hints:

  • to create an SSL server which accepts strong encryption only, set SSLCipherSuite as below (anonymous key exchange is excluded explicitly, because HIGH alone does not rule it out):
    SSLCipherSuite HIGH:!aNULL:!MD5
  • another way is to specify a preference for specific speed-optimized ciphers by listing them first and making the server's order binding with SSLHonorCipherOrder, as in this example carried over from older httpd documentation:
    SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    do not copy the RC4 entry into a new configuration: RC4 is prohibited in TLS by RFC 7465 and has been disabled in default OpenSSL builds since 1.1.0, so RC4-SHA is silently ignored at best ; prefer AES-GCM or ChaCha20-Poly1305 suites ; note also that SSLCipherSuite in this form governs TLS 1.2 and earlier only, TLS 1.3 suites are set separately with the TLSv1.3 protocol argument of the same directive (httpd 2.4.36+ with OpenSSL 1.1.1+)
    
  • OCSP Stapling: the Online Certificate Status Protocol (OCSP) is a mechanism for determining whether or not a server certificate has been revoked ; with stapling the server fetches the OCSP response for its own certificate and delivers it inside the TLS handshake, so clients need not contact the CA's responder themselves ; once general SSL support has been configured properly, enabling OCSP Stapling requires only minor additions to the httpd configuration (the shmcb cache needs mod_socache_shmcb loaded, and SSLStaplingCache must be set in the server config, outside any <VirtualHost>):
    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
    
  • if more than a few SSL certificates are used for the server, the stapling cache may need to be bigger: all OCSP responses are stored in it, they are typically a few hundred to a few thousand bytes in size, and mod_ssl supports responses up to around 10K bytes, so with more than a few certificates the cache size (32768 bytes in the example above) may need to be increased ; error message AH01929 is logged when a response cannot be stored
  • if multiple SSL-enabled virtual hosts are configured and OCSP Stapling should be disabled for some of them, add SSLUseStapling Off to those virtual hosts
  • mod_ssl can log extremely verbose debugging information to the error log when its LogLevel is set to the higher trace levels ; on the other hand, on a very busy server, level info may already be too much ; remember that you can configure the LogLevel per module (the module is addressed as ssl in the LogLevel directive) to suit your needs

(c) 2022 w3soft.org, license: GPLv3
Sample Apache Configuration: Enable the SSL Module and Include SSL Configuration in Apache main configuration
## Sample Configuration for Apache HTTP Server v 2.4 @ /etc/apache2/httpd2.conf

## Add the following directives to the apache main configuration

# ...

## mod_ssl itself, plus the shared-memory cache backend used by the
## "shmcb:..." SSLSessionCache and SSLStaplingCache settings; without
## mod_socache_shmcb httpd refuses to start with those directives present
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so

# ...

## Pull in the TLS listener and virtual host defined in the separate file
Include /etc/apache2/extra/httpd-ssl.conf
<IfModule ssl_module>
## Seed OpenSSL's PRNG at startup and per connection (builtin is the portable default)
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# ...

# END


Sample Apache SSL configuration using mod_ssl

## Sample (minimal) Configuration for Apache HTTP Server v 2.4 @ /etc/apache2/extra/httpd-ssl.conf
## (c) 2020 w3soft.org

Listen 443

## Cipher string for TLS 1.2 and earlier: exclude anonymous key exchange
## (aNULL), MD5 MACs, RC4 and 3DES explicitly. Plain "HIGH:MEDIUM" would
## still admit anonymous DH (and RC4/3DES where the OpenSSL build offers them).
## Check the expansion with: openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES'
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES

## Make the server's cipher order binding
SSLHonorCipherOrder on

## "all -SSLv3" alone still permits TLS 1.0 and 1.1, which RFC 8996 deprecates;
## keep TLS 1.2 and TLS 1.3 only
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

## Prompt on the terminal for an encrypted private key's passphrase at startup
SSLPassPhraseDialog  builtin

## Inter-process session cache (needs mod_socache_shmcb). A memcached backend,
## "memcache:127.0.0.1:11211", is the alternative for clusters, but it needs
## mod_socache_memcache and a memcached that only trusted hosts can reach.
SSLSessionCache          "shmcb:/var/www/logs/ssl_scache(512000)"
SSLSessionCacheTimeout   720

<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "/var/www/htdocs"
ServerName localhost:443
ServerAdmin admin@localhost
ErrorLog "/var/www/logs/error_log"
TransferLog "/var/www/logs/access_log"

#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   Server certificate (with chain) and private key. Here both directives point
#   at one combined PEM file, which mod_ssl accepts; that file then contains the
#   private key and must be readable by root only (e.g. mode 0600).
SSLCertificateFile "/etc/apache2/cert.pem"
SSLCertificateKeyFile "/etc/apache2/cert.pem"

#   Export the SSL_* environment variables to CGI/SSI/PHP only where they are
#   used, since they add per-request overhead
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   Legacy workaround for the broken SSL implementation of MSIE 2-5; harmless today
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-request log of the negotiated protocol and cipher; useful for spotting
#   clients still on old suites before tightening the policy further
CustomLog "/var/www/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

## END
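As an added example (not code from w3soft.org or the Apache project), the following Python script audits the two directives that the configuration hints and the sample httpd-ssl.conf above revolve around: it evaluates the all/+/- syntax of SSLProtocol against the protocol names mod_ssl knows, and expands SSLCipherSuite and SSLProxyCipherSuite with the OpenSSL library Python is linked against, flagging anonymous (aNULL), null-encryption, RC4, 3DES and MD5 suites by name. The SAMPLE_CONF fragment is constructed to mirror the page's minimal configuration; the directive parser is deliberately simple and ignores <VirtualHost> scoping.

```python
"""Pre-flight audit of SSLProtocol / SSLCipherSuite in an httpd-ssl.conf.

Added example for this page, not code from w3soft.org or the Apache project.
The cipher string is expanded by the OpenSSL library Python is linked against,
so the result reflects that build (most builds omit RC4 since OpenSSL 1.1.0).
"""
import re
import ssl

# Protocol names mod_ssl's "all" keyword can expand to (SSLv2 is gone in 2.4).
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
MINIMUM_PROTOCOL = "TLSv1.2"  # TLS 1.0 and 1.1 are deprecated by RFC 8996

# Cipher name patterns that should never appear in a hardened expansion.
WEAK_PATTERNS = {
    "anonymous key exchange (aNULL)": re.compile(r"^A(EC)?DH-"),
    "null encryption (eNULL)": re.compile(r"NULL-"),
    "RC4": re.compile(r"RC4"),
    "3DES": re.compile(r"3DES|DES-CBC3"),
    "MD5 MAC": re.compile(r"-MD5$"),
}

# Constructed fragment mirroring the page's minimal httpd-ssl.conf.
SAMPLE_CONF = """\
Listen 443
SSLCipherSuite HIGH:MEDIUM
SSLProxyCipherSuite HIGH:MEDIUM
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
"""


def directives(conf_text):
    """Map directive name -> value for plain directive lines; later lines win."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def resolve_protocols(spec):
    """Apply mod_ssl's SSLProtocol rules: a bare name or '+name' enables,
    '-name' disables, 'all' stands for every protocol the library knows."""
    enabled = set()
    for token in spec.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = KNOWN_PROTOCOLS if name.lower() == "all" else (name,)
        if sign == "-":
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


def expand_ciphers(spec):
    """Expand an OpenSSL cipher string with libssl; [] if nothing matches
    (e.g. a lone 'RC4-SHA' on a build without weak ciphers)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def audit(conf_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    conf = directives(conf_text)
    findings = []
    if "SSLProtocol" in conf:
        too_old = sorted(
            p for p in resolve_protocols(conf["SSLProtocol"])
            if p in KNOWN_PROTOCOLS
            and KNOWN_PROTOCOLS.index(p) < KNOWN_PROTOCOLS.index(MINIMUM_PROTOCOL)
        )
        if too_old:
            findings.append("SSLProtocol still permits " + ", ".join(too_old))
    for directive in ("SSLCipherSuite", "SSLProxyCipherSuite"):
        if directive not in conf:
            continue
        names = expand_ciphers(conf[directive])
        if not names:
            findings.append(f"{directive} selects no cipher in this OpenSSL build")
            continue
        for label, pattern in WEAK_PATTERNS.items():
            hits = [n for n in names if pattern.search(n)]
            if hits:
                findings.append(f"{directive} admits {label}: " + ", ".join(hits[:3]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against the real file with `audit(open("/etc/apache2/extra/httpd-ssl.conf").read())`. The page's `all -SSLv3` is always reported because it leaves TLS 1.0 and 1.1 enabled; which weak cipher names show up for `HIGH:MEDIUM` depends on the OpenSSL build and its security level, which is exactly why the expansion is taken from libssl rather than from a fixed table. A cipher string that matches nothing on the build, such as a lone `RC4-SHA`, is reported as a finding instead of raising.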