Securing the
Apache server is one of the most important tasks of the webmaster. In this example, we will show you in this Apache HTTP Secure Server Configuration tutorial how to use
ssl keys with your Apache web server on your installed
Centos7 system. this method should also work on all Fedora or Redhat based systems
Create Certificates
Change to the following directory:
[root@server /]# cd /etc/pki/tls/certs
Run the following command to make server key file:
[root@server certs]# make server.key
Remove passphrase from private key:
Writing RSA key
[root@server certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
Generate CSR key file
[root@server certs]# make server.csr
Sign the key and make Expiration days:
[root@server certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 1000
Signature ok
subject=/C=US/ST=AL/L=OLI/O=Hackthesec/OU=Hackthesec Tutorial/CN=server.hackthesec.co.in/emailAddress=info@hackthesec.co.in
Getting Private key
[root@server certs]#
Configure SSL keys with Apache
[root@server certs]# yum -y install httpd mod_ssl
Enable en Start apache
[root@server certs]# systemctl start httpd.service
[root@server certs]# systemctl enable httpd.service
Configure ‘/etc/httpd/conf.d/ssl.conf’
Your ssl.conf should be like this:
[root@server certs]# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.orig
[root@server certs]# vi /etc/httpd/conf.d/ssl.conf
[root@server certs]# vi /etc/httpd/conf.d/ssl.conf
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName 127.0.0.1:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Save and exit
Restart Apache
Check if the ports 80 and 443 are listening:
[root@server certs]# netstat -tulpen | grep :80
[root@server certs]# netstat -tulpen | grep :443
Allow the ports 80 and 443 via Iptables:
[root@server certs]# vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
If you are using Firewalld please do :
[root@server certs]# firewall-cmd --permanent --add-port=80/tcp
[root@server certs]# firewall-cmd --permanent --add-port=443/tcp
And restart or reload the firewalls :
[root@server certs]# service iptables restart
Or
[root@server certs]# firewall-cmd --reload
Open the browser and Check https://server.hackthesec.co.in
Certificate View