wiki:ApacheConfig
Last modified on 03/12/12 14:04:28

Installing

The base package for the Apache httpd web server is called httpd; if you need to compile modules you also need httpd-devel. Precompiled modules packages are named for the module, such as mod_python. If you want it all, try a command such as

yum -y install mod_python mod_perl mod_php mod_ssl httpd httpd-devel

.conf Files

In Red Hat Enterprise Linux the main /etc/httpd/conf/httpd.conf automatically includes any files named *.conf in the /etc/httpd/conf.d/ directory. This makes it easier to install official modules such as PHP, Python, mod_ssl, etc. and also separate out custom local configurations. However, you need to be careful to name only full configuration sections with .conf; other files could be named anything else such as .off or .vhost.

SSL

By default, Red Hat Enterprise Linux ships Apache with a working SSL configuration file, but a placeholder self-signed localhost.crt certificate. If you're not sure where your certificate came from, you can view its issuer with the following command:

# view the issuer of the installed certificate
openssl x509 -noout -text -in /etc/pki/tls/certs/localhost.crt -issuer | tail -1
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
# for a UW cert output should be:
/C=US/ST=WA/O=University of Washington/OU=UW Services/CN=UW Services CA/emailAddress=help@cac.washington.edu

To get a valid certificate, first generate a key (or use your existing one) and a certificate request:

cd /etc/pki/tls/private/
openssl genrsa -out localhost.key 2048
HOST=myhost
FQDN="$HOST.biostr.washington.edu"
openssl req -new -subj "/C=US/ST=WA/O=University of Washington/CN=$FQDN"  -key localhost.key -out localhost.csr

Then go to the certificate provider (such as UW Certificate Services) and upload the certificate request. When you get notice that the certificate is ready, save it to localhost.crt:

cd /etc/pki/tls/certs/
mv localhost.crt localhost.crt.oldyear
cat > localhost.crt <<EOF
[paste here]
EOF
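Before pointing Apache at the new files, a quick consistency check catches the usual mistakes after a certificate renewal: a certificate issued against a different key (httpd then refuses to start with a key mismatch error), an expired or mis-named certificate, or a chain file that does not verify. The script below is an added example, not part of the original wiki page; it assumes a POSIX shell with the openssl command installed and takes the RHEL paths used above as arguments.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check key, certificate,
# optional chain and expected host name before restarting httpd.
# Usage: check_tls_files KEY CERT [CHAIN] [EXPECTED_FQDN]
check_tls_files() {
    key=$1; cert=$2; chain=${3:-}; fqdn=${4:-}
    rc=0
    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done
    # 1. Key and certificate must belong together: compare public-key digests.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $key does not match $cert (httpd would refuse to start)"; rc=1
    fi
    # 2. Certificate must not be expired or within 30 days (2592000 s) of expiry.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days or is already expired"; rc=1
    fi
    # 3. Subject CN should be the FQDN used in the CSR (RFC2253 puts CN first).
    if [ -n "$fqdn" ]; then
        subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
        case "$subj" in
            *"CN=$fqdn,"*|*"CN=$fqdn") ;;
            *) echo "FAIL: subject '$subj' does not contain CN=$fqdn"; rc=1 ;;
        esac
    fi
    # 4. If a chain file is given, the certificate must verify against it.
    if [ -n "$chain" ]; then
        if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
            echo "FAIL: $cert does not verify against chain $chain"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are consistent"
    return "$rc"
}
```

Run it as `check_tls_files /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/server-chain.crt "$FQDN"` before the `httpd -S` step; a non-zero exit means fix the files rather than restart.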

Finally, create an SSL vhost config like the following and verify the Apache config:

cd /etc/httpd/conf.d/
cat > ssl-vhost.conf <<EOF
# SSL - UW signed certs.cac.washington.edu
<VirtualHost *:443>
  DocumentRoot /var/www/html
  ServerName testsig.biostr.washington.edu
  ServerAlias 128.95.x.y testsig testsig.biostr
  ServerAlias *.biostr.washington.edu
  DirectoryIndex index.html index.htm index.html.var

  CustomLog logs/ssl_access_log combined
  ErrorLog logs/ssl_error_log

  # allow .htaccess control
  <Directory "/var/www/html">
  AllowOverride All
  </Directory>

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite HIGH:MEDIUM:!ADH

  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
  <Files ~ "\.(cgi|shtml)$">
  SSLOptions +StdEnvVars
  </Files>
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>
EOF
# test Apache config
httpd -S

Optionally redirect all non-SSL traffic to your SSL site by adding this to your non-SSL config:

  RedirectMatch ^/?(.*)$ https://testsig.biostr.washington.edu/$1

Now restart Apache, open port 443 in the firewall, and visit https://testsig.biostr.washington.edu in a web browser.

Tomcat passthrough

You can configure mod_proxy_ajp to pass certain requests to your webapp. You can even pass all requests through your SSL configuration:

  # redirect root and mywebapps requests to SSL
  RedirectMatch ^(/)?$ https://testsig.biostr.washington.edu/mywebapp/MainMenu

  # in SSL vhost
  ProxyPass /mywebapp/ ajp://localhost:8009/mywebapp/
  RedirectMatch ^/mywebapp/?(.*)$ https://testsig.biostr.washington.edu/mywebapp/$1

Complete vhost example

Below is a complete conf file suitable for dropping into /etc/httpd/conf.d/.

# not SSL - do nothing but redirect to secure connection
<VirtualHost *:80>
  ServerName testserver.bmi.iths.org
  ServerAlias testserver.bmi testserver *.bmi.iths.org
  RedirectMatch ^(/)?$ https://testserver.bmi.iths.org/mywebapp/MainMenu
  RedirectMatch ^/mywebapp/?(.*)$ https://testserver.bmi.iths.org/mywebapp/$1
</VirtualHost>

# SSL - UW signed certs.cac.washington.edu
<VirtualHost *:443>
  DocumentRoot /var/www/html
  ServerName testserver.bmi.iths.org
  ServerAlias testserver.bmi testserver *.bmi.iths.org

  # tomcat pass-through
  ProxyPass /mywebapp/ ajp://localhost:8009/mywebapp/
  RedirectMatch ^(/)?$ https://testserver.bmi.iths.org/mywebapp/MainMenu

  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  <Files ~ "\.(cgi|shtml)$">
  SSLOptions +StdEnvVars
  </Files>
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>
