Installing
The base package for the Apache httpd web server is called httpd; if you need to compile modules you also need httpd-devel. Precompiled module packages are named for the module, such as mod_python. If you want it all, try a command such as
yum -y install mod_python mod_perl mod_php mod_ssl httpd httpd-devel
.conf Files
In Red Hat Enterprise Linux the main /etc/httpd/conf/httpd.conf automatically includes any files named *.conf in the /etc/httpd/conf.d/ directory. This makes it easier to install official modules such as PHP, Python, mod_ssl, etc. and also to separate out custom local configurations. However, take care to give the .conf suffix only to complete configuration sections, because every such file is loaded; other files can be named anything else, such as .off or .vhost.
SSL
By default, Red Hat Enterprise Linux ships Apache with a working SSL configuration file, but a fake localhost.crt certificate. If you're not sure where your certificate came from, you can view its issuer with the following command:
# view
openssl x509 -noout -text -in /etc/pki/tls/certs/localhost.crt -issuer | tail -1
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
# for a UW cert output should be:
/C=US/ST=WA/O=University of Washington/OU=UW Services/CN=UW Services CA/emailAddress=help@cac.washington.edu
To get a valid certificate, first generate a key (or use your existing one) and a certificate request:
cd /etc/pki/tls/private/
# use at least a 2048-bit key; 1024-bit RSA is too weak
openssl genrsa -out localhost.key 2048
# the private key should be readable by root only
chmod 600 localhost.key
HOST=myhost
FQDN=$HOST.biostr.washington.edu
openssl req -new -subj "/C=US/ST=Washington/O=University of Washington/CN=$FQDN" -key localhost.key -out localhost.csr
Then go to the certificate provider (for UW, http://certs.cac.washington.edu/) and upload the certificate request. When you are notified that the certificate is ready, save it to localhost.crt:
cd /etc/pki/tls/certs/
mv localhost.crt localhost.crt.oldyear
cat > localhost.crt <<EOF
[paste here]
EOF
Finally, create an SSL vhost config like the following and verify the Apache config:
cd /etc/httpd/conf.d/
cat > ssl-vhost.conf <<'EOF'
# SSL - UW signed certs.cac.washington.edu
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName testsig.biostr.washington.edu
    ServerAlias 128.95.x.y testsig testsig.biostr
    ServerAlias *.biostr.washington.edu
    DirectoryIndex index.html index.htm index.html.var
    # CustomLog takes the log file first, then the format name
    CustomLog logs/ssl_access_log combined
    ErrorLog logs/ssl_error_log
    # allow .htaccess control
    <Directory "/var/www/html">
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    <Files ~ "\.(cgi|shtml)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
EOF
# test Apache config
httpd -S
Optionally redirect all non-SSL traffic to your SSL site by adding this to your non-SSL config:
RewriteEngine on
RewriteRule ^/(.*) https://testsig.biostr.washington.edu/$1 [R]
Now restart Apache, open port 443 in the firewall, and visit https://testsig.biostr.washington.edu in a web browser.
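Before the restart, it helps to confirm that the certificate saved to localhost.crt really belongs to localhost.key, that the key is large enough, and that the certificate is not about to expire. The script below is an added example, not part of the original page; the function names and the script name check-cert.sh are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: sanity-check the certificate/key pair before restarting httpd.
# Function names are hypothetical; only standard openssl subcommands are used.

# Print the RSA key size in bits (e.g. 2048); prints nothing if unreadable.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p'
}

# Return 0 only if the certificate and the private key share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate will still be valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Run every check, print one line per problem, return the number of problems.
check_pair() {
    cert=$1; key=$2; problems=0
    bits=$(key_bits "$key")
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "KEY: $key has size '${bits:-unknown}', want at least 2048 bits"
        problems=$((problems + 1))
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "MISMATCH: $cert was not issued for $key"
        problems=$((problems + 1))
    fi
    if ! cert_valid_for_days "$cert" 30; then
        echo "EXPIRY: $cert is unreadable or expires within 30 days"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh check-cert.sh /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" && echo "OK: certificate and key are consistent"
fi
```

A mismatch here usually means the CSR was generated from a different key than the one now in /etc/pki/tls/private/, which would otherwise only show up as a failed Apache start.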
