Changes between Initial Version and Version 1 of ApacheConfig


Timestamp:
09/21/06 13:08:20 (13 years ago)
Author:
joshuadf
== .conf Files ==

In RHEL3 and RHEL4, the main `/etc/httpd/conf/httpd.conf` includes every file named `*.conf` in `/etc/httpd/conf.d/` (via an `Include conf.d/*.conf` line). This makes it easy to install official modules such as PHP and `mod_python` and to keep local configuration separate. Be careful, though: anything ending in `.conf` in that directory is loaded whether or not it is complete, so give only finished configuration sections the `.conf` suffix and name drafts or disabled sections `.off` or `.vhost`.

== SSL ==

By default, RHEL3 and RHEL4 ship Apache with a working SSL configuration but a self-signed placeholder `server.crt` for `localhost.localdomain`, which every browser will reject. (In RHEL5 this changes somewhat: the files move under `/etc/pki/tls/` and are managed with the new pki tools.) If you're not sure where your certificate came from, view its issuer with the following command (`openssl x509` prints `issuer=` in front of the DN):
{{{
# view
openssl x509 -noout -issuer -in /etc/httpd/conf/ssl.crt/server.crt
issuer= /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
# for a UW cert the output should be:
issuer= /C=US/ST=WA/O=University of Washington/OU=UW Services/CN=UW Services CA/emailAddress=help@cac.washington.edu
}}}

To get a UW certificate, first generate a key (or use your existing one) and a certificate signing request. The CN you enter at the `req` prompt must be the fully qualified hostname clients will use (here `testsig.biostr.washington.edu`). Keep the key readable by root only; it is the one file on the server that can impersonate the site:
{{{
cd /etc/httpd/conf/ssl.key
openssl genrsa -out server.key 1024
chmod 600 server.key
openssl req -new -key server.key -out server.csr
}}}
(1024-bit RSA was the norm when this page was written; use 2048 bits or more for any key generated today.)
Then go to http://certs.cac.washington.edu/ and upload the certificate request. When you get notice that the certificate is ready, keep the old certificate and save the new one as `server.crt`:
{{{
cd /etc/httpd/conf/ssl.crt
mv server.crt server.crt.oldyear
cat > server.crt <<'EOF'
[paste here]
EOF
}}}
Before restarting, check that the new certificate really belongs to `server.key`: the moduli printed by `openssl x509 -noout -modulus -in server.crt` and `openssl rsa -noout -modulus -in ../ssl.key/server.key` must be identical. A mismatch makes `httpd` refuse to start with a "key values mismatch" error.
Finally, create an SSL vhost config like the following and verify the Apache config. Note that `CustomLog` takes the log file first and the format name second, and that the certificate only covers the name in its CN: the `*.biostr.washington.edu` alias will still produce a name-mismatch warning in browsers unless the certificate is a wildcard. The heredoc delimiter is quoted so the shell leaves the `$` in the `<Files>` regex alone.
{{{
cd /etc/httpd/conf.d/
cat > ssl-vhost.conf <<'EOF'
# SSL - UW signed certs.cac.washington.edu
<VirtualHost 128.95.x.y:443>
  DocumentRoot /usr/local/data/www/htdocs
  ServerName testsig.biostr.washington.edu
  ServerAlias 128.95.x.y testsig testsig.biostr
  ServerAlias *.biostr.washington.edu
  DirectoryIndex index.html index.htm index.html.var

  CustomLog logs/ssl_access_log combined
  ErrorLog logs/ssl_error_log

  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  <Files ~ "\.(cgi|shtml)$">
  SSLOptions +StdEnvVars
  </Files>
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>
EOF
# check the syntax, then dump the parsed vhosts
httpd -t && httpd -S
}}}
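The key, CSR and certificate steps above and the vhost that uses them are easy to get subtly wrong (a certificate that does not match the key, a CN that is not the ServerName, a world-readable key, swapped `CustomLog` arguments). The script below is an added example, not part of the original wiki page: it runs the same `openssl` steps in a temporary directory, signs the CSR with its own key as a constructed stand-in for the certificate certs.cac.washington.edu would issue, writes a minimal vhost in the page's shape (and a deliberately broken one), and checks each of those points. The `-subj` string, the 2048-bit key size and the `lint_vhost` rules are this example's choices, not the page's.

```shell
#!/bin/sh
# Added example (not from the original wiki page): offline sanity checks for the
# key/CSR/certificate steps and the SSL vhost. Everything below is constructed:
# the self-signed certificate stands in for the one certs.cac.washington.edu
# would issue, and the vhost files are written to a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key and CSR as on the page, but 2048-bit and created under umask 077 so the
# private key is never group/world readable. $2 is the CN the CA would sign.
gen_key_and_csr() {
    dir=$1; cn=$2
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=WA/O=University of Washington/CN=$cn" 2>/dev/null
}

# Stand-in for the CA-issued server.crt: the same CSR, self-signed (constructed).
issue_selfsigned() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 30 -out "$1/server.crt" 2>/dev/null
}

# Does the certificate belong to this key? The RSA moduli must be identical.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Subject CN of a certificate (handles both "/CN=x" and "CN = x" output styles).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The private key must be mode 600 (GNU stat first, BSD stat as fallback).
key_is_private() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}

# Minimal vhost in the page's shape; "badlog=yes" reproduces the swapped
# CustomLog arguments (the directive takes the file first, then the format).
write_vhost() {
    dir=$1; out=$2; badlog=${3:-no}
    if [ "$badlog" = yes ]; then log='CustomLog combined logs/ssl_access_log'
    else log='CustomLog logs/ssl_access_log combined'; fi
    cat > "$out" <<EOF
<VirtualHost *:443>
  ServerName testsig.biostr.washington.edu
  $log
  SSLEngine on
  SSLCertificateFile $dir/server.crt
  SSLCertificateKeyFile $dir/server.key
</VirtualHost>
EOF
}

# Lint a vhost: reject the swapped CustomLog form, require a readable cert and
# key that match each other, and require the cert CN to equal ServerName.
lint_vhost() {
    conf=$1
    grep -Eq '^[[:space:]]*CustomLog[[:space:]]+combined([[:space:]]|$)' "$conf" && return 1
    sn=$(sed -n 's/^[[:space:]]*ServerName[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf")
    crt=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf")
    key=$(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf")
    [ -n "$sn" ] && [ -r "$crt" ] && [ -r "$key" ] || return 1
    cert_matches_key "$crt" "$key" || return 1
    [ "$(cert_cn "$crt")" = "$sn" ]
}

CN=testsig.biostr.washington.edu
gen_key_and_csr "$WORK" "$CN"
issue_selfsigned "$WORK"
write_vhost "$WORK" "$WORK/ssl-vhost.conf"
write_vhost "$WORK" "$WORK/bad-vhost.conf" yes

cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "cert and key match"
key_is_private "$WORK/server.key" && echo "server.key is mode 600"
lint_vhost "$WORK/ssl-vhost.conf" && echo "ssl-vhost.conf passes"
lint_vhost "$WORK/bad-vhost.conf" || echo "bad-vhost.conf rejected: CustomLog arguments swapped"
```

On a real server, point `lint_vhost` at `/etc/httpd/conf.d/ssl-vhost.conf` after pasting in the UW-issued certificate; the modulus comparison is the same check mod_ssl performs at startup, so catching a mismatch here saves a failed restart.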
     64
     65Optionally redirect all non-SSL traffic to your SSL site by adding
     66this to your non-SSL config:
     67{{{
     68  RewriteEngine on
     69  RewriteRule ^/(.*) https://testsig.biostr.washington.edu/$1 [R]
     70}}}
     71
     72Now restart Apache, open port 443 in the firewall, and visit
     73https://testsig.biostr.washington.edu in a web browser.