wiki:ApacheConfig

Version 1 (modified by joshuadf, 13 years ago)

.conf Files

In RHEL3 and RHEL4, the main /etc/httpd/conf/httpd.conf automatically includes any files named *.conf in the /etc/httpd/conf.d/ directory. This makes it easier to install official modules such as PHP, mod_python, etc. and also to separate out custom local configurations. However, be careful to give the .conf extension only to files that are complete configuration sections; other files can use an extension such as .off or .vhost.

SSL

By default, RHEL3 and RHEL4 ship Apache with a working SSL configuration file, but a fake server.crt certificate for localhost. (In RHEL5, this process should change somewhat to use the new pki tools.) If you're not sure where your certificate came from, you can view its issuer with the following command:

# view the issuer of the installed certificate
openssl x509 -noout -text -in /etc/httpd/conf/ssl.crt/server.crt -issuer | tail -1
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
# for a UW cert output should be:
/C=US/ST=WA/O=University of Washington/OU=UW Services/CN=UW Services CA/emailAddress=help@cac.washington.edu

To get a UW certificate, first generate a key (or use your existing one) and a certificate request:

cd /etc/httpd/conf/ssl.key
# 2048 bits is the minimum public CAs accept today; 1024-bit RSA keys are rejected
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr

Then go to http://certs.cac.washington.edu/ and upload the certificate request. When you get notice that the certificate is ready, save it to server.crt:

cd /etc/httpd/conf/ssl.crt
mv server.crt server.crt.oldyear
cat > server.crt <<EOF
[paste here]
EOF

Finally, create an SSL vhost config like the following and verify the Apache config:

cd /etc/httpd/conf.d/
cat > ssl-vhost.conf <<'EOF'
# SSL - UW signed certs.cac.washington.edu
<VirtualHost 128.95.x.y:443>
  DocumentRoot /usr/local/data/www/htdocs
  ServerName testsig.biostr.washington.edu 
  ServerAlias 128.95.x.y testsig testsig.biostr
  ServerAlias *.biostr.washington.edu
  DirectoryIndex index.html index.htm index.html.var

  # CustomLog takes the log file first, then the format nickname
  CustomLog logs/ssl_access_log combined
  ErrorLog logs/ssl_error_log

  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  <Files ~ "\.(cgi|shtml)$">
  SSLOptions +StdEnvVars
  </Files>
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>
EOF
# test Apache config
httpd -S

Optionally redirect all non-SSL traffic to your SSL site by adding this to your non-SSL config:

  RewriteEngine on
  RewriteRule ^/(.*) https://testsig.biostr.washington.edu/$1 [R]

Now restart Apache, open port 443 in the firewall, and visit https://testsig.biostr.washington.edu in a web browser.
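
A check worth running before that restart, given here as an added example that is not part of the original page: it confirms the pasted server.crt was issued for server.key, that the issuer is no longer the localhost placeholder, that the certificate is not about to expire, and that the key file is not readable by other users. The function names and the 30-day default are assumptions, and the key is assumed to be an unencrypted RSA key as produced by the genrsa step.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
# Assumes an unencrypted RSA key, as produced by the genrsa step above.

# 0 if certificate and private key share one RSA modulus, i.e. the pasted
# certificate was issued for this key.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 if the issuer still names localhost, as the stock RHEL certificate does.
issuer_is_placeholder() {
    issuer=$(openssl x509 -noout -issuer -in "$1" 2>/dev/null) || return 1
    case "$issuer" in
        *CN*localhost*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the certificate stays valid for at least $2 more days.
cert_valid_for() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# 0 if the key file grants nothing to group or other (e.g. mode 0600 or 0400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check and report; returns non-zero if any check fails.
# usage: precheck CERT KEY [MIN_DAYS]   (MIN_DAYS defaults to 30, an assumption)
precheck() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: certificate was not issued for this key"; rc=1; }
    if issuer_is_placeholder "$1"; then echo "FAIL: issuer is still the localhost placeholder"; rc=1; fi
    cert_valid_for "$1" "${3:-30}" || { echo "FAIL: certificate expires within ${3:-30} days"; rc=1; }
    key_is_private "$2" || { echo "FAIL: key file is accessible to group or other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Typical use with the paths from this page:
#   precheck /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.key/server.key && httpd -S
```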