Linux Apps Tutorials - Herong's Tutorial Examples - v1.03, by Herong Yang
Apache Configuration for HTTPS Protocol
This section provides a tutorial example on how to install Web server certificates and configure Apache HTTP Server to support the HTTPS protocol.
If you have obtained your Web server certificate, associated private key, and CA certificates, you are ready to follow this tutorial to configure your Apache HTTP Server on a CentOS 8 system to support the HTTPS protocol.
1. Bundle CA certificates into a single CA certificate chain file. This can be done by concatenating CA certificates in PEM format into a single file. For example:
herong$ cat intermediate-ca-cert.pem root-ca-cert.pem > ca-chain-cert.pem
herong$ more ca-chain-cert.pem
-----BEGIN CERTIFICATE-----
MIIOQjCCDSqgAwIBAgIQD00WsSXPnIao38PGBD5icDANBgkqhkiG9w0BAQsFADBw
...
cPUeybQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
...
ykn9M6o+
2. Install Web server certificate, associated private key, and CA certificates under the system directory /etc/pki/tls.
herong$ sudo cp herongyang-key.pem /etc/pki/tls/private/
herong$ sudo cp herongyang-cert.pem /etc/pki/tls/certs/
herong$ sudo cp ca-chain-cert.pem /etc/pki/tls/certs/
3. Set SELinux context properties on certificate and key files. This is to ensure that the Web server program can access these files.
herong$ sudo chcon -u system_u /etc/pki/tls/certs/herongyang-cert.pem
herong$ sudo chcon -u system_u /etc/pki/tls/certs/ca-chain-cert.pem
herong$ ls -lZ /etc/pki/tls/certs/
-r--r--r--. 1 root root system_u:object_r:cert_t:s0 herongyang-cert.pem
-r--r--r--. 1 root root system_u:object_r:cert_t:s0 ca-chain-cert.pem
herong$ sudo chcon -u system_u /etc/pki/tls/private/herongyang-key.pem
herong$ ls -lZ /etc/pki/tls/private/
-r--------. 1 root root system_u:object_r:cert_t:s0 herongyang-key.pem
4. Verify "IncludeOptional" setting in Apache HTTP Server configuration file httpd.conf. The output shows that httpd.conf is extended to include all *.conf files in the /etc/httpd/conf.d directory.
herong$ sudo grep -i -r "IncludeOptional" /etc/httpd/
/etc/httpd/conf/httpd.conf:IncludeOptional conf.d/*.conf
herong$ sudo ls -l /etc/httpd/conf.d
-rw-r--r--. 1 root root 2926 Mar 12 2021 autoindex.conf
-rw-r--r--. 1 root root 1618 May 7 2020 php.conf
-rw-r--r--. 1 root root 400 Nov 12 2021 README
-rw-r--r--. 1 root root 481 Nov 12 2021 ssl.conf
-rw-r--r--. 1 root root 1252 Nov 12 2021 userdir.conf
-rw-r--r--. 1 root root 574 Nov 12 2021 welcome.conf
5. Select an HTTPS support option, for example, supporting HTTPS with HTTP connections automatically forwarded to HTTPS. This requires configuring 2 virtual hosts, one for HTTP and one for HTTPS. Add the "Redirect" directive in the HTTP virtual host to forward connections to the HTTPS virtual host.
6. Update the ssl.conf file based on the HTTPS support option. If it does not exist, add it.
herong$ sudo vi /etc/httpd/conf.d/ssl.conf
Listen 443
NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.herongyang.com:80
   Redirect permanent / https://www.herongyang.com/
</VirtualHost>
<VirtualHost www.herongyang.com:443>
   DocumentRoot /var/www/html
   ServerName www.herongyang.com:443
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/herongyang-cert.pem
   SSLCertificateKeyFile /etc/pki/tls/private/herongyang-key.pem
   SSLCertificateChainFile /etc/pki/tls/certs/ca-chain-cert.pem
</VirtualHost>
7. Install the mod_ssl package.
herong$ sudo dnf install mod_ssl
Installed:
  mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64
8. Restart the Apache HTTP Server. You need to enter the pass phrase that protects your server private key. If this is a problem, you can remove the password protection from the private key file, in which case the key is protected only by its file permissions.
herong$ sudo apachectl restart
Enter private key pass phrase: ********
9. Open the firewall for 443/tcp connections.
herong$ sudo firewall-cmd --zone=public --add-service=https
herong$ sudo firewall-cmd --runtime-to-permanent
That's it. Users can now access http://www.herongyang.com, get redirected to https://www.herongyang.com and enjoy secure connections.
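The certificate, key and chain files from steps 1 to 3 can be checked before Apache is restarted, so that a truncated bundle or a key that does not belong to the certificate is caught first. The script below is an added example, not part of the original tutorial; it assumes openssl is installed, and the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the tutorial): checks on the files from steps 1-3.
# Usage: sh check-tls-files.sh CERT KEY CHAIN   (script name is hypothetical)

# Print the number of complete certificate blocks in a PEM bundle; fail if a
# BEGIN/END marker is unpaired, which is what a truncated copy produces.
pem_cert_count() {
  awk '
    /^-----BEGIN CERTIFICATE-----/ { if (inside) bad = 1; inside = 1; next }
    /^-----END CERTIFICATE-----/   { if (inside) n++; else bad = 1; inside = 0; next }
    END { if (inside || bad) exit 1; print n + 0 }
  ' "$1"
}

# Succeed only if certificate and private key carry the same public key.
# openssl asks for the pass phrase when the key file is encrypted.
cert_matches_key() (
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 2
  key_pub=$(openssl pkey -in "$2" -pubout) || exit 2
  [ "$cert_pub" = "$key_pub" ]
)

# Succeed only if the bundle ($1) builds a path from the server certificate
# ($2) to a self-signed root. Certificates in the bundle are treated as
# trusted, so this shows the bundle is complete, not that clients trust it.
chain_links_cert() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if the key is a regular file with no group/other permissions.
key_is_private() (
  perms=$(ls -ld "$1") || exit 2
  case "$perms" in
    -???------*) exit 0 ;;
    *) exit 1 ;;
  esac
)

if [ "$#" -eq 3 ]; then
  rc=0
  n=$(pem_cert_count "$3") && echo "chain: $n certificate(s)" ||
    { echo "chain: unpaired BEGIN/END marker"; rc=1; }
  cert_matches_key "$1" "$2" || { echo "certificate and key do not match"; rc=1; }
  chain_links_cert "$3" "$1" || { echo "chain does not link to certificate"; rc=1; }
  key_is_private "$2" || { echo "key is readable by group or others"; rc=1; }
  exit "$rc"
fi
```

Run it with sudo, since the private key is readable only by root; it exits non-zero if any check fails.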