HTTPS setup

Today I will talk about setting up HTTPS with Apache on a Debian system. HTTPS encrypts the connection between your web browser and the web server, which greatly reduces the risk that a hostile party listening on the network with standard sniffing tools can read your communications.

This may be useful if some of your websites handle personal data, such as a webmail application for instance.

This article assumes you have already set up a basic Apache web server, as described in this previous article.

Activate the default HTTPS website

As root, issue the commands:
apt-get install ssl-cert
a2ensite default-ssl
a2enmod ssl
/etc/init.d/apache2 restart

Now you should be able to access your HTTPS website through an https:// URL. Your browser should warn you that the certificate for the URL you are trying to access was not issued by a certification authority, which is indeed the case. You will have to manually accept the certificate in order to browse the secured website.

The default Apache HTTPS configuration only displays an "It works!" message, just like the default HTTP one. This is because the default HTTPS site serves the same directory hierarchy as the HTTP one. You will have to point it at another location on the hard disk if you want to separate public and private data. To do this, edit the /etc/apache2/sites-available/default-ssl file, and change the value of the DocumentRoot option, as well as the argument of the corresponding Directory block header.

Virtual host configuration

If your server runs different websites with different host names (when using custom DNS aliases from DynDNS for instance), you may want to generate a different certificate for each host name. For each of the websites, you can generate a certificate file with the commands (as root):

mkdir -p /etc/apache2/ssl
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/filename.crt

You will be prompted to enter the virtual host name of the website, such as blog.ouasse.ath.cx. The generated file can then be used in an HTTPS website configuration file such as the following:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName blog.ouasse.ath.cx

DocumentRoot /home/ouasse/www/dotclear

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/ssl_access.log combined

SSLEngine on
# File generated by make-ssl-cert above; it holds both the private key and the certificate
SSLCertificateFile /etc/apache2/ssl/filename.crt

# Workaround for MSIE
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

Make sure the SSLCertificateFile option names the file you actually generated with make-ssl-cert. Finally, activate the HTTPS website with the commands:

a2ensite filename
/etc/init.d/apache2 reload

where filename is the name of the website configuration file.

HTTP to HTTPS redirection

You may require a whole website, or only a subdirectory of it, to be accessed exclusively through HTTPS. A simple way to do this is to have the plain HTTP website redirect requests to its HTTPS counterpart. This is done with the Redirect permanent option in the Apache configuration files.

For instance, I have configured the admin subdirectory of this blog so that requests arriving over HTTP are redirected to HTTPS. This is done by editing the HTTP configuration file for this site and adding the option:

Redirect permanent /admin/ https://blog.ouasse.ath.cx/admin/

Once again, let Apache update its configuration with the command:

/etc/init.d/apache2 reload
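As an added example (not part of the original article), the following POSIX shell script checks the two configuration files described above for the mistakes this article warns about: an HTTPS virtual host whose SSLCertificateFile does not point at the generated file, a combined key-and-certificate file that other users can read, and an HTTP virtual host missing its Redirect permanent line. The script name check_vhost.sh and the host names in its usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: a small lint for the
# Apache vhost files discussed above. It only reads the files it is given.

# check_ssl_vhost CONFIG_FILE
# Reports the mistakes the article warns about in an HTTPS vhost; returns 0
# when the file looks consistent, 1 otherwise.
check_ssl_vhost() {
    conf="$1"; rc=0
    # First value of each directive; Apache directives are one per line.
    name=$(awk '$1=="ServerName"{print $2; exit}' "$conf")
    engine=$(awk '$1=="SSLEngine"{print tolower($2); exit}' "$conf")
    cert=$(awk '$1=="SSLCertificateFile"{print $2; exit}' "$conf")

    [ -n "$name" ] || { echo "$conf: no ServerName, name-based vhosts will not match"; rc=1; }
    [ "$engine" = on ] || { echo "$conf: SSLEngine is not on"; rc=1; }
    if [ -z "$cert" ]; then
        echo "$conf: no SSLCertificateFile"; rc=1
    elif [ ! -r "$cert" ]; then
        echo "$conf: SSLCertificateFile $cert is missing (wrong filename?)"; rc=1
    else
        grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert: contains no certificate"; rc=1; }
        # make-ssl-cert writes the private key into the same file as the
        # certificate, so the "other" permission bits must all be off.
        if grep -q 'PRIVATE KEY' "$cert"; then
            others=$(ls -ld "$cert" | cut -c8-10)
            [ "$others" = "---" ] || { echo "$cert: holds the private key but is accessible to other users"; rc=1; }
        fi
    fi
    return $rc
}

# check_redirect CONFIG_FILE PATH HOST
# Returns 0 when the plain-HTTP vhost sends PATH to https://HOST/PATH with a
# permanent redirect, as the article does for /admin/.
check_redirect() {
    awk -v p="$2" -v h="$3" \
        '$1=="Redirect" && $2=="permanent" && $3==p && $4==("https://" h p) {f=1}
         END {exit !f}' "$1"
}

# Usage: sh check_vhost.sh /etc/apache2/sites-available/default-ssl ...
for f in "$@"; do check_ssl_vhost "$f"; done
```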

Conclusion

I have covered the most common uses of secure web hosting on a Debian Apache server. I hope it will be useful to any home web administrator who needs secure HTTP services.