Today I will talk about setting up HTTPS with Apache on a Debian system. HTTPS is used for secure connections between your web browser and the web server, reducing the risk that a hostile party can listen in on your communications with standard network sniffing techniques.
This may be useful if any of your websites handles personal data, such as a webmail application for instance.
Activate the default HTTPS website
As root, issue the commands:
apt-get install ssl-cert
Now you should be able to access your HTTPS website through an https:// URL. Your browser should warn you that the certificate presented by the server was not signed by a certification authority, which is indeed the case. You will have to manually accept the certificate in order to be able to browse the secured website.
The default Apache configuration only displays an "It works!" message, just like the default HTTP one. This is because the default HTTPS document hierarchy is the same as the HTTP one. You will have to switch it to another location on the hard disk if you want to separate public and private data. To do this, edit the /etc/apache2/sites-available/default-ssl file, and change the value of the DocumentRoot option, as well as the argument of the corresponding Directory block header.
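The following script is an added example (not code from the original post) that carries out the steps above: it enables the SSL module and the default-ssl site, rewrites both the DocumentRoot line and the matching Directory header of a default-ssl style file, and prints the fingerprint of the self-signed certificate so that it can be compared with the one shown in the browser warning before the certificate is accepted. It assumes Debian's /etc/apache2 layout and the stock sites-available/default-ssl file; the private document root /var/www-ssl, the APPLY and APACHE_DIR variables, and the function names are assumptions made here. The live system is only touched when APPLY=1 is set, so the edit can first be rehearsed on a copy of the file.

```shell
#!/bin/sh
# Added example, not code from the original post: enable Debian's default
# HTTPS site and point it at a separate DocumentRoot. Assumes the Debian
# layout under /etc/apache2 with the stock sites-available/default-ssl file.
# Nothing on the live system is changed unless APPLY=1 is set and the Debian
# helper scripts exist, so the edit can first be rehearsed on a copy
# (APACHE_DIR=/some/copy).
set -u

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
NEW_ROOT="${NEW_ROOT:-/var/www-ssl}"   # hypothetical private document root

# Rewrite DocumentRoot and the matching <Directory> header of a default-ssl
# style file so the HTTPS site serves from the directory given as $2.
# Usage: set_ssl_docroot /etc/apache2/sites-available/default-ssl /var/www-ssl
set_ssl_docroot() {
    file="$1"; root="$2"
    old_root=$(sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]\{1,\}\(.*\)$/\1/p' "$file" | head -n 1)
    [ -n "$old_root" ] || { echo "no DocumentRoot in $file" >&2; return 1; }
    old_root="${old_root%/}"          # tolerate a trailing slash
    tmp="$file.tmp.$$"
    sed -e "s|^\([[:space:]]*DocumentRoot[[:space:]]\{1,\}\).*|\1$root|" \
        -e "s|^\([[:space:]]*<Directory[[:space:]]\{1,\}\)$old_root/\{0,1\}>|\1$root/>|" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the certificate's SHA-1 fingerprint so it can be compared against the
# one the browser shows before a self-signed certificate is accepted.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

if [ "${APPLY:-0}" = 1 ] && command -v a2ensite >/dev/null 2>&1; then
    a2enmod ssl
    a2ensite default-ssl
    mkdir -p "$NEW_ROOT"
    set_ssl_docroot "$APACHE_DIR/sites-available/default-ssl" "$NEW_ROOT"
    apache2ctl configtest && /etc/init.d/apache2 restart
    # the ssl-cert package installs this self-signed certificate, which
    # the stock default-ssl site uses
    cert_fingerprint /etc/ssl/certs/ssl-cert-snakeoil.pem
fi
```

Run it as `APPLY=1 sh enable-ssl.sh` once the rehearsal on a copy looks right; the fingerprint it prints is what the browser should display when asking you to accept the certificate.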
Virtual host configuration
If your server runs different websites with different host names (when using custom DNS aliases from DynDNS, for instance), you may want to generate a different certificate for each host name. For each of the websites, you can generate a certificate file with the commands (as root):
mkdir -p /etc/apache2/ssl
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/filename.crt
You will be prompted to enter the virtual host name of the website, such as blog.ouasse.ath.cx. The generated file can then be referenced from an HTTPS website configuration file, such as the following:
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
CustomLog /var/log/apache2/ssl_access.log combined
# Workaround for MSIE
BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
Make sure the file you generated is given as the argument to the SSLCertificateFile option. Finally, activate the HTTPS website with the commands:
Where filename is the name of the website configuration file.
HTTP to HTTPS redirection
You may require a full website, or some subdirectory of a website, to be accessible exclusively through HTTPS. A simple way to do this is to let the normal HTTP website redirect requests to its HTTPS counterpart. This is done with the Redirect permanent option in the Apache configuration files.
For instance, I have configured the admin subdirectory of this blog, when accessed via HTTP, to be redirected to HTTPS. This is done by editing the HTTP configuration file for this site, adding the option:
Redirect permanent /admin/ https://blog.ouasse.ath.cx/admin/
Once again, let Apache update its configuration with the command:
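The script below is an added example (not code from the original post) that serves both the virtual host section and the redirection section: it generates the per-host certificate with make-ssl-cert, writes a complete HTTPS virtual host that references the generated file, writes the matching HTTP virtual host whose Redirect permanent line sends a protected path (or, with "/", the whole site) to HTTPS, and then enables both sites. It assumes Debian's /etc/apache2 layout and the ssl-cert package; the host name blog.example.test, the document root, the /admin/ path, the APPLY and APACHE_DIR variables and the function names are constructed for the example. Because make-ssl-cert writes the private key and the certificate into the single output file, SSLCertificateFile and SSLCertificateKeyFile both point at it.

```shell
#!/bin/sh
# Added example, not code from the original post: create a per-hostname HTTPS
# virtual host with its own self-signed certificate, plus the HTTP counterpart
# that redirects a protected path (or the whole site) to HTTPS.
# Assumes Debian's /etc/apache2 layout and make-ssl-cert from ssl-cert.
# Host name, paths and the APPLY/APACHE_DIR variables are constructed here.
set -u

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"

# Generate the self-signed certificate+key for a host into $2 (make-ssl-cert
# prompts for the host name and writes key and certificate into one file).
make_cert() {
    cert="$2"
    mkdir -p "$(dirname "$cert")"
    make-ssl-cert /usr/share/ssl-cert/ssleay.cnf "$cert"
}

# Write sites-available/<host>-ssl and print its path.
# Usage: write_ssl_vhost blog.example.test /var/www/blog /etc/apache2/ssl/blog.crt
write_ssl_vhost() {
    host="$1"; docroot="$2"; cert="$3"
    out="$APACHE_DIR/sites-available/${host}-ssl"
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName ${host}
    DocumentRoot ${docroot}
    <Directory ${docroot}/>
        Options -Indexes
        AllowOverride None
        # Apache 2.4 needs "Require all granted" here; 2.2 uses
        # "Order allow,deny" followed by "Allow from all"
    </Directory>

    SSLEngine on
    SSLCertificateFile    ${cert}
    SSLCertificateKeyFile ${cert}

    LogLevel warn
    ErrorLog  /var/log/apache2/${host}-ssl_error.log
    CustomLog /var/log/apache2/${host}-ssl_access.log combined

    # Workaround for old MSIE versions, as in Debian's default-ssl
    BrowserMatch "MSIE [2-6]" \\
        nokeepalive ssl-unclean-shutdown \\
        downgrade-1.0 force-response-1.0
</VirtualHost>
EOF
    echo "$out"
}

# Write sites-available/<host>: the HTTP vhost that permanently (301)
# redirects $3 to the HTTPS counterpart. Redirect keeps the rest of the
# request path, so /admin/x goes to https://host/admin/x; with "/" the whole
# site moves to HTTPS. Prints the file path.
# Usage: write_redirect_vhost blog.example.test /var/www/blog /admin/
write_redirect_vhost() {
    host="$1"; docroot="$2"; path="$3"
    out="$APACHE_DIR/sites-available/${host}"
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName ${host}
    DocumentRoot ${docroot}
    Redirect permanent ${path} https://${host}${path}
    ErrorLog  /var/log/apache2/${host}_error.log
    CustomLog /var/log/apache2/${host}_access.log combined
</VirtualHost>
EOF
    echo "$out"
}

HOST="${1:-blog.example.test}"      # constructed example host name
DOCROOT="${2:-/var/www/$HOST}"
SECURE_PATH="${3:-/admin/}"
CERT="$APACHE_DIR/ssl/$HOST.crt"

# Only touch the live system when asked to and when the Debian helpers exist.
if [ "${APPLY:-0}" = 1 ] && command -v a2ensite >/dev/null 2>&1; then
    make_cert "$HOST" "$CERT"
    write_ssl_vhost "$HOST" "$DOCROOT" "$CERT"
    write_redirect_vhost "$HOST" "$DOCROOT" "$SECURE_PATH"
    a2enmod ssl
    a2ensite "$HOST"
    a2ensite "${HOST}-ssl"
    apache2ctl configtest && /etc/init.d/apache2 reload
fi
```

Invoke it as `APPLY=1 sh make-vhost.sh blog.ouasse.ath.cx /var/www/blog /admin/`; passing `/` as the third argument redirects the entire site. Note that the first request to the protected path still travels over plain HTTP before the redirect, so any cookie or credential sent with it is exposed; the redirect protects subsequent traffic, not that initial request.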
I have covered the most common uses of secure web hosting on a Debian Apache server. I hope it will be useful to any home web administrator who needs secure HTTP services.