Posts Tagged ‘lt domain’

How to setup Apache HTTP and HTTPS virtual hosts

Virtual hosting is a way of hosting several servers on a single machine. This technique is widely used in shared web hosting, because it greatly reduces hosting costs, since multiple customers use one server.

There are three types of virtual hosting:

  • Name-based – when the virtual hosts is determined by its domain. A problem with this approach is that it is completely dependent on the DNS.
  • IP-based – when each site is differentiated via his IP. A natural complication is that this requires a different IP for each site.
  • Port-based – when each site is described with the same domain, but different port. Naturally, the problem that users don’t generally use ports arises. Additionally, some firewalls block uncommon ports.

Using Apache, we will setup two name-based virtual hosts – an HTTP one and an HTTPS one. Both will work on the standard ports 80 for HTTP and 443 for HTTPS. Naturally we will see how to set port-based hosts.

Note: This tutorial assumes standard file places and settings for Apache on CentOS.

Note: The goal of this tutorial is not to provide extensive knowledge on configuring virtual hosts, but to provide a general-purpose working configuration. For more find-tuned configurations refer to the Apache documentation on virtual hosts.

We assume that <domain> is the domain for our virtual host. In the httpd/conf.d directory (usually /etc/httpd/conf.d) create a file called <domain>.conf

Note: It is not necessary to call your file <domain>.conf, but it’s a sort of a convention and makes editing hosts easier. The file for the HTTP virtual host should contain:

# <domain> HTTP Virtual Host
<VirtualHost *:80>
    # General
    ServerAdmin <administrator_e_mail>
    DocumentRoot /var/www/html/<domain>
    ServerName www.<domain>
    ServerAlias <domain>
 
    # Logging
    ErrorLog logs/<domain>-error_log
    CustomLog logs/<domain>-access_log common
</VirtualHost>

<administrator_e_mail> is the e-mail of the site administrator. After you set this file restart the HTTP Server daemon:

service httpd restart

To setup an HTTPS virtual host, again create the <domain>.conf file in the /httpd/conf.d. Again we assume <domain> is the domain-name:

# <domain> HTTPS Virtual Host
<VirtualHost *:443>
    # General
    ServerAdmin <administrator_e_mail>
    DocumentRoot /var/www/html/<domain>
    ServerName www.<domain>
    ServerAlias <domain>
 
    # Logging
    ErrorLog logs/<domain>-ssl_error_log
    TransferLog logs/<domain>-ssl_access_log
    CustomLog logs/<domain>-ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel warn
 
    # SSL Engine
    SSLEngine on
 
    # SSL Protocol
    SSLProtocol all –SSLv2
 
    # SSL Cipher Suite
    SSLCipherSuite LL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 
    # Server Certificate
    SSLCertificateFile <path_to_certificate>
 
    # Server Private Key
    SSLCertificateKeyFile <path_to_private_key>
 
    # SSL Engine Options
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
 
    # SSL Protocol Adjusments
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown owngrade-1.0 force-response-1.0
</VirtualHost>

Of course, after setting this, restart the HTTP daemon:

service httpd restart

It is easily noticeable, that you can setup port-based virtual hosts quite easy, by using the same domain, but different ports in the .conf file.

Naturally this tutorial is not exhaustive, as such tutorial will be pretty much equal to documentation (which you can find here).

VN:F [1.9.18_1163]
Rating: 7.0/10 (2 votes cast)

Creating and signing certification requests using OpenSSL

In our previous tutorial about creating your own Certificate Authority, we introduced OpenSSL – an open source commercial-grade toolkit, which implements SSL and TLS (Secure Sockets Layer and Transport Layer Security) and provides a general purpose cryptography library. Naturally we continue with creation of certification requests (also called Certificate Signing Request).

Note: In this tutorial (as well as in the previous one) we assume CentOS is the OS of choice.

To create a certificate request we navigate again to /etc/pki/CA:

cd /etc/pki/CA

Now let’s create the certification request. We’ll request a certificate, which will last one year:

openssl req -config openssl.cnf -new -nodes -keyout private/<domain>.key -out <domain>.csr -days 365

Generating a 2048 bit RSA private key
..............................+++
.................................+++
writing new private key to 'private/<domain>.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<country>
State or Province Name (full name) []:<state>
Locality Name (eg, city) [Default City]:<city>
Organization Name (eg, company) [Default Company Ltd]:<organization>
Organizational Unit Name (eg, section) []:<department>
Common Name (eg, your name or your server's hostname) []:<url>
Email Address []:<email>
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This creates two files, <domain>.key, which is the private key and <domain>.csr, which is the Certificate Signing Request. Restrict the rights to the private key so it readable only by root and the user that will use it:

chown root:globus private/<domain>.key

chmod 0440 private/<domain>.key

So now that we have created the certification request it is time to sign it. Navigate to /etc/pki/CA:

cd /etc/pki/CA

Sign the certificate using this command:

openssl ca -config openssl.cnf -policy policy_anything -out certs/<domain>.crt -infiles <domain>.csr

Using configuration from openssl.cnf
Enter pass phrase for ./private/ca.key:<ca_password>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 15 18:52:08 2011 GMT
            Not After : Nov 14 18:52:08 2012 GMT
… CERTIFICATE INFORMATION …
Certificate is to be certified until Nov 14 18:52:08 2012 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

After that, you need to remove the certificate request:

rm -f <domain>.csr

After the whole procedure two files are created. <domain>.crt – this is a domain specific certificate for the request. It is put in the certs directory. <certificate_number>.pem is the second file. It is put in the newcerts folder. This is a ready to use X.509 file which contains the information from <domain>.key and from <domain>.crt.

VN:F [1.9.18_1163]
Rating: 0.0/10 (0 votes cast)