r6 - 21 Nov 2006 - 01:32 - JesseSuen

Securing Apache with SSL on Solaris 10

This assumes you have installed Apache 1.3 or 2.2.

Apache 1.3

cd /opt/csw/apache/conf/ssl.crt/

Apache 2.X

Note: This uses the Blastwave openssl binary in /opt/csw/bin/openssl, which should have been installed when you installed Apache.

# cd /opt/csw/apache2/etc
# mkdir ssl-keys
# cd ssl-keys
# openssl genrsa -out www.website.com.key 2048
# openssl req -new -key www.website.com.key -out www.website.com.csr
# openssl x509 -in www.website.com.csr -out www.website.com.crt -req -signkey www.website.com.key -days 365

Modify your /opt/csw/apache2/etc/extra/httpd-ssl.conf

DocumentRoot "/path/to/your/htdocs"
ServerName www.website.com:443
SSLCertificateFile /opt/csw/apache2/etc/ssl-keys/www.website.com.crt
SSLCertificateKeyFile /opt/csw/apache2/etc/ssl-keys/www.website.com.key

By default, mod_ssl is not loaded in CSW's Apache. You need to comment out the <IfDefine SSL> lines around the LoadModule directive in your httpd.conf:

#<IfDefine SSL>
LoadModule ssl_module libexec/mod_ssl.so
#</IfDefine>

Also by default, httpd-ssl.conf is not included in your main httpd.conf. Uncomment the line enabling it in your httpd.conf:

# Secure (SSL/TLS) connections
Include etc/extra/httpd-ssl.conf

Force the use of SSL for sites:

To force users to access the SSL enabled version of your site (in case they accidentally leave the "s" off the "https") add the following to your
        # Force use of SSL: redirect any plain-HTTP request to the same host and path over HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Troubleshooting

If Apache doesn't start, check your Apache svc startup logs:

/var/svc/log/network-http:cswapache2.log

If Apache starts but is not working properly, check your Apache error logs:

/opt/csw/apache2/var/log/error_log

svcadm restart cswapache2 doesn't start apache

This could be because Apache went into maintenance mode. Check the status with svcs -x:
$ svcs -x
svc:/network/http:cswapache2 (Apache 2 HTTP server)
 State: maintenance since Fri Nov 17 17:04:07 2006
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://sun.com/msg/SMF-8000-KS
   See: httpd(8)
   See: /var/svc/log/network-http:cswapache2.log
Impact: This service is not running.

The above output shows that Apache could not start and went into maintenance mode. It also tells you where to find the logs (/var/svc/log/network-http:cswapache2.log).

Invalid command 'SSLPassPhraseDialog'

Check your /var/svc/log/network-http:cswapache2.log. If you see "Invalid command 'SSLPassPhraseDialog'", this means that mod_ssl is not enabled properly.
Syntax error on line 56 of /opt/csw/apache2/etc/extra/httpd-ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module not included in the server configuration

Make sure the <IfDefine SSL> lines around the LoadModule directive are commented out so that the mod_ssl module is loaded.

Could not resolve address '255.255.255.255' -- check resolver configuration

[ Nov 20 14:38:12 Executing start method ("/opt/csw/lib/svc/method/svc-cswapache2 start") ]
Syntax error on line 74 of /opt/csw/apache2/etc/extra/httpd-ssl.conf:
Could not resolve address '255.255.255.255' -- check resolver configuration.
Line 74 was:
<VirtualHost _default_:443>
To get rid of this error, I changed it to:
<VirtualHost *:443>
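
The three misconfigurations covered in the steps and troubleshooting above (mod_ssl still guarded by <IfDefine SSL>, httpd-ssl.conf not included, and the _default_:443 virtual host) can be checked before restarting the service. The script below is an added example, not part of the original page; the function name check_ssl_conf and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): lint the two config files this page edits.
# Usage: check_ssl_conf /opt/csw/apache2/etc/httpd.conf /opt/csw/apache2/etc/extra/httpd-ssl.conf
# Prints one line per finding; the return status is the number of findings.
check_ssl_conf() {
    httpd_conf=$1; ssl_conf=$2; findings=0

    # 1. mod_ssl must be loaded by an active line outside <IfDefine SSL>.
    #    (Simplification: any </IfDefine> ends the guarded region.)
    state=$(awk '
        /^[ \t]*#/                      { next }
        /^[ \t]*<IfDefine[ \t]+SSL>/    { guarded = 1; next }
        /^[ \t]*<\/IfDefine>/           { guarded = 0; next }
        /^[ \t]*LoadModule[ \t]+ssl_module/ {
            print (guarded ? "guarded" : "loaded"); found = 1; exit
        }
        END { if (!found) print "missing" }' "$httpd_conf")
    case $state in
        guarded) echo "mod_ssl: LoadModule ssl_module sits inside <IfDefine SSL>"
                 findings=$((findings + 1)) ;;
        missing) echo "mod_ssl: no active LoadModule ssl_module line"
                 findings=$((findings + 1)) ;;
    esac

    # 2. httpd.conf must include httpd-ssl.conf on an uncommented line.
    if ! grep -Eq '^[[:space:]]*Include[[:space:]]+.*httpd-ssl\.conf' "$httpd_conf"; then
        echo "include: httpd-ssl.conf is not included from httpd.conf"
        findings=$((findings + 1))
    fi

    # 3. The vhost form that failed name resolution in the log shown on this page.
    if grep -Eq '^[[:space:]]*<VirtualHost[[:space:]]+_default_:443>' "$ssl_conf"; then
        echo "vhost: <VirtualHost _default_:443> found; the page switches to *:443"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input: the CSW defaults as the page describes them.
sample_dir=$(mktemp -d)
printf '%s\n' '<IfDefine SSL>' 'LoadModule ssl_module libexec/mod_ssl.so' \
    '</IfDefine>' '#Include etc/extra/httpd-ssl.conf' > "$sample_dir/httpd.conf"
printf '%s\n' '<VirtualHost _default_:443>' '</VirtualHost>' > "$sample_dir/httpd-ssl.conf"
check_ssl_conf "$sample_dir/httpd.conf" "$sample_dir/httpd-ssl.conf" || echo "findings: $?"
```

A return status of 0 means none of the three conditions was found; the check reads the files only and does not replace Apache's own syntax test.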


-- JesseSuen - 16 Nov 2006
