HTTP is a non-secure protocol commonly used to communicate over the Web. The traffic is transferred in plain text form and can be captured and interpreted by a third-party attacker. Transport Layer Security and Secure Socket Layer protocols (TLS/SSL) can be used to secure the traffic between client and server. These protocols encapsulate normal traffic in an encrypted and secure wrapper. It also validates the identity of the client and server with SSL keys, certificates, and certification authorities.
When HTTP is combined with TLS or SSL, it is abbreviated as HTTPS or HTTP secure. Port 443
is used as a standard port for secured HTTP communication. Nearly all leading web servers provide inbuilt support for enabling HTTPS. Apache has a module called mod_ssl
that enables the use of HTTPS.
To set up your servers with SSL/TLS encrypted traffic, you will need an SSL certificate and a key pair that can be used to encrypt traffic. Generally, the certificate and keys are obtained from a trusted signing authority. They charge you some fees to verify your ownership of the web property and allocate the required signed certificates. You can also generate self-signed certificates for internal use. Few certification authorities provide a free SSL certificate. Recently, Mozilla has started a free and automated certificate authority named Let's Encrypt. At the time of writing, the service is in public beta and has started allocating certificates. Let's Encrypt offers a client that can be used to obtain certificates and set up automated renewal. You can also find various unofficial clients for Apache and Nginx servers.
In this recipe, we will learn how to create our own self-signed certificate and set up the Apache server to serve contents over a secure channel.
You will need access to a root account or an account with sudo
privileges. I assume that you have the Apache server preinstalled. You will also need OpenSSL installed.
Make sure your firewall, if any, allows traffic on port 443
. Check Chapter 2, Networking, Securing network with uncomplicated firewall recipe for more details on Uncomplicated Firewall.
Follow these steps to secure web traffic with HTTPS:
/etc/apache2
to hold the certificate and key:$ sudo mkdir /etc/apache2/ssl
$ cd /etc/apache2/ssl $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ssl.key -out ssl.crt
$ ls -l
example.com.conf
. After removing comments, it should look similar to the following:<VirtualHost *:80> ... </VirtualHost>
tag and paste it at the end of the file.80
to 443
.DocumentRoot
line. This will enable SSL and specify the path to the certificate and key:SSLEngine on SSLCertificateFile /etc/apache2/ssl/ssl.crt SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
example.com.conf
, and enable the mod_ssl
module on the Apache server:$ sudo a2enmod ssl
example.com
. If it's already enabled, it will return a message saying site example.com already enabled
:$ sudo a2ensite example.com.conf
$ sudo service apache2 reload
https://example.com
We have created a self-signed certificate to secure an HTTP communication. The key will be used to encrypt all communication with clients. Another thing to note is that we have defined a separate Virtual Host entry on port 443
. This Virtual Host will be used for all requests that are received over port 443
. At the same time, we have allowed non-secured HTTP communication for the same Virtual Host. To disable non-secure communication on port 80
, you can simply comment out the original Virtual Host configuration. Alternatively, you can separate both configurations into two files and enable or disable with the a2ensite
and a2dissite
commands.
Some of the parameters used for generating a key and certificate are as follows:
- nodes
specifies that we do not want to use a passphrase for a key.- days
this specifies the number of days the certificate is valid for. Our certificate is valid for 365 days, that is, a year.- newkey rsa:2048
this option is used to generate a certificate along with a private key. rsa:2048
specifies the 2048 bit long RSA private key.I have modified the existing Virtual Host entry to demonstrate the minimal configuration required to enable secure HTTP communication. You can always use the default secure Virtual Host configuration available under sites-available/default-ssl.conf
. This file provides some additional parameters with respective comments.
The certificate created in this recipe will not be trusted over the Internet but can be used for securing local or internal communication. For production use, it is advisable to get a certificate signed from an external, well known certification authority. This will avoid the initial errors in browsers.
To get a signed certificate from an external certification authority, you will need a CSR document.
The following are the steps to generate a CSR:
$ openssl genrsa -des3 -out server.key 2048
server.key
.$ openssl rsa -in server.key -out server.key.insecure $ mv server.key server.key.secure $ mv server.key.insecure server.key
$ openssl req -new -key server.key -out server.csr
server.csr
, and now you can submit this CSR for signing purposes.