This page was last modified: December 18 2006 20:19:51   

Configuration of Apache v2

This page contains two sections: "Basic configuration" and "Configuration regarding SSL (https)".

Basic configuration

A note about DNS: You must have a DNS provider. In most cases your web host will automatically take care of your DNS settings. If you are lucky, they will provide you with an interface that lets you set up and change your DNS as you see fit. But in most cases you are completely dependent on your web host to do it for you. That is why I use a Danish DNS provider called gratisDNS.dk (gratis = free). I can log in to their website and do whatever I want with my domains - this is a great advantage if you like to play around with a lot of domains and subdomains.


Default values and ordinary virtual hosts are configured in /usr/local/etc/apache/httpd.conf. I initially changed these three values:

ServerAdmin your_email@address.tld
DocumentRoot "/usr/local/www"
<Directory "/usr/local/www">

At the bottom of the file you'll find an example of how to create a virtual host. Make a copy of those lines and paste them below the example. Make sure to uncomment the new lines and then change the values to suit your needs. All values set inside a virtual host apply only to that host:

<VirtualHost *:80>
   ServerAdmin webmaster@domain.tld
   DocumentRoot /usr/local/www/domain.tld
   ServerName www.domain.tld
   ErrorLog /usr/local/www/logs/www.domain.tld-error_log
   CustomLog /usr/local/www/logs/www.domain.tld-access_log common
</VirtualHost>

This will tell Apache to look in /usr/local/www/domain.tld/ for the homepage instead of the default /usr/local/www/data-dist. Also note ErrorLog and CustomLog - this is where the error and access logs are written.

You can add as many virtual hosts as you like. Just enclose each host between a <VirtualHost *:80> and a </VirtualHost>.

Note the wildcard (*) in the above, which means that this virtual host is used when no other applies to the domain requested. For example, the one below will take effect only if the visitor requested www.example.tld:

<VirtualHost www.example.tld:80>
   ServerAdmin webmaster@example.tld
   DocumentRoot /usr/local/www/example.tld
   ServerName www.example.tld
   ErrorLog /usr/local/www/logs/www.example.tld-error_log
   CustomLog /usr/local/www/logs/www.example.tld-access_log common
</VirtualHost>

You can also create subdomains:

<VirtualHost mysub.example.tld:80>
   ServerAdmin webmaster@example.tld
   DocumentRoot /usr/local/www/mysub.example.tld
   ServerName mysub.example.tld
   ErrorLog /usr/local/www/logs/mysub.example.tld-error_log
   CustomLog /usr/local/www/logs/mysub.example.tld-access_log common
</VirtualHost>

Unless the main domain is specified in DNS with a wildcard, you must create an A record in DNS. If you want to receive email for the subdomain, you must also create an MX record pointing the subdomain to your mail server.

Don't forget to create all the directories referenced in the virtual host (just the directories; you don't need to create the log files in advance, Apache will create them the first time they are needed).

If you want to prevent directory listings in folders not containing an index file, add this to the virtual host:

<Directory /usr/local/www/domain.tld>
Options -Indexes
</Directory>

You must stop and start Apache every time you make changes in httpd.conf.

apachectl stop
apachectl start

... or

apachectl restart

Configuration regarding SSL (https)

The official Apache documentation will tell you that SSL does not work with name-based virtual hosts:

Quote from httpd.apache.org/docs/2.0/ssl/ssl_faq.html:
Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

I think that statement is a bit extreme, because actually it does work - you just can't use different certificate files for each virtual host. But that limitation is soon to be overcome. See wiki.cacert.org/wiki/VhostTaskForce.

Generate a cacert signed certificate

The following demonstrates how to get a cacert signed certificate. I used a handy script available from wiki.cacert.org/wiki/VhostTaskForce.

Assuming you have placed the script in your root folder...
cd /root
chmod +x csr.sh

Then run the script:

./csr.sh
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): myserver
FQDN/CommonName (ie. www.example.com) : myserver.com
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:myserver.com
SubjectAltName: DNS:myotherserver.com
SubjectAltName: DNS:subdomain.myserver.com
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
...........................+++
...........+++
writing new private key to '/root/myserver_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like myserver_server.pem

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

The Certificate request is also available in /root/myserver_csr.pem
The Private Key is stored in /root/myserver_privatekey.pem

The next thing to do, is to verify any domain you want to use with SSL.

To verify a domain, you must first tell cacert about it. You will then be presented with 5 different email addresses, e.g. postmaster@domain.tld, webmaster@domain.tld and so on. So naturally it is important that you have one of those addresses configured and ready to receive mail. When you have selected an email address, you will receive a confirmation email with a link. Clicking this link will verify to cacert that you are in fact the owner of the specified domain, and you can now get a server certificate. Here's how it happens:

Go to www.cacert.org and create an account by clicking the "Join" link, unless you already have one. If you create a new account, make sure you can remember the password, since it is NOT included in the welcome email from cacert.

Login (click "Normal login") and select "Domains" -> "Add". Add your domain and confirm it by clicking the link in the email you have received. Do this for all domains you wish to use with SSL.

Click "Server Certificates" -> "New" and paste the certificate request generated with the csr.sh script into the text field. Remember to include the first and last lines:

-----BEGIN CERTIFICATE REQUEST-----

and

-----END CERTIFICATE REQUEST-----

If everything went okay, you will be asked to confirm the information. Click the submit button, and cacert will hand you your server certificate. Copy the whole thing into a file called myserver_server.pem (replace myserver with the "Short Hostname" you gave when generating the private key). Then copy the *.pem files to a location of your choice (they are usually kept somewhere in the /usr/local/etc/apache2/ directory):

mkdir /usr/local/etc/apache2/ssl
cd /usr/local/etc/apache2/ssl
cp /root/myserver_server.pem .
cp /root/myserver_privatekey.pem .

The certificate is valid for 6 months. When it's about to expire, you will receive an email from cacert.org. To renew it you simply login to your cacert.org account, click 'Server Certificates' -> 'View' and press the 'Renew' button. Copy the new certificate into myserver_server.pem and restart Apache.

Configuring Apache

Open up your httpd.conf and locate this line:

NameVirtualHost *

Add port 80 like this:

NameVirtualHost *:80

Save and close httpd.conf.

In Apache2, the SSL configuration is in a separate file: /usr/local/etc/apache2/ssl.conf. Open it and locate this line:

<VirtualHost _default_:443>

Insert this line directly above it, like this:

NameVirtualHost *:443

<VirtualHost _default_:443>

Configure anything between <VirtualHost _default_:443> and </VirtualHost> to reflect the settings you want for your SSL enabled host.

If you don't need multiple name-based virtual hosts, you are all done... Just stop and start Apache:

apachectl stop
apachectl startssl

If you want more than one name-based host with SSL:

Locate this line again...

<VirtualHost _default_:443>

... and correct it to:

<VirtualHost *:443>

Insert any SSL enabled name-based virtual hosts directly above it, e.g.:

<VirtualHost *:443>
  ServerAdmin webmaster@domain.tld
  DocumentRoot /usr/local/www/domain.tld
  ServerName www.domain.tld
  ServerAlias domain.tld
  ErrorLog /usr/local/www/logs/www.domain.tld-sslerror.log
  CustomLog /usr/local/www/logs/www.domain.tld-sslaccess.log common
  SSLEngine on
  SSLCertificateFile /usr/local/etc/apache2/ssl/myserver_server.pem
  SSLCertificateKeyFile /usr/local/etc/apache2/ssl/myserver_privatekey.pem
</VirtualHost>
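As an added check (example code written for this page, not the page's own or Apache's), the script below parses the VirtualHost and Directory blocks of a constructed httpd.conf/ssl.conf sample and flags the three things this page asks you to get right: an Options -Indexes Directory block for every DocumentRoot, SSLEngine plus certificate and key files on every *:443 host, and NameVirtualHost *:443 when there is more than one name-based SSL host. The sample config and all paths in it are made up for the demonstration.

```python
import re
# Constructed sample in the layout this page describes (not a real server's config);
# the second *:443 host is deliberately missing its SSL directives and Directory hardening.
SAMPLE_CONF = """<VirtualHost *:80>
   DocumentRoot /usr/local/www/domain.tld
   ServerName www.domain.tld
</VirtualHost>
<Directory "/usr/local/www/domain.tld">
Options -Indexes
</Directory>
<VirtualHost *:443>
   DocumentRoot /usr/local/www/domain.tld
   ServerName www.domain.tld
   SSLEngine on
   SSLCertificateFile /usr/local/etc/apache2/ssl/myserver_server.pem
   SSLCertificateKeyFile /usr/local/etc/apache2/ssl/myserver_privatekey.pem
</VirtualHost>
<VirtualHost *:443>
   DocumentRoot /usr/local/www/example.tld
   ServerName www.example.tld
</VirtualHost>
"""

BLOCK_RE = re.compile(r"<(VirtualHost|Directory)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def norm_path(p):  # strip quotes and trailing slash so DocumentRoot and <Directory> paths compare equal
    return p.strip().strip('"').rstrip("/")

def parse_blocks(conf):
    """Yield (kind, argument, {directive: value}) for each VirtualHost/Directory block."""
    for kind, arg, body in BLOCK_RE.findall(conf):
        pairs = (ln.strip().split(None, 1) for ln in body.splitlines())
        yield kind.lower(), arg.strip(), {p[0]: p[1] for p in pairs if len(p) == 2 and p[0][0] != "#"}

def audit(conf):
    """Return one finding per misconfiguration this page warns about (empty list = clean)."""
    blocks = list(parse_blocks(conf))
    hardened = {norm_path(a) for k, a, d in blocks if k == "directory" and "-Indexes" in d.get("Options", "")}
    vhosts = [(a, d) for k, a, d in blocks if k == "virtualhost"]
    findings = []
    if sum(a.endswith(":443") for a, _ in vhosts) > 1 and not re.search(r"^NameVirtualHost\s+\*:443", conf, re.M):
        findings.append("several *:443 hosts but no 'NameVirtualHost *:443'")
    for arg, d in vhosts:
        name = d.get("ServerName", arg)
        if norm_path(d.get("DocumentRoot", "")) not in hardened:
            findings.append(f"{name}: DocumentRoot has no <Directory> block with 'Options -Indexes'")
        for key in ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile"):
            if arg.endswith(":443") and key not in d:
                findings.append(f"{name}: SSL host is missing {key}")
    return findings
```

Run audit() over the text of your own httpd.conf and ssl.conf before the apachectl restart; on the sample it reports the missing NameVirtualHost line and four problems on www.example.tld.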

... and after this you will of course need to restart Apache again:

apachectl stop
apachectl startssl