This article was last reviewed for Debian 9 (Stretch).
Apache 2.4 configuration for TLS certificates (Debian, repository)
| Author: | Stefán Örvar Sigmundsson |
|---|---|
| Initial publication: | |
| Last updated: | |
| Written in: | English (United Kingdom) |
Apache HTTP Server implements the Transport Layer Security protocol in its mod_ssl module. This article demonstrates how to configure TLS on Apache 2.4 on Debian or its derivatives such as Ubuntu and Linux Mint. The server will be configured for the domain name example.org as a virtual host.
Configuration
Apache must be reloaded or restarted for a configuration change to take effect. Run apachectl configtest first: a syntax error caught there costs nothing, whereas one caught during a restart leaves the server stopped. Then run systemctl reload apache2.
Multi-processing module
The multi-processing module (MPM) used by Apache has to be told to listen on port 443; most sites will want port 80 as well. On Debian the stock /etc/apache2/ports.conf already carries Listen 80 and, inside an IfModule ssl_module block, Listen 443, so the directives can equally stay there. The following demonstrates the event MPM configured in the mods-available/mpm_event.conf file, restricted to the address that example.org resolves to:
<IfModule mpm_event_module>
…
Listen example.org:80
Listen example.org:443
…
</IfModule>
Listen example.org:80
- Binds port 80 on the address that example.org resolves to when Apache starts. A bare Listen 80 binds every local address; a name that does not resolve to an address configured on this host makes startup fail.
Listen example.org:443
- Binds port 443 on the same address for TLS. Nothing on this port speaks TLS until a virtual host turns on SSLEngine.
TLS module
The mods-available/ssl.conf file configures the TLS module. Debian only reads it once the module has been enabled with a2enmod ssl, which links it into mods-enabled. The stock file also sets SSLProtocol, SSLCipherSuite and a session cache; keep those lines rather than replacing the file with just the three directives below:
<IfModule ssl_module>
SSLCertificateFile /etc/ssl/example.org/certificate.crt
SSLCertificateKeyFile /etc/ssl/example.org/certificate.key
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
</IfModule>
SSLCertificateFile /etc/ssl/example.org/certificate.crt
- Path to the server certificate in PEM format. Since Apache 2.4.8 the intermediate CA certificates can follow the server certificate in the same file, which replaces the older SSLCertificateChainFile directive. Set here, in the server context, it becomes the default for every virtual host that enables SSLEngine; a site with its own certificate sets the directive inside its VirtualHost instead.
SSLCertificateKeyFile /etc/ssl/example.org/certificate.key
- Path to the matching private key. Apache reads it as root before dropping privileges, so the file should be owned by root with mode 0600: anyone who can read it can impersonate the site. An encrypted key makes Apache prompt for the passphrase at every start unless SSLPassPhraseDialog is configured.
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
- Enables a shared-memory TLS session cache of 512000 bytes so that returning clients can resume a session instead of repeating the full handshake. The directory must exist and be writable by the parent process; ${APACHE_RUN_DIR} (/var/run/apache2 on Debian) is what the stock ssl.conf uses, whereas the upstream example path /usr/local/apache/logs does not exist on a Debian install.
Virtual host
The following demonstrates a partial configuration for the example.org domain name:
<VirtualHost *:443>
…
ServerName https://example.org:443
SSLEngine on
…
</VirtualHost>
ServerName https://example.org:443
- Sets the canonical scheme, domain name and port of the virtual host. Apache also matches the TLS virtual host to the client's SNI name using ServerName and ServerAlias, so the name here must be one the certificate covers.
SSLEngine on
- Enables the TLS engine for the virtual host.
Rewrite module (optional)
Communication security is improved by forcing all plain-HTTP requests onto TLS. The mods-available/rewrite.conf file configures the rewrite module (the module itself is enabled with a2enmod rewrite, which links the .conf file as well):
<IfModule rewrite_module>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
RewriteEngine on
- Enables the rewrite engine. Rewrite directives in the main server context are not inherited by virtual hosts, so with example.org served from a VirtualHost the rule must either be repeated inside the port-80 virtual host, or that virtual host must contain RewriteEngine on together with RewriteOptions Inherit.
RewriteCond %{HTTPS} off
- Restricts the rule that follows to requests that did not arrive over TLS; %{HTTPS} is "on" inside a virtual host with SSLEngine on.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
- Redirects the client to the same path on https. The R=301 flag makes the redirect explicit and permanent, so browsers cache it, and L stops further rule processing. %{HTTP_HOST} echoes the client's own Host header into the Location; a fixed target such as https://example.org/ also canonicalises the host name, and inside a port-80 virtual host a plain Redirect permanent "/" "https://example.org/" from mod_alias achieves the same without mod_rewrite.
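The steps above (listen on 80 and 443, point mod_ssl at the certificate and key, enable TLS in the virtual host, redirect plain HTTP) gathered into one deployable Debian script, added here as an example; it is not code from the article or from the Apache project. It assumes Debian's layout (/etc/apache2/sites-available, a2enmod, a2ensite, systemctl reload apache2, the stock ports.conf Listen lines) and the article's example.org paths. The functions render_site_config, check_key_matches_cert, check_key_private and deploy are this example's own, and three choices are this example's rather than the page's: the port-80 redirect uses mod_alias Redirect instead of mod_rewrite, TLS 1.0 and 1.1 are excluded on top of Debian's SSLv3 exclusion, and a Strict-Transport-Security header is sent (which needs mod_headers).

```shell
#!/bin/sh
# Added example: pre-flight checks plus a two-vhost site for example.org on Debian.
# Assumes Debian's apache2 layout; function names and the HSTS/protocol choices are mine.

# Print the site configuration for $1 (domain), $2 (certificate file), $3 (key file).
render_site_config() {
cat <<EOF
# Plain-HTTP virtual host: its only job is to send clients to the TLS one.
<VirtualHost *:80>
    ServerName $1
    Redirect permanent "/" "https://$1/"
</VirtualHost>

<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/$1
    SSLEngine on
    # Server certificate first, intermediates after it (Apache >= 2.4.8 reads the chain here).
    SSLCertificateFile $2
    SSLCertificateKeyFile $3
    # Debian's stock ssl.conf only drops SSLv3; dropping TLS 1.0/1.1 too is this example's choice.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    # Browsers that have seen this header go straight to https next time (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
EOF
}

# Exit 0 when the public key inside the certificate ($1) equals the one derived from the key ($2).
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 when the key file has no group or other permission bits (GNU stat, as on Debian).
check_key_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run the checks, write the site file, enable the modules it needs, test the config and reload.
deploy() {
    domain=$1 cert=$2 key=$3
    check_key_matches_cert "$cert" "$key" || { echo "$key does not match $cert" >&2; return 1; }
    check_key_private "$key" || { echo "$key is readable by others; chmod 600 it" >&2; return 1; }
    render_site_config "$domain" "$cert" "$key" > "/etc/apache2/sites-available/$domain.conf"
    a2enmod ssl headers
    a2ensite "$domain"
    apachectl configtest && systemctl reload apache2
}

# Only touches the system when invoked as: sh tls-site.sh deploy example.org CERT KEY
if [ "${1:-}" = "deploy" ]; then
    deploy "${2:-example.org}" \
           "${3:-/etc/ssl/example.org/certificate.crt}" \
           "${4:-/etc/ssl/example.org/certificate.key}"
fi
```

Debian's stock /etc/apache2/ports.conf already has Listen 80 and, under IfModule ssl_module, Listen 443, so no MPM change is needed once a2enmod ssl has run. After the reload, openssl s_client -connect example.org:443 -servername example.org shows the certificate chain actually being served, and curl -I http://example.org/ should answer 301 with an https Location.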