Monday, 13 April 2015

HTTPS Secure Web Server (httpd) in RHEL7/CentOS7


In this tutorial, we create a self-signed certificate and configure a secure (https) web site in Apache.

Consider the following scenario:

HTTP Server IP Address: 192.168.122.3
Host Name: server2.mycompany.com

Server Configuration:
1)  Install httpd
[shabbir@server2 ~]$ sudo yum -y install httpd httpd-manual mod_ssl crypto-utils


2) Edit the file '/etc/httpd/conf/httpd.conf'
[shabbir@server2 ~]$ sudoedit /etc/httpd/conf/httpd.conf

             #Edit the following line.
                  ServerName server2.mycompany.com


3) Create self-signed SSL certificate.
[shabbir@server2 ~]$ sudo genkey server2.mycompany.com

the key is stored in /etc/pki/tls/private/server2.mycompany.com.key
the certificate is stored in /etc/pki/tls/certs/server2.mycompany.com.crt

When asked whether to send the Certificate Signing Request (CSR) to a Certificate Authority (CA), select No.

When asked whether to encrypt the private key, select No.


4) Edit the file '/etc/httpd/conf.d/ssl.conf'. Edit the following lines.
[shabbir@server2 ~]$ sudoedit /etc/httpd/conf.d/ssl.conf

#In the line <VirtualHost _default_:443>, replace _default_ with *
<VirtualHost *:443>

#Edit this line.
          ServerName server2.mycompany.com

#Edit this line
          DocumentRoot "/var/securesite"

#Edit this line
          SSLCertificateFile /etc/pki/tls/certs/server2.mycompany.com.crt

#Edit this line
          SSLCertificateKeyFile /etc/pki/tls/private/server2.mycompany.com.key

</VirtualHost>

<Directory "/var/securesite">

          Require all granted
</Directory>



5) Make directory for virtual host

[shabbir@server2 ~]$ sudo mkdir -p /var/securesite
[shabbir@server2 ~]$ sudo chcon -R -t httpd_sys_content_t /var/securesite

6) Create a file '/var/securesite/index.html'
[shabbir@server2 ~]$ sudoedit /var/securesite/index.html

             <html>
             <body>
              <h1>Hello World</h1>
             </body>
             </html>


7) Check the config files for syntax errors
[shabbir@server2 ~]$ sudo httpd -t
[shabbir@server2 ~]$ sudo httpd -D DUMP_VHOSTS


8) Open HTTPS (Port 443) in firewall
[shabbir@server2 ~]$ sudo firewall-cmd --zone=public --add-service=https --permanent
[shabbir@server2 ~]$ sudo firewall-cmd --reload

9) Start httpd
[shabbir@server2 ~]$ sudo systemctl start httpd

10) Enable on boot
[shabbir@server2 ~]$ sudo systemctl enable httpd
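Before starting httpd it is worth confirming that the key and certificate genkey produced actually belong together, that the certificate carries the host name clients will type in, and that the private key is not readable by anyone but its owner. The script below is an added example and not part of the original post; it assumes the paths genkey printed in step 3, the ServerName used in this tutorial, and that the openssl command-line tool and GNU stat are installed (both are on RHEL7/CentOS7).

```shell
#!/bin/sh
# Pre-flight check for the key/certificate pair produced in step 3.
# Added example, not part of the original post. Assumes the paths genkey
# printed above, the tutorial's ServerName, the openssl CLI and GNU stat.

KEY_DEFAULT=/etc/pki/tls/private/server2.mycompany.com.key
CERT_DEFAULT=/etc/pki/tls/certs/server2.mycompany.com.crt
HOST_DEFAULT=server2.mycompany.com

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key passed in $1.
# Both the key file and the certificate reduce to this value, so equal
# fingerprints mean they belong together.
pubkey_fingerprint() {
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when the private key in $1 is the one the certificate in $2 was
# issued for. A mismatch is the usual cause of a key/certificate error when
# httpd starts.
key_matches_cert() {
    kpem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpem" ] && [ -n "$cpem" ] || return 1
    [ "$(pubkey_fingerprint "$kpem")" = "$(pubkey_fingerprint "$cpem")" ]
}

# Succeeds when the certificate in $1 names the host in $2, either as a
# subjectAltName DNS entry (what browsers check first) or, failing that, as
# the subject CN (which is all a plain self-signed certificate may carry).
cert_names_host() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
            | grep -qF "DNS:$2"; then
        return 0
    fi
    printf '%s\n' "$text" | grep 'Subject:' | grep -q "CN *= *$2"
}

# Succeeds when the key is readable only by its owner. httpd opens the key
# as root during start-up, so no other user or group needs access.
key_is_private() {
    case $(stat -c %a "$1" 2>/dev/null) in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Runs all three checks and prints one verdict line per check.
# Usage: tls_preflight [key] [cert] [hostname]; defaults are the tutorial's.
tls_preflight() {
    key=${1:-$KEY_DEFAULT}; cert=${2:-$CERT_DEFAULT}; host=${3:-$HOST_DEFAULT}
    rc=0
    if key_matches_cert "$key" "$cert"; then echo "ok   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi
    if cert_names_host "$cert" "$host"; then echo "ok   certificate names $host"
    else echo "FAIL certificate does not name $host"; rc=1; fi
    if key_is_private "$key"; then echo "ok   key mode $(stat -c %a "$key") is owner-only"
    else echo "FAIL key is readable by group/others"; rc=1; fi
    return $rc
}

# Run against the tutorial's paths only when executed as a script
# (sudo sh tls_preflight.sh), not when the functions are sourced.
case ${0##*/} in tls_preflight.sh) tls_preflight "$@" ;; esac
```

Run it with sudo before `httpd -t`, since the private key is readable by root only. On the client side, copying the .crt file over and passing it to curl (`curl --cacert server2.mycompany.com.crt https://server2.mycompany.com/`) verifies the self-signed certificate explicitly instead of clicking through a browser warning. One caveat on the directory step: chcon sets the SELinux label only until the next relabel; `semanage fcontext -a -t httpd_sys_content_t '/var/securesite(/.*)?'` followed by `restorecon -Rv /var/securesite` makes it persistent.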


Client Configuration:

1)  Make entry in '/etc/hosts' if DNS Server is not configured
[shabbir@meru ~]$ sudoedit /etc/hosts

              192.168.122.3        server2.mycompany.com

2) Browse the web site in a browser
  https://server2.mycompany.com

