Monday, 13 April 2015

HTTPS Secure Web Server (httpd) in RHEL7/CentOS7

In this tutorial, we create a self-signed certificate and configure a secure (https) web site in Apache.

Consider the following scenario:

HTTP Server IP Address:
Host Name:

Server Configuration:
1)  Install httpd
[shabbir@server2 ~]$ sudo yum -y install httpd httpd-manual mod_ssl crypto-utils

2) Edit the file '/etc/httpd/conf/httpd.conf'
[shabbir@server2 ~]$ sudoedit /etc/httpd/conf/httpd.conf

             #Edit the following line.

3) Create self-signed SSL certificate.
[shabbir@server2 ~]$ sudo genkey

The key is stored in /etc/pki/tls/private/
The certificate is stored in /etc/pki/tls/certs/

When asked whether to send the Certificate Signing Request (CSR) to a Certificate Authority (CA), select NO.

When asked whether to encrypt the private key, select NO.

4) Edit the file '/etc/httpd/conf.d/ssl.conf'. Edit the following lines.
[shabbir@server2 ~]$ sudoedit /etc/httpd/conf.d/ssl.conf

#In the line <VirtualHost _default_:443> , replace _default_ with *
<VirtualHost *:443>

#Edit this line.

#Edit this line
          DocumentRoot "/var/securesite"

#Edit this line (the directive is SSLCertificateFile)
          SSLCertificateFile /etc/pki/tls/certs/

#Edit this line
          SSLCertificateKeyFile /etc/pki/tls/private/

</VirtualHost>

<Directory "/var/securesite">

          Require all granted

</Directory>

5) Make the directory for the virtual host

[shabbir@server2 ~]$ sudo mkdir -p /var/securesite
[shabbir@server2 ~]$ sudo chcon -R -t httpd_sys_content_t /var/securesite

6) Create the file '/var/securesite/index.html'
[shabbir@server2 ~]$ sudoedit /var/securesite/index.html

              <h1> Hello World </h1>

7) Check the config files for syntax errors
[shabbir@server2 ~]$ sudo httpd -t
[shabbir@server2 ~]$ sudo httpd -D DUMP_VHOSTS

8) Open HTTPS (port 443) in the firewall
[shabbir@server2 ~]$ sudo firewall-cmd --zone=public --add-service=https --permanent
[shabbir@server2 ~]$ sudo firewall-cmd --reload

9) Start httpd
[shabbir@server2 ~]$ sudo systemctl start httpd

10) Enable on boot
[shabbir@server2 ~]$ sudo systemctl enable httpd
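The following script is an added example, not part of the original post. It covers the certificate and ssl.conf steps above in a non-interactive form: it uses the openssl CLI instead of the interactive genkey tool (no CSR, no passphrase on the key, as the tutorial selects), checks that the private key and certificate actually belong together, renders the VirtualHost block for ssl.conf, and sanity-checks that block for the two slips that make 'httpd -t' fail (a misspelt SSLCertificateFile directive and an unclosed tag). The hostname server2.example.com, the docroot and the genkey-style file names <host>.key / <host>.crt are assumptions; it writes into a scratch directory so it can be run as a normal user before copying the results into /etc/pki/tls/.

```shell
#!/bin/sh
# Added example for the HTTPS httpd tutorial (not the original post's code).
# Generates a self-signed key/cert with openssl, verifies they match, and
# renders plus checks the ssl.conf VirtualHost block.
set -eu

# make_selfsigned HOST KEYFILE CERTFILE
# Unencrypted 2048-bit RSA key and a one-year self-signed certificate with
# CN=HOST. Equivalent to answering NO to both genkey questions above.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
    chmod 600 "$2"   # the private key must not be readable by other users
}

# key_matches_cert KEYFILE CERTFILE -> 0 when the RSA moduli agree,
# i.e. the certificate really was issued for this private key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# render_ssl_vhost HOST DOCROOT CERTFILE KEYFILE
# Prints the block that goes into /etc/httpd/conf.d/ssl.conf.
render_ssl_vhost() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1:443
    DocumentRoot "$2"
    SSLEngine on
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
</VirtualHost>

<Directory "$2">
    Require all granted
</Directory>
EOF
}

# check_ssl_conf FILE -> 0 when the block is well-formed:
# no invalid SSLServerCertificateFile directive, both real directives
# present, and every <VirtualHost>/<Directory> tag closed.
check_ssl_conf() {
    f=$1
    ! grep -q 'SSLServerCertificateFile' "$f" || return 1
    grep -q '^ *SSLCertificateFile ' "$f" || return 1
    grep -q '^ *SSLCertificateKeyFile ' "$f" || return 1
    [ "$(grep -c '<VirtualHost' "$f")" -eq "$(grep -c '</VirtualHost>' "$f")" ] || return 1
    [ "$(grep -c '<Directory' "$f")" -eq "$(grep -c '</Directory>' "$f")" ] || return 1
}

# Demonstration in a scratch directory (assumed hostname and paths;
# the real targets under /etc/pki/tls need root).
work=$(mktemp -d)
host_name=server2.example.com
render_ssl_vhost "$host_name" /var/securesite \
    "/etc/pki/tls/certs/$host_name.crt" "/etc/pki/tls/private/$host_name.key" \
    > "$work/ssl-vhost.conf"
check_ssl_conf "$work/ssl-vhost.conf" && echo "vhost block OK: $work/ssl-vhost.conf"
if command -v openssl >/dev/null 2>&1; then
    make_selfsigned "$host_name" "$work/$host_name.key" "$work/$host_name.crt"
    key_matches_cert "$work/$host_name.key" "$work/$host_name.crt" \
        && echo "key and certificate match: $work/$host_name.crt"
fi
```

The rendered block is only a draft: append it to ssl.conf with sudoedit, copy the key into /etc/pki/tls/private/ and the certificate into /etc/pki/tls/certs/, then still run 'sudo httpd -t' as in step 7, since the check here only looks at directive names and tag balance, not at everything Apache validates.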

Client Configuration:

1) Make an entry in '/etc/hosts' if no DNS server is configured
[shabbir@meru ~]$ sudoedit /etc/hosts


2) Open the web site in a browser
