Rhyous

November 6, 2009

Installing an Apache + SSL on FreeBSD using the ports tree

Filed under: FreeBSD — J. Abram barneck @ 9:46 am

It couldn't be easier to install Apache + SSL on FreeBSD. Ok, yes, it could be easier: you could type one command like "install apache with ssl" and have it do everything for you.

But anyway, it is easy nonetheless. Let me walk you through it.

  1. First, install FreeBSD. Instructions for installing FreeBSD are in this article:
    How I install FreeBSD?
  2. Second, update FreeBSD and install the ports tree. Instructions for this are in this article:
    What are the first commands I run after installing FreeBSD?
  3. Install the latest version of Apache, which is Apache 2.2 as of writing this.

    cd /usr/ports/www/apache22
    make BATCH=yes install

    This will download the Apache 2.2 source and compile and install it. A few other dependencies will be installed as well.

    Apache will not start automatically which is fine because we are not ready to start it yet.

  4. Configure Apache to automatically start when the FreeBSD system boots up. This is done using the /etc/rc.conf file.

    echo '# Apache 2.2' >> /etc/rc.conf
    echo 'apache22_enable="YES"' >> /etc/rc.conf

    (The variable must be quoted as shown so the shell does not treat the # as a comment, and the rc.d script installed by the apache22 port reads apache22_enable, not apache2_enable.)
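Running the two echo lines a second time appends a duplicate apache22_enable entry. As an added example that is not part of the original post, here is a small POSIX sh function that sets an rc.conf knob exactly once and updates it if it is already there; the file path is a parameter (defaulting to /etc/rc.conf) so it can be tried on a scratch copy first. The function and script names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: set an rc.conf variable
# idempotently.  Re-running it rewrites the existing line instead of appending
# a duplicate.  The file argument defaults to /etc/rc.conf; pass a scratch file
# to try it without root.

# enable_rc_var NAME VALUE [FILE]
enable_rc_var() {
    name="$1"; value="$2"; file="${3:-/etc/rc.conf}"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # Already present: rewrite that line through a temp file (portable,
        # avoids the GNU vs BSD differences of sed -i)
        tmp="${file}.tmp.$$"
        awk -v n="$name" -v v="$value" '
            index($0, n "=") == 1 { print n "=\"" v "\""; next }
            { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# rc_var_value NAME [FILE] : print the unquoted current value (last one wins,
# which is also how rc(8) resolves duplicates)
rc_var_value() {
    awk -F= -v n="$1" '$1 == n { v = $2; gsub("\"", "", v) } END { print v }' "${2:-/etc/rc.conf}"
}

# Apply to the real /etc/rc.conf only when asked explicitly (run as root):
#   sh enable_apache22.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_rc_var apache22_enable YES
    echo "apache22_enable is now $(rc_var_value apache22_enable)"
fi
```

Without the apply argument the script only defines the functions, so it can be sourced from other setup scripts.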

  5. In order for Apache to use SSL, you must create a certificate. Now you may or may not know how to create one. I have made it easy for you by doing everything in a shell script. I have used SHA-256, because in this day and age you need higher security than MD5 or SHA-1.

    makesha256key.sh

    #!/bin/sh
    # Usage: ./makesha256key.sh certname
    # Creates an RSA key and a self-signed SHA-256 certificate named after $1
    # and installs both under /usr/local/etc/apache22.
    if [ $# -ne 1 ]; then
        echo "usage: $0 certname" >&2
        exit 1
    fi

    mkdir -p /root/mycert
    cd /root/mycert || exit 1

    # Directories need the execute bit to be entered, so 0700 rather than 0400
    mkdir -p /usr/local/etc/apache22/ssl.key
    mkdir -p /usr/local/etc/apache22/ssl.crt
    chmod 0700 /usr/local/etc/apache22/ssl.key
    chmod 0700 /usr/local/etc/apache22/ssl.crt

    # Passphrase-protected key (prompts), then a self-signed SHA-256 certificate
    # (prompts for the subject fields).  1024 bits as in the original post;
    # 2048 or more is the current recommendation.
    openssl genrsa -des3 -out "$1.key" 1024
    openssl req -new -x509 -nodes -sha256 -days 365 -key "$1.key" -out "$1.crt"

    # Strip the passphrase so Apache can start unattended; keep the encrypted original
    cp "$1.key" "$1.key.orig"
    openssl rsa -in "$1.key.orig" -out "$1.key"

    cp "$1.key" /usr/local/etc/apache22/ssl.key/
    cp "$1.crt" /usr/local/etc/apache22/ssl.crt/
    chmod 0400 "/usr/local/etc/apache22/ssl.key/$1.key"
    chmod 0400 "/usr/local/etc/apache22/ssl.crt/$1.crt"

    This is NOT a fully functional shell script that shows you the command line options and everything. It is really just a list of commands to make this easier for you. Copy this to a shell script and run it. It takes one parameter, the certificate name, and you call it like this:

    ./makesha256key.sh certname

    IMPORTANT: The commands in the script will prompt you for a Certificate password, and your Certification information. The only thing you need to make certain of is that when prompted for the "Common Name" you use the URL. For example, if your web site is http://www.rhyous.com, then http://www.rhyous.com is your Common Name.

    Or you can run the commands from the shell script manually one at a time if you want (replacing $1 with your desired certificate name).

    Note: In this script, the certificate will be a self-signed certificate, but you can get a signed certificate free here: http://cert.startcom.org
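Whether you use the script or a CA-issued certificate, it pays to check the result before pointing Apache at it: that the key and certificate belong together, that the signature really is SHA-256, that the Common Name is what you expect, and that the key file is not readable by other users. The following is an added example of my own, not code from the original post: it generates the same kind of self-signed SHA-256 certificate non-interactively (the -subj option replaces the prompts, the key is 2048 bits and written without a passphrase, and the default output directory ./mycert is an assumption) and then runs those checks. Note that the Common Name is matched against the host name the browser connects to, so it is the bare host name (www.rhyous.com), not a URL with a scheme.

```shell
#!/bin/sh
# Added example, not part of the original post: create a self-signed SHA-256
# certificate non-interactively and verify the key/cert pair before Apache uses
# it.  The function names and the default ./mycert directory are assumptions.

# make_selfsigned NAME COMMON_NAME [DIR]
# -subj supplies the Common Name directly, so nothing prompts.  The key is
# written unencrypted (Apache must read it at boot without a passphrase) under
# umask 077 so it is never world-readable, then locked to 0400.
make_selfsigned() {
    name="$1"; cn="$2"; dir="${3:-./mycert}"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    ( umask 077 && openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -sha256 -days 365 -key "$dir/$name.key" \
        -subj "/CN=$cn" -out "$dir/$name.crt" 2>/dev/null || return 1
    chmod 0400 "$dir/$name.key"
}

# key_matches_cert KEY CRT : true when both carry the same RSA modulus
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# cert_sig_alg CRT : prints the signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_cn CRT : prints the Common Name (handles both "CN = x" and "/CN=x" output)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# key_is_private KEY : true when only the owner can read the key file
key_is_private() {
    case "$(ls -l "$1" | cut -c2-10)" in
        r--------|rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_cert_setup KEY CRT COMMON_NAME : run every check, report the first failure
verify_cert_setup() {
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    [ "$(cert_sig_alg "$2")" = "sha256WithRSAEncryption" ] || { echo "FAIL: not SHA-256"; return 1; }
    [ "$(cert_cn "$2")" = "$3" ] || { echo "FAIL: CN is '$(cert_cn "$2")', expected '$3'"; return 1; }
    key_is_private "$1" || { echo "FAIL: $1 is readable by other users"; return 1; }
    echo "OK: $2 matches $1, SHA-256, CN=$3"
}

# Usage: sh certcheck.sh NAME COMMON_NAME [DIR]   (no arguments: only define the functions)
if [ "$#" -ge 2 ]; then
    dir="${3:-./mycert}"
    make_selfsigned "$1" "$2" "$dir" || exit 1
    verify_cert_setup "$dir/$1.key" "$dir/$1.crt" "$2"
fi
```

verify_cert_setup can be run on its own against the files already installed under /usr/local/etc/apache22/ssl.key and ssl.crt; a "key does not match certificate" failure is the usual cause of Apache refusing to start after a certificate has been renewed but the key has not.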

  6. Now configure Apache to read the httpd-ssl.conf file when it starts.

    Open /usr/local/etc/apache22/httpd.conf using the easy editor, ee.

    # ee /usr/local/etc/apache22/httpd.conf

    Near the end of the file, remove the comment symbol, the # sign, from the following line:

    Include etc/apache22/extra/httpd-ssl.conf

    Note: While you are in this file you may want to remove the comment from the line for enabling Virtual Hosts too, if you are going to have multiple URLs hosted on this server.

  7. Configure the httpd-ssl.conf.

    # ee /usr/local/etc/apache22/extra/httpd-ssl.conf

    I only change two lines, to point to the correct certificate and key. Here is a sample httpd-ssl.conf without the comments.

    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
    SSLSessionCacheTimeout  300
    SSLMutex  "file:/var/run/ssl_mutex"
    <VirtualHost _default_:443>
      DocumentRoot "/usr/local/www/apache22/data"
      ServerName www.example.com:443
      ServerAdmin you@example.com
      ErrorLog "/var/log/httpd-error.log"
      TransferLog "/var/log/httpd-access.log"
    
      SSLEngine on
    
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    
      SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
    
      SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
    
      <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
      </FilesMatch>
      <Directory "/usr/local/www/apache22/cgi-bin">
        SSLOptions +StdEnvVars
      </Directory>
    
      BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
      CustomLog "/var/log/httpd-ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
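The SSLCipherSuite line in that sample is the port's stock default. In an OpenSSL cipher string, "+FAMILY" only reorders ciphers that are already selected, while "!FAMILY" removes them for good, so a list that starts with ALL and then says +LOW:+SSLv2:+EXP still offers the low-strength and export ciphers. As an added example that is not from the original post, here is a small sh lint that pulls the SSLCipherSuite directive out of an httpd-ssl.conf and reports which weak families have not been excluded with "!"; the family list, the script name and the hardened replacement string are my own choices, and the check is a heuristic: the authoritative answer is the output of openssl ciphers -v on the string.

```shell
#!/bin/sh
# Added example, not part of the original post: lint the SSLCipherSuite line of
# an httpd-ssl.conf.  "+FAMILY" only reorders ciphers already selected, while
# "!FAMILY" removes them permanently, so a suite that starts with ALL and never
# uses "!" for the weak families still offers them.  This is a heuristic; the
# authoritative list is `openssl ciphers -v "$suite"`.

# Families the 2009-era default (ALL:!ADH:...:+LOW:+SSLv2:+EXP:+eNULL) leaves in.
WEAK_FAMILIES="eNULL aNULL EXP LOW SSLv2 RC4 MD5"

# cipher_suite FILE : value of the first SSLCipherSuite directive, quotes removed
cipher_suite() {
    awk '$1 == "SSLCipherSuite" { gsub("\"", "", $2); print $2; exit }' "$1"
}

# weak_families_not_excluded SUITE : print each weak family lacking a "!FAMILY" token
weak_families_not_excluded() {
    for fam in $WEAK_FAMILIES; do
        excluded=no
        for tok in $(printf '%s' "$1" | tr ':' ' '); do
            if [ "$tok" = "!$fam" ]; then excluded=yes; fi
        done
        if [ "$excluded" = no ]; then echo "$fam"; fi
    done
}

# count_weak SUITE : number of weak families still allowed
count_weak() {
    weak_families_not_excluded "$1" | wc -l | tr -d ' '
}

# lint_ssl_conf FILE : 0 if every weak family is excluded, 1 otherwise, 2 if no directive
lint_ssl_conf() {
    suite=$(cipher_suite "$1")
    [ -n "$suite" ] || { echo "no SSLCipherSuite directive in $1"; return 2; }
    bad=$(weak_families_not_excluded "$suite")
    if [ -z "$bad" ]; then
        echo "OK: $suite"
        return 0
    fi
    echo "WEAK: $suite"
    for fam in $bad; do echo "  add !$fam"; done
    return 1
}

# Constructed samples: the post's default line and a hardened replacement.
DEFAULT_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
HARDENED_SUITE='HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4:!MD5'

# Usage: sh lintciphers.sh /usr/local/etc/apache22/extra/httpd-ssl.conf
if [ "$#" -ge 1 ]; then
    lint_ssl_conf "$1"
fi
```

Run against the sample above it reports all seven families; with HARDENED_SUITE in their place it reports none. After changing the directive, confirm with openssl ciphers -v that the remaining list still contains something the browsers you care about can negotiate.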
    
  8. Now start or restart Apache.

    # /usr/local/etc/rc.d/apache22 start

Now just open a browser and connect to your machine. You can connect using the host name, the FQDN, or the IP address and see which work.

http://servername
http://www.YourDomain.com
http://192.168.0.100

You can also try to connect with SSL.

https://servername
https://www.YourDomain.com
https://192.168.0.100

It is now very common to install PHP and MySQL. I have separate documents for this:

How to install PHP5 and PHP5 Extensions on FreeBSD?

How to install MySQL on FreeBSD 7.2 or on Red Hat 5.4?


Copyright ® Rhyous.com - Linking to this article is allowed without permission and as many as ten lines of this article can be used along with this link. Any other use of this article is allowed only by permission of Rhyous.com.


12 Comments »

  1. […] Then install Apache + SSL. Installing an Apache + SSL on FreeBSD using the ports tree […]

    Pingback by How to install Bugzilla on a FreeBSD 7.2 with Apache + SSL and MySQL? « Rhyous's 127.0.0.1 or ::1 — November 6, 2009 @ 2:06 pm | Reply

  2. […] Then install Apache + SSL. Installing an Apache + SSL on FreeBSD using the ports tree […]

    Pingback by How to install dotProject 2.1.2 on FreeBSD 7.2 with Apache 2.2, PHP5, and MySQL 5.1 Server? « Rhyous's 127.0.0.1 or ::1 — November 25, 2009 @ 8:56 am | Reply

  3. You have tested it and are writing from your personal experience, or did you find some information online?

    Comment by Guests — March 26, 2010 @ 10:58 pm | Reply

    • Yes, I have tested it and it is in production at my work for an internal site for my support team. We are running dotProject and a few other sites off it. I’ll be honest this was the first time I went with SHA-256 over MD5, but it is working well.

      Comment by rhyous — April 10, 2010 @ 7:14 am | Reply

  4. It is useful to try everything in practice anyway and I like that here it’s always possible to find something new. 🙂

    Comment by steffen — April 3, 2010 @ 2:06 pm | Reply

  5. Excellent post, cheers!! o/

    Comment by Rafael Lopes — January 20, 2012 @ 8:01 pm | Reply

  6. By the way, excellent website logo as well. Hail the sword!!!

    Comment by Rafael Lopes — January 20, 2012 @ 8:02 pm | Reply

    • Thanks!

      Comment by Rhyous — January 21, 2012 @ 2:41 pm | Reply

    • I just realized my favicon.ico wasn't there. It is a sword too. It has been missing for two years! Now it is back.

      Comment by Rhyous — January 21, 2012 @ 11:58 pm | Reply

  7. Thanks mate!!!

    Comment by kamunjaka — February 23, 2012 @ 2:10 pm | Reply

  8. Hi,

    I would like to add, that the point under “Common Errors” is actually just a “Warning”. Apache runs nevertheless, if you have right domain name pointing to the IP or not.

    Anyways, good article.

    Cheers,
    Samuli

    Comment by Smuli — April 6, 2012 @ 3:34 am | Reply

    • Thanks Samuli. You are right, in a lab with a fake FQDN, I often have to update my hosts file or else Apache won’t even start.

      Comment by Rhyous — April 6, 2012 @ 2:29 pm | Reply

