Apache
Virtual Host
This is how you set up Apache for virtual hosts, for example when you have several domain names and only one server. ServerAlias is used in case people don't put "www" in front of the URL.
<VirtualHost *:80>
    DocumentRoot /home/{user}/public_html
    ServerName www.{domainname}.com
    ServerAlias {domainname}.com
</VirtualHost>
Virtual Host ProxyPass
This passes every HTTP request along to another server. It helps when you want to hand a connection to a backend, for example Apache -> Tomcat on port 8080.
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ServerName www.{domainname}.com
    ServerAlias {domainname}.com
</VirtualHost>
SSL Setup
I'm playing around with SSL setup for Apache. My overall goal would be to set up an SSL web address that would be only accessed with a single private key that would have to be imported into a browser and not handed off from the server.
1. Install SSL module for Apache on Fedora
> yum install mod_ssl
2. I created a folder for housing any newly created certs to be used by Apache.
> mkdir /etc/httpd/ssl
3. I generated a cert. A *.pem file contains both public and private key. This will ask you a bunch of questions too.
> openssl req -new -x509 -sha256 -days 365 -nodes -out /etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key
Resources
http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
http://www.apachelounge.com/viewtopic.php?t=3571
https://www.linode.com/docs/security/ssl/ssl-certificates-with-apache-2-on-fedora-14
SSL Setup 2
I'm trying again... The first attempt failed because I didn't generate a CA.
# openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096
Enter pass phrase for ca.key.pem: secretpassword
Verifying - Enter pass phrase for ca.key.pem: secretpassword
# chmod 400 /etc/pki/CA/private/ca.key.pem
Open your OpenSSL configuration file (/etc/pki/tls/openssl.cnf) and look for the [ usr_cert ] and [ v3_ca ] sections. Make sure they contain the following options:
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
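A way to automate the "make sure they contain the following options" check, as an added example that is not part of the original notes. The function names and the script name check_cnf.py are made up for illustration; the expected values are the ones listed above.

```python
import re
import sys

# Security-relevant options from the page (nsComment is only a label, so it is skipped).
REQUIRED = {
    "usr_cert": {
        "basicConstraints": "CA:FALSE",
        "keyUsage": "nonRepudiation, digitalSignature, keyEncipherment",
        "subjectKeyIdentifier": "hash",
        "authorityKeyIdentifier": "keyid,issuer",
    },
    "v3_ca": {
        "subjectKeyIdentifier": "hash",
        "authorityKeyIdentifier": "keyid:always,issuer",
        "basicConstraints": "CA:true",
        "keyUsage": "cRLSign, keyCertSign",
    },
}

def parse_sections(text):
    """Return {section: {option: value}} for an OpenSSL config file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def normalize(value):
    return sorted(part.strip().lower() for part in value.split(","))  # ignore case and order

def audit(text):
    """List each required option that is missing or set differently."""
    sections, problems = parse_sections(text), []
    for section, options in REQUIRED.items():
        found = sections.get(section, {})
        for key, want in options.items():
            have = found.get(key)
            if have is None or normalize(have) != normalize(want):
                problems.append(f"[{section}] {key}: found {have!r}, expected {want!r}")
    return problems

if __name__ == "__main__" and len(sys.argv) > 1:  # usage: python3 check_cnf.py openssl.cnf
    print("\n".join(audit(open(sys.argv[1]).read())) or "OK")
```

The finding that matters most is basicConstraints=CA:TRUE under [ usr_cert ], because every certificate signed with that section could then act as a CA itself.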
Now you can use the root key above to issue a root certificate (ca.cert.pem). In this example, the certificate is set to expire in ten years. As this is a CA certificate, use the v3_ca extension. You will be prompted for some responses, which you can fill with whatever you like. For convenience, defaults can be set in the openssl configuration file.
Important: The default digest is SHA-1. SHA-1 is considered insecure. Pass the -sha256 option to use a more secure digest.
openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
Enter pass phrase for ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:London
Locality Name (eg, city) [Default City]:London
Organization Name (eg, company) [Default Company Ltd]:Alice CA
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server's hostname) []:Alice CA
Email Address []:alice@example.com
chmod 444 /etc/pki/CA/certs/ca.cert.pem
Root key: ca.key.pem
Root certificate: ca.cert.pem
Generate Signing Request???
openssl genrsa -out footballaz.key.pem 4096
Resources
https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/