Enable the HTTPS protocol with Apache 2 on Debian
This howto explains how to enable HTTPS with Apache 2.
This howto is tested on:
- Debian 5.0 Lenny
- Debian 6.0 Squeeze
- Debian 7.0 Wheezy
Prerequisites
This howto needs:
- an Apache 2 HTTP server, as described by Install Apache 2 on Debian.
This howto recommends:
Parameters
Provide the name of the network interface used for HTTPS connections:
SSL_NET="eth0"
Installation
Detect the IP address of the network interface (it is used later to create virtual hosts):
SSL_IP="$(command ifconfig "${SSL_NET}" \
| command grep 'inet ' \
| command sed -e 's/^.*inet [^:]*:\([^ ]*\) .*$/\1/')"
Set up the server to listen on port 443:
if [ -z "$(command grep 'Listen.*443' '/etc/apache2/ports.conf')" ]; then
  command echo "# Listen on the HTTPS port if the needed module is available.
<IfModule mod_ssl.c>
    Listen 443
</IfModule>" >> '/etc/apache2/ports.conf'
fi
Enable the VirtualHost naming for the network interface:
if [ -z "$(command grep "NameVirtualHost.*${SSL_IP}:443" '/etc/apache2/ports.conf')" ]; then
  command sed -i -e "/Listen[\t ]*443/a\\
    NameVirtualHost ${SSL_IP}:443" '/etc/apache2/ports.conf'
fi
Enable the SSL module:
command a2enmod ssl
Reload the server configuration:
/etc/init.d/apache2 force-reload
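The following check is an added example, not part of the original howto: it confirms that SSL_IP was detected as a real IPv4 address and that ports.conf holds exactly one active Listen 443 plus the matching NameVirtualHost line. The function names and the sample file (using the documentation address 192.0.2.10) are constructed for illustration.

```sh
# Added example (not from the howto). Function names and sample data are constructed.

# Succeed only if $1 is a dotted-quad IPv4 address with octets <= 255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs="$IFS"; IFS='.'
  set -- $1
  IFS="$old_ifs"
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Print one line per problem in ports.conf ($1) for address $2; return 0 if none.
check_ports_conf() {
  conf="$1"; ip="$2"; rc=0
  # A sed expression that does not match leaves its input line unchanged,
  # so SSL_IP can be non-empty and still not be an address.
  if ! is_ipv4 "$ip"; then
    echo "SSL_IP is not an IPv4 address: '$ip'"; rc=1
  fi
  # Ignore commented lines, then count the active "Listen 443" directives.
  active="$(grep -v '^[[:space:]]*#' "$conf" || true)"
  listens="$(printf '%s\n' "$active" \
    | grep -Ec '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' || true)"
  if [ "$listens" -ne 1 ]; then
    echo "expected exactly one active 'Listen 443', found $listens"; rc=1
  fi
  if ! printf '%s\n' "$active" | grep -Fq "NameVirtualHost ${ip}:443"; then
    echo "missing 'NameVirtualHost ${ip}:443'"; rc=1
  fi
  return "$rc"
}

# Constructed sample: ports.conf as it should look after the steps above.
write_sample_conf() {
  cat > "$1" <<'EOF'
Listen 80
<IfModule mod_ssl.c>
    Listen 443
    NameVirtualHost 192.0.2.10:443
</IfModule>
EOF
}

sample="$(mktemp)"
write_sample_conf "$sample"
check_ports_conf "$sample" '192.0.2.10' && echo "ports.conf OK"
rm -f "$sample"
```

On a real server, call it as check_ports_conf '/etc/apache2/ports.conf' "${SSL_IP}".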
Usage
Every HTTPS host needs a valid SSL certificate for its domain name, created as described by Create a SSL / TLS certificate on Debian.
Create an HTTPS virtual host with the --ssl option, giving it the name of the chosen SSL certificate as argument (generally, the domain name of the web site):
# command a2tools --ssl='www.domain.com' 'www.domain.com' '/opt/www.domain.com'
If the chosen certificate is a wildcard valid for all sub-domains, use:
# command a2tools --ssl='*.domain.com' 'www.domain.com' '/opt/www.domain.com'
A missing feature in Internet Explorer 6 to 8 on Windows XP limits a server to one SSL certificate per IP address. To host many sub-domains on the same server, the use of wildcard certificates (i.e. "*.domain.com") is recommended.
To host several domains on one server without errors in Internet Explorer, use the --bind-ip option to specify the IP address linked to the chosen SSL certificate. If you own an OVH server, assign a failover IP to the server.