mod_ssl (Apache SSL Module)
mod_ssl is an Apache module that provides SSL (Secure Sockets Layer) and TLS (Transport Layer Security) support to the Apache HTTP Server, enabling secure communication over HTTPS.
Installing mod_ssl
On most Linux distributions, mod_ssl can be installed using the package manager.
For RHEL/CentOS:
sudo yum install mod_sslFor Debian/Ubuntu:
sudo apt-get install libapache2-mod-sslAfter installation, the module should be enabled automatically. If not, you can enable it manually.
For Debian/Ubuntu:
sudo a2enmod ssl
sudo systemctl restart apache2Configuring mod_ssl
The configuration for mod_ssl is typically found in the /etc/httpd/conf.d/ssl.conf file for RHEL/CentOS or /etc/apache2/sites-available/default-ssl.conf for Debian/Ubuntu.
Key Directives in SSL Configuration
1. LoadModule Ensure the SSL module is loaded:
LoadModule ssl_module modules/mod_ssl.so2. Listen Specify the port for HTTPS traffic:
Listen 4433. SSL Engine Enable SSL for the server:
SSLEngine on4. SSLCertificateFile Specify the path to the server's SSL certificate:
SSLCertificateFile /etc/pki/tls/certs/server.crt5. SSLCertificateKeyFile Specify the path to the server's private key:
SSLCertificateKeyFile /etc/pki/tls/private/server.key6. SSLCertificateChainFile If using an intermediate certificate, specify its path:
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt7. SSLCACertificateFile Specify the path to the CA certificate if client authentication is required:
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crtExample SSL Virtual Host Configuration
<VirtualHost _default_:443>
ServerAdmin webmaster@example.com
DocumentRoot "/var/www/html"
ServerName www.example.com:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>Enabling and Testing SSL Configuration
Step 1: Enable the SSL Virtual Host For Debian/Ubuntu:
sudo a2ensite default-ssl
sudo systemctl reload apache2For RHEL/CentOS, ensure that the ssl.conf file in /etc/httpd/conf.d/ is properly configured and included in the main configuration.
Step 2: Restart Apache
sudo systemctl restart httpd # For RHEL/CentOS
sudo systemctl restart apache2 # For Debian/UbuntuStep 3: Verify the Configuration You can verify your SSL configuration using various tools:
OpenSSL Command Line:
openssl s_client -connect www.example.com:443Online SSL Test Services: Use tools like SSL Labs' SSL Test to analyze your SSL configuration.
Security Enhancements
1. Enforce Strong Protocols Disable older protocols like SSLv2 and SSLv3, and only allow strong protocols like TLSv1.2 and TLSv1.3:
SSLProtocol all -SSLv2 -SSLv32. Use Strong Ciphers Specify strong ciphers to prevent weak encryption:
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on3. Enable HSTS HTTP Strict Transport Security (HSTS) forces clients to only interact with the server over HTTPS:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"4. OCSP Stapling OCSP stapling improves the performance of certificate status verification:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"Conclusion
mod_ssl is a crucial module for enabling secure HTTPS communication on the Apache HTTP Server. By properly configuring httpd.conf and ssl.conf, you can ensure that your web server handles SSL/TLS traffic efficiently and securely. This includes loading the required modules, setting up the SSL virtual hosts, and applying security enhancements like strong protocols and ciphers, HSTS, and OCSP stapling.
Last updated