mod_ssl (Apache SSL Module)
mod_ssl is an Apache module that provides SSL (Secure Sockets Layer) and TLS (Transport Layer Security) support to the Apache HTTP Server, enabling secure communication over HTTPS.
Installing mod_ssl
On most Linux distributions, mod_ssl can be installed using the package manager.
For RHEL/CentOS:
sudo yum install mod_ssl
For Debian/Ubuntu, mod_ssl ships with the apache2 package itself, so there is no separate module package to install:
sudo apt-get install apache2
After installation, the module should be enabled automatically. If not, you can enable it manually.
For Debian/Ubuntu:
sudo a2enmod ssl
sudo systemctl restart apache2
Configuring mod_ssl
The configuration for mod_ssl is typically found in the /etc/httpd/conf.d/ssl.conf file for RHEL/CentOS or /etc/apache2/sites-available/default-ssl.conf for Debian/Ubuntu.
Key Directives in SSL Configuration
1. LoadModule Ensure the SSL module is loaded:
LoadModule ssl_module modules/mod_ssl.so
2. Listen Specify the port for HTTPS traffic:
Listen 443
3. SSL Engine Enable SSL for the server:
SSLEngine on
4. SSLCertificateFile Specify the path to the server's SSL certificate:
SSLCertificateFile /etc/pki/tls/certs/server.crt
5. SSLCertificateKeyFile Specify the path to the server's private key:
SSLCertificateKeyFile /etc/pki/tls/private/server.key
6. SSLCertificateChainFile If using an intermediate certificate, specify its path (deprecated since httpd 2.4.8, where the intermediates can instead be appended to the file named by SSLCertificateFile):
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
7. SSLCACertificateFile Specify the path to the CA certificate if client authentication is required:
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Example SSL Virtual Host Configuration
<VirtualHost _default_:443>
    ServerAdmin webmaster@example.com
    DocumentRoot "/var/www/html"
    ServerName www.example.com:443
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Enabling and Testing SSL Configuration
Step 1: Enable the SSL Virtual Host
For Debian/Ubuntu:
sudo a2ensite default-ssl
sudo systemctl reload apache2
For RHEL/CentOS, ensure that the ssl.conf file in /etc/httpd/conf.d/ is properly configured and included in the main configuration.
Step 2: Restart Apache
sudo systemctl restart httpd # For RHEL/CentOS
sudo systemctl restart apache2 # For Debian/Ubuntu
Step 3: Verify the Configuration
You can verify your SSL configuration using various tools:
OpenSSL Command Line (the -servername option sends SNI so the certificate of the intended virtual host is returned, and -status requests the stapled OCSP response, if any):
openssl s_client -connect www.example.com:443 -servername www.example.com -status
Online SSL Test Services: Use tools like SSL Labs' SSL Test to analyze your SSL configuration.
Security Enhancements
1. Enforce Strong Protocols Disable older protocols like SSLv2 and SSLv3 and allow only strong protocols like TLSv1.2 and TLSv1.3 (TLSv1.3 requires httpd 2.4.36 or later built against OpenSSL 1.1.1 or later):
SSLProtocol -all +TLSv1.2 +TLSv1.3
2. Use Strong Ciphers Specify strong ciphers to prevent weak encryption:
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
3. Enable HSTS HTTP Strict Transport Security (HSTS) forces clients to only interact with the server over HTTPS. The Header directive requires mod_headers to be loaded, and the header should be set only in the HTTPS virtual host:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
4. OCSP Stapling With OCSP stapling the server fetches and caches the OCSP response for its own certificate and delivers it inside the TLS handshake, so clients do not have to contact the CA's responder themselves. SSLStaplingCache must be placed in the server context (outside any VirtualHost), and the shmcb cache type requires mod_socache_shmcb to be loaded:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
Conclusion
mod_ssl is a crucial module for enabling secure HTTPS communication on the Apache HTTP Server. By properly configuring httpd.conf and ssl.conf, you can ensure that your web server handles SSL/TLS traffic efficiently and securely. This includes loading the required modules, setting up the SSL virtual hosts, and applying security enhancements like strong protocols and ciphers, HSTS, and OCSP stapling.