Apache 2.0 in Ubuntu

This post will deal with setting up a web server in Ubuntu using Apache 2.0. I will not be able to cover every scenario but I hope I can cover the most common ones. Default paths and so on are based on Ubuntu 7.10, Gutsy Gibbon.

Install Apache

sudo apt-get install apache2

Make sure it has been installed and is working properly by going to the server’s IP address using any web browser.

Custom Configurations

Since Apache allows you to include other files for configuration, it might be a good idea to create a file with all your custom configurations in it. Then you just have to save that file and use it whenever needed without messing around with the default configurations.

sudo mkdir /etc/apache2/customconfig/

sudo touch /etc/apache2/customconfig/server.conf

And then add the following line to /etc/apache2/apache2.conf

Include /etc/apache2/customconfig/

And from then on all custom configurations will be loaded by Apache.

Give Apache a Server Name

Check whether the configuration files already set a server name:

grep -n ServerName /etc/apache2/apache2.conf

grep -n ServerName /etc/apache2/httpd.conf

grep -n ServerName /etc/apache2/ports.conf

Usually, if a server name has not been set, Apache will complain when you start it. So just add a server name to your config file. If you have created a custom config file, such as server.conf above, open it:

sudo vim /etc/apache2/customconfig/server.conf

If you haven’t created a custom config file, open the main config file instead:

sudo vim /etc/apache2/apache2.conf

And add the line:

ServerName localhost

Now when you restart Apache, it will not complain that it doesn’t have a server name.

Listen on Ports

You need to make sure that Apache is listening on at least two ports: 80 (HTTP) and 443 (HTTPS). Your /etc/apache2/ports.conf file should look something like this:

Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>

Create Site

To create a site, you first have to decide where to store the files. I like to store them under my home directory, with read access to the user under which Apache runs, which is more likely than not www-data in Ubuntu.

mkdir /home/me/web/ /home/me/logs/

sudo chown -R www-data /home/me/logs/

sudo chmod g+rwx /home/me/logs

VirtualHost Configuration

Since I may need to host more than one site on the server, I want to use VirtualHost and its associated settings. I prefer to keep separate files for each virtual host.

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sitedomain

sudo vim /etc/apache2/sites-available/sitedomain

And then get to editing the file. After editing, my first virtual host config looks like this:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
</VirtualHost>

Enable New Site

After creating the config file for the new web site, you need to enable it.

sudo a2ensite sitedomain

But to use it, you must also disable the default site

sudo a2dissite default

Next you have to reload configurations in Apache

sudo /etc/init.d/apache2 reload

Now when you navigate to the server, it will show your new site.

Install SSL

Make sure Apache has the SSL module available:

ls /etc/apache2/mods-available | grep ssl.conf

ls /etc/apache2/mods-available | grep ssl.load

Install OpenSSL and ssl-cert

sudo apt-get install openssl ssl-cert

Your Ubuntu installation may not have one critical piece of software: apache2-ssl-certificate. You may download it from Launchpad (apache2-ssl) and do the following steps (instructions courtesy of Apache2-SSL-Certificate for Ubuntu Feisty..How to install this missing script to get the SSL certificates up):

cd ~/

wget http://librarian.launchpad.net/7477840/apache2-ssl.tar.gz

tar xvzf apache2-ssl.tar.gz

sudo mv ssleay.cnf /usr/share/apache2/

sudo mv apache2-ssl-certificate /usr/sbin

sudo mkdir /etc/apache2/ssl

Now you may proceed with the next steps.

Configure SSL

First you have to generate an SSL certificate.

sudo apache2-ssl-certificate -days 365

It will ask a series of questions; here are sample answers:

Country name: US
State: New York
Locality: New York
Organization Name: My Organization
Organizational Unit Name: .
Server name: ssl.mysite.net
Email: myemail@mysite.net

To enable the SSL module in Apache, run the following

sudo a2enmod ssl

Site Configuration

Your virtual host config will change and be something like:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Now you may navigate your site without problems.

Configure SSL with OpenSSL

If you want to use OpenSSL to create and maintain your certificates, and also use them with Apache, read my guide titled Create a Certificate Authority and Certificates with OpenSSL. Once you have created server certificates, you have to make just a few changes in your virtual host config: location of the key and certificate files. For example, your config file might now look like

NameVirtualHost *:80
<VirtualHost *:80>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
SSLEngine On
SSLCertificateFile /home/ca/certs/mydomain.com.cert.pem
SSLCertificateKeyFile /home/ca/private/mydomain.com.key.pem
SSLCACertificateFile /home/ca/certs/cacert.pem
</VirtualHost>

Redirect Traffic to SSL

And if you want to redirect all your port 80 traffic to the secure, SSL-enabled part of your web server, you first have to enable the Rewrite engine

sudo a2enmod rewrite

Then you have to enable it in your virtual host configuration and change it to

NameVirtualHost *:80
<VirtualHost *:80>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
SSLEngine On
SSLCertificateFile /home/ca/certs/mydomain.com.cert.pem
SSLCertificateKeyFile /home/ca/private/mydomain.com.key.pem
SSLCACertificateFile /home/ca/certs/cacert.pem
</VirtualHost>

Now all traffic on the regular port will be redirected to the secure port.

Access Using Client Certificates

If you want only selected people to be able to browse your website, you can create certificates for clients and set Apache to only allow them access. To create client certificates, read my guide titled Create a Certificate Authority and Certificates with OpenSSL.

On the Apache side, you have to change your virtual host config and make it look something like:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerName mydomain.com
DocumentRoot /home/me/web/
ErrorLog /home/me/logs/error.log
SSLEngine On
SSLCertificateFile /home/ca/certs/mydomain.com.cert.pem
SSLCertificateKeyFile /home/ca/private/mydomain.com.key.pem
SSLCACertificateFile /home/ca/certs/cacert.pem
<Directory /home/me/web>
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
</VirtualHost>
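
A lint for the vhost files built up above, as an added example that is not part of the original post: for each `<VirtualHost>` block it reports whether plain HTTP is redirected, whether the TLS vhost has `SSLEngine`, a certificate and a key file, and where `SSLVerifyClient require` is set. The function names, the output format and the abbreviated sample config are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Reads vhost files (or stdin) and
# prints one "<port> <level> <finding>" line per check; exits 1 on any FAIL.
audit_vhosts() {
    awk '
    function say(level, msg) { print port, level, msg; if (level == "FAIL") bad = 1 }
    { d = tolower($1) }              # directive names are case-insensitive
    d == "<virtualhost" {            # <VirtualHost *:443> gives port 443
        port = $2; sub(/.*:/, "", port); sub(/>.*/, "", port)
        ssl = cert = key = redir = verify = indir = 0
    }
    d == "<directory" || d == "</directory>" { indir = (d == "<directory") }
    d == "sslengine" && tolower($2) == "on"  { ssl = 1 }
    d == "sslcertificatefile"                { cert = 1 }
    d == "sslcertificatekeyfile"             { key = 1 }
    d == "rewriterule" && $3 ~ /^https:\/\// { redir = 1 }
    d == "sslverifyclient" && tolower($2) == "require" { verify = indir ? 2 : 1 }
    d == "</virtualhost>" && (ssl || port == "443") {
        if (!ssl) say("FAIL", "SSLEngine is not On")
        if (!cert) say("FAIL", "no SSLCertificateFile")
        else if (!key) say("WARN", "no SSLCertificateKeyFile, key must be in the certificate file")
        if (verify == 2) say("NOTE", "client certificate required per directory")
        else if (verify == 1) say("NOTE", "client certificate required at handshake")
        else say("NOTE", "no client certificate required")
    }
    d == "</virtualhost>" && !(ssl || port == "443") {
        if (redir) say("OK", "redirects to https")
        else say("WARN", "plain HTTP without redirect to https")
    }
    END { exit bad + 0 }
    ' "$@"
}
# Constructed sample input: the client-certificate vhosts from the post, abbreviated.
sample_config() {
    cat <<'EOF'
<VirtualHost *:80>
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /home/ca/certs/mydomain.com.cert.pem
SSLCertificateKeyFile /home/ca/private/mydomain.com.key.pem
<Directory /home/me/web>
SSLVerifyClient require
</Directory>
</VirtualHost>
EOF
}
sample_config | audit_vhosts
```

A per-directory `SSLVerifyClient require` is reported separately because mod_ssl enforces it by renegotiating after the request has arrived, rather than during the initial handshake.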

Hat Tips

To be honest, my starting point was Ubuntu LAMP Server Guide, from where I took steps and then added more details where I thought they were needed.

Also helpful were: Apache2 SSL in Ubuntu; Apache2-SSL-Certificate for Ubuntu Feisty..How to install this missing script to get the SSL certificates up; SSL FAQ.

6 Responses to Apache 2.0 in Ubuntu

  1. Alejo Ceballos says:

    Good tutorial, as good as “Create a Certificate Authority and Certificates with OpenSSL”, but… Errr… Sorry about my ignorance… But… What now? Just type: “http://mydomain.com” in firefox and that’s it? I tried to configure the server name to “localhost”, but firefox keeps showing me “can’t establish a connection to the server at localhost”.

    So? Can you help?

    Alejo

  2. Alejo Ceballos says:

    Well well, I don’t know exactly what happened, but after installing two more packages (“sudo apt-get install apache2-mpm-prefork apache2-utils”) I was able to receive a different error message from my server (“https://localhost/”), something like “Secure Connection Failed”, “SSL peer was unable to negotiate an acceptable set of security parameters.” (Error code: ssl_error_handshake_failure_alert).

    Well, I imported my “cacert” to firefox (Firefox Preferences -> Encryption -> View Certificates -> Import), but no deal…

    I’ll keep trying, but if somebody can throw some light into this dark, I’ll appreciate it.

    Alejo

  3. Alejo Ceballos says:

    Guess that’s my last post of the night…

    In the log file, all the messages are the same: “[error] Re-negotiation handshake failed: Not accepted by client!?”

    So… What am I missing?

    Thanks again… Bye.

  4. Alejo Ceballos says:

    I DID IT!!!

    Man!!! I love your posts!!! Both “https://codeghar.wordpress.com/2008/03/15/apache-20-in-ubuntu/” (to get Apache Server running) and “https://codeghar.wordpress.com/2008/03/17/create-a-certificate-authority-and-certificates-with-openssl/#comment-84” (to get my personal CA working)!!!

    Okay, just a small “add-on” to your posts:

    1. If you’re using Firefox, you need to have a client certificate, but IT MUST BE PKCS#12! So, after trying some time, with the help of “http://www.openssl.org/docs/apps/pkcs12.html”, I was able to create my PKCS#12 certificate.

    2. In “Firefox Preferences -> Encryption -> View Certificates”, select “Your Certificates” tab and import your out-of-the-box brand new PKCS#12 client certificate… Just insert your secret pass phrase (do not ever forget it) and “voila”!!!

    Now you are perfectly able to access your beautiful HTTPS Apache Web Server (hmmmm, how will it work with Tomcat? But it is another story!)

    Thank you very much for all your patience!

    Best regards…

    Alejo Ceballos

  5. hs says:

    You had to get a certificate for your browser because of “SSLVerifyClient require”. It means that the client should have a “matching” certificate installed. If you don’t use that and its associated configuration, you do not need a client certificate. And glad that you found posts helpful.
