Modssl allows secure transmission using SSL encryption. You can recognize it by the “https://” in front of the page address. Secure transmission is important for passwords and sensitive information. A good example of its use is online banking.
Create certificates
1. You need Linux. To create certificates, you need to install “openssl”.
2. Create certificates:
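    # Passphrase-protected RSA key (2048 bits; 1024-bit RSA is no longer considered adequate)
    openssl genrsa -out server.key -des3 2048
    # Self-signed certificate, valid for 1460 days
    openssl req -new -x509 -days 1460 -key server.key -out server.crt
    # Passphrase-free copy of the key for Apache
    openssl rsa -in server.key -out server_without_passwd.key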
Hint: “Common Name” is the domain name or the IP address of the server. It should be “yourAccountName.dyndns.org” or any other DynDNS name.
3. Now copy the following files into the conf directory of Apache:
- server.crt
- server_without_passwd.key
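Before copying the two files, it is worth confirming that they belong together and that the passphrase-free key is not readable by other users. The following is an added example, not part of the original page; the function name check_pair, the 2048-bit minimum for RSA keys and the 30-day expiry threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. check_pair CERT KEY HOST
# returns 0 when the files are fit to copy into Apache's conf directory.
check_pair() {
    cert=$1 key=$2 host=$3 rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # The page installs the passphrase-free copy of the key. Both PEM encodings
    # of an encrypted key carry the word ENCRYPTED in their header.
    if grep -q ENCRYPTED "$key"; then
        fail "$key is still passphrase-protected"; return 1
    fi
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) ||
        { fail "cannot read private key $key"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { fail "cannot parse certificate $cert"; return 1; }

    # SSLCertificateFile and SSLCertificateKeyFile must hold the same key pair.
    [ "$key_pub" = "$cert_pub" ] || fail "certificate and key do not match"

    # "Common Name" has to be the name clients type into the browser.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subject," in
        *"CN=$host,"*) ;;
        *) fail "Common Name is not $host ($subject)" ;;
    esac

    # Assumed minimum: RSA keys shorter than 2048 bits are reported as weak.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || fail "public key is only ${bits:-?} bits"

    # An unencrypted key is protected by file permissions alone:
    # characters 5-10 of the mode string are the group and other bits.
    mode=$(ls -lL "$key" | cut -c5-10)
    [ "$mode" = "------" ] || fail "$key is accessible to group or others"

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        fail "certificate expires within 30 days"
    return $rc
}
```

Call it as `check_pair server.crt server_without_passwd.key yourAccountName.dyndns.org` after running `chmod 600 server_without_passwd.key`.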
Adapt the apache.conf
Finally, you must integrate modssl into apache.conf:

    # Add after "Listen 85" in apache.conf
    Listen 443
    # [...]
    # SSL virtual host (the _default_:443 address is an assumption; adjust as needed)
    <VirtualHost _default_:443>
        DocumentRoot "/var/media/data/apache/htdocs"
        ServerName 192.168.178.1
        ServerAdmin radislv@lavabit.com
        ErrorLog /var/media/data/apache/logs/error.log
        TransferLog /var/media/data/apache/logs/apache_access_log
        SSLEngine on
        SSLCertificateFile /var/media/data/apache/conf/server.crt
        SSLCertificateKeyFile /var/media/data/apache/conf/server_without_passwd.key
        SSLOptions +StdEnvVars
        <Directory "/var/media/data/apache/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        CustomLog /var/media/data/apache/logs/ssl_request.log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
In the example configuration this host is commented out.
Testing
If everything is correctly set up, the homepage should be available: https://192.168.178.1
NOTE: by default, modssl uses port 443. The remote access uses the same port, so there is a conflict: you have to change the port of one of the applications, e.g. switch remote access to port 444. In that case we would have the following addresses:
- Remote access: https://192.168.178.1:444
- Apache(modssl): https://192.168.178.1 or https://192.168.178.1:443
External secure access
1. To enable secure access from the outside, you need to change the “forwardrules” in ar7.cfg:

    forwardrules = "udp 0.0.0.0:5060 0.0.0.0:5060",
                   [...]
                   "tcp 0.0.0.0:443 0.0.0.0:443 0 # apache modssl"
                   [...]
See also section “ar7.cfg”
2. Now your site should be reachable from the outside: https://[yourIp]/
“yourIp” has to be replaced by the correct IP address. The easiest way to find it is through here.
Example: https://123.123.123.123/