One of the newer features on our site is an access control mechanism that forces specific paths to be delivered only over SSL when our customers have particularly sensitive data. We already use Apache2 with mod_jk to talk to the Tomcat 5.5 instance running our app, so the only part left is to enable SSL!
First make sure mod_ssl is enabled:
root@reltest-tcj0:/var/log/apache2# a2enmod
Which module would you like to enable?
Your choices are: actions asis auth_anon auth_dbm auth_digest auth_ldap cache cern_meta cgid cgi dav_fs dav deflate disk_cache expires ext_filter file_cache headers imap include info jk ldap mem_cache mime_magic proxy_connect proxy_ftp proxy_http proxy rewrite speling ssl suexec unique_id userdir usertrack vhost_alias
Module name? ssl
This module is already enabled!
Then we configure mod_jk to pass its SSL environment variables through to Tomcat by adding the following to apache2.conf:
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
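As an added example (not code from the original post) of what those indicators buy you on the Tomcat side, here is a hypothetical servlet filter that forces the sensitive paths onto HTTPS using request.isSecure(), which Tomcat only reports correctly behind Apache once JkExtractSSL is on. The class name and the path prefixes are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example): forces the listed path prefixes onto HTTPS.
// It relies on mod_jk forwarding the SSL state (JkExtractSSL On), which is what
// makes request.isSecure() true on the Tomcat side of the AJP connection.
public class RequireSslFilter implements Filter {
    // Constructed list of paths carrying sensitive data; a real deployment would
    // read these from filter init-params in web.xml.
    private static final List<String> SECURE_PREFIXES = Arrays.asList("/account", "/billing");

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (needsSsl(request.getRequestURI()) && !request.isSecure()) {
            // Rebuild the same URL on https. Without JkExtractSSL On, isSecure()
            // stays false even after the client moves to port 443, so this
            // redirect would loop forever: a quick way to spot the missing glue.
            StringBuffer url = new StringBuffer("https://").append(request.getServerName());
            url.append(request.getRequestURI());
            if (request.getQueryString() != null) {
                url.append('?').append(request.getQueryString());
            }
            response.sendRedirect(url.toString());
            return;
        }
        chain.doFilter(req, res);
    }

    static boolean needsSsl(String path) {
        for (String prefix : SECURE_PREFIXES) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }
}
```

Map it in web.xml with a filter-mapping on /*. The declarative equivalent is a security-constraint with transport-guarantee CONFIDENTIAL, which depends on the same forwarded SSL state.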
Tell Apache2 to listen on the SSL port by editing ports.conf:
Listen 443
We want to make sure we have the latest common CA certificates in order to establish a trusted root for our shiny new signed certificate!
apt-get install ca-certificates
If you have a lovely genuinely signed certificate like we do, you might need to add its intermediate certificate to the ca-certificates system. Move the certificate to /usr/share/ca-certificates, then add its location to /etc/ca-certificates.conf.
Now run update-ca-certificates to update the system’s certificate store (located in /etc/ssl/certs/ca-certificates.crt).
root@reltest-tcj0:/etc/apache2/sites-enabled# update-ca-certificates
Updating certificates in /etc/ssl/certs....done.
Since we want the same site to simply be available over SSL, I’m going to duplicate the existing VirtualHost for that site, specifying port 80 for the original vhost and port 443 for the new one that uses SSL. The only changes needed in the new vhost are the following SSL directives:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
Obviously, make sure the certificate and key are actually in those locations!
And lastly, make sure that NameVirtualHost settings exist for both port 80 and port 443!
NameVirtualHost *:80
NameVirtualHost *:443