Apache 2.2 with SSL on Windows

There are a few services I run that I need to access over the web that I do not want anyone watching (phpMyAdmin, for example). The simple solution is to encrypt this traffic with SSL certificates. Here is how I did it on Windows with Apache 2.2:

  • Install the latest Apache 2.2 with OpenSSL: http://httpd.apache.org/download.cgi.
  • Open the Command Prompt and browse to [apache 2.2 path]/bin.
  • Enter openssl req -config ../conf/openssl.cnf -new -out foo.csr -keyout foo.pem. Fill out this information the best you can, but you can leave most of it blank. The most notable exceptions are the PEM Pass Phrase fields and the Common Name field (which should be the domain name you will use this certificate on). It is best that you leave the Challenge Password at the end blank.
  • Enter openssl rsa -in foo.pem -out foo.key. You will be asked to reenter the password you entered in the last step.
  • Enter openssl x509 -in foo.csr -out foo.crt -req -signkey foo.key -days 3650. You can replace 3650 with however many days you want the certificate to be valid for.
  • You will now wind up with four files: foo.crt, foo.csr, foo.key, and foo.pem. At this point you really only need foo.crt and foo.key and may delete the other two (unless you want to sign more certificates later on).
  • Move your two remaining files somewhere safe (not any place where the web server will be able to serve them to clients).
  • Open [apache 2.2 path]/conf/httpd.conf in your favorite text editor. Uncomment the line LoadModule ssl_module modules/mod_ssl.so.
  • Open [apache 2.2 path]/conf/extra/httpd-ssl.conf. Uncomment the line Listen 443.
  • In Windows Explorer browse to [apache 2.2 path]/conf and open the configuration for the site you want to SSL-enable. Make sure you are set up to listen on port 443 if you are running a virtual host. Add the lines SSLEngine on, SSLCertificateFile "[foo.crt path]", and SSLCertificateKeyFile "[foo.key path]".
  • Restart Apache 2.2: net stop apache2.2 and net start apache2.2.
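
Added example, not part of the original post: a small Python check covering two of the steps above. The openssl rsa step leaves foo.key without a pass phrase (which is what lets the Apache service start without a prompt), so that file must live where the server can never serve it. The script reads DocumentRoot and SSLCertificateKeyFile from a config string (simplified parsing, assumed: one directive per line, Include is not followed) and flags a key that sits inside a DocumentRoot or is still pass-phrase protected; demo() builds a constructed scenario in a temp directory.

```python
import os
import re
import tempfile

# OpenSSL 0.9.8 writes "Proc-Type: 4,ENCRYPTED" into the pass-phrase protected foo.pem;
# foo.key produced by `openssl rsa -in foo.pem -out foo.key` has no such header.
KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# Simplified httpd.conf parsing (assumption): one directive per line, Include not followed.
DIRECTIVE = re.compile(r'^\s*(DocumentRoot|SSLCertificateKeyFile)\s+"?(.+?)"?\s*$', re.M)

def is_encrypted_key(text):
    return "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text

def parse_conf(conf_text):
    """Return (document_roots, key_files) as normalised absolute paths."""
    roots, keys = [], []
    for name, value in DIRECTIVE.findall(conf_text):
        (roots if name == "DocumentRoot" else keys).append(os.path.normcase(os.path.abspath(value)))
    return roots, keys

def is_under(path, root):
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # different drives on Windows: cannot be inside
        return False

def audit(conf_text):
    """Return findings for each SSLCertificateKeyFile; an empty list means placement looks fine."""
    roots, keys = parse_conf(conf_text)
    findings = []
    for key in keys:
        for root in roots:
            if is_under(key, root):
                findings.append(f"{key} is inside DocumentRoot {root}: clients can download it")
        if os.path.exists(key):
            with open(key, encoding="utf-8", errors="replace") as f:
                text = f.read()
            if not KEY_HEADER.search(text) or is_encrypted_key(text):
                findings.append(f"{key} is not an unencrypted PEM key; the Apache service cannot prompt for a pass phrase")
    return findings

def demo():
    """Constructed scenario: the unencrypted foo.key was left inside the DocumentRoot."""
    htdocs = os.path.join(tempfile.mkdtemp(), "htdocs")
    os.mkdir(htdocs)
    bad_key = os.path.join(htdocs, "foo.key")
    with open(bad_key, "w") as f:  # constructed placeholder body, not a real key
        f.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    conf = f'DocumentRoot "{htdocs}"\nSSLEngine on\nSSLCertificateKeyFile "{bad_key}"\n'
    return audit(conf)  # one finding: the key is inside DocumentRoot
```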

Some notes:

  • Certificates can only be used for whole domains or virtual hosts as opposed to a single directory. However with some clever allows, denies, and redirects in your web root you can do just about anything.
  • Only one SSL-enabled site (virtual host) per IP address is possible on the same server. This is by design within SSL.
  • These certificates are self-signed. That means that anyone who views your new secure site will most likely be greeted with a warning they must accept before continuing. You set up the certificates yourself so you know there is nothing fishy going on, but they might not know that. If you want to avoid this you will have to put out the cash to Verisign or someone else who can offer the same service.
  • Check out the SSLCipherSuite and SSLCARevocationFile directives (which you will notice are missing in my instructions) to further lock down your site.
  • Remember that if you ever change your certificate in any way the client may need to remove their old certificate before they will be able to view the site again.
  • I generally replace foo with the domain name.
  • Since this was always meant as a quick-and-dirty howto, you can find more information at the Apache site.
  • I am running Windows XP SP3, Apache 2.2.14, and the included OpenSSL 0.9.8k.

16 thoughts on “Apache 2.2 with SSL on Windows”

  1. Hey Nick, I’ve followed each step, however my Apache doesn’t restart once I uncomment the line “Include conf/extra/httpd-ssl.conf” in httpd.conf. No further error logs either.

    Any idea what could be happening???

    Tks anyway.

    1. Exact same problem here as well. As soon as I uncomment “Include conf/extra/httpd-ssl.conf” I can no longer start the server. Uninstalled, deleted the remaining directory, and reinstalled following the instructions several times. Just won’t work.

      No errors get written to the log. All I get is an extremely unhelpful dialog error that says: “The requested operation has failed!”

      1. Oh. My. God. I finally figured it out. I previously had Apache2.2 with OpenSSL up and running on WinXP x86 in a matter of minutes. And now I have been trying to set it up on Win7 x64 for nearly 5 hours. The problem I had was the parentheses in the “Program Files (x86)” directory. Apparently the parser that reads the SSLSessionCache line in httpd-ssl.conf gets tripped up by “(x86)” when it’s looking for “ssl_scache(512000)”.

        Installed to another path that is free of parentheses and it works exactly like I expected it to all along.

        Unbelievable…

        1. Hi Mike3,

          I could find a solution without changing the install directory: use the short name (PROGRA~2) in place of “Program Files (x86)”, like this:

          shmcb:C:/PROGRA~2/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)

          It worked for me.

          yasu

  2. This is BY FAR the best rundown of how to do this, and make it so fricken easy. I spent hours looking for instructions that didn’t suck. Thank you!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    -Mike

  3. Brilliant instructions, best guide on the internet!

    The only thing missing was an instruction to uncomment the following line in httpd.conf:

    #Include conf/extra/httpd-ssl.conf

  4. Hi,

    Using your guidelines , I have successfully started apache server.

    But when I enter https://${IP_ADDRESS} in the browser, the page does not come up.

    What can the issue be?

    My Apache is running on port 9666 (Listen 9666 in conf/httpd.conf).

    Ketan

  5. Apache service running successfully. But when I access “https://domain-name” from the browser, the page says privacy error “Your connection is not private” with a red line through https. Please help. Thank you.

  6. After generating certificates edit these files (httpd.conf & httpd-ssl.conf)

    • httpd.conf (C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf):

    Remove the comment symbol (“#”) from the rows
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule proxy_http_module modules/mod_proxy_http.so

    Remove the comment symbol (“#”) from the row
    Include conf/extra/httpd-ssl.conf

    Add the following rows at the end of the httpd.conf file and replace tomcathost with the Tomcat URL and port with the Tomcat HTTP port configured in section Ports. Note! It is important to end the last row with the “/” sign.

    # BalancerMember is only valid inside a <Proxy balancer://...> container
    <Proxy balancer://mycluster>
        BalancerMember http://tomcathost:8080
    </Proxy>
    ProxyPass / balancer://mycluster/

    • httpd-ssl.conf (C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra):

    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
    #SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. Keep
    # in mind that if you have both an RSA and a DSA certificate you
    # can configure both in parallel (to also allow the use of DSA
    # ciphers, etc.)
    SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/foo.crt"
    #SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/server-dsa.crt"

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/foo.key"
    #SSLCertificateKeyFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/server-dsa.key"

  8. Hi.. I’m facing some issues in setting up Apache in SSL.
    I’m not able to rewrite the url in https. Please help

  9. I have configured my Apache to support SSL. If my url (tone path) is not encrypted, the song gets played. In case my url is encrypted, the song does not get played.

    Suppose my Apache is running and I’m trying to prelisten a song; my url will be like:

    https://IP:HTTPSPORT/exp/M4ZFL5ehOYRvvTmnMBclhafDBls4FYFktc+jGGbssaGHFdsghfaf45HGFshFHGbdjdd.

    I have configured my httpd.conf like below:

    ExpiresActive On
    ExpiresDefault "access plus 0 seconds"
    ExpiredByType audio/x-wav "access plus 0 seconds"
    RewriteEngine On
    RewriteLock "D/Apache2.2/myLock.txt"
    RewriteLogLevel 1
    RewriteMap crypt "prg:D:/java home "=Dcrypt.properties=D/Apache2.2/cgi-bin/crypt.properties " classpath …
    RewriteRule ^/exp/(.*)$ $(crypt:1$) [pt]

    But the /exp is not able to append after my Port.

    How to resolve the issue?
