
mod_ssl on Rocky Linux in an Apache web server environment

The Apache web server has existed for many years now. mod_ssl adds SSL/TLS encryption to the web server and is installable on almost any version of Linux.

This procedure will get you up and running with Rocky Linux and mod_ssl in an Apache web server environment.

Prerequisites

  • A workstation or server, preferably with Rocky Linux already installed.
  • Able to run commands as root or sudo to elevate privileges.

Install Rocky Linux Minimal

When installing Rocky Linux, we used the following sets of packages:

  • Minimal
  • Standard

Run updates

First, run the system update command so that the server rebuilds its repository cache and recognizes the available packages.

dnf update

Enabling repositories

With a conventional Rocky Linux server installation, all necessary repositories will be in place.

Check the available repositories

Just to be sure, check your repository listing with:

dnf repolist

You will get the following:

appstream                                                        Rocky Linux 8 - AppStream
baseos                                                           Rocky Linux 8 - BaseOS
extras                                                           Rocky Linux 8 - Extras
powertools                                                       Rocky Linux 8 - PowerTools

Installing packages

To install mod_ssl, run:

dnf install mod_ssl

To enable the mod_ssl module, restart Apache and then confirm that the module is loaded:

apachectl restart
apachectl -M | grep ssl

You will see:

ssl_module (shared)

Open TCP port 443

To allow incoming traffic with HTTPS, run:

firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload

Add this rule only if you intend the website to be open to the world! If not, change the zone or configure the firewall to restrict access accordingly.

At this point you should be able to access the Apache web server via HTTPS. Enter https://your-server-ip or https://your-server-hostname to confirm the mod_ssl configuration.

Generate SSL/TLS certificate

To generate a self-signed certificate for host rocky8 with 365 days expiry, run:

openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 365 -out /etc/pki/tls/certs/httpd.crt

You will see the following output:

Generating a RSA private key
................+++++
..........+++++
writing new private key to '/etc/pki/tls/private/httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:LinuxConfig.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rocky8
Email Address []:

After this command completes, the following two SSL/TLS files will exist:

ls -l /etc/pki/tls/private/httpd.key /etc/pki/tls/certs/httpd.crt

-rw-r--r--. 1 root root 1269 Jan 29 16:05 /etc/pki/tls/certs/httpd.crt
-rw-------. 1 root root 1704 Jan 29 16:05 /etc/pki/tls/private/httpd.key
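
Before pointing Apache at these files, it is worth checking them. The following shell functions are an added example, not part of the original tutorial: they verify that the key matches the certificate, that the key is readable only by its owner (as in the listing above), and that the certificate is not about to expire. The function names and the 30-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for the certificate and key generated above.
# Function names and the 30-day default are assumptions, not from the tutorial.

# Succeeds only if the certificate carries the public key derived from the private key.
pair_matches() {    # usage: pair_matches CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if group and others have no permissions on the key (e.g. 600 or 400).
key_is_private() {  # usage: key_is_private KEY
    mode=$(stat -c %a "$1" 2>/dev/null) || return 2
    case $mode in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds only if the certificate is still valid DAYS days from now.
valid_for_days() {  # usage: valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all three checks, reports each failure, and returns non-zero if any failed.
check_tls_files() { # usage: check_tls_files CERT KEY [MIN_DAYS]
    rc=0
    pair_matches "$1" "$2" ||
        { echo "FAIL: key does not match certificate, or a file is unreadable" >&2; rc=1; }
    key_is_private "$2" ||
        { echo "FAIL: $2 is accessible to group or others" >&2; rc=1; }
    valid_for_days "$1" "${3:-30}" ||
        { echo "FAIL: certificate expires within ${3:-30} days" >&2; rc=1; }
    return $rc
}

# When saved as a script, run it with the two paths used on this page:
#   sh check_tls.sh /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.key
if [ $# -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```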

Configure Apache web server with the SSL/TLS certificates

To include your newly created SSL/TLS certificate in the Apache web server configuration, open the ssl.conf file by running:

nano /etc/httpd/conf.d/ssl.conf

Change the following lines:

FROM:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

TO:

SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key

Reload the Apache web server by running:

systemctl reload httpd

Test the mod_ssl configuration

Enter the following in a web browser:

https://your-server-ip or https://your-server-hostname

To redirect all HTTP traffic to HTTPS

Create a new file by running:

nano /etc/httpd/conf.d/redirect_http.conf

Insert the following content and save the file, replacing "your-server-hostname" with your hostname.

<VirtualHost _default_:80>
        ServerName rocky8
        Redirect permanent / https://your-server-hostname/
</VirtualHost>

Apply the change by running:

systemctl reload httpd

The Apache web server will redirect any incoming traffic from http://your-server-hostname to https://your-server-hostname.

Final steps

You have seen how to install and configure mod_ssl, and create a new SSL/TLS certificate to run a web server under HTTPS service.

Conclusion

This tutorial shows the basic installation and use of mod_ssl.

Author: Garthus

Contributors: Steven Spencer, David Hensley, Ganna Zhyrnova