
Apache2_SSL_PHP5_MySQL5

Install

 #Install Apache, the PHP5 Apache module, the MySQL server and the PHP MySQL bindings.
 apt-get install \
   apache2 \
   libapache2-mod-php5 \
   mysql-server \
   php5-mysql
 #Restart Apache; the author found a second restart was needed before PHP worked.
 /etc/init.d/apache2 restart

phpinfo test

 vi /var/www/phpinfo.php
 #phpinfo() prints the PHP and server configuration to anyone who can reach the URL,
 #so treat this file as a temporary test and delete it once PHP is confirmed working.
 #Add in the following:
 <?php phpinfo(); ?>

Browse to: http://ipaddress/phpinfo.php

If the phpinfo.php file does not show

 /etc/init.d/apache2 restart

Default SSL Setup

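 #Enable mod_ssl and the stock Debian SSL vhost, then restart so both are loaded.
 a2enmod ssl
 a2ensite default-ssl
 /etc/init.d/apache2 restart
 #Reference (not a command): zless /usr/share/doc/apache2.2-common/README.Debian.gz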

Browse to: https://ipaddress/phpinfo.php

Custom SSL Cert Setup

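 mkdir /etc/apache2/ssl
 cd /etc/apache2/ssl
 #Self-signed certificate valid for 365 days, with a 2048-bit RSA key and a
 #SHA-256 signature; 1024-bit RSA is considered too weak for new keys.
 #-nodes leaves the private key unencrypted so Apache can start unattended,
 #which is why the key file must stay readable by root only (chmod below).
 openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -keyout hostkey.key -nodes -out hostcert.pem
 chmod 600 *
 
 vi /etc/apache2/sites-enabled/default-ssl
 #update the following:
 SSLCertificateFile    /etc/apache2/ssl/hostcert.pem
 SSLCertificateKeyFile /etc/apache2/ssl/hostkey.key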

Debian SSL Cert Setup

The above config is my way of creating an SSL cert for Apache using openssl. Debian squeeze also provides a make-ssl-cert utility.

See: /usr/share/doc/apache2.2-common/README.Debian.gz

Vhost Setup including SSL

This config sets up multiple vhosts, and allows https access to each vhost. If you use the default-ssl setup with debian squeeze you may get the error: warn _default_ VirtualHost overlap on port 443, the first has precedence

... waiting [Fri Apr 08 15:02:33 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

Config Change

 vi /etc/apache2/ports.conf
 #Add-in the following above Listen 443
 #(it declares *:443 as a name-based virtual host address, so that several
 #<VirtualHost *:443> blocks can coexist without the overlap warning)
 NameVirtualHost *:443

Update Default vhosts

I prefer to tidy up the vhosts a little, naming the vhost configs 01-sitexz, 02-sitexy. Note: because 01-sitexz is listed first when ordered by filename, it is the default vhost for the server, i.e. if you browse to http://ipaddress you'll get the 01-sitexz vhost.

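 cd /etc/apache2/sites-available
 #Append the SSL vhost to the plain one so both live in a single file.
 cat default-ssl >> default
 mv default 01-default
 #Edit the file in sites-available: sites-enabled only holds symlinks, and the
 #01-default link does not exist until a2ensite runs below. Editing a path under
 #sites-enabled here would create a stray file that the rm below deletes.
 vi /etc/apache2/sites-available/01-default
 #change <VirtualHost _default_:443>
 #to
 <VirtualHost *:443>
  
 #This removes every enabled-site link, so any other site enabled on this host
 #has to be re-enabled with a2ensite afterwards.
 rm /etc/apache2/sites-enabled/*
 a2ensite 01-default
 #all a2ensite does is to create a symlink from sites-available into sites-enabled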

Create second test vhost with ssl

 vi /etc/apache2/sites-available/02-test
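 # Plain-HTTP vhost for test.burkesys.com.
 <VirtualHost *:80>
        ServerAdmin test@burkesys.com
        ServerName test.burkesys.com
        DocumentRoot /var/www/test
        CustomLog /var/log/apache2/access.log combined
        ErrorLog /var/log/apache2/error.log
        Loglevel warn
        # NOTE(review): this block applies to the filesystem root, not only to
        # /var/www/test; consider scoping Options to the DocumentRoot instead.
        <Directory />
                Options FollowSymLinks MultiViews
                AllowOverride None
        </Directory>
 </VirtualHost>
 # HTTPS vhost for the same site; it serves the same DocumentRoot over TLS.
 <VirtualHost *:443>
        ServerAdmin test@burkesys.com
        ServerName test.burkesys.com
        DocumentRoot /var/www/test
        CustomLog /var/log/apache2/access.log combined
        ErrorLog /var/log/apache2/error.log
        Loglevel warn
        # NOTE(review): same root-wide scope as in the port 80 vhost above.
        <Directory />
                Options FollowSymLinks MultiViews
                AllowOverride None
        </Directory>
 
        SSLEngine on
        # Certificate and key created in /etc/apache2/ssl; the key is unencrypted,
        # so its file permissions are the only protection.
        SSLCertificateFile    /etc/apache2/ssl/hostcert.pem
        SSLCertificateKeyFile /etc/apache2/ssl/hostkey.key
        # Export the standard SSL environment variables to scripts only.
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        # Character classes are written with single brackets; the doubled
        # brackets left by wiki markup would not match any real User-Agent.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 </VirtualHost>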

 #Enable the new vhost (symlink into sites-enabled) and restart so Apache loads it.
 a2ensite 02-test
 /etc/init.d/apache2 restart

Test

Browse to: http://ipaddress , https://ipaddress , http://test.server.com , https://test.server.com

You will have to accept the SSL certificate warning (the certificate is self-signed and shared by every vhost); however, all vhosts should show up correctly.

Sample vhost config with Proxy

# Reverse-proxy vhost: plain-HTTP requests for www.tom.me are forwarded to the
# backend at 192.168.1.3:80.
<VirtualHost *:80>
        # ProxyRequests Off keeps this a reverse proxy only; forward proxying stays disabled.
        ProxyRequests Off
        # Pass the client's original Host header through to the backend.
        ProxyPreserveHost On
        ProxyPass / http://192.168.1.3:80/
        ProxyPassReverse / http://192.168.1.3:80/
        ServerName www.tom.me
        # NOTE(review): the pattern *tom.me also matches names such as
        # anythingtom.me; if only subdomains are intended, "*.tom.me tom.me"
        # is narrower - confirm.
        ServerAlias *tom.me
        CustomLog /var/log/apache2/access_tom.log combined
        ErrorLog /var/log/apache2/error_tom.log
</VirtualHost>
# HTTPS counterpart: TLS is terminated here and a new HTTPS connection is made
# to the backend at 192.168.1.3:443.
<VirtualHost *:443>
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / https://192.168.1.3:443/
        ProxyPassReverse / https://192.168.1.3:443/
        ServerName www.tom.me
        # NOTE(review): same wildcard caveat as in the port 80 vhost above.
        ServerAlias *tom.me
        CustomLog /var/log/apache2/access_tom.log combined
        ErrorLog /var/log/apache2/error_tom.log

        # SSLProxyEngine is required for the https:// ProxyPass target.
        # NOTE(review): no SSLProxyVerify / SSLProxyCACertificateFile directive
        # appears in this vhost, so the backend certificate is presumably not
        # verified - confirm this is acceptable for the network in between.
        SSLProxyEngine On
        SSLEngine on
        # These are the Debian "snakeoil" self-signed certificate paths, which
        # clients will not trust; presumably a placeholder for a real
        # certificate - confirm.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        # Workarounds for old Internet Explorer versions, keyed on the User-Agent.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>