Configuring HTTPS or SSL on apache web server

Captions
Hey guys, this is Amit. Today I'm going to create a tutorial on how to set up SSL or HTTPS on CentOS. Okay, first of all, um, in order to set up HTTPS we need to make sure that Apache is installed. Let's just do a quick test: grep -i httpd. All right, the httpd package is not installed. If you guys follow my channel, there's a video tutorial on how to install Apache, so just follow that tutorial. I'm just going to do this real quick. All right, so in the background I just installed the httpd package, so let's check that. Okay.

All right, so if I do the service httpd start, the httpd service is running here. So it's running, right, but I mean, just so you know, you can check: the httpd, the Apache, you know, can serve the web on port 80, or HTTP, and port 443, which is HTTPS. All right, so port 80 is HTTP and port 443 is HTTPS, right. So we can check which ports Apache is listening on by issuing a command, netstat -tupan, and then you can just do, you know what, let me just show it in the command line. So you can actually type netstat -tupan | grep -i http. So if you look here, Apache is listening on all the IP addresses on port 80, right, and this is the process ID, this is the name, Apache, and it's listening, right. So it's not listening on 443, which is HTTPS or SSL.

So now we are going to configure HTTPS. Okay, so in order for us to do that we need to yum install the mod_ssl package. Let's wait. Okay, so it's installing mod_ssl. Okay, now if I restart httpd and run the netstat command again, you will see that it's listening on 443 now, right. Okay, so it's listening on HTTPS as well now.

Let's go ahead and look at the configuration file. So you guys are familiar that the httpd main configuration is this file, /etc/httpd/conf/httpd.conf, right. So for SSL it's usually, I mean by default, in conf.d and then the ssl.conf file. So let's go ahead and open that file. All right, you know what, let me just do a yum vim real quick. I'm just installing vim so that it highlights the directives; it's easier to see it that way. A couple more seconds here. All right, here we go. All right, so now what I'm going to do is I'm going to /etc/profile, and then what I'm going to do is, you know, like, let me do, yeah, /etc/bashrc. I'm just going to, you know, create an alias vi=vim so that, you know, I don't have to type vim. I'll just vi /etc/httpd/conf.d/ssl.conf. Okay, now it highlights the keywords and it's easy to see.

So the first thing you notice here is that it is loading mod_ssl.so, which is a shared object; it's like the shared library, and this came from when we installed the mod_ssl package. The Listen 443 directive tells Apache to listen on port 443. All right, I'm just going to go over the important directives. All right, we're not going to talk about that, we're not going to talk about that. All right, so now let's look at this. So the virtual host, it's just like configuring the regular Apache, but, you know, this virtual host, the default one, comes with Apache when you install mod_ssl, right. Okay, let's go further down here and scroll it all the way. All right, so this is the default error log for SSL, this is the transfer log, I mean the access log.

And now the other directive, SSLEngine on, turns SSL on, and then SSLProtocol all -SSLv2. So what it is doing is it is enabling all the SSL protocols but disabling version 2. It's doing that because SSLv2, at the time when this Apache was probably compiled, was known to be vulnerable, but now, as of today, SSLv3 is known to be vulnerable as well. So in order to secure it, you would want to do this. What you can do is you can just -all and then +TLSv1 and plus, you know what, actually you can just do all -SSLv2 and -SSLv3. Okay, so that way SSLv2 and v3 are disabled.

All right, so now the next thing is the SSLCipherSuite, so whatever, you know, ciphers are used for encryption. So here also you can disable, like, the low ciphers and stuff like that. That would come under Apache security, and I can talk about that probably in a later video when we, you know, reach there, about securing Apache. Watch out for my, you know, videos, subscribe to my channel.

And now for SSL, just to give you a little background here. What happens is the server has a certificate file. If you look here, this is the certificate file; this is like the public key, if you will. When the browser requests an HTTPS page, Apache gives this, serves this file, and then the client or the browser uses this certificate to encrypt the data and send the request to the server. The server has this key file, which it uses to decrypt the request, and then it's going to encrypt the message again and send it to the client, where the client will use this certificate to decrypt the message again. So anything in between the server and the client is encrypted, and, as you know, if someone is reading the packets in between, or sniffing the network, they are not able to see any meaningful messages; in HTTP you would just see the plain-text message back and forth. All right, so you've got to remember these: the certificate file, SSLCertificateFile, and the key file. Those are the keywords that you use to specify where the certificate is located and the key file is located.

All right, let's go further down, and then that is just some regular settings, and then there's another one that says the CustomLog, the SSL request log. It's just another log, you know, which is used to store the access log. Okay, so that's it, and then the virtual host is going to close. This is the default virtual host configuration.

So now if I go and browse the page, let's say, okay, I'm just going to say https 192 dot 168 151, it says that the connection is untrusted, right. It's because the certificate is not signed by a digital signing authority. There are certain certificate signing authorities out there who are trusted and authorized to sign these certificates. They'll verify some information and then they'll certify the certificate, so that, you know, the warnings are not generated when you use those kinds of certificates. Now you just click on "I understand the risk" and you add an exception. I'm just going to add a temporary exception, and then you get this page. Now if you click on this icon here, the lock sign, you can do this on any HTTPS web site, and then you will get this message. Now you can view more information and then you can click on View Certificate. So now you see that the certificate, the common name or the name of the server, is localhost.localdomain, some organization, some organizational unit and all that information. Okay, and it has the expiration date and so forth. All right, so HTTPS worked.

So now, if we wanted to configure our website which supports HTTPS, let's say we're going to do example.com, the, you know, regular example.com. So what you can do is you're going to say VirtualHost, right, *:443. All right, and then you can say the ServerName, it's just like the regular. I usually like to close the tags as soon as I open. ServerName, it can be www.example.com, right, and then the ServerAdmin, admin@example.com, and then the DocumentRoot, /var/www/html/example.com. It's just like configuring the regular HTTP-based website. That is it for the basic configuration. I mean, you can watch my Apache HTTP-based tutorial for more information on that. I was like, why is it white; there was a typo.

Okay, let's see, a regular check of the syntax. Okay, it says the default, okay. There's another thing to note: it says the virtual hosts overlap on port 443, the first has precedence, right. Like we talked about in the Apache regular HTTP tutorial, you have to enable name-based hosting. That you can do with vi /etc/httpd/conf.d/ssl.conf, and then you can just say NameVirtualHost *:443. We used to do that for port 80, right, so now we're going to do the same for SSL. httpd -t. So, okay, httpd -t. Now it is saying that the DocumentRoot does not exist, right. Yeah, because we don't have anything yet. So let's go ahead and create the directory /var/www/html/example.com, right. Okay, and then let's create a file in there, example.com/index.html. So we're going to say, ah, "welcome to my first HTTPS or the SSL website", right. Okay, let me close the h1 tag.

All right, let's now check the syntax. Okay, don't worry about this "cannot reliably determine the server's fully qualified domain name" for now, because the hostname is not a fully qualified domain name, so it's complaining about that. Now, um, let's see, service httpd restart, right. Okay, something's wrong here. The log, httpd log: server should be SSL-aware. Okay, I'm sorry about that. Yep, so we missed the most important thing, right: we forgot to tell it which certificate and key file to use, right. Okay, vi, all right, so that /etc/httpd/conf.d/ssl.conf. Like I told you in the beginning, those are the most important keywords, and then I forgot to type that in. All right, so what we are going to do is we're going to, let's just copy it here, all right, and then I'm going here. All right, so I'm pasting that. We don't need the comments so I'm just deleting them. So the difference between the non-HTTPS and HTTPS website is that you are going to tell the web server, the Apache, that you are going to have to use this key file and this certificate file.

Also, um, you know what, let's just verify if it works now. So service httpd restart. Okay, it's still failing. I know what it is, but I just wanted to confirm before that: we need to do SSLEngine on, right. service httpd restart. All right, that was it. So let's go back to the configuration file. So the most important things: you need to turn the SSLEngine on and you need to specify the certificate and the key at the minimum, right, and the rest of the configuration is the same as the regular HTTP.

All right, so now let's go ahead. We said that this server name is www.example.com, but, you know, that DNS probably points to something else. So in order for us to browse that using the name, we need to tell our hosts file that 192 168 151 is the address for www.example.com. So ping www.example.com, and then, okay. All right, so now let me install our, you know, quick and dirty text browser real quick: install links. Okay, this is a command-line browser; you can just, you know, use it for quick checks, I like it. All right, so links https://www.example.com. Okay, so the SSL error was most likely because it's a self-signed certificate and you have to accept the, you know, exception.

So we'll try it in the browser here. Okay, here, but this machine is different from the UNIX machine, right. So even though we have the hosts file set up here for example.com, the Windows machine that I'm using here with the browser does not know that example.com belongs there, right. So I've got to edit my hosts file before my machine resolves to that IP address. Give me a second here. All right, this is my hosts file for my Windows machine, so I'm going to tell it that one 91 6800 dot 51 is www.example.com. All right, I want to save this file. Yeah, okay, and then let's see: if I do a ping, ping www.example.com, it's going to return that IP address, so we're good to go.

Now let's try https www.example.com. All right, this was causing links, the command-line browser, to not open the website. "I understand the risk", add exception. I'm just going to do it one time, and then, see, we have the "welcome to my first SSL website", and then it's using this certificate, right. It's using the same certificate because we haven't created a certificate yet. It's using the same certificate, and then the connection between the browser and the server is encrypted, so it's a secure one even though it's a self-signed certificate. As long as you trust the certificate, that someone hasn't tampered with it, you know that the certificate is yours, it's good. I mean, you don't have to have the certificate digitally signed by a trusted authority if you are using it for your own purposes, but you don't want to use the self-signed certificate in your customer-facing website that's given away everyone, and then, though, that will make the customers, you know, doubt your website, someone come on, you know.

So that's how you configure the SSL website. So, you know, the same way you can configure multiple websites, just like you did for HTTP, and then you can have the certificate and the key file, different key files and certificates, for each host, right. So that's how you do it. I hope you guys enjoyed this video and you learned something from here. I'm going to come up with the next video; I'm going to come up with, you know, I mean, generating the self-signed certificate, so that you can create different certificates for your different websites. So you can do this self-signed certificate. Okay, all right guys, hope you guys enjoyed the video, umm, just for you in the next video. All right, bye.
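
The virtual host the video builds up step by step, written out in one place as an added example (not a copy of the presenter's file). The certificate and key paths are an assumption: they are the self-signed localhost pair that the CentOS mod_ssl package installs, which the video reuses without the paths being legible in the captions.

```apache
# /etc/httpd/conf.d/ssl.conf (excerpt) - added example, not the presenter's file.
# The stock "Listen 443" and "LoadModule ssl_module modules/mod_ssl.so" lines
# shipped by the mod_ssl package stay as they are above this block.

# Name-based virtual hosting on 443, as added in the video to clear the
# "VirtualHost overlap on port 443" warning. Apache 2.4 no longer needs
# this directive; it is only required on 2.2.
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName    www.example.com
    ServerAdmin   admin@example.com
    DocumentRoot  /var/www/html/example.com

    # Without SSLEngine on, httpd answers plain HTTP on 443 and the
    # restart in the video fails.
    SSLEngine on

    # Shipped default (weak, SSLv3 still allowed):
    #   SSLProtocol all -SSLv2
    # Setting used in the video, with SSLv2 and SSLv3 both disabled:
    SSLProtocol all -SSLv2 -SSLv3

    # Certificate (public) and private key. Paths below are assumed to be
    # the package's default self-signed pair; use one pair per site once
    # you generate your own.
    SSLCertificateFile     /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile  /etc/pki/tls/private/localhost.key
</VirtualHost>

# Checks used in the video after editing:
#   httpd -t                          syntax check
#   service httpd restart             reload the configuration
#   netstat -tupan | grep -i http     confirm httpd listens on 443
```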
Info
Channel: Amit Nepal
Views: 63,042
Keywords: https, ssl, apache ssl, apache https, linux web server, centos apache ssl, centos apache https
Id: YR6-6XUC3sY
Length: 19min 57sec (1197 seconds)
Published: Sat Oct 17 2015