Securing an Apache Virtual Site with a Self Signed Certificate

This article follows on from the dev virtual site tutorial, which can be viewed here. In that tutorial we created a virtual site called newsite. The site we created used plain HTTP, meaning the packets are sent unencrypted, so passwords and other data can be read by anyone else on the network: a password used to log into a content management system can easily be sniffed. We can prevent this by using a self-signed TLS certificate, which will encrypt our traffic.

Let's start by making a directory to store the certs.

sudo mkdir /etc/apache2/ssl

Next we will enter that directory and create a cert and private key inside of it.

cd /etc/apache2/ssl
sudo openssl req -x509 -newkey rsa:4096 -keyout newsite.local.key -out newsite.local.crt -days 365 -nodes

Next we will copy the default SSL config file.

cd /etc/apache2/sites-available
sudo cp default-ssl.conf newsite-ssl.conf

We will now edit the config file so that it contains the following:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                ServerName newsite.local

                DocumentRoot /var/www/html/newsite/public_html

                ErrorLog /var/www/html/newsite/logs/error.log
                CustomLog /var/www/html/newsite/logs/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/apache2/ssl/newsite.local.crt
                SSLCertificateKeyFile /etc/apache2/ssl/newsite.local.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

We will now enable the site.

sudo a2ensite newsite-ssl.conf
sudo service apache2 reload

The final step is to add a redirect to the newsite.conf file. Add the following line inside the <VirtualHost *:80> block:

Redirect / https://newsite.local

If you did everything correctly, your browser will warn that the connection is not secure. This is simply because the cert is not signed by a certificate authority your browser trusts; the traffic itself is still encrypted. Obviously this should not be done on a production server. For a production server, check out Let's Encrypt.
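As an added example (not part of the original post), the following script revisits the certificate step: it generates the self-signed cert with a Subject Alternative Name, which current browsers require even for self-signed certs, and then checks that the private key actually belongs to the certificate and that the SAN names the host before the files are copied into /etc/apache2/ssl. It assumes OpenSSL 1.1.1 or newer (for -addext) and writes to a temporary directory of your choosing.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes openssl >= 1.1.1.

# make_selfsigned <dir> <hostname>
# Same shape as the tutorial's command, plus a CN and a DNS SAN so the
# browser can match the cert to the hostname.
make_selfsigned() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# key_matches_cert <key> <crt>
# Returns 0 only if the public key derived from the private key is the
# same public key embedded in the certificate (a common deployment mistake
# is pointing SSLCertificateKeyFile at the wrong key, which Apache rejects).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san <crt> <hostname>
# Returns 0 if the certificate's subjectAltName lists DNS:<hostname>.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "DNS:$2"
}

# demo: generate into a temp dir and run both checks; 0 on success.
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" newsite.local || return 1
    key_matches_cert "$d/newsite.local.key" "$d/newsite.local.crt" || return 1
    cert_has_san "$d/newsite.local.crt" newsite.local || return 1
    rm -rf "$d"
}
```

The SSL virtual host also needs mod_ssl enabled (`sudo a2enmod ssl`), and `sudo apache2ctl configtest` will report a key/cert mismatch before `service apache2 reload` does.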

Published by burnedfaceless

Brian Abbott is studying IT and Music Composition at Georgia Southern University.
