Mediawiki/Force SSL

From r00tedvw.com wiki

Revision as of 10:55, 29 April 2014


Overview

All instructions were done on Oracle Linux 6.5. Reference:
http://www.rackspace.com/knowledge_center/article/serving-secure-sites-with-sni-on-apache

install mod_ssl

~$ sudo yum install mod_ssl

If you cannot find the package, update your cache and search for it:

~$ sudo yum check-update
~$ sudo yum search ssl
...
=============================== N/S Matched: ssl ===============================
...
mod_ssl.x86_64 : SSL/TLS module for the Apache HTTP Server

apache config

comment out the following in /etc/httpd/conf/httpd.conf

#NameVirtualHost *:443
#Listen 443

Add new NameVirtualHost to /etc/httpd/conf.d/ssl.conf

#SNI config - tells apache to use named virtual hosts on the secure port
NameVirtualHost *:443

Verify that /etc/httpd/conf.d/ssl.conf has the following in it (uncommented)

Listen 443
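Once the directives have been moved, the thing to verify is that an uncommented Listen 443 and NameVirtualHost *:443 each exist exactly once across the Apache configuration: if Listen 443 survives in both httpd.conf and ssl.conf, httpd tries to bind port 443 twice and refuses to start. The following shell script is an added example, not part of the wiki page; it assumes the configuration root is passed as its first argument (defaulting to /etc/httpd) and builds its own constructed sample layouts for the before and after states described above.

```shell
#!/bin/sh
# Added example (not from the r00tedvw wiki page): check that "Listen 443" and
# "NameVirtualHost *:443" each appear exactly once, uncommented, across
# httpd.conf and conf.d/*.conf. Assumption: config root is $1 (default /etc/httpd).

# Count uncommented occurrences of a directive pattern across the config files.
# A leading '#' means the line is commented out, so it does not match.
count_directive() {
    root="$1"
    pattern="$2"
    grep -hE "^[[:space:]]*${pattern}" "$root/conf/httpd.conf" "$root"/conf.d/*.conf 2>/dev/null \
        | wc -l | tr -d ' '
}

# Returns 0 when the SSL listener and the SNI name-based vhost are each defined once.
check_ssl_listener() {
    root="${1:-/etc/httpd}"
    listen=$(count_directive "$root" 'Listen[[:space:]]+443([[:space:]]|$)')
    nvh=$(count_directive "$root" 'NameVirtualHost[[:space:]]+\*:443([[:space:]]|$)')
    status=0
    if [ "$listen" -ne 1 ]; then
        echo "Listen 443 appears $listen time(s) uncommented; expected exactly 1" >&2
        status=1
    fi
    if [ "$nvh" -ne 1 ]; then
        echo "NameVirtualHost *:443 appears $nvh time(s) uncommented; expected exactly 1" >&2
        status=1
    fi
    return $status
}

# Build a constructed sample layout under $1 mirroring the page's "before"
# (directives still active in httpd.conf) or "after" (commented out) state.
make_sample() {
    dir="$1"
    state="$2"
    mkdir -p "$dir/conf" "$dir/conf.d"
    if [ "$state" = before ]; then
        printf 'NameVirtualHost *:443\nListen 443\n' > "$dir/conf/httpd.conf"
    else
        printf '#NameVirtualHost *:443\n#Listen 443\n' > "$dir/conf/httpd.conf"
    fi
    printf '#SNI config\nNameVirtualHost *:443\nListen 443\n' > "$dir/conf.d/ssl.conf"
}
```

Run `check_ssl_listener` with no argument against the live /etc/httpd tree before restarting httpd; the pattern only recognises the bare `Listen 443` form used on this page, not address-qualified variants such as `Listen 0.0.0.0:443`.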

create key, csr, and self-signed crt

http://www.akadia.com/services/ssh_test_certificate.html

create directories

Since you have multiple sites hosted on the same box, it's best to organize them into directories. The default location for certs on most Linux Apache installations with mod_ssl is:

/etc/ssl/certs/
create key

~$ openssl genrsa -des3 -out server.key 2048

generate csr

~$ openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
backup & remove passphrase from key

Unless the passphrase is removed, Apache will ask for it every time it is started.

~$ cp server.key server.key.org
~$ openssl rsa -in server.key.org -out server.key
generate self-signed cert

~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key
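The three steps above (key, CSR, self-signed certificate, with the passphrase stripped so httpd can start unattended) can be done non-interactively, and the result should be checked before it goes into the vhost: the certificate's public modulus must equal the key's, otherwise Apache rejects the SSLCertificateFile/SSLCertificateKeyFile pair at startup. The script below is an added example, not the page's or akadia's commands; it assumes an output directory and hostname passed as arguments (the values in the test are constructed) and uses `-nodes` to reach the unencrypted-key state directly instead of generating a DES3 key and stripping it afterwards.

```shell
#!/bin/sh
# Added example (not from the page): key -> CSR -> self-signed certificate,
# non-interactive, followed by a check that the certificate belongs to the key.
# Assumptions: output directory $1, hostname $2, validity in days $3 (default 365).

generate_self_signed() {
    outdir="$1"
    host="$2"
    days="${3:-365}"
    mkdir -p "$outdir"
    # Private key and CSR in one step. -nodes leaves the key unencrypted so
    # httpd starts without a passphrase prompt; restrict file permissions instead.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" \
        -subj "/C=US/ST=Example/L=Example/O=Example Org/OU=IT/CN=$host" 2>/dev/null
    chmod 600 "$outdir/server.key"
    # Self-sign the CSR with the same key, as the page does with openssl x509 -req.
    openssl x509 -req -days "$days" -in "$outdir/server.csr" \
        -signkey "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null
}

# Prints "match" when the RSA modulus in the certificate ($1) equals the one in
# the private key ($2); anything else means the pair will not load in Apache.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    if [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Prints the subject CN of a certificate; handles both the old "/CN=host" and
# the newer "CN = host" subject formats printed by openssl x509 -subject.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

With the files generated this way, point SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key in the vhost; a self-signed certificate still produces browser warnings, which is expected for a test deployment like the one on this page.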
add ssl to virtual host

add the following to your virtual host config

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

edit mediawiki LocalSettings.php

http://www.mediawiki.org/wiki/Manual:$wgServer
Now let's go to LocalSettings.php and edit the site file:

~$ sudo vi /var/www/html/servername/mediawiki-1.22.6/
## The protocol and server name to use in fully-qualified URLs
$wgServer = "//servername.com";

## Add $wgCanonicalServer for clients that don't support protocol-relative URLs (used as the default when "//servername.com" cannot be understood)
$wgCanonicalServer = "https://servername.com";
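A quick way to confirm the edit took effect is to read the two values back out of LocalSettings.php and check them against the intended HTTPS setup: $wgCanonicalServer must be an absolute https:// URL, and $wgServer must be either protocol-relative (as above) or https://, since a hard-coded http:// $wgServer makes MediaWiki emit http links on an HTTPS site. The script below is an added example, not part of the page; it assumes the path to LocalSettings.php is passed as its first argument, and the LocalSettings.php it writes for demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the page): read $wgServer and $wgCanonicalServer from
# LocalSettings.php ($1) and check they are consistent with serving over HTTPS.

# Extract the quoted value of a $wg* setting ($2) from a PHP settings file ($1).
# Only plain assignments of the form  $name = "value";  or  $name = 'value';  are
# recognised; the last one in the file wins, as it would in PHP.
setting_value() {
    file="$1"
    name="$2"
    sed -n "s/^[[:space:]]*[\$]${name}[[:space:]]*=[[:space:]]*[\"']\\([^\"']*\\)[\"'][[:space:]]*;.*/\\1/p" "$file" \
        | tail -n 1
}

# Returns 0 when $wgCanonicalServer is https:// and $wgServer is protocol-relative
# or https://; prints a reason to stderr and returns 1 otherwise.
check_mediawiki_urls() {
    file="$1"
    server=$(setting_value "$file" wgServer)
    canonical=$(setting_value "$file" wgCanonicalServer)
    status=0
    case "$canonical" in
        https://*) ;;
        *) echo "\$wgCanonicalServer must be an https:// URL (found: '$canonical')" >&2; status=1 ;;
    esac
    case "$server" in
        //*|https://*) ;;
        *) echo "\$wgServer should be //host or https://host (found: '$server')" >&2; status=1 ;;
    esac
    return $status
}

# Write a constructed LocalSettings.php fragment to $1 matching the page's edit.
write_sample_localsettings() {
    cat > "$1" <<'EOF'
<?php
## The protocol and server name to use in fully-qualified URLs
$wgServer = "//servername.com";
$wgCanonicalServer = "https://servername.com";
EOF
}
```

Run `check_mediawiki_urls /var/www/html/servername/mediawiki-1.22.6/LocalSettings.php` after saving the file; a non-zero exit with a message on stderr means one of the two values still points at http:// or is missing.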