Tag Archives: apache

Apache setting and reading Environmental Variables

A common .htaccess issue: you need one for production and another for development.

Here’s a simple trick to set and read Apache env vars.

<IfModule mod_rewrite.c>
  RewriteEngine On

  # do not force https on local environment
  # (anchored so only the exact development host sets the variable)
  RewriteCond %{SERVER_NAME} ^local\.yoursite\.net$
  RewriteRule .? - [E=siteenv:local]

  # redirect to https when the request did not arrive over https
  # (X-Forwarded-Proto is set by the load balancer) and we are not on
  # the local environment; /status stays reachable over plain http.
  # Apache does not accept a comment after a directive on the same line,
  # and in .htaccess context RewriteRule sees the path without its leading
  # slash, so the /status exemption is expressed as a RewriteCond instead.
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteCond %{ENV:siteenv} !local
  RewriteCond %{REQUEST_URI} !^/status
  RewriteRule .? https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

  ...
</IfModule>

In this example we do not force HTTPS when accessing via “local.yoursite.net” (a development environment).
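To see what each rule decides for a given request, here is a small model of how Apache evaluates the two blocks above, run against constructed requests. This is an added example, not code from the original post; the variable and header names are Apache's, while the hostnames, paths and request dicts are constructed.

```python
# Model of the two RewriteRule blocks above (added example, not from the post).
# Apache RewriteCond patterns are unanchored regexes, so each condition is a
# substring search, exactly as written in the .htaccess snippet.
import re

DEV_HOST_RE = re.compile(r"local\.yoursite\.net")  # RewriteCond %{SERVER_NAME}
HTTPS_RE = re.compile(r"https")                    # RewriteCond %{HTTP:X-Forwarded-Proto} !https
STATUS_RE = re.compile(r"/status")                 # RewriteRule !/status


def site_env(server_name):
    """First block: ENV:siteenv=local when SERVER_NAME matches the dev host."""
    return "local" if DEV_HOST_RE.search(server_name) else None


def redirect_target(server_name, request_uri, headers):
    """Second block: the https:// URL Apache would redirect to, or None.

    headers is the request header dict; a missing X-Forwarded-Proto reads as ''.
    The header is trusted as-is: a client that can reach port 80 on the instance
    directly could set it itself, so the instance should accept port 80 only
    from the load balancer (security group / firewall), not from the internet.
    """
    if HTTPS_RE.search(headers.get("X-Forwarded-Proto", "")):
        return None                 # already https at the load balancer
    if site_env(server_name) == "local":
        return None                 # development host: no forced https
    if STATUS_RE.search(request_uri):
        return None                 # /status exempt (e.g. health checks)
    return f"https://{server_name}{request_uri}"


# Constructed sample requests: (SERVER_NAME, REQUEST_URI, headers).
SAMPLE_REQUESTS = {
    "elb-http": ("yourdomain.com", "/", {"X-Forwarded-Proto": "http"}),
    "elb-https": ("yourdomain.com", "/", {"X-Forwarded-Proto": "https"}),
    "no-header": ("yourdomain.com", "/login", {}),   # direct hit, not via ELB
    "dev": ("local.yoursite.net", "/login", {}),
    "health": ("yourdomain.com", "/status", {"X-Forwarded-Proto": "http"}),
}


def run_samples():
    """Decision for each sample request: redirect URL or None (serve as-is)."""
    return {name: redirect_target(*req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:10s} -> {decision or 'serve over http'}")
```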

Apache SSL Configuration for HTTPS and HTTP

HTTP

<VirtualHost *:80>
        ServerName yourdomain.com
        ServerAlias www.yourdomain.com
        DocumentRoot /var/www/yourdomain.com/httpdocs/web

        ErrorLog /var/www/yourdomain.com/logs/error_log
        CustomLog  /var/www/yourdomain.com/logs/access_log common

        <Directory /var/www/yourdomain.com/httpdocs/web>
                AllowOverride All
        </Directory>
</VirtualHost>

HTTPS (with certificate key chain)

<VirtualHost *:443>
        # http://support.godaddy.com/help/article/5349/installing-ssl-certificate-apache-2x
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomain.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomain.com.key
        # intermediate CA bundle; on httpd 2.4.8+ SSLCertificateChainFile is
        # deprecated and the chain can be appended to the SSLCertificateFile instead
        SSLCertificateChainFile /etc/httpd/conf/ssl.chain/sf_bundle.crt
        # http://www.networking4all.com/en/support/tools/site+check/cipher+suite/
        # note: SSLv3 and RC4 are no longer considered safe; current guidance is
        # "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" with a cipher list that excludes RC4
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        ServerName yourdomain.com
        ServerAlias www.yourdomain.com
        DocumentRoot /var/www/yourdomain.com/httpdocs/web

        ErrorLog /var/www/yourdomain.com/logs/error_log
        CustomLog  /var/www/yourdomain.com/logs/access_log common

        <Directory /var/www/yourdomain.com/httpdocs/web>
                AllowOverride All
        </Directory>
</VirtualHost>

Amazon Load Balancer setting SSL with Certificate Chain

First of all, let’s assume you have the following files with you:

  • yourdomain.key Your domain’s private key
  • yourdomain.crt Your domain’s certificate (public key)
  • sf_bundle.crt The certificate chain (intermediate CA bundle)

Step 1 – Preparing the files

Create a PEM-encoded version of your private key

openssl rsa -in yourdomain.key -outform PEM -out yourdomain.pem

Step 2 – Setting the certificate on Amazon

On your Amazon account go to Load Balancers > Your Load Balancer > Listeners

Load Balancer Protocol: HTTPS
Load Balancer Port: 443
Instance Protocol: HTTP
Instance Port: 80
Cipher: ELBSample-OpenSSLDefaultCipherPolicy
Certificate Name: Yourdomain.com
Private Key: <paste the contents of yourdomain.pem here>
Public Key Certificate: <paste the contents of yourdomain.crt here>
Certificate Chain: <paste the contents of sf_bundle.crt here>

Note: This means every client request to the Load Balancer is made over HTTPS, while the traffic from the Load Balancer to the destination instance is plain HTTP. This way you don’t have to set up any certificate on your instance’s Apache/Nginx web server.

Step 3 – Test

If everything went as expected, you should be able to open https://yourdomain.com.

Now use an SSL check tool to see if everything is OK: http://www.sslshopper.com/ssl-checker.html#hostname=https://yourdomain.com

You should see something like this: [screenshot of the SSL checker result]