ssl redirect by HC121003063046


Apache Secure Connection Redirection

This document will teach you how to implement a basic redirect from a non-secure
connection to a secure one.

The following example is rather basic and does have some limitations (it is tailored to our
specific situation), so I'll try to include some more information on how to adapt it to your
situation, but I won't have tested it.

On your server (I'm assuming it's an Apache Linux/Unix server) you will need the
mod_rewrite module enabled. Below are the steps (that worked for me) to do this.

Fresh Apache compile:

      If this is a fresh install, then run the following commands (my installation):

             Untar the Apache2 file:

              $ tar -zxvf httpd-2.0.54.tar.gz

             Create a file called with the following lines in it:

              ./configure --prefix=/usr/local/apache2 \
                      --mandir=/usr/local/man \
                      --enable-so \
                      --enable-ssl=shared \

             Change the permissions on the file:

              $ chmod 755

             Now configure apache with the following succession of commands:

              $ ./
              $ make && make install

             Now edit /etc/rc.conf and add the following lines:


             Start the server by typing in the following command:

              $ /usr/local/apache2/bin/apachectl startssl

             (This won't work until you have completed the following "Create SSL
             certificates" section.)

   Create SSL certificates

          Create the SSL certificate key in your /root directory:

           $ cd ~
           $ openssl genrsa -des3 -out server.key 1024

          Enter in a pass phrase and make sure you remember it!

          Now we need to make a Certificate Signing Request. You will be prompted
           for information regarding the new certificate:

           $ openssl req -new -key server.key -out server.csr

          Make sure you enter your FQDN for the "Common Name" portion.

          Now sign the newly created certificate:

           $ openssl x509 -req -days 365 -in /root/server.csr \
                   -signkey /root/server.key -out /root/server.crt

          OK, your certificate is signed and valid for 365 days. We now need to copy
           the files to the appropriate directory for Apache to use them:

           $ mkdir /usr/local/apache2/ssl.key
           $ mkdir /usr/local/apache2/ssl.crt
           $ chmod 0700 /usr/local/apache2/ssl.key /usr/local/apache2/ssl.crt
           $ cp server.key /usr/local/apache2/ssl.key/
           $ cp server.crt /usr/local/apache2/ssl.crt/
           $ chmod 0400 /usr/local/apache2/ssl.key/server.key
           $ chmod 0400 /usr/local/apache2/ssl.crt/server.crt

          Edit the ssl.conf file in /usr/local/apache2/conf and add the following lines:

           In the <VirtualHost _default_:443> section change the following line:

           In the <Directory "/usr/local/apache2/htdocs"> section add the following line:

           SSLOptions +OptRenegotiate

          Now add the following lines to the end of

           RewriteEngine on
           RewriteCond %{HTTPS} off
           RewriteRule ^(.*) https://%{HTTP_HOST}%3

Manual Installation:

      If this is an already ssl enabled and customised apache installation then you will
       need to complete the following steps:

      Inside the httpd.conf file, uncomment the line LoadModule rewrite_module
       modules/ (remove the pound '#' sign from in front of the line).
      Also make sure that the line ClearModuleList is uncommented, then find the line
       AddModule mod_rewrite.c and make sure that it is not commented out.
      Now that you have mod_rewrite enabled, you need to add the following lines to your
       httpd.conf file:

              RewriteEngine on
              RewriteCond %{HTTPS} off
              RewriteRule ^(.*) https://%{HTTP_HOST}%3

There are some limitations to this method though. It redirects the client browser
statically (i.e. always to the root of htdocs), not dynamically (i.e. to the requested
URI). This happens because %3 refers to a third group captured by the RewriteCond
pattern; that pattern captures nothing, so %3 expands to an empty string. I did it this
way because everyone that visits our webpage HAS to read our company policy before they
access our site.
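The following three lines theoretically should fix this problem. Note that $1 refers to
the text captured by the RewriteRule pattern, whereas %1 would refer to a group captured
by the RewriteCond, which has none here. The leading /? keeps the path's own slash out of
the captured text, so the result does not contain a double slash:

              RewriteEngine on
              RewriteCond %{HTTPS} off
              RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1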
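
The difference between the static and the dynamic redirect comes down to which backreference the substitution uses. The following is an added example, not part of the original document and not Apache's code: a simplified Python model of how mod_rewrite expands %{VAR}, %N and $N, run over the %3 rule and over the %1 and $1 forms of the path-preserving rule. The rule names, the sample path and the host name are constructed for illustration.

```python
import re

# Rule variants discussed above, as (pattern, substitution) pairs.
# The dictionary keys are hypothetical labels, not Apache terms.
RULES = {
    "cond_backref_3": (r"^(.*)", "https://%{HTTP_HOST}%3"),
    "cond_backref_1": (r"^(.*)", "https://%{HTTP_HOST}/%1"),
    "rule_backref_1": (r"^/?(.*)", "https://%{HTTP_HOST}/$1"),
}

TOKEN = re.compile(r"%\{(?P<var>\w+)\}|(?P<sigil>[$%])(?P<num>\d)")


def expand(substitution, rule_match, cond_match, server_vars):
    """Expand %{VAR}, $N (RewriteRule groups) and %N (RewriteCond groups)."""
    def repl(tok):
        if tok.group("var"):
            return server_vars.get(tok.group("var"), "")
        match = rule_match if tok.group("sigil") == "$" else cond_match
        n = int(tok.group("num"))
        # A backreference to a group that does not exist expands to "".
        if n > match.re.groups:
            return ""
        return match.group(n) or ""
    return TOKEN.sub(repl, substitution)


def redirect_target(rule, url_path, host, https="off"):
    """Return the Location a rule produces, or None if it does not fire."""
    pattern, substitution = RULES[rule]
    # HTTP_HOST is copied from the request's Host header (constructed here).
    server_vars = {"HTTPS": https, "HTTP_HOST": host}
    # RewriteCond %{HTTPS} off: the condition pattern has no capture groups.
    cond_match = re.search(r"off", server_vars["HTTPS"])
    # In httpd.conf (server context) the pattern sees the path with its "/".
    rule_match = re.search(pattern, url_path)
    if cond_match is None or rule_match is None:
        return None
    return expand(substitution, rule_match, cond_match, server_vars)


if __name__ == "__main__":
    for name in RULES:
        print(name, "->", redirect_target(name, "/docs/policy.html", "www.example.com"))
```

Only the $1 form carries the requested path into the redirect; both %N forms send every request to the site root. Requests that already arrive over HTTPS are left alone.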

The following links should help you gain a basic understanding of using mod_rewrite.
Once you get used to it, it can be incredibly powerful.

This document was created using OpenOffice 2.0 RC1 (very good)
