Apache SSL

• Apache
• Apache Security
• OpenSSL
• PCI Compliance
• SSL Certificates

Install certificate files:

SSLCertificateFile /etc/ssl/certs/domain.com.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/certs/domain.com.cabundle

A bare-bones SSL-enabled VirtualHost entry:

Listen 443
<VirtualHost _default_:443>
        ServerName domain.com
        DocumentRoot /var/www/localhost/htdocs
        <Directory "/var/www/localhost/htdocs">
                Options Indexes FollowSymLinks
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        SSLEngine on 
        SSLProtocol -all +SSLv3 +TLSv1
        SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/ssl/certs/domain.com.crt
        SSLCertificateKeyFile /etc/ssl/private/private.key
        SSLCertificateChainFile /etc/ssl/certs/domain.com.cabundle
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
                SSLOptions +StdEnvVars          
        </Directory>
        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
</VirtualHost>

In Ubuntu, Apache does not use Virtual Hosts by default. To change this, edit /etc/apache2/ports.conf and add NameVirtualHost *:443 to the SSL config.

Then, in /etc/apache2/sites-available/default-ssl change VirtualHost directive from _default_:443 to *:443

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}