HTTPS and SSL notes:

Apache Web Server with HTTPS

1. Install the Apache web server (httpd) together with mod_ssl, start it and enable it at boot with the commands below:

sudo yum -y install httpd mod_ssl
sudo systemctl start httpd
sudo systemctl enable httpd

2. Create a self-signed certificate and private key with the commands below:

sudo mkdir -p /etc/httpd/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/you-hostname.key -out /etc/httpd/ssl/you-hostname.crt

2.1. Make sure the Common Name is the same as the domain name / hostname clients will use. If the web server is to be accessed by its private IP, use that private IP as the Common Name.
3. Back up (move aside) the original SSL configuration shipped with mod_ssl:

sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.backup

4. Create a virtual host at /etc/httpd/conf.d/you-hostname.conf:

Listen 443
<VirtualHost *:443>
    ServerName you-hostname
    ServerAlias you-hostname
    ProxyPreserveHost On
    ProxyPass / http://localhost:8888/
    ProxyPassReverse / http://localhost:8888/
    RequestHeader set X-Forwarded-Proto "https"
    TransferLog /var/log/httpd/you-hostname.log
    ErrorLog /var/log/httpd/you-hostname.log
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/you-hostname.crt
    SSLCertificateKeyFile /etc/httpd/ssl/you-hostname.key
</VirtualHost>

5. Test the configuration, then restart httpd:

sudo httpd -t
sudo systemctl restart httpd

6. For the reverse proxy, ensure SELinux allows httpd to make outbound network connections:

sudo /usr/sbin/setsebool -P httpd_can_network_connect 1

7. Optionally, redirect plain HTTP to HTTPS by adding the lines below to /etc/httpd/conf.d/you-hostname.conf OR /etc/httpd/conf/httpd.conf:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Generate a Certificate Signing Request & install the CA-signed certificate:

1. Generate a certificate signing request (CSR):

openssl req -nodes -newkey rsa:2048 -keyout /etc/httpd/ssl/you-hostname.key -out /etc/httpd/ssl/you-hostname.csr

2. Order a certificate from a trusted CA using the generated CSR file
3. Get the intermediate certificate (aka CA bundle) and the CA-signed certificate:
- ca-bundle.crt
- you-hostname.crt
4. Edit /etc/httpd/conf.d/you-hostname.conf:

    <VirtualHost *:443>
        ServerName you-hostname
        ServerAlias you-hostname
        ProxyPreserveHost On
        ProxyPass / http://localhost:8888/
        ProxyPassReverse / http://localhost:8888/
        RequestHeader set X-Forwarded-Proto "https"
        TransferLog /var/log/httpd/you-hostname.log
        ErrorLog /var/log/httpd/you-hostname.log
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/you-hostname.crt
        SSLCertificateKeyFile /etc/httpd/ssl/you-hostname.key
        SSLCertificateChainFile /etc/httpd/ssl/ca-bundle.crt
    </VirtualHost>

5. Restart Apache Web Server
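The openssl commands in step 2 of the Apache section and step 1 of the CSR section put the hostname only in the Common Name; the following script, an added example that is not part of the original notes, builds the same self-signed certificate and the same CSR for one name but writes that name into both the CN and a subjectAltName (which browsers require today), and then checks that the resulting certificate really matches the name clients will use (step 2.1). The hostnames and output directories are assumptions; the functions only need openssl.

```shell
# Added example, not from the original notes: self-signed certificate
# (steps 2 / 2.1) and CSR (CSR section) for one name, with the name in both
# the CN and the subjectAltName, plus a check of the result.
# Hostnames and output directories used by callers are assumptions.

# Write an openssl request config for name $1 (hostname or private IP) to $2.
write_req_config() {
    host="$1"; cfg="$2"
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;   # anything but digits and dots: a hostname
        *)         san="IP:$host" ;;    # dotted quad: a private IP (step 2.1)
    esac
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
# section used by 'req -x509' (self-signed certificate)
x509_extensions = ext
# section used by 'req' without -x509 (CSR)
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed certificate + key (step 2): $1 name, $2 output dir, $3 days.
gen_selfsigned() {
    host="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir"
    write_req_config "$host" "$outdir/$host.cnf"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$outdir/$host.cnf" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
    chmod 600 "$outdir/$host.key"       # private key readable by its owner only
}

# CSR + key to send to the CA (CSR section, step 1): $1 name, $2 output dir.
gen_csr() {
    host="$1"; outdir="$2"
    mkdir -p "$outdir"
    write_req_config "$host" "$outdir/$host.cnf"
    openssl req -nodes -newkey rsa:2048 -config "$outdir/$host.cnf" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null
    chmod 600 "$outdir/$host.key"
}

# Does certificate $2 match name $1?  Exit status 0 = match, 1 = no match.
# openssl prints "... does match certificate" / "... does NOT match certificate"
# and does not report the result in its exit status, so the text is checked.
cert_matches() {
    case "$1" in
        *[!0-9.]*) out=$(openssl x509 -in "$2" -noout -checkhost "$1") ;;
        *)         out=$(openssl x509 -in "$2" -noout -checkip "$1") ;;
    esac
    case "$out" in
        *" does match certificate"*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Does CSR $1 carry the SAN entry $2 (e.g. DNS:you-hostname)?
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "$2"
}
```

Typical use on the server: `gen_selfsigned you-hostname /etc/httpd/ssl && cert_matches you-hostname /etc/httpd/ssl/you-hostname.crt`, which fails loudly if the CN/SAN and the hostname in the vhost disagree; `gen_csr you-hostname /etc/httpd/ssl` produces the .csr to send to the CA. A temporary config file is used instead of `-addext` so the script also works on OpenSSL releases older than 1.1.1.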

Tomcat with HTTPS via JSSE

1. Generate a new keystore containing a private key and a self-signed certificate; note that keytool's "first and last name" prompt is the Common Name:

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

2. Open $TOMCAT_HOME/conf/server.xml and edit the connector below to point at the keystore generated in step 1 (this example is for Tomcat 8.5):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"> 
        <SSLHostConfig>
            <Certificate 
                certificateKeystoreType="jks" type="RSA"
                certificateKeystoreFile="/path/to/keystore.jks" 
                certificateKeystorePassword="changeit" />
        </SSLHostConfig>
    </Connector>

3. Start Tomcat and access https://localhost:8443/

Spring Boot with HTTPS

  • Reference:
    • https://www.baeldung.com/spring-boot-https-self-signed-certificate

1. Generate a keystore via keytool (as in the Tomcat section above)
2. Add the entries below to application.properties (note: trailing whitespace after a value becomes part of the value in a .properties file):

server.port=8443
server.ssl.key-store-type=JKS
# a relative path such as classpath:keystore.jks is also supported
server.ssl.key-store=/path/to/keystore.jks
server.ssl.key-store-password=changeit
server.ssl.key-alias=mydomain
server.ssl.enabled=true

HTTP to HTTPS (plain-HTTP vhost proxying to an HTTPS backend)

The SSLProxyVerify and SSLProxyCheckPeer* lines below switch off validation of the backend's certificate, so httpd accepts whatever certificate the backend presents; this is what makes a self-signed backend certificate work, at the cost of not verifying which host actually answers at that address.

ProxyRequests Off

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://10.168.48.152
ProxyPassReverse / https://10.168.48.152
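The CA-bundle step in the CSR section and the SSLProxy* settings in this last section are the two places where a copy-and-paste of these notes most often goes wrong: a CA-signed certificate deployed without its intermediate bundle, or peer verification left switched off in production. The linter below is an added example, not code from the original notes; it parses a vhost/proxy snippet for the mod_ssl and mod_proxy directives used on this page and reports what a reviewer would flag. The two sample configs embedded at the bottom are constructed copies of the snippets above.

```python
"""Lint an Apache httpd vhost / proxy snippet for the TLS directives these
notes cover.  Added example, not from the original notes: the directive names
are real mod_ssl / mod_proxy directives, the sample configs are constructed."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]          # (severity, message); severity is error|warn|info

# SSLProxy* settings that switch off validation of the *backend's* certificate
# when httpd forwards requests to an https:// origin.
WEAK_PROXY_VALUES: Dict[str, str] = {
    "SSLProxyVerify": "none",
    "SSLProxyCheckPeerCN": "off",
    "SSLProxyCheckPeerName": "off",
    "SSLProxyCheckPeerExpire": "off",
}


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Return (directive, arguments) pairs; comments, blank lines and the
    <Section ...> / </Section> container lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def lint_vhost(text: str) -> List[Finding]:
    directives = parse_directives(text)
    present = {name for name, _ in directives}
    values = {name: args for name, args in directives}   # last occurrence wins
    findings: List[Finding] = []

    # 1. Terminating TLS: cert and key are mandatory; the chain file is what a
    #    CA-signed cert needs (the ca-bundle.crt step in the notes).
    if values.get("SSLEngine", "").lower() == "on":
        for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if needed not in present:
                findings.append(("error", f"SSLEngine on but {needed} is missing"))
        if "SSLCertificateChainFile" not in present:
            findings.append(("info", "no SSLCertificateChainFile: fine for a self-signed "
                                     "cert, but a CA-signed cert needs its intermediate bundle"))

    # 2. Proxying to an https:// backend: the backend certificate should be
    #    validated, otherwise anything answering on that address is trusted.
    targets = [args for name, args in directives if name in ("ProxyPass", "ProxyPassReverse")]
    if any("https://" in t for t in targets):
        if values.get("SSLProxyEngine", "").lower() != "on":
            findings.append(("error", "ProxyPass to https:// needs SSLProxyEngine on"))
        for name, weak in WEAK_PROXY_VALUES.items():
            if values.get(name, "").lower() == weak:
                findings.append(("warn", f"{name} {weak}: backend certificate is not validated"))

    # 3. Any reverse proxy: tell the backend the client arrived over TLS.
    if targets and not any(name == "RequestHeader" and "X-Forwarded-Proto" in args
                           for name, args in directives):
        findings.append(("warn", "reverse proxy without RequestHeader set X-Forwarded-Proto"))

    # 4. Order/Allow/Deny are Apache 2.2 access control; 2.4 uses Require and
    #    only honours the old form while mod_access_compat is loaded.
    if present & {"Order", "Allow", "Deny"}:
        findings.append(("info", "Order/Allow/Deny are 2.2-style access control; "
                                 "Apache 2.4 uses 'Require all granted'"))
    return findings


# Constructed sample 1: the self-signed reverse-proxy vhost from the notes.
VHOST_SELF_SIGNED = """
Listen 443
<VirtualHost *:443>
    ServerName you-hostname
    ProxyPreserveHost On
    ProxyPass / http://localhost:8888/
    ProxyPassReverse / http://localhost:8888/
    RequestHeader set X-Forwarded-Proto "https"
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/you-hostname.crt
    SSLCertificateKeyFile /etc/httpd/ssl/you-hostname.key
</VirtualHost>
"""

# Constructed sample 2: the HTTP-to-HTTPS proxy snippet with peer checks off.
PROXY_NO_VERIFY = """
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://10.168.48.152
ProxyPassReverse / https://10.168.48.152
"""

if __name__ == "__main__":
    for label, cfg in (("self-signed vhost", VHOST_SELF_SIGNED), ("proxy to https", PROXY_NO_VERIFY)):
        print(f"== {label}")
        for severity, message in lint_vhost(cfg):
            print(f"  [{severity}] {message}")
```

Run against the two snippets, the self-signed vhost yields only the informational note about the missing chain file, while the proxy snippet yields a warning per disabled peer check plus the missing X-Forwarded-Proto header; feeding it the real /etc/httpd/conf.d/you-hostname.conf before `httpd -t` catches the same problems before they reach production.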