Apache SSL


On Ubuntu, enable the two modules everything below depends on (mod_headers for the HSTS header, mod_ssl for TLS):

    a2enmod headers
    a2enmod ssl

then restart the daemon so they are loaded:

    systemctl restart apache2


Obtain certificates (the paths below follow the layout of dehydrated, an ACME client) and set up the daemon accordingly; the same file carries the protocol and cipher suite settings. Paths are CentOS/RHEL's (Ubuntu keeps its configuration under /etc/apache2 instead of /etc/httpd).

    cd /etc/httpd/conf/
    vi certs.conf

    #Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLEngine on
    SSLProtocol all -TLSv1 -SSLv2 -SSLv3
    SSLHonorCipherOrder off
    SSLCipherSuite "ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES"

    SSLCertificateFile /var/lib/dehydrated/certs/DOMAIN.TLD/cert.pem
    SSLCertificateKeyFile /var/lib/dehydrated/certs/DOMAIN.TLD/privkey.pem
    SSLCertificateChainFile /var/lib/dehydrated/certs/DOMAIN.TLD/chain.pem

With SSLHonorCipherOrder off the client's preference decides; that is acceptable only because the cipher string has already thrown out the anonymous, NULL, RC4, MD5 and 3DES suites. SSLCertificateChainFile is deprecated since httpd 2.4.8: pointing SSLCertificateFile at dehydrated's fullchain.pem does the same job in one directive.

Note: SSLv2, SSLv3 and TLSv1.0 are disabled; TLSv1.1 and TLSv1.2 remain enabled, and so does TLSv1.3 where httpd 2.4.37+ is built against OpenSSL 1.1.1+, because `all` expands to every protocol the build supports. TLSv1.1 is deprecated together with TLSv1.0 (RFC 8996), so unless a legacy client needs it, add -TLSv1.1 as well.

Allow users in the wheel group to read the Apache configuration and logs on CentOS/RHEL,

    chown -R root:wheel /etc/httpd/
    chmod 750 /etc/httpd/
    chmod 640 /etc/httpd/*

Caveat: on CentOS/RHEL /etc/httpd/* expands to sub-directories (conf, conf.d, conf.modules.d) and to symlinks (logs, modules, run) that point at /var/log/httpd, /usr/lib64/httpd/modules and /run/httpd. chmod follows symlinks named on the command line, and 640 drops the execute bit from a directory, so the last command locks every one of those directories to root alone (httpd itself keeps working because it reads its configuration and opens its logs as root). Use 750 on directories, 640 on regular files, and leave the symlinks untouched.
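As an added example (not from the original notes), a small Python script that applies the intended modes the way the caveat above describes: directories get 750, regular files 640, and symlinks are skipped rather than dereferenced. It builds a throw-away copy of the /etc/httpd layout under a temporary directory, so it runs offline as an unprivileged user; the optional group argument (e.g. wheel) is what you would pass on the real tree, where chgrp needs privileges.

```python
"""Make an httpd config tree group-readable without breaking it.

Added example, not from the original notes: directories get 0750, regular files
0640, and symlinks are skipped, so the logs/modules/run links in /etc/httpd never
drag /var/log/httpd, the module directory or /run/httpd along with them.
"""
import grp
import os
import stat
import tempfile

DIR_MODE = 0o750
FILE_MODE = 0o640


def mode_of(path):
    """Permission bits of path itself (lstat: a symlink is not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def restrict_tree(root, group=None):
    """Apply DIR_MODE/FILE_MODE below root; if group (e.g. "wheel") is given, chgrp too.

    Returns a dict of counts so the caller can sanity-check what was touched.
    """
    gid = grp.getgrnam(group).gr_gid if group else None
    counts = {"dirs": 0, "files": 0, "symlinks": 0}

    def apply(path, mode, kind):
        if os.path.islink(path):           # chmod/chown would follow the link: leave it alone
            counts["symlinks"] += 1
            return
        if gid is not None:
            os.chown(path, -1, gid)        # -1 keeps the owner, only the group changes
        os.chmod(path, mode)
        counts[kind] += 1

    apply(root, DIR_MODE, "dirs")
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False by default
        for name in dirnames:              # symlinks to directories land here, undescended
            apply(os.path.join(dirpath, name), DIR_MODE, "dirs")
        for name in filenames:             # symlinks to files land here
            apply(os.path.join(dirpath, name), FILE_MODE, "files")
    return counts


def demo():
    """Build a constructed copy of the /etc/httpd layout under a temporary
    directory and restrict it. Returns the counts plus the resulting modes."""
    base = tempfile.mkdtemp()
    etc = os.path.join(base, "httpd")
    logs = os.path.join(base, "var_log_httpd")   # stands in for /var/log/httpd
    os.makedirs(os.path.join(etc, "conf.d"))
    os.makedirs(logs)
    os.chmod(logs, 0o755)
    with open(os.path.join(etc, "conf.d", "00ssl.conf"), "w") as fh:
        fh.write("Listen 443 https\n")
    os.symlink(logs, os.path.join(etc, "logs"))  # like /etc/httpd/logs -> ../../var/log/httpd
    counts = restrict_tree(etc)
    return {
        "counts": counts,
        "conf_d": mode_of(os.path.join(etc, "conf.d")),
        "ssl_conf": mode_of(os.path.join(etc, "conf.d", "00ssl.conf")),
        "logs_target": mode_of(logs),            # stays 0o755: the link was skipped
    }


if __name__ == "__main__":
    print(demo())
```

On the real tree the call is restrict_tree("/etc/httpd", group="wheel"), run as root; the counts let you confirm that exactly the three symlinks were skipped.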

Set up a common configuration file that globally enables SSL for all the vhosts (replacing the CentOS/RHEL ssl.conf template). The 00 prefix makes conf.d include it before the vhost files, since wildcard includes are read in alphabetical order. Check that the paths it references exist first,

    cd /etc/httpd/conf.d/
    ls -lhF /usr/libexec/httpd-ssl-pass-dialog
    ls -lhF /run/httpd/sslcache # will be created
    ls -lhF /dev/urandom
    vi 00ssl.conf

    Listen 443 https

    SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
    SSLSessionCache     shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout  300
    SSLRandomSeed startup   file:/dev/urandom  256
    SSLRandomSeed connect   builtin
    SSLCryptoDevice     builtin

Reverse Proxy against an SSL service

To reverse-proxy an SSL-enabled backend, enable the SSL proxy engine in the vhost config,

    SSLProxyEngine On

and, if need be, work around the hostname mismatch: a container hostname that is not an FQDN and does not match the name in the ProxyPass URL makes the backend handshake fail with

    Error during SSL Handshake with remote server

The workaround used here switches peer verification off altogether,

    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

Caveat: with these four directives httpd accepts any certificate from the backend, so the proxy hop can be intercepted by anyone who can get between the two hosts. Prefer issuing the backend a certificate whose subjectAltName contains the hostname used in ProxyPass, then set SSLProxyVerify require and point SSLProxyCACertificateFile at the issuing CA, leaving the SSLProxyCheckPeer* directives at their defaults.

Reference: Error during SSL Handshake with remote server, https://stackoverflow.com/questions/18872482/error-during-ssl-handshake-with-remote-server
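As an added example serving both the certs.conf settings at the top of this page and this proxy section (it is not part of the original notes and not httpd's own tooling), a stdlib-only Python audit that reads an Apache config text and reports weak protocols left enabled by SSLProtocol, cipher strings missing the exclusions used above, a missing or short HSTS header, and the SSLProxyVerify/SSLProxyCheckPeer* combination that switches backend verification off. The expansion of the `all` keyword and the last-directive-wins handling of SSLProtocol are assumptions noted in the code; the two config texts are constructed from the directives on this page.

```python
"""Offline audit of the Apache mod_ssl directives discussed in these notes.

Added example, not part of the original notes or of httpd: it scans an Apache
config text for the TLS, HSTS and proxy-verification settings above and returns
findings. Only the Python stdlib is used, so it runs without httpd or OpenSSL.
"""
import re

# Assumption: what the "all" keyword expands to on httpd 2.4.37+ built against
# OpenSSL 1.1.1+. Older builds lack TLSv1.3; SSLv2 is not supported by 2.4 at all.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS | {"SSLv2"}}
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!RC4", "!MD5", "!3DES"}
MIN_HSTS_AGE = 31536000  # one year, the hstspreload.org minimum


def directives(text):
    """Yield (name, args) per directive; '#' lines are comments, <Section> tags are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right: 'all', '+X', '-X', bare 'X' (meaning +X)."""
    enabled = set()
    for tok in args.split():
        bare = tok.lstrip("+-")
        members = ALL_PROTOCOLS if bare.lower() == "all" else {CANONICAL.get(bare.lower(), bare)}
        enabled = enabled - members if tok.startswith("-") else enabled | members
    return enabled


def hsts_max_age(args):
    """max-age from a 'Header ... Strict-Transport-Security "..."' line, else None."""
    m = re.search(r'strict-transport-security\s+"([^"]*)"', args, re.I)
    if not m:
        return None
    age = re.search(r"max-age=(\d+)", m.group(1), re.I)
    return int(age.group(1)) if age else 0


def audit(text):
    """Return a list of human-readable findings for one config text."""
    findings, protocols, hsts, proxy_engine, unverified = [], None, None, False, []
    for name, args in directives(text):
        key = name.lower()
        if key == "sslprotocol":
            protocols = enabled_protocols(args)  # assumption: one scope, last directive wins
        elif key == "sslciphersuite":
            missing = REQUIRED_EXCLUSIONS - set(re.split(r"[:,\s]+", args.strip('"')))
            if missing:
                findings.append("SSLCipherSuite does not exclude " + ", ".join(sorted(missing)))
        elif key == "header":
            age = hsts_max_age(args)
            if age is not None:
                hsts = age
        elif key == "sslproxyengine":
            proxy_engine = args.lower() == "on"
        elif key == "sslproxyverify" and args.lower() == "none":
            unverified.append(name + " none")
        elif key.startswith("sslproxycheckpeer") and args.lower() == "off":
            unverified.append(name + " off")

    if protocols is None:
        findings.append("no SSLProtocol directive (httpd 2.4 default 'all -SSLv3' keeps TLSv1 and TLSv1.1)")
    elif protocols & WEAK_PROTOCOLS:
        findings.append("weak protocols enabled: " + ", ".join(sorted(protocols & WEAK_PROTOCOLS)))
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif hsts < MIN_HSTS_AGE:
        findings.append("HSTS max-age %d is below %d" % (hsts, MIN_HSTS_AGE))
    if proxy_engine and unverified:
        findings.append("backend certificate is not verified (%s): the proxy hop is open to a "
                        "man-in-the-middle; put the ProxyPass hostname in the backend cert's SAN, "
                        "set SSLProxyVerify require and SSLProxyCACertificateFile" % ", ".join(unverified))
    return findings


# Constructed sample: the certs.conf and proxy directives from these notes, in one vhost.
NOTES_CONFIG = """
#Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
Header always set Strict-Transport-Security "max-age=31536000"
SSLEngine on
SSLProtocol all -TLSv1 -SSLv2 -SSLv3
SSLHonorCipherOrder off
SSLCipherSuite "ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES"
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
"""

# Constructed sample: the same vhost with TLSv1.1 dropped and the backend verified.
HARDENED_CONFIG = """
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "ECDHE:DHE:!aNULL:!eNULL:!RC4:!MD5:!3DES"
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem
"""

if __name__ == "__main__":
    for label, cfg in (("notes", NOTES_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run against the page's own directives it reports exactly two things, TLSv1.1 still enabled and the unverified backend; the hardened variant comes back clean. The checker reads one config text at a time and does not resolve Include directives or per-vhost scoping, so feed it the file that actually holds the directives.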