Setting up a secure SSL subdomain on Apache2

 
Published on 2013-02-19 by John Collins.

If you have part of your application that you would like to secure, you can use SSL encryption to encrypt the network connections between clients and your server. In this example, I will be hosting my main website on port 80, which will support unencrypted connections, and my mail sub-domain on port 443, which will be encrypted. Therefore the users of the mail system can be assured that their passwords and private emails will be sent through the Internet in a secure way.

Note that is this tutorial, I am using CentOS so the commands required might be slightly different on other platforms.

Using OpenSSL to generate a key and a cert

Begin by intalling mod_ssl for Apache2 and OpenSSL:

yum install mod_ssl
yum install openssl

Now using OpenSSL, generate a secure private key (substitute in your own hostname here):

openssl genrsa -out hostname.key 1024

Now generate a self-signed cert, using the private key we just created:

openssl req -new -key hostname.key -x509 -out hostname.crt

You will now need to move these files into the directories used my mod_ssl:

mv hostname.crt /etc/pki/tls/certs/hostname.crt
mv hostname.key /etc/pki/tls/private/hostname.key

Configure mod_ssl to use these files:

nano /etc/httpd/conf.d/ssl.conf

...and change these settings to the following:

SSLCertificateFile /etc/pki/tls/certs/hostname.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key

Configure Apache2 to serve a sub-domain on port 443 only

To achieve this, we will set up a new virtual host declaration that will point to the foot folder where our mail application is installed. The user will access this using the mail.hostname.com sub-domain in their browser. If the user tries to access this sub-domain on HTTP (port 80), they will be re-directed to HTTPS (port 443) using mod_rewrite. Here is the new configuration required:

nano /etc/httpd/conf/httpd.conf

Add:

NameVirtualHost *:443
 
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/hostname.crt
    SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
    <Directory /var/www/mailapp>
            AllowOverride All
    </Directory>
    DocumentRoot /var/www/mailapp
    ServerName mail.hostname.com
</VirtualHost>

And to force all port 80 traffic on this sub-domain to redirect to port 443, add:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(mail)\. [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Updated 2023 : note that the above post was originally published in 2013, but is left here for archival purposes. I have fixed a few broken links.