I recently fixed a whole bunch of server configuration bugs that were causing problems with subdomains, and while I was at it, I got SSL/TLS working correctly. You can now use https://www.minousoft.com/ to encrypt your connection with up to 256-bit AES. The certificate is self-signed, however, and most browsers will display a security warning about this. You’ll need to specifically allow this certificate in order to use a secure connection.
I wish browsers weren’t so panicky about self-signed certificates – it makes it more difficult to develop secure applications. People make unencrypted HTTP connections every day, which has no security or authenticity at all. Compare that to a self-signed certificate, which offers encryption, but has no guaranteed authenticity. Perhaps browsers should display an annoying warning about every single HTTP connection instead.
I’m posting a few things that I learned in the hope that it’ll help someone minimize their configuration headaches. Most of the lines below can be used in .htaccess files if you need to use them, but remember to double-check that in the official documentation. I’m assuming that you’ve already set up mod_ssl on your Apache server and generated encryption keys.
When setting up your VirtualHost sites in Apache, you need to define everything with asterisks (as far as I know). You can use the VirtualHost file below to see how this is done. Note that you can select a different set of SSL certificates for each VirtualHost.
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    DocumentRoot "/www-directory/somesubdomain"
    ServerName somesubdomain.example.com
    ServerAlias somesubdomain.example.com
    <Directory "/www-directory/somesubdomain">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/www-directory/somesubdomain"
    ServerName somesubdomain.example.com
    ServerAlias somesubdomain.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    <Directory "/www-directory/somesubdomain">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/www-directory/wildcard"
    ServerName wildcard.example.com
    ServerAlias *.example.com
    <Directory "/www-directory/wildcard">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/www-directory/wildcard"
    ServerName wildcard.example.com
    ServerAlias *.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    <Directory "/www-directory/wildcard">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>
SSL v2 is not considered secure, so you will usually want to disable this in one of your configuration files (I just put it in apache2.conf because every VirtualHost needs it anyway):
SSLProtocol all -SSLv2
Apache with mod_ssl has no preferred cipher suite order by default (at least in my experience). The line below can be added to get Apache to prefer stronger encryption first. However, using this option can seriously slow down your server in some cases. The strongest cipher suite, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, is very resource-intensive compared to the weaker ciphers. If your server isn’t very powerful, as is usually the case when using shared hosting, switching your site to high-grade encryption can make your site very slow. The more content you have on your page, the more CPU time is required to encrypt that data.
SSLHonorCipherOrder On
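As an added example (not code from the post), here is a small Python checker that parses a VirtualHost layout like the one shown above together with the global directives just discussed, and reports the settings a defender would look for: every port in use has a matching NameVirtualHost, every *:443 host has SSLEngine on plus certificate and key files, SSLProtocol excludes SSLv2, and SSLHonorCipherOrder is On. The parser is a simplified one written for this post, not Apache's own; the sample config is constructed, with two defects planted so the checker has something to report.

```python
import re

# Constructed sample in the layout the post describes (not the author's live
# config). Two defects are planted for the checker to find: the wildcard *:443
# host has no "SSLEngine on", and SSLHonorCipherOrder is never set.
SAMPLE_CONFIG = """\
NameVirtualHost *:80
NameVirtualHost *:443
SSLProtocol all -SSLv2
<VirtualHost *:80>
    DocumentRoot "/www-directory/somesubdomain"
    ServerName somesubdomain.example.com
    <Directory "/www-directory/somesubdomain">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/www-directory/somesubdomain"
    ServerName somesubdomain.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/www-directory/wildcard"
    ServerName wildcard.example.com
    ServerAlias *.example.com
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_config(text):
    """Split an Apache config into global directives and <VirtualHost> blocks.

    Directive names are lowercased (Apache matches them case-insensitively) and
    values are kept in lists so repeated directives such as NameVirtualHost all
    survive. Nested sections like <Directory> are flattened into the enclosing
    scope, which is enough for these checks.
    """
    global_directives, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addr": opened.group(1).strip(), "directives": {}}
            continue
        if VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):
            continue                           # other section tags: ignore
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        scope = global_directives if current is None else current["directives"]
        scope.setdefault(name, []).append(value)
    return global_directives, vhosts


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    global_directives, vhosts = parse_config(text)
    findings = []
    # Name-based hosts need a NameVirtualHost *:port for every port they use.
    named_ports = {a.rsplit(":", 1)[-1]
                   for a in global_directives.get("namevirtualhost", [])}
    for vhost in vhosts:
        d = vhost["directives"]
        label = "%s (%s)" % (d.get("servername", ["<no ServerName>"])[0], vhost["addr"])
        port = vhost["addr"].rsplit(":", 1)[-1]
        if port not in named_ports:
            findings.append("%s: no NameVirtualHost *:%s declared" % (label, port))
        if port == "443":
            if d.get("sslengine", [""])[0].lower() != "on":
                findings.append("%s: listens on 443 but SSLEngine is not on" % label)
            for needed in ("sslcertificatefile", "sslcertificatekeyfile"):
                if needed not in d:
                    findings.append("%s: missing %s" % (label, needed))
    # SSLv2 must be switched off, as the post does with "SSLProtocol all -SSLv2".
    proto = global_directives.get("sslprotocol")
    if proto is None:
        findings.append("no SSLProtocol directive; add 'SSLProtocol all -SSLv2'")
    else:
        tokens = proto[-1].lower().split()
        if "-sslv2" not in tokens and any(t in ("all", "sslv2", "+sslv2") for t in tokens):
            findings.append("SSLProtocol '%s' leaves SSLv2 enabled" % proto[-1])
    # Without SSLHonorCipherOrder On, the client's cipher preference decides.
    if global_directives.get("sslhonorcipherorder", [""])[-1].lower() != "on":
        findings.append("SSLHonorCipherOrder is not On; client cipher preference wins")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the two planted problems; paste your own apache2.conf and VirtualHost files into SAMPLE_CONFIG (or read them from disk) to check a real layout. The checker is deliberately strict about SSLCertificateKeyFile: Apache will also accept a key embedded in the certificate file, but keeping the key in a separate, tightly permissioned file is the arrangement the post uses.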
If you are running a site that requires high security, you can add the line below to refuse clients that use unencrypted connections. This can be enabled per-directory and in .htaccess files. This should not be enabled for normal sites, because it blocks people who are using browsers and devices that don’t support encryption or have it disabled (old cell phones, microcontroller devices, PCs that don’t have any free RAM/CPU time). It does increase the security of connections, however, so it is useful for specific directories and forms that you are paranoid about, e.g. credit card transactions.
SSLRequireSSL
If you want to test your SSL settings, there are quite a few Firefox plugins that can help. One of them is CipherFox – it displays the current encryption algorithm and key length in the lower right-hand corner. You can also easily test and compare the SSL configurations of different sites at Qualys SSL Labs.
For some reason, going to https://minousoft.com/ was redirecting to http://www.minousoft.com/, which is very undesirable behavior. I fixed this with the following snippet, which can be added to your .htaccess file to rewrite https://example.com/ to https://www.example.com/ (no modifications should be required):
# https://example.com -> https://www.example.com/
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
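To make the rule's behaviour concrete, here is an added Python model of it (not code from the post): it returns the 301 target the three lines above would produce for a given %{HTTPS} value, Host header and path, or None when one of the two RewriteCond lines fails (consecutive conditions are ANDed). It also includes a hypothetical hardened variant, pinned_redirect, whose target hostname is a constant rather than %{HTTP_HOST}; the equivalent rule would be `RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]` followed by `RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]`. The example requests are constructed.

```python
import re

# The "!^www\." RewriteCond: the Host header must not already start with "www."
NOT_WWW = re.compile(r"^www\.", re.IGNORECASE)


def canonical_redirect(https, host, path, query=""):
    """Model the post's .htaccess rule and return the 301 target, or None.

    https: the %{HTTPS} variable ("on"/"off"); host: the Host request header
    (%{HTTP_HOST}); path: the request path as a per-directory rule sees it
    (leading slash removed, which is why the rule re-adds "/"); query: the
    query string, which mod_rewrite re-appends because the substitution
    contains no "?". Both RewriteCond lines must hold for the rule to fire.
    """
    if https.lower() != "on":          # RewriteCond %{HTTPS} on
        return None
    if NOT_WWW.match(host):            # RewriteCond %{HTTP_HOST} !^www\.
        return None
    # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
    target = "https://www." + host + "/" + path.lstrip("/")
    return target + ("?" + query if query else "")


def pinned_redirect(https, host, path, query="", canonical="www.example.com"):
    """Hypothetical hardened variant (not from the post).

    The target host is a fixed string instead of %{HTTP_HOST}, so the redirect
    always lands on the hostname you chose rather than on whatever Host header
    the client sent. The matching condition becomes
    "RewriteCond %{HTTP_HOST} !^www\\.example\\.com$ [NC]" to avoid a loop.
    """
    if https.lower() != "on" or host.lower() == canonical:
        return None
    target = "https://" + canonical + "/" + path.lstrip("/")
    return target + ("?" + query if query else "")


if __name__ == "__main__":
    # Constructed requests showing which ones trigger the redirect.
    for req in [("on", "example.com", ""), ("on", "www.example.com", ""),
                ("off", "example.com", ""), ("on", "sub.example.com", "x", "a=1")]:
        print(req, "->", canonical_redirect(*req), "| pinned:", pinned_redirect(*req))
```

Note what the sub.example.com case shows: the original rule prepends "www." to any non-www host, so if the same .htaccess is served for subdomains (for instance under the wildcard VirtualHost), sub.example.com would be sent to www.sub.example.com. Keep the file in the bare domain's document root, or use the pinned form, if that is not what you want.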