Domains - DNS - Apache - Certificate SSL

Whether you run your own DNS servers or simply point your domain name at the IP address of a server, a webserver needs to be ready at the IP address resolved from your domain name, on the indicated port (usually port 80).
There are different webservers on the market, some open source and some licensed products that need to be purchased; a good one that is fairly easy to configure is Apache. Easy to configure, that is, as far as the basic setup goes: it can get (very) complicated when using virtual servers and mod_rewrite. In this example, a basic Apache configuration will do well to serve the web for the FQDN www.alterlinks.nl.

First, the setup was such that www.alterlinks.nl resolved to 212.180.60.244. The next thing to do is to make sure that this IP address does indeed answer:

C:\>ping 212.180.60.244

Envoi d'une requête 'ping' sur 212.180.60.244 avec 32 octets de données :

Réponse de 212.180.60.244 : octets=32 temps=7 ms TTL=64
Réponse de 212.180.60.244 : octets=32 temps<1ms TTL=64
Réponse de 212.180.60.244 : octets=32 temps<1ms TTL=64
Réponse de 212.180.60.244 : octets=32 temps<1ms TTL=64

Statistiques Ping pour 212.180.60.244:
Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
Minimum = 0ms, Maximum = 7ms, Moyenne = 1ms

If the IP address does not answer, it is likely not set up or not correctly added to the physical server. A server can be multihomed and answer on several IP addresses.

In this case, a virtual network interface with the address 212.180.60.244 has been added to the physical server:

[root@shop sbin]# ./ifconfig -a
eth0   Link encap:Ethernet HWaddr 00:19:66:99:6B:17
      inet addr:212.180.60.170 Bcast:212.180.60.255 Mask:255.255.255.128
      inet6 addr: fe80::219:66ff:fe99:6b17/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:633371228 errors:0 dropped:535 overruns:0 frame:0
      TX packets:1349334201 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:2779387665 (2.5 GiB) TX bytes:1361915458 (1.2 GiB)
      Interrupt:201 Base address:0x4800

...
...

eth0:26   Link encap:Ethernet HWaddr 00:19:66:99:6B:17
      inet addr:212.180.60.244 Bcast:212.180.60.255 Mask:255.255.255.128
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      Interrupt:201 Base address:0x4800



Webservers like Apache can be configured to support multiple domains, for instance by using Virtual Hosts. In this case, an IP-based Virtual Host seems a good choice. After installing Apache with the usual method of ./configure, make, make install, all we have to do is add a new Virtual Host to its configuration.

./configure --enable-module=so --enable-module=vhost_alias --enable-module=rewrite --with-apache=../apache_1.3.41 --with-ssl=../openssl-0.9.8k --prefix=/usr/local/seven/apache

- make
- make certificate TYPE=existing CRT=/path/to/certificate/domain.certificate.crt KEY=/path/to/key/file/keyfile.key
- make install

At this point, note that the option --with-ssl has been used, which will make it easy to install and add SSL certificates.


Once Apache has been installed, you probably want to change the BindAddress * parameter so that Apache does not listen on all IP addresses of the server. Instead, use the Listen parameter to tell Apache where (and for whom) it should bind. In this case, adding www.alterlinks.nl to Apache's httpd.conf as an IP-based Virtual Host could look like this:

Listen 212.180.60.244:80
Listen 212.180.60.244:443
<IfDefine SSL>
<VirtualHost 212.180.60.244:443>
DocumentRoot /var/www/domains/alterlinks.nl
# ServerName corresponds to the Common Name (CN) of the SSL certificate
ServerName www.alterlinks.nl
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /path/to/certificate/domain.certificate.crt
SSLCertificateKeyFile /path/to/key/file/keyfile.key
SSLCertificateChainFile /ssl/gd_intermediate_bundle.crt
SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
<Directory "/var/www/domains/alterlinks.nl">
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfDefine>
<VirtualHost 212.180.60.244:80>
DocumentRoot /var/www/domains/alterlinks.nl
ServerName www.alterlinks.nl
<Directory "/var/www/domains/alterlinks.nl">
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
</Directory>
</VirtualHost>
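
In OpenSSL cipher-string syntax a leading + only moves matching suites to the end of the list and ! removes them for good, so the SSLCipherSuite line above still leaves the LOW, SSLv2 and EXP classes enabled. The following Python code is an added example (not part of the original page or of mod_ssl) that applies those operator rules to the page's string. The suite catalogue, its class tags and the tighter string HIGH:!ADH are constructed assumptions for illustration.

```python
# Constructed mini-catalogue: suite name -> class tags (simplified, for illustration).
CATALOGUE = {
    "DHE-RSA-AES256-SHA": {"HIGH", "RSA"},
    "AES256-SHA":         {"HIGH", "RSA"},
    "RC4-SHA":            {"MEDIUM", "RC4", "RSA"},
    "DES-CBC-SHA":        {"LOW", "RSA"},
    "DES-CBC-MD5":        {"LOW", "SSLv2", "RSA"},
    "EXP-RC4-MD5":        {"EXP", "RC4", "RSA"},
    "EXP1024-RC4-SHA":    {"EXP", "EXPORT56", "RC4", "RSA"},
    "ADH-AES256-SHA":     {"HIGH", "ADH"},
    "NULL-SHA":           {"eNULL", "RSA"},
}
WEAK = {"LOW", "EXP", "SSLv2", "eNULL", "ADH"}

def matching(selector):
    """Suites matching 'A+B' (logical AND). ALL leaves out eNULL, as the
    current openssl-ciphers manual documents."""
    if selector == "ALL":
        return [s for s, tags in CATALOGUE.items() if "eNULL" not in tags]
    wanted = set(selector.split("+"))
    return [s for s, tags in CATALOGUE.items() if wanted <= tags]

def evaluate(cipher_string):
    """Apply the cipher-string operators; return enabled suites in preference order."""
    active, banned = [], set()
    for token in cipher_string.split(":"):
        op = token[0] if token[0] in "!-+" else ""
        hits = matching(token[len(op):])
        if op == "!":      # permanent delete: can never be re-added
            banned.update(hits)
            active = [s for s in active if s not in hits]
        elif op == "-":    # delete, may be re-added by a later token
            active = [s for s in active if s not in hits]
        elif op == "+":    # reorder only: never adds or removes a suite
            moved = [s for s in active if s in hits]
            active = [s for s in active if s not in hits] + moved
        else:              # plain token: add whatever is missing and not banned
            active += [s for s in hits if s not in active and s not in banned]
    return active

def weak_enabled(cipher_string):
    """Enabled suites that carry at least one weak class tag."""
    return [s for s in evaluate(cipher_string) if CATALOGUE[s] & WEAK]

PAGE_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
TIGHTER = "HIGH:!ADH"   # assumption for illustration, not from the page

if __name__ == "__main__":
    print("page string enables:", evaluate(PAGE_STRING))
    print("weak but enabled:   ", weak_enabled(PAGE_STRING))
    print("tighter string:     ", evaluate(TIGHTER))
```

On a real server, `openssl ciphers -v` followed by the quoted cipher string lists what the installed OpenSSL build actually enables for it.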



Note: it would also be possible to use name-based Virtual Hosts, but in that case the DNS server configuration would of course have been different too.


And there you have it: after restarting, Apache will be listening at 212.180.60.244:80, and when a user Lamba connects with his web browser to http://www.alterlinks.nl he will see the index page of the directory /var/www/domains/alterlinks.nl/.

But if the user Lamba had connected to https://www.alterlinks.nl/p3do/koop-on-line.php, some additional steps would have been taken, in particular an SSL handshake to secure the session, using the installed SSL certificate.



