Configuring local Apache https website in Windows

 
DavidSpector



Joined: 07 Oct 2017
Posts: 15
Location: Maine, USA

Posted: Wed 29 Aug '18 22:25    Post subject: Configuring local Apache https website in Windows

I have implemented (see partial config file below) two virtual hosts on my local development windows computer:

"localhost", which corresponds to folder C:/Web, and is http. It contains many websites.
"www.nsrusa.local", which corresponds to folder C:/Web/nsr, and is self-signed https. It is one website.
The HOSTS file contains the line "127.0.0.1 www.nsrusa.local".

There are two major problems:

1. Browsing to https://www.nsrusa.local/ brings up the Firefox "Your connection is not secure" message (verified by using the Firefox Network tool). A minor problem is that it resolves to C:\Web instead of the correct C:\Web\nsr.

2. Browsing to http://localhost/nsr/ should fail (because of SSLRequireSSL), but succeeds.

# Config file excerpt:
# Virtual Host

# localhost = C:/Web
<VirtualHost *:80>
DocumentRoot "c:/Web"
ServerName localhost
<Directory "c:/Web">
AllowOverride All
Options Indexes MultiViews FollowSymLinks
#Require all granted
</Directory>
</VirtualHost>

# www.nsrusa.local = C:/Web/nsr
<VirtualHost *:443>
DocumentRoot "c:/Web/nsr"
ServerName www.nsrusa.local
SSLEngine on
SSLCertificateFile "C:/WAMP/apache2/conf/nsrlocal.crt"
SSLCertificateKeyFile "C:/WAMP/apache2/conf/nsrlocal.key"
<Directory "c:/Web/nsr">
SSLRequireSSL
AllowOverride All
Options Indexes MultiViews FollowSymLinks
#Require all granted
</Directory>
</VirtualHost>
DavidSpector



Joined: 07 Oct 2017
Posts: 15
Location: Maine, USA

Posted: Thu 30 Aug '18 3:08    Post subject: [Solved]

I solved these problems by:

1. Downloading the correct version of OpenSSL light 32-bit for Windows from https://slproweb.com/products/Win32OpenSSL.html and installing it.

2. Following this procedure to generate a security certificate:

Add to system environment variable "Path": C:\Program Files (x86)\OpenSSL\bin
Set system environment variable "OPENSSL_CONF" to C:\Program Files (x86)\OpenSSL\bin\openssl.cfg

Executing these commands in an admin command prompt window:

Code:
cd C:\WAMP\apache2\conf
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout nsrlocal.key -out nsrlocal.crt


(When prompted, I provided for Server FQDN: nsrusa.local)
(This will require me to generate a new certificate once a year, which was my choice.)

3. I added the line "127.0.0.1 nsrusa.local" to the HOSTS file, which is the most local of the DNS providers.

4. I added the following to the Apache config file (httpd.conf):

Code:
# Virtual Hosts
# see http://httpd.apache.org/docs/current/vhosts/examples.html

# localhost = C:/Web
<VirtualHost *:80>
   DocumentRoot "c:/Web"
   ServerName localhost
   <Directory "c:/Web">
      AllowOverride All
      Options Indexes MultiViews FollowSymLinks
      #Require all granted
   </Directory>
   <Directory "c:/Web/nsr">
      Require all denied
   </Directory>
</VirtualHost>

# nsrusa.local = C:/Web/nsr
<VirtualHost *:443>
   DocumentRoot "c:/Web/nsr"
   ServerName nsrusa.local
   SSLEngine on
   SSLCertificateFile    "C:/WAMP/apache2/conf/nsrlocal.crt"
   SSLCertificateKeyFile "C:/WAMP/apache2/conf/nsrlocal.key"
   <Directory "c:/Web/nsr">
      SSLRequireSSL
      AllowOverride All
      Options Indexes MultiViews FollowSymLinks
      #Require all granted
   </Directory>
</VirtualHost>


5. You can see in the first host, the second Directory directive makes sure that I cannot accidentally access by directory "localhost/nsr". This is because that would be an HTTP access, which I want to prevent.

6. In a production environment I would also add RewriteCond and RewriteRule directives to redirect HTTP accesses to HTTPS accesses.

These look like this:

Code:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTP_HOST} ^(www\.)?nsrusa\.org
RewriteRule ^(.*)$ https://www.nsrusa.org/$1 [R,L]


This example is easy to change for your circumstances.

I hope this posting helps someone. I wish someone had posted something like this already.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6521
Location: Germany, Next to Hamburg

Posted: Thu 30 Aug '18 15:32    Post subject:

Why don't you use a real certificate like from Let's Encrypt?
DavidSpector



Joined: 07 Oct 2017
Posts: 15
Location: Maine, USA

Posted: Thu 30 Aug '18 15:54    Post subject: Let's Encrypt

Good question. Here are my reasons:

1. This is a development machine. I don't mind telling Firefox to accept the certificate.

2. Let's Encrypt does not issue certificates the way the OpenSSL command does. It provides software that automatically installs and renews certificates. It is intended for production machines.
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2707
Location: Hilversum, NL, EU

Posted: Fri 31 Aug '18 14:23    Post subject:

See: https://letsencrypt.org/docs/certificates-for-localhost/
DavidSpector



Joined: 07 Oct 2017
Posts: 15
Location: Maine, USA

Posted: Fri 31 Aug '18 16:17    Post subject:

Steffen, Thanks, I had forgotten this page. Good stuff. In particular, it recommends creating a self-signed Certificate Authority on the local computer, then using that to create certificates for specific local or application websites. This prevents Man In The Middle attacks if a malicious user can gain local access.

There are already good pages on the Web explaining the details of using OpenSSL.exe (Windows) to generate first the CA cert, then the domain cert.

However, it is still true that Let's Encrypt works with server management tools to make it easy to move the whole Web to HTTPS security. Let's Encrypt has no service to generate certificates manually for local use, nor do they encourage this.

That having been said, it is also possible (I have done it) to copy the Let's Encrypt certificate from an existing server (in my case managed and automatically renewed every few months by WHM/cPanel) down to a local computer, and then enter the domain name in the HOSTS file. Then, when you enter the domain name in a local browser (https://www.example.com), you get the local website instead of the remote website. You get the same green-icon HTTPS service on the local as on the remote. But then you have to comment out the HOSTS entry if you want to see how your remote site works.

The technique I described here allows concurrent display of both remote and local websites, since it uses different domain names.
Back to top
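
The approach the last post refers to (a local Certificate Authority that signs the site certificate), shown in PowerShell as an added example that is not part of any forum post. It assumes OpenSSL is on the Path with OPENSSL_CONF set as earlier in the thread; the file names localCA.*, nsrlocal.csr and nsrlocal.ext and the CA subject are made up for illustration, and the output overwrites the self-signed nsrlocal.key/nsrlocal.crt so the Apache config stays unchanged.

```powershell
# Added example: local CA plus a CA-signed server certificate for nsrusa.local.
# localCA.*, nsrlocal.csr and nsrlocal.ext are assumed names, not from the thread.
Set-Location 'C:\WAMP\apache2\conf'

# 1. Local CA: private key and self-signed root certificate (10 years).
#    The stock openssl.cfg applies its v3_ca extensions (CA:true) to this cert.
#    -nodes leaves the key unencrypted, as in the thread's command, so keep
#    localCA.key readable by your own account only.
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 `
    -subj '/CN=Local Development CA' `
    -keyout localCA.key -out localCA.crt

# 2. Server key and certificate signing request for the site.
openssl req -new -newkey rsa:2048 -sha256 -nodes `
    -subj '/CN=nsrusa.local' `
    -keyout nsrlocal.key -out nsrlocal.csr

# 3. Extensions for the server certificate. Current browsers match the host
#    name against subjectAltName, not the CN, so the name is listed here.
$ext = @'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:nsrusa.local
'@
# ASCII encoding: OpenSSL cannot parse the UTF-16 that Out-File writes by default.
Set-Content -Path nsrlocal.ext -Value $ext -Encoding ascii

# 4. Sign the request with the local CA (1 year, matching the thread's choice).
openssl x509 -req -in nsrlocal.csr -CA localCA.crt -CAkey localCA.key `
    -CAcreateserial -sha256 -days 365 -extfile nsrlocal.ext -out nsrlocal.crt

# 5. Check the chain and confirm the SAN made it into the certificate.
openssl verify -CAfile localCA.crt nsrlocal.crt
if ($LASTEXITCODE -ne 0) { throw 'nsrlocal.crt does not verify against localCA.crt' }
openssl x509 -in nsrlocal.crt -noout -text |
    Select-String -Context 0,1 'Subject Alternative Name'
```

Import localCA.crt, never localCA.key, into the browser's trusted authorities once; certificates later signed by the same CA are then accepted without per-site exceptions.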

