35 min. 55 XP.
Apache VirtualHosts + SSL. Serving WWW Content and WWW SSL
Three NCAE services score against your web server: WWW Port 80 (is HTTP alive), WWW Content (does the admin login work), WWW SSL (is HTTPS + valid cert up). This lesson covers Apache2's module + sites-enabled model, how VirtualHosts route requests, and how to regenerate a self-signed cert fast.
DCWF roles:
IT-451 System Administrator
SE-461 Systems Security Analyst
CS-622 Secure Software Assessor
Services:
WWW Port 80, WWW Content, WWW SSL
Objectives
- Locate Apache config: /etc/apache2/ on Debian, /etc/httpd/ on RHEL
- Distinguish modules (mods-enabled) and global config snippets (conf-enabled) from sites (the VirtualHosts in sites-enabled)
- Enable/disable a module with `a2enmod` / `a2dismod`
- Enable/disable a site with `a2ensite` / `a2dissite`
- Read a VirtualHost block (DocumentRoot, ServerName, SSLCertificateFile)
- Regenerate a self-signed cert and restart Apache in under 1 minute
- Read Apache error + access logs
Quick reference
| Command | Purpose |
|---|---|
| apachectl -V | Show Apache build info and compiled modules |
| apachectl -S | Dump VirtualHost routing table (settles most 'which vhost wins' arguments) |
| apachectl configtest | Syntax check (or apache2ctl -t) |
| systemctl reload apache2 | Pick up config changes without dropping connections |
| systemctl restart apache2 | Hard restart (drops all connections) |
| a2enmod ssl | Enable a module |
| a2ensite default-ssl | Enable a site |
| tail -f /var/log/apache2/error.log | Real-time error log |
| tail -f /var/log/apache2/access.log | Real-time access log |
| openssl x509 -in /etc/ssl/certs/server.crt -noout -dates -subject | Inspect cert |
| curl -vk https://localhost/ 2>&1 \| grep -E 'subject\|issuer' | What cert Apache is serving right now |
Common pitfalls
- Editing /etc/apache2/apache2.conf instead of the site in sites-enabled: the per-site VirtualHost overrides your change
- `apachectl -S` shows that your VirtualHost isn't being selected: wrong ServerName, or wrong port in `<VirtualHost *:PORT>`
- Cert regenerated but Apache still serves the old one: forgot `systemctl restart apache2`
- Cert file permissions: 644 on .crt (world-readable is OK), 600 on .key (never world-readable)
- NameVirtualHost directive matters on Apache < 2.4: less of an issue on modern installs (2.4 ignores it and routes by name automatically)
- Default virtual host catches unexpected hostnames: make sure the competition hostname has its own VirtualHost
How it works (walkthrough)
```apache
# A minimal SSL VirtualHost
# /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName team10.ncaecybergames.org
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</IfModule>
```

```bash
# Regenerate a self-signed cert with correct CN + SAN (60-second fix).
# -addext needs OpenSSL 1.1.1 or newer.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/server.key \
  -out /etc/ssl/certs/server.crt \
  -subj "/CN=team10.ncaecybergames.org" \
  -addext "subjectAltName=DNS:team10.ncaecybergames.org"
chmod 600 /etc/ssl/private/server.key   # key: owner only
chmod 644 /etc/ssl/certs/server.crt     # cert: world-readable is fine
systemctl restart apache2               # old cert stays in memory until you do this
```
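A pre-flight script that ties the pitfalls and quick-reference commands together, added here as an example and not part of the original lesson: before you restart, it checks the key mode, that cert and key are a pair, that the cert's CN/SAN and the `apachectl -S` routing table both name the scored hostname, and that the cert is not about to expire. The paths and the team10 hostname come from the walkthrough above; the script name `preflight.sh` is an assumption.

```bash
#!/usr/bin/env bash
# preflight.sh HOST: run before 'systemctl restart apache2' to catch the pitfalls above.
# Constructed example for this lesson; paths and the team hostname are assumptions.
set -u
CRT=/etc/ssl/certs/server.crt
KEY=/etc/ssl/private/server.key

# Private key mode must be ?00 (600 or stricter): never group- or world-readable.
key_mode_ok() {                       # $1 = octal mode string, e.g. from stat -c %a
  case "$1" in [1-7]00) return 0 ;; *) return 1 ;; esac
}

# Does the cert name the scored hostname in CN or SAN? stdin = output of
#   openssl x509 -noout -subject -ext subjectAltName
cert_covers_host() {                  # $1 = hostname
  local h; h=$(printf '%s' "$1" | sed 's/[.]/\\./g')   # escape dots for the regex
  grep -Eq "(CN ?= ?|DNS:)${h}(,|[[:space:]]|$)"
}

# Is HOST actually routed on PORT? stdin = output of apachectl -S. Matches both the
# single-vhost line "*:443  host (...)" and the "port 443 namevhost host (...)" form.
vhost_routed() {                      # $1 = hostname, $2 = port
  local h; h=$(printf '%s' "$1" | sed 's/[.]/\\./g')
  grep -Eq "(^[^[:space:]]*:$2[[:space:]]+|port $2 namevhost )${h}([[:space:]]|$)"
}

main() {
  local host="$1" rc=0
  apachectl configtest >/dev/null 2>&1 || { echo "FAIL: config syntax"; rc=1; }
  key_mode_ok "$(stat -c '%a' "$KEY")" || { echo "FAIL: $KEY is not mode 600"; rc=1; }
  # Cert and key must be a pair, or mod_ssl refuses to start the vhost.
  [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ] \
    || { echo "FAIL: $CRT does not match $KEY"; rc=1; }
  openssl x509 -in "$CRT" -noout -subject -ext subjectAltName | cert_covers_host "$host" \
    || { echo "FAIL: cert CN/SAN does not name $host"; rc=1; }
  openssl x509 -in "$CRT" -noout -checkend 86400 >/dev/null \
    || { echo "FAIL: cert expires within 24h"; rc=1; }
  for p in 80 443; do
    apachectl -S 2>/dev/null | vhost_routed "$host" "$p" \
      || { echo "FAIL: no VirtualHost for $host on :$p"; rc=1; }
  done
  [ $rc -eq 0 ] && echo "OK: safe to restart apache2"
  return $rc
}
if [ $# -gt 0 ]; then main "$@"; fi
```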
Skill drills
1. Debian command to enable an Apache site? `a2ensite <site>`
2. Apache command to dump its routing table? `apachectl -S`
3. What's the permission mode for an SSL private key file? 600 (owner read/write only)
4. What Apache directive sets the CN-matching name for a vhost? `ServerName`
5. OpenSSL command to generate a self-signed cert with a specific CN? `openssl req -x509 -subj '/CN=<name>' ...`
6. What module handles HTTPS in Apache? `mod_ssl`