Apache+SSL, PHP, and MySQL

General Information

I’m sure many of you have been wondering how people host secure sites using Secure Sockets Layer (SSL). nike air max 97 This guide will show you how to set up a web server with SSL, PHP, and MySQL support.


  • In order for public access to your website, you must have a valid domain name.
  • A text editor (for this guide we will use Nano)
  • Get a PHP web hosting


Section A — Apache+mod_ssl

First thing we need to do is install the Apache web server. Christian Louboutin Pas Cher Currently there are two main versions available: 1.3.x and 2.x. bottes ugg I will be teaching from the 1.3x branch, but many of the steps are the same for 2.x. asics gel lyte 3 Louboutin Pas Cher I will also make notes for those of you who choose to use the 2.x branch.

 # cd /usr/ports/www/apache13-modssl # make install distclean 

Apache now gets started on system boot from rc.conf so let’s add the respective entry:

 # echo 'apache_enable="YES"' >> /etc/rc.conf # echo 'apache_flags="-DSSL"' >> /etc/rc.conf 

Note: For Apache2 users: You only need to install the apache2 port, but then you have to manually create the directories for the SSL Certificate and Key.
 # cd /usr/ports/www/apache2 # make install distclean # echo 'apache2_enable="YES"' >> /etc/rc.conf # echo 'apache2_flags="-DSSL"' >> /etc/rc.conf # mkdir /usr/local/etc/apache2/ssl.key # mkdir /usr/local/etc/apache2/ssl.crt # chmod 0700 /usr/local/etc/apache2/ssl.key # chmod 0700 /usr/local/etc/apache2/ssl.crt 

Section B — MySQL

 # cd /usr/ports/databases/mysql41-server # make install WITH_OPENSSL=yes distclean # echo 'mysql_enable="YES"' >> /etc/rc.conf 

Take a break while it downloads, compiles, and installs. bottes timberland pas cher It’ll take about 45 minutes on a K6-2 350MHz.

Section C — PHP

 # cd /usr/ports/lang/php4 # make config 

You will be prompted to add module support. nike internationalist chaussure timberland femme At this time select the Apache support.

 # make install distclean # cd /usr/ports/lang/php4-extensions # make install distclean 

Now, when you get to the PHP configuration screen, you just need to check the OpenSSL box and leave the rest of the default values alone, unless you plan on installing other applications, such as the IMP Webmail, that require other PHP modules. chaussure asics nike dunk Time to take another break.

PHP should be installed by now. At the end of the installation, you will need to edit Apache’s configuration file to add two lines after all the “LoadModule” lines for PHP support.

 # nano -w /usr/local/etc/apache/httpd.conf AddType application/x-httpd-php .php AddType application/x-httpd-php-source .phps 


Section A — Create Certificate

It is now time to create your own certificate using the openssl utility. Now, you need to understand that one server can hold multiple certificates, but only one per listening IP address. ugg australia adidas pas cher So, if your server is listening on one IP address, you can only have one certificate for the server. timberland pas cher adidas pas cher All of your virtual domains can share the same certificate, but clients will get warning prompts when they connect to a secure site where the certificate does not match the domain name. If your server is listening on multiple IP addresses, your virtual hosts have to be IP-based — not name-based. This is something to consider when creating your certificate.

Change to any directory you would like to save your certficate in. ugg bailey bow I chose root’s home directory. We will then copy the necessary files to the correct directory later. new balance This way we have a back up in case something happens.

 # cd ~ # openssl genrsa -des3 -out server.key 1024 

You will be prompted to enter a password for this key. Remember it because we will need it later. Now we need to make a Certificate Signing Request (CSR) from the key we just generated.

 # openssl req -new -key server.key -out server.csr 

Enter your password you had used as this is where you get to enter all the fun information about the certificate, like your name and Fully Qualified Domain Name (FQDN). nike air max 2016 soldes Make sure you enter your FQDN for the “Common Name” portion. For example, if the certificate is for https://webmail.domain.tld/, then your CommonName should be webmail.domain.tld.

Alright, your certificate is ready to be signed. adidas adidas pas cher The following steps are to self-sign the certificate, but you could pay money and have it signed by Verisign or Thawte.

 # openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt 

Ok, your certificate is signed and valid for 365 days, which you could have changed if you wanted. basket new balance ugg pour homme pas cher adidas gazelle pas cher We now need to copy the files to the appropriate directory for Apache to use them.

 # cp ~/server.key /usr/local/etc/apache/ssl.key/ # cp ~/server.crt /usr/local/etc/apache/ssl.crt/ 

If you want to read more about SSL Certificates, you can read the FAQs at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#aboutcerts.

Note: Apache2 users: The correct permissions must be set.
 # chmod 0400 /usr/local/etc/apache2/ssl.key/server.key # chmod 0400 /usr/local/etc/apache2/ssl.crt/server.crt 

Section B — Configure VirtualHosts

VirtualHosts are neat because they allow you to host many domains on the same server and the same IP address. timberland chaussure For this example, we will make three VirtualHost entries — one for http and two for https (SSL).

This section will be modifying /usr/local/etc/apache/httpd.conf so you can pull that up in your favorite editor now. ffxiv Items The normal VirtualHosts can be placed at the beginning of the file for easy access and should be set up like this:

 ServerName domain.tld NameVirtualHost  ServerName domain.tld ServerAlias www.domain.tld ServerAdmin admin@domain.tld DocumentRoot /path/to/website/files  

Now at the bottom of httpd.conf, you should see a whole bunch of lines relating to SSL. Chaussures Adidas Insert the following line just before the default VirtualHost for SSL like this:


NameVirtualHost tells Apache that there are several virtual hosts under the same IP. nike air max 2017 So, at the bottom of httpd.conf you will want to put your VirtualHosts just before .

  ServerName domain.tld ServerAlias www.domain.tld ServerAdmin admin@domain.tld DocumentRoot /path/to/website/files SSLEngine on SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key  

Now, if you had a server listening on another IP address, you could set up another certificate for that IP address to use. buy bns gold asics soldes Then, your second VirtualHost could look like this:

  ServerName domain2.tld ServerAlias www.domain2.tld ServerAdmin admin@domain2.tld DocumentRoot /path/to/website/files SSLEngine on SSLCertificateFile /usr/local/etc/apache/ssl.crt/server2.crt SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server2.key  

If you notice, SSLCertificateFile and SSLCertificateKeyFile are only paths to the certificate and key. Just remember that you would have to use IP-based VirtualHosts, like we did, and not name-based.

Note: Apache2 users: All of your SSL configuration is in a separate file at /usr/local/etc/apache2/ssl.conf so edit that for your SSL-aware VirtualHosts.

Section C — Start Services

Your server is now ready to start MySQL and Apache with SSL.

 # /usr/local/etc/rc.d/mysql-server.sh start # /usr/local/sbin/apachectl startssl 

When you start apache with ssl, you will be prompted to enter that password you were supposed to remember. asics gel lyte 3 The reason for entering it everytime apache starts is because the RSA private key is stored in encrypted format. nike air pegasus You can remove the encryption to eliminate the password prompt if you would like, but it’s not recommended for security reasons. asics tiger If you removed the encryption and somebody was able to control your box, they could take your certificate and impersonate you. But, if you are annoyed by the password prompt and feel confident that your server is secure, these are the steps to remove the encryption:

 # cd /usr/local/etc/apache/ssl.key # cp server.key server.key.orig # openssl rsa -in server.key.orig -out server.key 

Point your favorite browser to https://domain.tld and you should have a 128-bit secure connection. nike air huarache soldes That’s all there is to setting up a standard web server with SSL support.

Speak Your Mind