June 28th, 2006, 04:01 PM
APACHE for Win32 with SSL support v 1.4
I wanted to be able to download documents from home at work without having to worry about them reading my files in transit.
Original document found at:
Version 1.2 (Up from 1.1 thanks to Mike Young)
Version 1.3 (TheHorse13)
Version 1.4 (Darius33)
This tutorial assumes that you know how to turn on a computer. Any existing apache configuration files will be overwritten during this tutorial. My advice is to back up and uninstall the old version.
If you see a command with quotes remove the outer-most set.
I always write like I'm talking to a kindergartener. I'm not demeaning you.
2. Needed Files
You will need the 2.2.2 apache .msi installer (Link #1), mainly to add it as a service without any hassle. (If you know what you are doing you can skip this step, but I recommend it.) You will also need a version of apache that has the mod_ssl.so extension enabled (Link #2), the windows binaries of openssl (Link #3), and the configuration file for openssl to make certs (Link #4).
Links to files.
3. Installing apache
Run apache_2.2.2-win32-x86-no_ssl.msi and set it to install into c:\apache; don't worry about any of the other settings. Double-click the apache monitor and check that apache is stopped. Then extract Apache_2.2.2-Openssl_0.9.8b-Win32.zip into the c:\apache directory, overwriting everything. Move openssl.cnf to c:\apache\conf .
4. Setting Up OpenSSL
Extract Openssl-0.9.8b-Win32.zip to c:\openssl
Open the system control panel and click the advanced tab. Click on the environment variables button at the bottom. In the window that pops up, check whether user variables has a path variable. If it doesn't, click new, then under variable name type path and under variable value type c:\openssl. If it already exists, click edit and add c:\openssl to the end, separated from the existing entries by a semicolon. Close the system windows.
To see if it is working, open a command shell (windows-key+R, type cmd and hit enter) and type openssl. You should get a response like "OpenSSL>". If not, there is an error somewhere. Type quit to exit openssl. Leave the command prompt open for the next step.
Note: I didn't have to copy libeay32.dll and ssleay32.dll to c:\windows\system32 (or c:\winnt\system32) like in the previous tutorial. If windows reports an error about missing either of these dlls, just copy them from c:\openssl to c:\windows\system32 or c:\apache\bin (windows looks in the directory that a program is called from first for a missing dll, but by copying them to the system32 directory they are available for any program that requires these dlls).
5. Creating a certificate
Open a command prompt. Type "cd \apache\conf" to change to the configuration directory for apache.
Type "openssl req -config openssl.cnf -new -out server.csr"
I don't recommend changing the name to anything else, as apache comes set up by default for this filename. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.com). The certificate belongs to this server name and browsers complain if the name doesn't match. If you don't have a domain name, set it to whatever you want. Remember the PEM pass phrase for later!
Type "openssl rsa -in privkey.pem -out server.key"
This removes the passphrase from the private key. You MUST understand what this means: server.key should be readable only by the apache server and the administrator. You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
Type "openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365"
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.
6. Configuring Apache and mod_ssl
Open c:\apache\conf\httpd.conf and locate the LoadModule directives. The last line in this part is "#LoadModule ssl_module modules/mod_ssl.so"; remove the # (comment character).
At the very bottom of the file is a line that says "#Include conf/extra/httpd-ssl.conf"; remove the # from it too. Save it and exit.
Open the httpd-ssl.conf file in the extra directory. Find the line that says "SSLMutex file:logs/ssl_mutex"; it's on the second page or so. Comment out that line by adding a # to the beginning of it. Add a line right below it that says "SSLMutex default".
7. Start it up!
Assuming that you followed all of these instructions you should now be able to start your server by left clicking on the apache monitor and selecting 2.2 and then start. The red square should shortly turn into a green triangle. If it doesn't you'll need to open another command shell to c:\apache\bin. Type "httpd" to start apache. It will give you a description of the error like:
Syntax error on line 108 of C:/Apache/conf/extra/httpd-ssl.conf:
SSLCertificateKeyFile: file 'C:/Apache/conf/server.key' does not exist or is empty
In this case you forgot to make your server key!
After fixing any errors, restart apache through the apache monitor. Next, open up your favorite browser and point it to https://127.0.0.1 . It should say "It works!".
8. Clean up.
Delete items one through three. They're not needed now. Also delete the .rnd file in C:\Apache\conf. If you want you can also delete server.csr and privkey.pem but I don't really think you should because it will create more work for you later when your cert expires.
9. Final notes.
If you are running anything that will be exposed to the internet, you need to make sure that a) you are firewalled and b) port 443 is open. Also, this server as configured will allow anyone to connect to it, so you should enable some sort of authentication (see http://httpd.apache.org/docs/2.2/howto/auth.html and http://httpd.apache.org/docs/2.2/howto/access.html).
I'd like to thank TheHorse13 for writing the last version of this; it helped me out immensely.
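A pre-flight check for the edits in sections 6 and 7, as an added example that is not part of the original tutorial: it parses conf/httpd.conf and conf/extra/httpd-ssl.conf under an apache root and reports the same "does not exist or is empty" condition that httpd prints, plus a key that still carries its passphrase. The function names and the constructed sample tree in demo() are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

def directives(text):
    """Yield (lower-cased name, argument) for each active (uncommented) line."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0][0] not in "#<":
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "").strip('"')

def audit(root):
    """Return the problems found in the SSL setup under an apache root."""
    root, problems = Path(root), []
    main = list(directives((root / "conf/httpd.conf").read_text()))
    if not any(n == "loadmodule" and a.split()[:1] == ["ssl_module"] for n, a in main):
        problems.append("LoadModule ssl_module is still commented out")
    if ("include", "conf/extra/httpd-ssl.conf") not in main:
        return problems + ["Include conf/extra/httpd-ssl.conf is still commented out"]
    ssl = dict(directives((root / "conf/extra/httpd-ssl.conf").read_text()))
    if ssl.get("sslmutex") != "default":
        problems.append("SSLMutex is not set to default")
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        arg = ssl.get(name.lower(), "")
        # Relative paths resolve against the server root; absolute ones are kept.
        target = root / arg
        if not arg or not target.is_file() or target.stat().st_size == 0:
            problems.append(f"{name}: file '{arg}' does not exist or is empty")
        elif "ENCRYPTED" in target.read_text(errors="ignore"):
            problems.append(f"{name}: key is still passphrase-protected")
    return problems

def demo():
    """Audit a constructed tree in which the 'openssl rsa' step was skipped."""
    with tempfile.TemporaryDirectory() as d:
        extra = Path(d, "conf", "extra")
        extra.mkdir(parents=True)
        Path(d, "conf", "httpd.conf").write_text(
            "LoadModule ssl_module modules/mod_ssl.so\n"
            "Include conf/extra/httpd-ssl.conf\n")
        (extra / "httpd-ssl.conf").write_text(
            "#SSLMutex file:logs/ssl_mutex\nSSLMutex default\n"
            "SSLCertificateFile conf/server.crt\n"
            "SSLCertificateKeyFile conf/server.key\n")
        Path(d, "conf", "server.crt").write_text("-----BEGIN CERTIFICATE-----\n")
        return audit(d)

if __name__ == "__main__":
    print(demo())
```

On the machine from this tutorial, call audit(r"c:\apache") before starting the service; an empty list means the section 6 edits and both certificate files are in place.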