Configure Apache to Support HTTPS

Introduction

This article assumes that you are using one of our TYPO3-on-AWS machine images in its default setup.

This document describes the steps required to configure Apache and the AWS Security Group (the instance's "firewall") to support encrypted communication between clients and your TYPO3-on-AWS server. HTTPS should be the standard today: it protects sensitive data such as credit card details, everything your users submit through forms, and the login credentials for the TYPO3 frontend and backend.

A certificate signed by a certificate authority that the end user's client (e.g. web browser) trusts is required to avoid warning messages. For the purposes of this article, however, we use a self-signed SSL certificate and private key generated on the system as an example.

Security Group

Log in to the AWS Management Console, select the region where your EC2 instance is located and go to EC2 ➜ Security Groups. Locate the Security Group used by the instance (you find its ID in the instance details under "Instances").

Click Edit ➜ Add Rule and change "Custom TCP Rule" to "HTTPS" in the dropdown box under "Type"; this sets the protocol to TCP and the port to 443. Leave the source set to "Anywhere" (0.0.0.0/0) for the time being. This allows everyone to reach your server via HTTPS; you may want to limit the source to a specific network later. Leave the existing SSH rule in place, otherwise you lock yourself out of the instance.

Save your changes.
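The same rule can be added with the AWS CLI, which is easier to repeat and to review than console clicks. The following is an added example and not part of the TYPO3-on-AWS documentation; the group ID is a placeholder, and the CLI must already be configured with credentials that may modify the group. It also shows what the console's "Anywhere" hides: IPv4 and IPv6 sources are separate fields in the rule.

```shell
#!/bin/sh
# Added example (not part of the TYPO3-on-AWS documentation): open TCP/443
# in a Security Group with the AWS CLI. Group ID and CIDRs are placeholders
# supplied by the caller.

# Print the --ip-permissions shorthand for an inbound TCP/443 rule from the
# given source CIDRs. IPv4 and IPv6 sources go into different fields
# (IpRanges vs. Ipv6Ranges); anything that is not a CIDR is rejected.
https_permission() {
    v4=""; v6=""
    for cidr in "$@"; do
        case "$cidr" in
            *:*/*) v6="${v6:+$v6,}{CidrIpv6=$cidr}" ;;
            *.*/*) v4="${v4:+$v4,}{CidrIp=$cidr}" ;;
            *) echo "not a CIDR: $cidr" >&2; return 1 ;;
        esac
    done
    perm="IpProtocol=tcp,FromPort=443,ToPort=443"
    [ -n "$v4" ] && perm="$perm,IpRanges=[$v4]"
    [ -n "$v6" ] && perm="$perm,Ipv6Ranges=[$v6]"
    printf '%s\n' "$perm"
}

# Apply the rule to GROUP_ID and then list what is open on port 443, so the
# change can be verified. Needs the AWS CLI; not called by the self-test.
authorize_https() {
    group="$1"; shift
    perm=$(https_permission "$@") || return 1
    aws ec2 authorize-security-group-ingress --group-id "$group" --ip-permissions "$perm"
    aws ec2 describe-security-groups --group-ids "$group" \
        --query 'SecurityGroups[0].IpPermissions[?ToPort==`443`]' --output table
}

# Usage on a machine with the AWS CLI (placeholder group ID):
#   authorize_https sg-0123456789abcdef0 0.0.0.0/0 ::/0
# To restrict access later, revoke the rule and re-authorize it with your own
# network only, e.g. authorize_https sg-0123456789abcdef0 203.0.113.0/24
```

The shorthand string is what the CLI expects for `--ip-permissions`; building it in one place makes "anywhere" an explicit pair of 0.0.0.0/0 and ::/0 rather than a console default.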

Configure Apache

Now log in at your EC2 instance via SSH as user "admin" and execute the following commands:

$ sudo -i

This switches from user "admin" to user "root". Then install the package ssl-cert, which is a simple wrapper around OpenSSL's certificate request utility:

$ apt install ssl-cert

Installing the package creates a self-signed certificate (/etc/ssl/certs/ssl-cert-snakeoil.pem) and private key (/etc/ssl/private/ssl-cert-snakeoil.key); the default SSL site configuration already refers to these two files. You can regenerate them manually with the following command if required, for example after the hostname of the instance has changed:

$ make-ssl-cert generate-default-snakeoil --force-overwrite

Then check whether the Apache module mod_ssl is already loaded:

$ /usr/sbin/apache2ctl -M

A list with all loaded modules appears. If ssl_module (shared) is NOT listed, enable it by executing the following command:

$ a2enmod ssl

The system suggests restarting Apache, but we will make some further configuration changes first. Open Apache's SSL site configuration with a text editor such as "vi" (any editor of your choice will do):

$ vi /etc/apache2/sites-available/default-ssl.conf

And make the following two changes:

  • Change the line <VirtualHost _default_:443> to <VirtualHost *:443>
  • Change the line DocumentRoot /var/www/html to DocumentRoot /var/www/default/htdocs

Further configuration changes are possible (e.g. path/filename of the SSL certificate and key, log level, etc.), but they are not required at this point. The certificate paths are covered in the section "Install A Valid SSL Certificate" below.

Save the updated configuration file and enable the SSL site:

$ a2ensite default-ssl

Now it is time to restart the Apache web server:

$ systemctl restart apache2
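The whole procedure from this section, as an added example that is not part of the TYPO3-on-AWS image or its documentation: the two edits to default-ssl.conf are made with sed instead of an editor, a backup of the file is kept, and Apache is only restarted after its own syntax check passes, because a typo in the configuration would otherwise leave the web server stopped. The document root /var/www/default/htdocs is the image's default from the text; everything else is standard Debian/Ubuntu Apache packaging. The demo function works on a constructed copy of the stock file so the editing logic can be checked without touching the server.

```shell
#!/bin/sh
# Added example (not part of the TYPO3-on-AWS image or documentation):
# enable HTTPS in Apache on a Debian/Ubuntu system non-interactively.

# Rewrite the VirtualHost and DocumentRoot lines of CONF in place, keeping a
# copy as CONF.bak (sites-available/*.bak is never included by Apache, only
# sites-enabled/*.conf is). Exit 0 only if both new lines are present.
patch_ssl_vhost() {
    conf="$1"; docroot="$2"
    cp -p "$conf" "$conf.bak" || return 1
    sed -e 's|^\([[:space:]]*\)<VirtualHost _default_:443>|\1<VirtualHost *:443>|' \
        -e "s|^\([[:space:]]*\)DocumentRoot .*|\1DocumentRoot $docroot|" \
        "$conf.bak" > "$conf" || return 1
    grep -q '^[[:space:]]*<VirtualHost \*:443>' "$conf" \
        && grep -q "^[[:space:]]*DocumentRoot $docroot\$" "$conf"
}

# The full procedure; run as root on the server. Not called by the self-test.
enable_https() {
    conf=/etc/apache2/sites-available/default-ssl.conf
    docroot=${1:-/var/www/default/htdocs}
    apt-get install -y ssl-cert          # creates the snakeoil cert and key
    a2enmod ssl                          # no-op if already enabled
    patch_ssl_vhost "$conf" "$docroot" || return 1
    a2ensite default-ssl
    if ! apache2ctl configtest; then
        echo "configuration error, Apache NOT restarted; see $conf.bak" >&2
        return 1
    fi
    systemctl restart apache2
    ss -ltn | grep -q ':443 ' || { echo "nothing listening on 443" >&2; return 1; }
}

# Self-check on a constructed fragment of the stock default-ssl.conf
# (constructed sample, not copied from a server): the two lines the steps
# above change, plus neighbours that must survive untouched.
demo_patch() {
    tmp=$(mktemp -d)
    printf '<IfModule mod_ssl.c>\n\t<VirtualHost _default_:443>\n\t\tServerAdmin webmaster@localhost\n\n\t\tDocumentRoot /var/www/html\n\n\t\tSSLEngine on\n\t\tSSLCertificateFile\t/etc/ssl/certs/ssl-cert-snakeoil.pem\n\t\tSSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\t</VirtualHost>\n</IfModule>\n' > "$tmp/default-ssl.conf"
    if patch_ssl_vhost "$tmp/default-ssl.conf" /var/www/default/htdocs \
       && ! grep -q '_default_' "$tmp/default-ssl.conf" \
       && grep -q 'SSLEngine on' "$tmp/default-ssl.conf" \
       && grep -q 'ssl-cert-snakeoil.key' "$tmp/default-ssl.conf"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage on the server (as root): enable_https /var/www/default/htdocs
```

The configtest step is the check worth keeping even if you edit the file by hand: `apache2ctl configtest` reports syntax errors without touching the running server, whereas a restart with a broken file stops Apache.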

Test Your Setup

Open a web browser on your local machine and try to access the server via HTTPS. You find the public DNS name of your server in the AWS Console under "Instances", for example:

https://ec2-123-45-67-89.compute-1.amazonaws.com

Make sure the URL starts with https://. Your browser will warn that the connection is untrusted, because the certificate is self-signed and its name does not match the host name you entered. Both are true, but the warning proves that the configuration changes you just made work in general. Well done.

Install A Valid SSL Certificate

The current setup provides an encrypted connection between clients and the server. However, it has two significant downsides for a production environment and both are related to the self-signed SSL certificate:

  1. The current SSL certificate does not match the domain name.
  2. The current SSL certificate is self-signed.

Therefore, you likely want to replace this certificate with a real one and assign a permanent domain name to your instance. The latter requires some DNS (Domain Name System) changes, which are not covered by this article.

In order to install a proper SSL certificate and its private key (which we assume you have already obtained from a certificate authority), transfer these files to the server. Our recommendation is to create a new directory under /etc/ssl/ (for example example.com/) and store the SSL files in it:

$ mkdir /etc/ssl/example.com

Assuming your SSL certificate file is example_com.cert and your SSL private key is example_com.key, the directory should look similar to this:

$ ls -l /etc/ssl/example.com/
total 8
-rw-r--r-- 1 root root 1245 Apr 21 07:11 example_com.cert
-rw------- 1 root root 1894 Apr 21 07:11 example_com.key

Note that the private key must be readable by root only; anyone who can read it can impersonate your server. Ensure this by executing the following command:

$ chmod 600 /etc/ssl/example.com/example_com.key

In the last step, adjust the following two path/filenames in Apache's SSL configuration file (/etc/apache2/sites-available/default-ssl.conf), save the file and restart Apache as before. If your certificate authority also supplied an intermediate certificate, append it to the certificate file after your own certificate: Apache 2.4.8 and later read the whole chain from SSLCertificateFile, and without the intermediate, browsers that do not already know it will still show a warning.

...
SSLCertificateFile /etc/ssl/example.com/example_com.cert
SSLCertificateKeyFile /etc/ssl/example.com/example_com.key
...
$ systemctl restart apache2
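Before restarting Apache with the new files, it is worth checking them the way the browser test above does, but locally and more precisely: is the certificate self-signed, is it valid for the domain, does the private key actually belong to it, and is the key mode 600? The following is an added example and not part of the TYPO3-on-AWS image or its documentation; it serves both the "Test Your Setup" section and this one, uses only openssl and standard POSIX tools, and takes all paths and the host name as arguments (the paths in the usage line are the example ones from the text). The last function fetches the certificate a live server presents so the same checks can be run after the restart.

```shell
#!/bin/sh
# Added example (not part of the TYPO3-on-AWS image or documentation):
# pre-flight checks for a certificate/key pair before it goes into
# default-ssl.conf. Each function exits 0 on success, non-zero otherwise.

# 0 if the certificate is self-signed (issuer equals subject), as the
# ssl-cert "snakeoil" certificate is; 1 for a CA-issued certificate.
cert_is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# 0 if the certificate is valid for HOST: a DNS name in subjectAltName, or,
# for certificates without that extension, the subject CN. Dots in HOST are
# escaped so they are not treated as regex wildcards.
cert_matches_host() {
    cert="$1"; host=$(printf '%s' "$2" | sed 's/\./\\./g')
    text=$(openssl x509 -noout -text -in "$cert")
    if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
        printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
            | grep -Eq "DNS:$host(,|\$)"
    else
        openssl x509 -noout -subject -in "$cert" | grep -Eq "CN ?= ?$host\$"
    fi
}

# 0 if KEY is the private key for CERT (identical public keys). This catches
# the common mistake of pairing a purchased certificate with the wrong key.
key_matches_cert() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if KEY is mode 600 (owner read/write only), as the text requires.
key_perms_ok() {
    set -- $(ls -l "$1")
    case "$1" in -rw-------*) return 0 ;; *) return 1 ;; esac
}

# Write the certificate served on HOST:443 to OUT, so the checks above can be
# run against the live server after the restart (needs network access).
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# Run all checks for CERT, KEY and HOST; non-zero if any of them fails.
preflight() {
    cert="$1"; key="$2"; host="$3"; ok=0
    if cert_is_self_signed "$cert"; then echo "WARN: $cert is self-signed"; ok=1; fi
    cert_matches_host "$cert" "$host" || { echo "FAIL: $cert is not valid for $host"; ok=1; }
    key_matches_cert "$cert" "$key"   || { echo "FAIL: $key does not match $cert"; ok=1; }
    key_perms_ok "$key"               || { echo "FAIL: $key must be mode 600"; ok=1; }
    return $ok
}

# Usage with the example paths from the text (host name is a placeholder):
#   preflight /etc/ssl/example.com/example_com.cert /etc/ssl/example.com/example_com.key www.example.com
#   fetch_server_cert www.example.com /tmp/served.pem && cert_matches_host /tmp/served.pem www.example.com
```

Running preflight against the snakeoil pair from ssl-cert reports exactly the two downsides listed above (self-signed, name mismatch), which is a quick way to confirm the checks themselves before trusting them on the real certificate.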

Further Resources