Setting up Apache 2.4 to use https only

With a free SSL certificate in hand from StartSSL we need to configure Apache to use the certificate and serve all content over HTTPS. (StartSSL has since shut down and its certificates are no longer trusted by browsers, but the Apache steps below are the same for a certificate from any CA.) The examples are for Apache 2.4.x; older versions will require some slight adjustments.

Start by moving the necessary key and certificates to the server. I use SFTP to do this sort of thing, transferring the contents of the folder I saved the files in when generating the certificate. Create a directory for the files, such as /etc/apache2/ssl/, on the server. The private key is the one secret in this setup (the certificate and chain are public), so make it owned by root and readable only by its owner (mode 600); Apache reads the key as root at startup, so nothing else needs access to it. Make note of what you called the directory; you’ll need that path later.

With the files in place it’s time to move on to configuring Apache. Apache needs some modules to deal with SSL and the other security settings used below. Make sure that the ssl, rewrite, headers, and env modules are enabled in your Apache config (on Debian and Ubuntu: a2enmod ssl rewrite headers env). Restart Apache to get the new modules running.

I recommend using the Mozilla SSL Configuration Generator to generate a skeleton virtual host config file. You tell it what version of Apache you have and it gives you a block of text that will get you started. Add the copied text to the default.conf file in Apache; this adds the SSL virtual host to the default configuration of the web server. Yes, the file will have 2 virtual hosts in it, one listening on port 80 and one on port 443. That’s ok. Edit the pasted text so the SSLCertificateFile, SSLCertificateKeyFile and chain directives point to the files you uploaded to the server. Add the same path and directory information you have in the port 80 virtual host (DocumentRoot, Directory blocks, logs) into the 443 virtual host. This assures that both servers are looking in the same spot for the same things. Save the file, run apache2ctl configtest to catch typos, and restart Apache for it to take effect.

At this point you should be able to access the same content at either http:// or https://. The final step is to redirect all http:// traffic to https:// so only encrypted traffic is served. This requires editing the default.conf file one more time. This time you’ll make changes to the port 80 virtual host by commenting out all of the lines that follow the ServerName and ServerAdmin directives, so nothing is served in clear text. Then add the line Redirect permanent / https://www.example.com/ (using your own hostname; Redirect needs the full target URL, not just a path) to the port 80 virtual host and save the file. Restart Apache one more time. Now accessing http:// will redirect you right to https://, so you have only secure access to your site. You can verify it with curl -I http://www.example.com/: the response should be a 301 with a Location: header pointing at the https:// URL.
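The whole procedure above, as an added example that is not part of the original post: a shell script that writes the finished default.conf (both virtual hosts, with the port 80 host reduced to a redirect), refuses to continue if the private key is readable by anyone but its owner, syntax-checks the config and restarts Apache. It assumes a Debian/Ubuntu layout (a2enmod, apache2ctl, /etc/apache2/sites-available/000-default.conf); the hostname www.example.com, the admin address, the DocumentRoot, the certificate file names, the SSLProtocol line and the HSTS header are all assumptions, not values from the post, so override the variables or edit them before use. Without the `install` argument it only prints the config it would write.

```shell
#!/bin/sh
# Added example, not from the original post: build the finished default.conf
# described above, check it, and restart Apache. Assumes a Debian/Ubuntu
# layout (a2enmod, apache2ctl, /etc/apache2). Hostname, admin address,
# document root and certificate file names are placeholders (assumptions).
set -eu

SITE_HOST="${SITE_HOST:-www.example.com}"          # assumed hostname
SITE_ADMIN="${SITE_ADMIN:-webmaster@example.com}"  # assumed contact address
DOC_ROOT="${DOC_ROOT:-/var/www/html}"              # assumed DocumentRoot
SSL_DIR="${SSL_DIR:-/etc/apache2/ssl}"             # directory from the upload step
CONF_PATH="${CONF_PATH:-/etc/apache2/sites-available/000-default.conf}"

# Print the complete default.conf: a port 80 host that only redirects and a
# port 443 host that serves the content.
render_default_conf() {
    cat <<EOF
<VirtualHost *:80>
    ServerName ${SITE_HOST}
    ServerAdmin ${SITE_ADMIN}
    # Nothing is served in clear text; every request goes to the HTTPS host.
    Redirect permanent / https://${SITE_HOST}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${SITE_HOST}
    ServerAdmin ${SITE_ADMIN}
    DocumentRoot ${DOC_ROOT}

    SSLEngine on
    # Placeholder file names: use the ones you uploaded. Since Apache 2.4.8 the
    # intermediate chain can be appended to SSLCertificateFile instead of
    # using SSLCertificateChainFile.
    SSLCertificateFile      ${SSL_DIR}/${SITE_HOST}.crt
    SSLCertificateKeyFile   ${SSL_DIR}/${SITE_HOST}.key
    SSLCertificateChainFile ${SSL_DIR}/chain.pem

    # Protocol settings in the spirit of the Mozilla generator (assumed values;
    # regenerate them for current recommendations).
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCompression off

    # Once a browser has followed the redirect, HSTS keeps it on HTTPS for
    # six months without asking again (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=15768000"

    <Directory ${DOC_ROOT}>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

# The private key is the only secret here: refuse to continue if anyone but
# its owner can read it. Returns 0 for mode 600/400, 1 otherwise.
check_key_permissions() {
    key="$1"
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "private key $key has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Enable the modules, lock down the key, write the config, syntax-check it
# and restart. Run as root: sh https-only.sh install
install_site() {
    a2enmod ssl rewrite headers env
    chown root:root "${SSL_DIR}/${SITE_HOST}.key"
    chmod 600 "${SSL_DIR}/${SITE_HOST}.key"
    check_key_permissions "${SSL_DIR}/${SITE_HOST}.key"
    render_default_conf > "${CONF_PATH}"
    apache2ctl configtest          # never restart on a config that fails to parse
    systemctl restart apache2
}

case "${1:-}" in
    install) install_site ;;
    *) render_default_conf ;;      # dry run: print the config that would be written
esac
```

The port 80 host deliberately has no DocumentRoot or Directory block, so a misconfigured rewrite cannot accidentally serve content in clear text; the 443 host carries everything else. The HSTS header only helps after the first visit, which is why the redirect stays in place rather than being replaced by it.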