Many of our customers host SugarCRM on Apache on CentOS. We strongly recommend enabling HTTPS in any production environment and I’d like to share the steps to enable this.
In this post we will use a signed SSL certificate, not a self-signed one, but in theory the steps are rather similar.
If you are using a self-signed certificate, you should know how to generate the certificate and the key.
You must install the mod_ssl module for Apache and enable it.
If you haven’t, you can simply run this command to install it:
yum -y install mod_ssl openssl
Once the installation is done, the next step would be to enable SSL in httpd.conf.
Installing those two components automatically creates a file called ssl.conf in /etc/httpd/conf.d/
This file contains the SSL settings and also the default SSL virtual host.
Personally I don’t like having the virtual host definition inside ssl.conf, so I move it to httpd.conf or create a separate configuration file named vhost.conf or something along those lines.
Don’t forget to set up the listener so that it listens on port 443. If you see #Listen 443 in ssl.conf, remove the pound sign.
Extract the certificate files and place them in /etc/pki/tls/private/
If there is no private folder then create one by running this:
Create a virtual host file which contains the following:
<VirtualHost SERVERIPADDRESSHERE_OR_A_WILDCARD:443>
    # Turn on TLS for this virtual host and point it at the certificate and key
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/private/xxx.cert
    SSLCertificateKeyFile /etc/pki/tls/private/xxx.key
    <Directory "/var/www/html/YOURWEBSITEFOLDER">
        # AllowOverride All lets the application's .htaccess file take effect
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    DocumentRoot /var/www/html/YOURWEBSITEFOLDER
    ServerName yourwebsite.domainname.com
    LogLevel error
</VirtualHost>
If you use a separate virtual host config file, make sure you save it under the /etc/httpd/conf.d/ folder, because the configuration will be loaded automatically.
If you saved the file elsewhere make sure you include that file in httpd.conf by doing the following:
You need to be precise with the DocumentRoot definition in the virtual host file.
If you put the website folder name in the DocumentRoot then the way to access the site would be
But if you don’t include the website folder in the DocumentRoot definition then you have to access the site this way:
In most cases you want to do the former rather than the latter.
The Directory tag in the virtual host configuration file differs from website to website; in this case I used an example from the SugarCRM website.
In SugarCRM I have to use AllowOverride All in order to create the .htaccess file. If you set up a SugarCRM server and put the website folder name in the DocumentRoot definition, make sure you update the RewriteBase rule: open the .htaccess file in the SugarCRM root folder and change RewriteBase from /yourwebsitefolder to just a forward slash (/).
Bounce Apache to pick up the new changes:
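Before restarting Apache, it is worth confirming that the private key placed in /etc/pki/tls/private/ is not readable by other users and that it really is the key for the certificate named in SSLCertificateFile. The script below is an added example, not part of the original steps; its function names are hypothetical, it assumes openssl and GNU stat (both present on CentOS), and the two file paths are passed as arguments.

```bash
#!/bin/bash
# Added example: sanity checks for the files named in SSLCertificateFile and
# SSLCertificateKeyFile. Function names are hypothetical, not from the post.

# True only if the private key grants no permissions to group or others.
key_mode_ok() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# True only if the certificate and the private key carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check, report each failure, return non-zero if any failed.
check_tls_pair() {
    rc=0
    key_mode_ok "$2" || { echo "FAIL: $2 is accessible to group/others"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $1 is expired or unreadable"; rc=1; }
    return "$rc"
}

# Usage: ./check_tls.sh /etc/pki/tls/private/xxx.cert /etc/pki/tls/private/xxx.key
# Apache's own syntax check runs only if the certificate checks pass.
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2" && apachectl configtest
fi
```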
service httpd restart
Add port 443 to the firewall rule and reload the firewall service
firewall-cmd --zone=public --add-port=443/tcp --permanent
Check whether the port has been added to iptables and whether port 443 is listening:
iptables-save | grep 443
netstat -plnt | grep ':443'
The only assumption in this blog is that you have admin/root permissions.
That’s it for today. I hope you find this blog post informative!