Apache’s TLS/SSL configuration is less about enabling HTTPS and more about making it the only way clients can talk to your server.
Let’s say you’ve got a basic Apache setup serving content on port 80. To enable HTTPS, you need to:
- Obtain an SSL/TLS Certificate: This is your digital ID. You can get one from a Certificate Authority (CA) like Let’s Encrypt (free, automated), DigiCert, or Comodo. For this example, we’ll assume you have a certificate and its corresponding private key. Let’s say they are `your_domain.crt` and `your_domain.key` respectively, located in `/etc/ssl/certs/` and `/etc/ssl/private/`.
- Enable the SSL Module: Apache often ships with the `mod_ssl` module disabled. You need to turn it on.

  ```bash
  sudo a2enmod ssl
  sudo systemctl restart apache2
  ```

  The first command tells Apache to load the SSL module; the restart makes the running server pick up the new module.
- Configure a Virtual Host for HTTPS: You’ll create a new virtual host configuration file, or modify an existing one, to listen on port 443 and use your SSL certificate. Create a new file, e.g., `/etc/apache2/sites-available/your_domain-ssl.conf`:

  ```apache
  <IfModule mod_ssl.c>
      <VirtualHost *:443>
          ServerAdmin webmaster@your_domain.com
          ServerName your_domain.com
          ServerAlias www.your_domain.com
          DocumentRoot /var/www/your_domain

          ErrorLog ${APACHE_LOG_DIR}/your_domain-error.log
          CustomLog ${APACHE_LOG_DIR}/your_domain-access.log combined

          SSLEngine on
          SSLCertificateFile /etc/ssl/certs/your_domain.crt
          SSLCertificateKeyFile /etc/ssl/private/your_domain.key

          # Optional: HSTS (HTTP Strict Transport Security). The Header directive needs
          # mod_headers (sudo a2enmod headers). "preload" signals that the domain may be
          # added to browser preload lists, which is hard to undo; drop it unless you intend that.
          Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

          # Optional: TLS Protocol and Cipher Suite configuration for security
          SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
          SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

          # Expose SSL_* variables to CGI/PHP scripts
          <FilesMatch "\.(cgi|shtml|phtml|php)$">
              SSLOptions +StdEnvVars
          </FilesMatch>
          <Directory /var/www/your_domain/cgi-bin>
              SSLOptions +StdEnvVars
          </Directory>
      </VirtualHost>
  </IfModule>
  ```

  Then, enable this new site configuration:

  ```bash
  sudo a2ensite your_domain-ssl.conf
  sudo systemctl reload apache2
  ```
- Redirect HTTP to HTTPS (Crucial): To ensure all traffic uses HTTPS, you need to redirect requests coming to port 80 to port 443. You can do this by modifying your original HTTP virtual host file (`/etc/apache2/sites-available/your_domain.conf`):

  ```apache
  <VirtualHost *:80>
      ServerName your_domain.com
      ServerAlias www.your_domain.com
      Redirect permanent / https://your_domain.com/
  </VirtualHost>
  ```

  After saving this, reload Apache again:

  ```bash
  sudo systemctl reload apache2
  ```
Now, when a browser requests http://your_domain.com, Apache will respond with a 301 (Moved Permanently) redirect to https://your_domain.com. The browser will then automatically attempt to connect using HTTPS on port 443.
The `SSLEngine on` directive is the core switch that tells Apache to start handling SSL/TLS connections for this virtual host. `SSLCertificateFile` points to your public certificate, and `SSLCertificateKeyFile` points to your private key. The browser uses the public certificate to verify your server’s identity; the private key (which is kept secret on the server and never sent to the client) is what lets the server prove during the handshake that it owns that certificate and then establish the encrypted connection. The `SSLProtocol` and `SSLCipherSuite` directives are critical for modern security, disabling older, vulnerable protocols like SSLv3 and TLSv1.0/1.1, and preferring strong, modern cipher suites for encryption.
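Before reloading Apache, it is worth checking that a pair of virtual hosts actually carries this hardening. The following Python audit is an added example, not part of the original tutorial: it parses the `<VirtualHost>` blocks, applies the `SSLProtocol` token rules to find legacy protocols that are still enabled, and flags a missing HSTS header or a port-80 vhost that never redirects. The two sample configs are constructed from the tutorial, and the set of protocols that `all` expands to is a simplified assumption (real Apache builds depend on the OpenSSL version).

```python
import re
# Constructed sample configs (not a real server): the tutorial's hardened vhost pair, and a weak variant that leaves TLS 1.0/1.1 on, sets no HSTS header and never redirects port 80.
GOOD_CONF = """<VirtualHost *:443>
    SSLEngine on
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
<VirtualHost *:80>
    Redirect permanent / https://your_domain.com/
</VirtualHost>"""
WEAK_CONF = """<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www/your_domain
</VirtualHost>"""
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # assumed expansion of 'all' (simplified)
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}                      # the protocols the tutorial disables

def parse_vhosts(text):
    """Yield (port, [[directive, args], ...]) per <VirtualHost *:port>; comment and tag lines are skipped."""
    for m in re.finditer(r"<VirtualHost\s+[^>]*:(\d+)>(.*?)</VirtualHost>", text, re.S):
        lines = [l.strip() for l in m.group(2).splitlines()]
        yield int(m.group(1)), [(l.split(None, 1) + [""])[:2] for l in lines if l and l[0] not in "#<"]

def enabled_protocols(spec):
    """Apply SSLProtocol token rules: 'all' expands, '-X' removes, 'X' or '+X' adds."""
    enabled = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        members = ALL if name == "all" else {name}
        enabled = enabled - members if tok.startswith("-") else enabled | members
    return enabled

def audit(text):
    """Return findings for the vhosts in text; an empty list means the tutorial's hardening is in place."""
    findings = []
    for port, directives in parse_vhosts(text):
        by_name = dict(directives)  # last occurrence wins, as in Apache
        if port == 443:
            if by_name.get("SSLEngine", "").lower() != "on":
                findings.append("443: SSLEngine is not on")
            # A missing SSLProtocol falls back to the server default, so assume 'all' to surface the gap.
            for old in sorted(enabled_protocols(by_name.get("SSLProtocol", "all")) & LEGACY):
                findings.append(f"443: legacy protocol {old} still enabled")
            if not any(n == "Header" and "Strict-Transport-Security" in a for n, a in directives):
                findings.append("443: no HSTS header")
        elif port == 80 and not any(n in ("Redirect", "RedirectMatch", "RewriteRule") and "https://" in a for n, a in directives):
            findings.append("80: no redirect to https")
    return findings
```

Run `audit(open("/etc/apache2/sites-enabled/your_domain-ssl.conf").read())` against your own file; it is a static check only, so still confirm the live behaviour with a TLS scanner after reloading.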
You might then encounter issues with mixed content warnings if your HTTPS pages try to load resources (images, scripts, CSS) over HTTP.