HOW TO CONFIGURE APACHE FOR MOD-SSL
		===================================

0. INTRODUCTION

   Installing mod_ssl alone is not enough to get it working. This module
   adds a lot of new directives to Apache, and it's very hard to write
   a configuration utility that would enable or disable the SSL functionality
   automatically.

   So, here's a description how to configure mod_ssl the old-fashioned
   way: manually.

1. CERTIFICATES

   First, you need to have a certificate for your server. A lot of general
   info about this can be found in the mod-ssl documentation which you
   should be able to access as:

	http://localhost/doc/libapache-mod-ssl-doc/html/

   To create a test certificate, you can enter the command (as root):

	# mod-ssl-makecert

   This will ask you a few questions, and then create a private key, a
   certificate and a certificate-request in /etc/apache/ssl.*/server.*

2. ADDING GLOBAL OPTIONS

   Now you should edit /etc/apache/httpd.conf. Look for the "LoadModule"
   statement, and add the following line at the end of the list:

	LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

   You probably also want to enable the "setenvif" module. Locate it in
   the LoadModule list (it should already be present) and uncomment it.

   Now Find the "Listen" directive and add the following lines if not
   already present:

	<IfModule mod_ssl.c>
	Listen 80
	Listen 443
	</IfModule>

   This will make apache listen to port 443 in addition to the standard
   port 80. Https requests use port 443. Note that we surround the
   directives with <IfModule> .. </Ifmodule>, so that Apache will keep
   a valid configuration even if mod_ssl is ever removed.

   Now go to a place at the end of the configuration, just before the
   <VirtualHost> sections, and insert the configuration fragment from
   /usr/share/doc/libapache-mod-ssl-doc/mod-ssl.conf. This is the global
   configuration for mod_ssl.

3. ADDING PER-VHOST OPTIONS

   There are a lot of options that can be set for each virtual host.
   You need to add a _new_ virtualhost for each virtualhost you want to
   enable SSL on. It should be named as <VirtualHost host.domain.com:443>,
   and be a copy of the normal virtualhost, with the SSL options added.

   If you don't have a virtual host but just one default server, you
   should call this new virtualhost <VirtualHost _default_:443>.

   Note that name-based virtual hosting does _not_ work with SSL enabled
   vhosts, you need to have a separate IP alias for each SSL vhost.

   Normally, you'd just use the following options:

   <VirtualHost newvhost.domain.org:443>
   ... standard directives such as DocumentRoot, Logfile, ErrorLog here ...
   <IfModule mod_ssl.c>
   SSLEngine on
   SSLCertificateFile    /etc/apache/ssl.crt/server.crt
   SSLCertificateKeyFile /etc/apache/ssl.key/server.key
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   </IfModule>
   </VirtualHost>

   For all possible options, see the mod_ssl manual. There is a fully commented
   vhost example in /usr/share/doc/libapache-mod-ssl-doc/sample-vhost.conf

4. RELOAD APACHE

   Stop and start apache with /etc/init.d/apache stop;/etc/init.d/apache start.
   Using /etc/init.d/apache reload or restart will NOT work!
   If everything went well, you should be able to connect to a HTTP enabled
   host at https://your.web.server/.


	README.Debian for mod-ssl   1.00  26-Apr-1999  miquels@cistron.nl