I just set up a new Icinga 2 monitoring environment using zones and all the goodies, and while it may be a trivial thing to set it up with Apache and mod_ssl, it always involves the same overhead effort to browse through. So better to write it down as a shortcut for myself and you.
This short guide shows how to make Icinga Web 2 work with Apache using SSL encryption and redirecting users from HTTP to HTTPS. I am using CentOS 7, but this should carry over directly to Red Hat 7 and, with a little effort, to other distros too.
Install mod_ssl and openssl.
yum install mod_ssl openssl
Remove ssl.conf, as we will set everything up in the icingaweb conf file. Better to keep custom stuff in one place.
rm /etc/httpd/conf.d/ssl.conf
Place the certificates in their respective locations under /etc/pki, then put the following configuration in the icingaweb conf file.
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:80>
    ServerName icinga.mydomain.com
    Redirect permanent / https://icinga.mydomain.com/
</VirtualHost>
<VirtualHost _default_:443>
    ServerName icinga.mydomain.com
    DocumentRoot "/var/www/html"
    Alias /icingaweb2 "/usr/share/icingaweb2/public"
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/pki/tls/certs/yourcert.crt
    SSLCertificateKeyFile /etc/pki/tls/private/yourkey.key
    SSLCACertificateFile /etc/pki/tls/certs/yourca.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <IfVersion < 2.4>
        # Forward PHP requests to FPM
        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
        <LocationMatch "^/icingaweb2/(.*\.php)$">
            ProxyPassMatch "fcgi://127.0.0.1:9000/usr/share/icingaweb2/public/$1"
        </LocationMatch>
    </IfVersion>
    <Directory "/usr/share/icingaweb2/public">
        Options SymLinksIfOwnerMatch
        AllowOverride None
        DirectoryIndex index.php
        <IfModule mod_authz_core.c>
            # Apache 2.4
            <RequireAll>
                Require all granted
            </RequireAll>
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order allow,deny
            Allow from all
        </IfModule>
        SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
        EnableSendfile Off
        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteBase /icingaweb2/
            RewriteCond %{REQUEST_FILENAME} -s [OR]
            RewriteCond %{REQUEST_FILENAME} -l [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^.*$ - [NC,L]
            RewriteRule ^.*$ index.php [NC,L]
        </IfModule>
        <IfModule !mod_rewrite.c>
            DirectoryIndex error_norewrite.html
            ErrorDocument 404 /icingaweb2/error_norewrite.html
        </IfModule>
        <IfVersion >= 2.4>
            # Forward PHP requests to FPM
            SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
            <FilesMatch "\.php$">
                SetHandler "proxy:fcgi://127.0.0.1:9000"
                ErrorDocument 503 /icingaweb2/error_unavailable.html
            </FilesMatch>
        </IfVersion>
    </Directory>
</VirtualHost>
Check the config, restart Apache and test with your browser at https://icinga.yourdomain.com/icingaweb2
apachectl configtest
apachectl restart
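The 443 vhost above still accepts TLS 1.0 and 1.1 (SSLProtocol all only drops SSLv2 and SSLv3), and its cipher string explicitly enables 3DES. A stricter set of directives for the same vhost follows as an added example that is not part of the original post; it assumes the stock CentOS 7 httpd 2.4 built against OpenSSL 1.0.2 (so TLS 1.2 is the newest protocol available) with mod_headers loaded.

```apache
# Added example: replacements for the TLS lines inside
# <VirtualHost _default_:443>. Assumes httpd 2.4 on CentOS 7 with
# OpenSSL 1.0.2 and mod_headers loaded.

# Original:  SSLProtocol all -SSLv2 -SSLv3
# "all" still leaves TLS 1.0 and TLS 1.1 enabled; allow TLS 1.2 only.
SSLProtocol -all +TLSv1.2

# Original:  SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
# The explicit 3DES term enables a 64-bit block cipher (Sweet32).
# Exclude it instead, and let the server's preference order decide.
SSLCipherSuite HIGH:!3DES:!aNULL:!MD5:!SEED:!IDEA
SSLHonorCipherOrder on

# TLS-level compression leaks plaintext length (CRIME); keep it off explicitly.
SSLCompression off

# The port-80 vhost can only redirect after a first cleartext request.
# HSTS tells returning browsers to use https directly for the next year.
Header always set Strict-Transport-Security "max-age=31536000"
```

After changing these lines, rerun apachectl configtest and restart Apache.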
All comments and corrections are welcome.