A
Arun's Blog
← Back to all posts

Securing Your Web Server: Harnessing the Power of Apache on Windows with SSL

WebserverWindowsSecurity
TL;DR

Install Apache on Windows using PowerShell, configure it as a service, then enable HTTPS by extracting certificates from a PFX file using OpenSSL and configuring mod_ssl in Apache's httpd.conf and httpd-ssl.conf files.

Introduction

Apache is one of the most popular web servers available today. Originally designed for use on Unix-based systems, Apache can now be installed on a variety of platforms, including Windows. While many users may assume that Apache is only suitable for Linux or Unix environments, there maybe reasons and benefits to installing Apache on a Windows machine.

In this blog post, we'll explore how to run Apache on a Windows system. Whether you're a developer, a system administrator, or simply looking to host a website on your Windows PC, understanding the steps of Apache installation and configuration on a Windows Server can help you make an informed decision about whether it's the right choice for your needs. So, let's dive in and take a closer look at Apache on Windows.

Workflow

Download and Extract Apache

Please note all commands are done in PowerShell.

  • Download Apache
    • start-bitstransfer https://www.apachelounge.com/download/VS17/binaries/httpd-2.4.56-win64-VS17.zip
  • Extract zip file
    • expand-archive httpd-2.4.56-win64-VS17.zip
  • Copy Apache directory to your desired location
    • copy-item -path ".\httpd-2.4.56-win64-VS17\Apache24" -Destination "C:\Apache24" -recurse
Note

Apache from ApacheLounge requires the Visual C++ Redistributable for Visual Studio to be installed. Download and install the appropriate version (VS17 = Visual Studio 2022) if Apache fails to start.

Install and Run Apache on Port 80

  • Move to the bin directory of Apache
    • cd c:\apache24\bin
  • Install Apache as a service with your desired service name (e.g. arunapache)
    • .\httpd.exe -k install -n "arunapache"
  • Confirm service has been created
    • get-service arunapache
  • From another machine, confirm you can browse to the IP address of the server hosting Apache. You should see the 'It works' page
Important

Ensure Windows Firewall allows inbound connections on port 80 (HTTP) and port 443 (HTTPS). Create firewall rules if the default Apache test page is not accessible from other machines.

Configure and Run Apache on Port 443

Please note I will not go into how to obtain a pfx file, nor installation of OpenSSL.

Export Files from PFX

  • Create a key to use to export only the private key. In the example below i have a pfx file called arunssl.pfx and i am exporting the private key (myexport.key). You will be asked for the password for the pfx file and then you will be asked to create your own passphrase (twice) for the myexport.key file
    • openssl pkcs12 -in arunssl.pfx -cacerts -out myexport.key
  • Using the export key (myexport.key), you will export the decrypted private key (server.key). You will be asked to input your passphrase you stated when exporting the myexport.key
    • openssl rsa -in myexport.key -out server.key
  • Export only the certificate file (server.crt) from the pfx file (arunssl.pfx). You will be asked for the password for the pfx file
    • openssl pkcs12 -in arun.pfx -clcerts -nokeys -out server.crt
  • Export the chain of certificates under one file (server-ca.crt) from the pfx file (arunssl.pfx) without including the private key. You will be asked for the password for the pfx file
    • openssl pkcs12 -in arunssl.pfx -chain -nokeys -out server-ca.crt
Pro Tip

Keep your private key (server.key) secure with restricted file permissions. Never commit private keys to version control or share them over insecure channels.

Copy Files to Apache Root

  • Copy the three files created (server.key, server.crt, and server-ca.crt) to the Apache Server root directory (C:\Apache24)
    • copy server.key, server.crt, server-ca.crt c:\Apache24\

Configure Apache for HTTPS

  • Open httpd.conf from the conf directory
    • notepad C:\Apache24\conf\httpd.conf
  • Find and uncomment the following lines (remove the hash mark, #)
    • LoadModule ssl_module modules/mod_ssl.so
    • Include conf/extra/httpd-ssl.conf
  • If you named any of the exported files to anything else, you will have to modify the httpd-ssl.conf file located in C:\Apache24\conf\extra\httpd-ssl.conf file. The lines you will have to modify are:
    • SSLCertificateFile - this is the location of your server crt file
    • SSLCertificateKeyFile - this is the location of your private key
    • SSLCertificateChainFile - this is the location of your chain certificate file
  • Restart the Apache service (e.g. arunapache)
    • restart-service arunapache
  • From another machine, confirm you can browse to the IP address of the server hosting Apache on https port. You should see the 'It works' page along with the page showing the certificate being used.
Note

If Apache fails to start after enabling SSL, check the error log at C:\Apache24\logs\error.log. Common issues include incorrect file paths, password-protected private keys, or mismatched certificate and key pairs.

Conclusion

In this blog post, we'll explored how to run Apache on a Windows system. Although made for Unix/Linux in the past, Apache has grown leaps and bounds in popularity where no longer is it limited to those operating systems. As you can see, the steps to run a webserver is straightforward and to have it secure via SSL, the steps are not at all rocket science.

In conclusion, installing Apache on Windows can bring numerous benefits to web developers and website administrators alike. By leveraging Apache's robust and versatile server capabilities, users can enjoy faster page load times, improved website security, and greater flexibility in configuring their web server environment. Additionally, Apache's compatibility with a wide range of web development technologies makes it an ideal choice for those who require a powerful and customizable web server platform. So, whether you're running a small personal website or managing a large-scale enterprise application, installing Apache on Windows is a smart choice that can help you optimize your web infrastructure and achieve your online goals more effectively.

Troubleshooting

Issue Possible Cause Solution
Apache service fails to start Visual C++ Redistributable not installed Download and install the Visual C++ Redistributable for the version matching your Apache build (VS17 = 2022, VS16 = 2019).
"Cannot load mod_ssl" error OpenSSL DLLs missing or wrong version Ensure libeay32.dll and ssleay32.dll (or libcrypto/libssl for newer versions) are in the Apache bin folder or system PATH.
"Certificate and private key do not match" Wrong certificate or key file exported Re-export the certificate and key from the PFX file. Verify they match using: openssl x509 -noout -modulus -in server.crt | openssl md5 and compare with the key.
Browser shows "Connection not secure" Certificate chain incomplete or self-signed Ensure SSLCertificateChainFile points to the intermediate CA certificates. Verify the full chain with openssl s_client -connect localhost:443.
Port 443 already in use Another service using HTTPS port Check what's using the port with netstat -ano | findstr :443. Stop the conflicting service or configure Apache to use a different port.