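#!/usr/bin/env bash
# Setup notes: Apache httpd + PHP + self-signed TLS on a Debian/Ubuntu host,
# plus an optional directory for a DNS-management app.
#
# This is an ordered list of admin steps, not an unattended script: the apt-get
# calls prompt for confirmation, one install is conditional on the dpkg check
# before it, and the default-ssl.conf edit is done by hand. For that reason it
# deliberately does not enable 'set -e'. Run as root (the apt-get lines carry
# no sudo; only the final optional section uses it).

# Install Apache httpd server
# ---------------------------
apt-get install apache2
# verify it's configured OK
apache2ctl configtest
# Check httpd version and installed modules
apache2ctl -v
apache2ctl -M

# Installing PHP
# --------------
# couldn't install php from existing repos, added this one to install it:
# NOTE(review): ppa:ondrej/php is a third-party repository, i.e. packages from
# outside the distribution's own trust chain; decide consciously that it is
# acceptable on this host before adding it.
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install php5.6
# check php version
php -v

# Install the php apache module
# -----------------------------
# NOTE(review): this metapackage may resolve to the default PHP module rather
# than the 5.6 one -- confirm with 'apache2ctl -M' and a phpinfo() page.
apt-get install libapache2-mod-php
# remove the added repo
# NOTE(review): once the PPA is removed, apt no longer sees security updates for
# the packages that came from it; keep it enabled, or plan to re-add it when
# updating PHP.
add-apt-repository --remove ppa:ondrej/php
# restart apache to load the php module
apache2ctl stop
apache2ctl start
systemctl status apache2
# list apache modules, verify php is listed
apache2ctl -M

# Setting up SSL
# --------------
# Adding support for SSL
# first, check if the module exists but is not enabled:
dpkg -S mod_ssl.so
# if the output shows the .so in the apache folder, you just need to enable it.
# otherwise you need to install it first (on Debian/Ubuntu mod_ssl normally ships
# with the apache2 packages themselves, so this step is usually not needed):
apt-get install mod_ssl
# Enabling the module:
a2enmod ssl
# restart apache2 service
service apache2 restart
# apache port conf checks if mod_ssl is enabled and if so listens on 443 as well. verify:
netstat -plnt

# generate a self-signed certificate and a private key:
# for all questions you can answer with a '.' (=leave blank) apart from FQDN - put the server's public IP
# -nodes writes the private key unencrypted, so the file's permissions are the
# only thing protecting it: it must stay readable by root only.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
# make sure both files have been created (and check the key's mode/owner)
ls -l /etc/ssl/private/apache-selfsigned.key /etc/ssl/certs/apache-selfsigned.crt

# Create a new Apache conf file with the hardening directives below
# (original step: open it in nano, paste the content, save and close).
# NOTE(review) on the content:
#  - 'SSLProtocol All -SSLv2 -SSLv3' still permits TLS 1.0 and 1.1; on Apache 2.4
#    a stricter setting is 'SSLProtocol -all +TLSv1.2'.
#  - Browsers only honor Strict-Transport-Security for hostnames, so the HSTS
#    header has no effect while the server is reached by IP address.
#  - The 'Header' directives need mod_headers, enabled by 'a2enmod headers'
#    further down; configtest will fail if that step is skipped.
#  - A self-signed certificate has no OCSP responder, so SSLUseStapling will
#    produce stapling warnings in the error log until a CA-issued cert is used.
cat > /etc/apache2/conf-available/ssl-params.conf <<'EOF'
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
EOF

# backup the file before we modify it:
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
# Manual edit -- this part is not scripted:
nano /etc/apache2/sites-available/default-ssl.conf
#   just below ServerAdmin, add the line:
#     ServerName <server_domain_or_IP>
#   Modify the lines pointing to the cert and key files:
#     SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
#     SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
#   uncomment the following lines:
#     BrowserMatch "MSIE [2-6]" \
#         nokeepalive ssl-unclean-shutdown \
#         downgrade-1.0 force-response-1.0
#   save & close

# enable the changes in apache:
a2enmod headers
a2ensite default-ssl
a2enconf ssl-params
# verify conf syntax is correct:
apache2ctl configtest
# restart to take effect:
systemctl restart apache2

# Test it works:
# open browser with https://<public IP>
# you will get an error that the CA is not trusted, proceed anyway
# check the site details (icon in address bar), see that it uses the certificate issued by the same server

# Optional part - for the DNS mng specific app:
# ----------------------------------------------
sudo apt install bind9utils
mkdir -p /var/local/dns/zones/
# NOTE(review): 'a+w' makes the directory writable by every local account, so
# any user or compromised service on the host could add or alter zone files.
# Prefer giving it to the account that runs the DNS-management app, e.g.
#   chown <dns_app_user>:<dns_app_group> /var/local/dns && chmod 0775 /var/local/dns
chmod a+w /var/local/dns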