@binarweb
Last active January 24, 2020 22:54
Set up a self-signed SSL certificate for Apache (server side only)

Create the certificate:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

Create a strong Diffie-Hellman group:

$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Create an Apache Configuration Snippet with Strong Encryption Settings

$ nano /etc/apache2/conf-available/ssl-params.conf

Add:

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Excludes SSLv2 and SSLv3 only; TLSv1.0 and TLSv1.1 stay enabled unless
# they are excluded as well (-TLSv1 -TLSv1.1).
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
# OCSP stapling only has an effect for CA-issued certificates; the self-signed
# certificate created above has no OCSP responder, so Apache will log a warning.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Modify the Default Apache SSL Virtual Host File

cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
mv /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/000-default-ssl.conf
nano /etc/apache2/sites-available/000-default-ssl.conf

Add:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
            ServerAdmin your_email@example.com
            ServerName www.example.com

            DocumentRoot /var/www/html

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            SSLEngine on

            SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
            SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                            SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                            SSLOptions +StdEnvVars
            </Directory>

            BrowserMatch "MSIE [2-6]" \
                           nokeepalive ssl-unclean-shutdown \
                           downgrade-1.0 force-response-1.0

    </VirtualHost>
</IfModule>

Enable the changes in Apache

a2enmod ssl
a2enmod headers
a2dissite default-ssl
a2ensite 000-default-ssl
a2enconf ssl-params

To test the configuration for syntax errors:

apache2ctl configtest

Restart Apache

service apache2 restart

Check Apache status

service apache2 status
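The steps above leave no quick way to confirm that the snippet really has the hardened settings the guide intends. The POSIX shell script below is an added example (not part of the gist) that audits an ssl-params.conf-style file for the directives set in this guide: SSLProtocol, SSLCompression, SSLHonorCipherOrder, SSLCipherSuite and the HSTS header. The three embedded snippets are constructed samples: one deliberately weak, one repeating the gist's own directives, and one that additionally excludes TLSv1.0/1.1. The function names (`audit_ssl_params`, `count_findings`, `write_sample`, `report`) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: audit an Apache SSL parameter snippet
# (such as /etc/apache2/conf-available/ssl-params.conf) for the settings the
# guide hardens. Uses only POSIX sh, grep, sed, awk and mktemp.

# active_lines FILE: directives with comment lines removed, so that a
# commented-out "#Header always set Strict-Transport-Security" is not counted.
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# directive FILE NAME: argument of the last active NAME directive (Apache
# directive names are case-insensitive), with surrounding whitespace trimmed.
directive() {
    active_lines "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | tail -n 1 \
        | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_ssl_params FILE: one finding per line, nothing when the snippet is clean.
audit_ssl_params() {
    f="$1"
    proto=$(directive "$f" SSLProtocol)

    # 1. SSLv3 must be excluded (POODLE). "all" without "-SSLv3" leaves it on
    #    with older Apache/OpenSSL builds; "-all +TLSv1.2" is an explicit allow-list.
    case "$proto" in
        "")                       echo "SSLProtocol is not set" ;;
        *-[Aa][Ll][Ll]*|*-SSLv3*) ;;
        *[Aa][Ll][Ll]*|*SSLv3*)   echo "SSLProtocol leaves SSLv3 enabled: $proto" ;;
    esac

    # 2. TLSv1.0 and TLSv1.1 are deprecated (RFC 8996); "all -SSLv3" keeps them.
    case "$proto" in
        ""|*-[Aa][Ll][Ll]*|*-TLSv1.1*) ;;
        *[Aa][Ll][Ll]*|*TLSv1.1*|*"TLSv1 "*|*TLSv1)
            echo "SSLProtocol still allows TLSv1.0/1.1: $proto" ;;
    esac

    # 3. TLS-level compression enables the CRIME attack.
    case "$(directive "$f" SSLCompression)" in
        [Oo][Ff][Ff]) ;;
        *)            echo "SSLCompression is not off" ;;
    esac

    # 4. The server's cipher preference, not the client's, must win.
    case "$(directive "$f" SSLHonorCipherOrder)" in
        [Oo][Nn]) ;;
        *)        echo "SSLHonorCipherOrder is not on" ;;
    esac

    # 5. Obsolete algorithms must not appear in the cipher list.
    ciphers=$(directive "$f" SSLCipherSuite)
    if [ -z "$ciphers" ]; then
        echo "SSLCipherSuite is not set"
    elif printf '%s\n' "$ciphers" | grep -Eq 'NULL|EXPORT|RC4|MD5|DES'; then
        echo "SSLCipherSuite contains an obsolete algorithm: $ciphers"
    fi

    # 6. HSTS must use "Header always set" so that error responses carry it too.
    if ! active_lines "$f" | grep -Eiq \
        '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security'; then
        echo "Strict-Transport-Security is not set with 'Header always set'"
    fi
}

# count_findings FILE: number of findings; always exits 0, so it is safe under set -e.
count_findings() {
    audit_ssl_params "$1" | awk 'END { print NR }'
}

# write_sample TEXT: write a constructed snippet to a temp file and print its path.
write_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    echo "$tmp"
}

# report NAME TEXT: audit one constructed sample and print its findings.
report() {
    file=$(write_sample "$2")
    echo "== $1: $(count_findings "$file") finding(s) =="
    audit_ssl_params "$file"
    rm -f "$file"
}

# Constructed samples. WEAK is deliberately bad; GIST repeats the directives
# from the snippet in this guide; HARDENED additionally drops TLSv1.0/1.1.
WEAK='SSLProtocol all
SSLCompression on
SSLCipherSuite ALL:RC4:MD5
#Header always set Strict-Transport-Security "max-age=63072000"'
GIST='SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
SSLCompression off'
HARDENED='SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder On
SSLCompression off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"'

report WEAK "$WEAK"
report GIST "$GIST"
report HARDENED "$HARDENED"
```

Run it on the real file with `audit_ssl_params /etc/apache2/conf-available/ssl-params.conf` after sourcing the script. The weak sample yields six findings, the gist's own directives yield exactly one (TLSv1.0/1.1 still allowed by `All -SSLv2 -SSLv3`), and the hardened sample yields none. The audit checks only the parameter snippet; it does not inspect the certificate or the running server, so `apache2ctl configtest` and a TLS scan of the live port remain the final word.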

Sources:
