@yulioaj290
Last active November 6, 2018 20:17
Basic configuration to deploy a Web App using Apache2 and Self-Signed SSL on Ubuntu 16.04

Pre-requisites

Install OpenSSL:

~$ sudo apt-get install openssl

Restart the Apache web server:

~$ sudo /etc/init.d/apache2 restart

Or:

~$ sudo systemctl restart apache2

Steps

1- Create the public certificate and the private key. Name the files after the website's domain so they can be told apart from other certificates:

~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/<domain-of-website>.key -out /etc/ssl/certs/<domain-of-website>.crt

2- Fill in the fields the previous command asks for. The most important one is "Common Name (e.g. server FQDN or YOUR name)", which identifies our website:

	Output
	Country Name (2 letter code) [AU]:US
	State or Province Name (full name) [Some-State]:Tennessee
	Locality Name (eg, city) []:Nashville
	Organization Name (eg, company) [Internet Widgits Pty Ltd]:<business name>
	Organizational Unit Name (eg, section) []:Plaza Mariachi
*	Common Name (e.g. server FQDN or YOUR name) []:<server_IP_address or domain of website>
	Email Address []:info@plazamariachi.com

3- Generate a Diffie-Hellman group, used to negotiate Perfect Forward Secrecy with the web clients. This file is created only once; it can be reused for every certificate we create in the future:

~$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

4- Create (or modify) the Apache2 configuration file that holds the parameters enabling SSL (copy the content below). This file is created only once; it can be reused for every certificate we create in the future:

~$ sudo nano /etc/apache2/conf-available/ssl-params.conf

Content of /etc/apache2/conf-available/ssl-params.conf

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On

# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"

# Original setting
#Header always set X-Frame-Options DENY

# SAMEORIGIN is used instead because Cornerstone (the X Theme page builder) does not work with DENY
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff

# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

5- Copy the default SSL site configuration as the starting point for our new website:

~$ sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/ssl.<domain-of-website>.conf

6- Edit the file "/etc/apache2/sites-available/ssl.<domain-of-website>.conf" copied in the previous step. The new content must look like this:

<IfModule mod_ssl.c>
		<VirtualHost _default_:443>
				ServerAdmin your_email@<domain-of-website>
				ServerName <domain-of-website>

				DocumentRoot /var/www/html

				ErrorLog ${APACHE_LOG_DIR}/error.log
				CustomLog ${APACHE_LOG_DIR}/access.log combined

				SSLEngine on

				SSLCertificateFile      /etc/ssl/certs/<domain-of-website>.crt
				SSLCertificateKeyFile /etc/ssl/private/<domain-of-website>.key

				<FilesMatch "\.(cgi|shtml|phtml|php)$">
								SSLOptions +StdEnvVars
				</FilesMatch>
				<Directory /usr/lib/cgi-bin>
								SSLOptions +StdEnvVars
				</Directory>

				BrowserMatch "MSIE [2-6]" \
							   nokeepalive ssl-unclean-shutdown \
							   downgrade-1.0 force-response-1.0

		</VirtualHost>
</IfModule>

7- Update the configuration of our website's virtual host to guarantee the HTTPS redirection:

~$ sudo nano /etc/apache2/sites-available/<domain-of-website>.conf

The content must contain these lines:

<VirtualHost *:80>
		. . .

		Redirect "/" "https://<domain-of-website>/"

		. . .
</VirtualHost>

8- Enable the Apache2 modules, sites and configuration so the changes take effect:

~$ sudo a2enmod ssl
~$ sudo a2enmod headers
~$ sudo a2ensite <domain-of-website>.conf
~$ sudo a2ensite ssl.<domain-of-website>.conf
~$ sudo a2enconf ssl-params.conf
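The eight steps above can be scripted so that a second website does not need the prompts and hand edits again. The following is an added example, not part of the gist: it renders the same files the gist creates by hand (steps 4, 6 and 7) for one domain, answers the step 2 prompts with `-subj`, and wires steps 1, 3 and 8 together in a `deploy` function. The function names, the `@DOMAIN@`/`@DOCROOT@` template tokens, the `deploy` entry point and the minimal body of the `:80` vhost (the gist elides it with `. . .`) are this example's own assumptions; every directive it writes is the gist's. One caveat worth knowing: the gist's `SSLProtocol All -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1, so the protocol and cipher lines are taken from variables that can be tightened at deploy time. Ubuntu 16.04 ships OpenSSL 1.0.2, which has no `-addext`, so only `-subj` is used.

```shell
#!/bin/sh
# Added example, not part of the gist: renders the files that steps 1-8 of the
# gist create by hand, for one domain, without interactive prompts.  Function
# names, the @DOMAIN@/@DOCROOT@ template tokens and the "deploy" entry point
# are this example's own; every directive rendered is the gist's.
set -u

# Protocol and cipher lines are variables so a deployer can tighten them.
# The defaults are the gist's values (note: they still permit TLS 1.0/1.1).
SSL_PROTOCOL="${SSL_PROTOCOL:-All -SSLv2 -SSLv3}"
SSL_CIPHERS="${SSL_CIPHERS:-EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH}"

# Accept only a plausible hostname before it is spliced into paths and
# configs; an unreplaced placeholder such as "<domain-of-website>" must fail.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# Step 4: the global TLS parameters (conf-available/ssl-params.conf).
render_ssl_params() {
    printf 'SSLCipherSuite %s\n' "$SSL_CIPHERS"
    printf 'SSLProtocol %s\n' "$SSL_PROTOCOL"
    cat <<'EOF'
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
EOF
}

# Step 6: the :443 virtual host.  $1 = domain, $2 = document root.
# The quoted heredoc keeps ${APACHE_LOG_DIR} literal for Apache to expand.
render_ssl_vhost() {
    sed "s|@DOMAIN@|$1|g; s|@DOCROOT@|$2|g" <<'EOF'
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@@DOMAIN@
        ServerName @DOMAIN@
        DocumentRoot @DOCROOT@
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/@DOMAIN@.crt
        SSLCertificateKeyFile /etc/ssl/private/@DOMAIN@.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
    </VirtualHost>
</IfModule>
EOF
}

# Steps 7 and 12: the :80 virtual host that only redirects.  $1 = domain,
# $2 = "permanent" for the 301 used once the HTTPS site is known to work.
# The gist elides the rest of this vhost; this minimal body is an assumption.
render_redirect_vhost() {
    perm=""
    if [ "${2:-}" = "permanent" ]; then perm="permanent "; fi
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    Redirect ${perm}"/" "https://$1/"
</VirtualHost>
EOF
}

# Steps 1-8 end to end.  Run as root on the target host:  deploy example.com
deploy() {
    domain="$1"; docroot="${2:-/var/www/html}"
    valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
    # Steps 1-2: -subj answers the prompts; CN is the field that matters.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$domain" \
        -keyout "/etc/ssl/private/$domain.key" -out "/etc/ssl/certs/$domain.crt"
    chmod 600 "/etc/ssl/private/$domain.key"
    # Step 3: the DH group is generated once and shared by every site.
    [ -f /etc/ssl/certs/dhparam.pem ] || openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    # Steps 4-7: write the configuration files.
    render_ssl_params > /etc/apache2/conf-available/ssl-params.conf
    render_ssl_vhost "$domain" "$docroot" > "/etc/apache2/sites-available/ssl.$domain.conf"
    render_redirect_vhost "$domain" > "/etc/apache2/sites-available/$domain.conf"
    # Steps 8-10: enable everything, check the syntax, then restart.
    a2enmod ssl headers && a2ensite "$domain.conf" "ssl.$domain.conf" && a2enconf ssl-params.conf
    apache2ctl configtest && systemctl restart apache2
}

if [ "${1:-}" = "deploy" ]; then deploy "$2" "${3:-}"; fi
```

Sourcing the file exposes the render functions for inspection (`render_ssl_vhost example.com /var/www/html`) without touching the host; `sh deploy.sh deploy example.com` performs the real steps. Exporting `SSL_PROTOCOL='-all +TLSv1.2'` before running it drops the older protocols the gist's default leaves on.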

9- Test the configuration:

~$ sudo apache2ctl configtest

The output must be something like this (Syntax OK):

Output

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

10- Restart the Apache web server:

~$ sudo /etc/init.d/apache2 restart

Or:

~$ sudo systemctl restart apache2

11- Test the SSL configuration in the browser.

12- Update the configuration of our website's virtual host to guarantee the permanent HTTPS redirection:

~$ sudo nano /etc/apache2/sites-available/<domain-of-website>.conf

The content must contain these lines:

<VirtualHost *:80>
		. . .

		Redirect permanent "/" "https://<domain-of-website>/"

		. . .
</VirtualHost>

13- Repeat steps 9 to 11.
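Step 11 can be done from the command line as well, which makes it repeatable after step 13 (where the redirect changes from temporary to permanent). The following is an added example, not part of the gist: it fetches the `:80` response headers with `curl -I` and classifies the redirect (`Redirect` alone sends a 302, `Redirect permanent` a 301), then reads the certificate the server actually presents with `openssl s_client` and checks that its Common Name equals the domain, which is the only binding a self-signed certificate offers since no CA chain can be validated. The function names are this example's own; the parsing helpers work on plain text so they can be exercised with constructed header and subject samples.

```shell
#!/bin/sh
# Added example, not part of the gist: a command-line version of step 11.
# Function names are this example's own; the header/subject samples used to
# exercise the parsers are constructed, not captured from a real host.
set -u

# Print "<status> <Location>" from a raw HTTP response header block as
# curl -I prints it (CRLF line endings).  $1 = header text.
redirect_of() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1                    { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { printf "%s %s\n", status, loc }'
}

# Classify the redirect the :80 vhost sends: prints "permanent" for a 301 and
# "temporary" for a 302 to https://<domain>/, fails for anything else.
# $1 = expected domain, $2 = header text.
check_redirect() {
    r=$(redirect_of "$2")
    case "$r" in
        "301 https://$1/"*) echo permanent ;;
        "302 https://$1/"*) echo temporary ;;
        *) echo "unexpected redirect: $r" >&2; return 1 ;;
    esac
}

# The subject CN must equal the domain.  Handles both OpenSSL 1.0.2 output
# ("subject= /C=US/CN=x") and 1.1.x output ("subject=C = US, CN = x").
# $1 = domain, $2 = output of "openssl x509 -noout -subject".
cn_matches() {
    cn=$(printf '%s\n' "$2" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$1" ]
}

# Live checks against a deployed host; run after step 10 and again after 13.
verify_site() {
    domain="$1"
    hdr=$(curl -sI --max-time 10 "http://$domain/")
    kind=$(check_redirect "$domain" "$hdr") || return 1
    echo "http -> https redirect: $kind"
    # -servername selects the vhost by SNI, as a browser would.
    subj=$(openssl s_client -servername "$domain" -connect "$domain:443" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject)
    cn_matches "$domain" "$subj" || { echo "CN does not match $domain: $subj" >&2; return 1; }
    echo "certificate CN matches: $domain"
    # ssl-params.conf must still leave TLS 1.2 negotiable.
    openssl s_client -connect "$domain:443" -tls1_2 </dev/null >/dev/null 2>&1 \
        || { echo "TLS 1.2 handshake failed" >&2; return 1; }
    echo "TLS 1.2 accepted"
}

if [ "${1:-}" = "verify" ]; then verify_site "$2"; fi
```

`sh verify.sh verify <domain-of-website>` runs the live checks; after step 7 it should report `temporary`, and after step 13 `permanent`. Because the certificate is self-signed, `curl` and `s_client` are not asked to validate the chain; the CN comparison is what confirms the server is handing out the certificate created in step 1 for this site.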
