Describe the SSL certificate settings in the Apache configuration file
Here is an example of an Apache configuration file for SSL settings.
To enable HTTPS on Apache, you need to obtain an SSL certificate (for example from Let's Encrypt) and configure SSL in the Apache configuration file.
There are two kinds of SSL settings: the basic SSL settings, which are common to all sites, and the SSL certificate path settings, which differ for each site.
SSL basic settings
This is an example of the SSL basic settings. The only required directive is "SSLEngine on". The remaining settings reduce exposure to known SSL/TLS weaknesses and tighten security.
These are the same SSL settings that Let's Encrypt configures.
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
Since these settings can be shared by all sites, create them in a file named "conf-available/ssl-basic.conf" with vi or another editor, and include that file from each site's virtual host settings.
cd /etc/apache2
sudo vi conf-available/ssl-basic.conf
Include it from the Apache configuration file like this:
Include conf-available/ssl-basic.conf
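The fragment above is worth checking rather than trusting: "SSLProtocol all -SSLv2 -SSLv3" still leaves TLS 1.0 and 1.1 enabled, and the cipher list still carries 3DES (DES-CBC3) suites. The POSIX shell script below is an added example, not code from the original article or from Let's Encrypt; it audits a fragment such as conf-available/ssl-basic.conf for exactly those points. The SSLProtocol handling re-implements mod_ssl's token rules ("all" plus "+Version"/"-Version"); the list of weak-suite patterns is the script's own; the two sample fragments at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): audit the directives in an Apache SSL
# fragment such as conf-available/ssl-basic.conf. Needs only POSIX sh, grep, sed and tr.

# Drop comments and blank lines so a commented-out directive is not mistaken for a live one.
effective_directives() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Print the value of the first occurrence of directive $2 in file $1 (Apache directive
# names are case-insensitive). Prints nothing when the directive is absent.
directive_value() {
    effective_directives "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | head -n 1 \
        | sed -e 's/^[[:space:]]*[A-Za-z]*[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Is protocol version $1 offered by SSLProtocol value $2?  A "-Version" token always wins;
# otherwise "all"/"+all" or an explicit "Version"/"+Version" token enables it.
proto_enabled() {
    for tok in $2; do
        if [ "$tok" = "-$1" ]; then return 1; fi
    done
    for tok in $2; do
        case "$tok" in
            all|+all|"$1"|+"$1") return 0 ;;
        esac
    done
    return 1
}

# Audit one fragment: print one line per finding and return the number of findings.
audit_ssl_conf() {
    conf=$1
    findings=0
    engine=$(directive_value "$conf" SSLEngine)
    case "$engine" in
        [Oo][Nn]) ;;
        *) echo "SSLEngine is not 'on' (found: '${engine:-missing}')"; findings=$((findings + 1)) ;;
    esac
    proto=$(directive_value "$conf" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "SSLProtocol missing: mod_ssl defaults apply"; findings=$((findings + 1))
    else
        for legacy in SSLv2 SSLv3 TLSv1 TLSv1.1; do
            if proto_enabled "$legacy" "$proto"; then
                echo "SSLProtocol still offers $legacy: '$proto'"; findings=$((findings + 1))
            fi
        done
    fi
    ciphers=$(directive_value "$conf" SSLCipherSuite)
    if [ -z "$ciphers" ]; then
        echo "SSLCipherSuite missing: OpenSSL defaults apply"; findings=$((findings + 1))
    else
        for suite in $(printf '%s' "$ciphers" | tr ':' ' '); do
            case "$suite" in
                !*) ;;                          # "!NAME" removes a suite, so it is fine
                *DES-CBC3*|*RC4*|*MD5*|*NULL*|*EXPORT*)
                    echo "SSLCipherSuite includes weak suite: $suite"; findings=$((findings + 1)) ;;
            esac
        done
    fi
    order=$(directive_value "$conf" SSLHonorCipherOrder)
    case "$order" in
        [Oo][Nn]) ;;
        *) echo "SSLHonorCipherOrder is not 'on': the client chooses the suite"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Demo on two constructed fragments: one modelled on the article's ssl-basic.conf (cipher
# list shortened), one tightened to TLS 1.2/1.3 with AEAD suites only.
demo_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
EOF
    echo "== article-style fragment =="
    rc=0; audit_ssl_conf "$f" || rc=$?
    echo "$rc finding(s)"
    cat > "$f" <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
EOF
    echo "== tightened fragment =="
    rc=0; audit_ssl_conf "$f" || rc=$?
    echo "$rc finding(s)"
    rm -f "$f"
}
demo_audit
```

Run it as `sh audit.sh` to see the demo, or source it and call `audit_ssl_conf /etc/apache2/conf-available/ssl-basic.conf`; the exit status is the number of findings, so it drops into a deployment check as a plain command. The article-style fragment yields three findings (TLSv1, TLSv1.1 and DES-CBC3-SHA); the tightened one yields none.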
Setting the SSL certificate path for each site
The per-site settings are the SSL certificate paths, which means describing the paths to three files. Keep in mind that SSL uses public-key authentication, so the server needs its private key as well as the intermediate certificate. Ask your security expert for more details, including implementation details.
- SSL certificate
- SSL certificate private key
- Intermediate certificate of SSL certificate
Write these in each site's virtual host settings. The following example uses the certificate files generated by Let's Encrypt.
SSLCertificateFile /etc/letsencrypt/live/www.mydomain.example/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.example/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.mydomain.example/chain.pem
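These three files are easy to get out of step: a renewed cert.pem next to a stale privkey.pem makes mod_ssl refuse to start, a wrong chain.pem makes browsers reject the chain, and a key file that is world-readable undoes the point of having one. The shell script below is an added example, not code from the original article or from Let's Encrypt; it checks the three files against each other with the openssl command-line tool before Apache is reloaded. The paths in the usage comment are the article's; the optional trusted-root argument exists only so the checks can be exercised offline against a test CA.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity checks for the three files named
# by SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile.
# Needs the openssl command-line tool.

# A private key must not be world-readable (Apache reads it as root at startup).
key_not_world_readable() {   # $1 = privkey.pem
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# The certificate's public key must be the one derived from the private key; otherwise
# mod_ssl refuses the pair at startup. Both are reduced to a hash of the PEM public key.
key_matches_cert() {   # $1 = cert.pem, $2 = privkey.pem
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then return 0; fi
    return 1
}

# The certificate must chain through the intermediate in chain.pem. Let's Encrypt's
# chain.pem holds only the intermediate, so it is passed as untrusted; trust comes from the
# system store unless a root file is given as $3 (used by the offline test).
cert_chains_to() {   # $1 = cert.pem, $2 = chain.pem, $3 = trusted root (optional)
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Run every check for one vhost: print one line per check, return the number of failures.
check_ssl_files() {   # $1 = cert.pem, $2 = privkey.pem, $3 = chain.pem, $4 = trusted root (optional)
    fails=0
    for f in "$1" "$2" "$3"; do
        if [ -r "$f" ]; then echo "ok    readable: $f"
        else echo "FAIL  not readable: $f"; fails=$((fails + 1)); fi
    done
    if key_not_world_readable "$2"; then echo "ok    private key is not world-readable"
    else echo "FAIL  private key is world-readable or missing: $2"; fails=$((fails + 1)); fi
    if key_matches_cert "$1" "$2"; then echo "ok    private key matches certificate"
    else echo "FAIL  private key does not match certificate"; fails=$((fails + 1)); fi
    if cert_chains_to "$1" "$3" "$4"; then echo "ok    certificate verifies through $3"
    else echo "FAIL  certificate does not verify with chain file $3"; fails=$((fails + 1)); fi
    return "$fails"
}

# Usage on the server with the article's paths (as root, so privkey.pem is readable);
# only reload Apache when every check passes and the configuration test is clean:
#   live=/etc/letsencrypt/live/www.mydomain.example
#   check_ssl_files "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" && apachectl configtest
```

The exit status of check_ssl_files is the number of failed checks, so it can gate a reload in a deployment script the same way `apachectl configtest` does.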
Procedure for creating a configuration file
Here I describe the procedure for creating the SSL configuration file. When using a certificate issued by Let's Encrypt, the Apache configuration cannot be completed in one step.
This is because Let's Encrypt verifies the certificate owner by actually being able to reach the HTTP server.
In other words, you first need to make the verification HTTP request from Let's Encrypt reachable on port 80.
However, it is tedious to configure HTTP on port 80 first and then configure HTTPS on port 443 afterwards.
Therefore, redirect the HTTP requests received on port 80 to HTTPS (443) from the beginning. It is assumed that the web application runs behind Apache acting as a reverse proxy.
Enable the SSL settings and load the self-signed SSL certificate that is already present on the system. Note that with only "SSLEngine on" and no certificate files, HTTPS connections will fail.
<VirtualHost *:80>
    ServerName www.mydomain.example
    RewriteEngine on
    RewriteRule ^(.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mydomain.example
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:20013/ keepalive=On
    ProxyPassReverse / http://localhost:20013/
    RequestHeader set X-Forwarded-Proto "https"
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
Then, once you have obtained the SSL certificate, change the configuration to the following.
Let's Encrypt's certbot can configure the Apache SSL certificate automatically, but because its configuration file is read from outside the Apache configuration directory, I manage the configuration file with Git myself instead.
<VirtualHost *:80>
    ServerName www.mydomain.example
    RewriteEngine on
    RewriteRule ^(.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mydomain.example
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:20013/ keepalive=On
    ProxyPassReverse / http://localhost:20013/
    RequestHeader set X-Forwarded-Proto "https"
    Include conf-available/ssl-basic.conf
    SSLCertificateFile /etc/letsencrypt/live/www.mydomain.example/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.example/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.mydomain.example/chain.pem
</VirtualHost>
Required Apache modules
For the SSL-enabled Apache configuration above to work, the following modules must be enabled.
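A module that is referenced by a directive but not enabled makes Apache fail its configuration test with "Invalid command", so it helps to derive the required modules from the vhost file itself and compare them with what the server has loaded. The shell script below is an added example, not code from the original article; the directive-to-module table inside it is the script's own and covers only the directives used in the article's vhosts. It reads the output of `apache2ctl -M` from a file, and the demo feeds it a constructed stand-in for that output.

```shell
#!/bin/sh
# Added example, not part of the original article: derive the Apache modules that a vhost
# file needs from its directives and compare against the modules the server reports as
# loaded (apache2ctl -M). The directive-to-module table in required_modules is this
# script's own and covers the directives used in the article's vhosts.

# Print the module names required by the directives in config file $1, one per line, sorted.
required_modules() {
    sed -e 's/#.*$//' "$1" | awk '
        /^[ \t]*(RewriteEngine|RewriteRule|RewriteCond)[ \t]/          { m["rewrite"] = 1 }
        /^[ \t]*(ProxyPass|ProxyPassReverse|ProxyRequests|ProxyPreserveHost)[ \t]/ { m["proxy"] = 1 }
        /^[ \t]*<Proxy[ \t>]/                                           { m["proxy"] = 1 }
        /^[ \t]*ProxyPass[ \t]+[^ \t]+[ \t]+https?:/                    { m["proxy_http"] = 1 }
        /^[ \t]*(RequestHeader|Header)[ \t]/                            { m["headers"] = 1 }
        /^[ \t]*SSL[A-Za-z]+[ \t]/                                      { m["ssl"] = 1 }
        END { for (k in m) print k }' | LC_ALL=C sort
}

# Print the required modules that do not appear in $2, a file holding `apache2ctl -M` output
# (lines such as " rewrite_module (shared)").
missing_modules() {   # $1 = vhost file, $2 = saved "apache2ctl -M" output
    required_modules "$1" | while read -r mod; do
        grep -q "^ *${mod}_module" "$2" || echo "$mod"
    done
}

# Demo: the article's 443 vhost (cert directives omitted) against a constructed module list
# from a host where mod_ssl was never enabled.
demo_modules() {
    v=$(mktemp); m=$(mktemp)
    cat > "$v" <<'EOF'
<VirtualHost *:443>
    ServerName www.mydomain.example
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:20013/ keepalive=On
    ProxyPassReverse / http://localhost:20013/
    RequestHeader set X-Forwarded-Proto "https"
    SSLEngine on
</VirtualHost>
EOF
    # Constructed stand-in for `apache2ctl -M` output.
    printf 'Loaded Modules:\n core_module (static)\n proxy_module (shared)\n proxy_http_module (shared)\n headers_module (shared)\n rewrite_module (shared)\n' > "$m"
    echo "required: $(required_modules "$v" | tr '\n' ' ')"
    echo "missing:  $(missing_modules "$v" "$m" | tr '\n' ' ')"
    rm -f "$v" "$m"
}
demo_modules

# On the server (Debian/Ubuntu layout as in the article):
#   apache2ctl -M > /tmp/loaded.txt
#   missing_modules /etc/apache2/sites-available/www.mydomain.example.conf /tmp/loaded.txt
# then enable each name that is printed with `sudo a2enmod <name>` and rerun `apachectl configtest`.
```

For the constructed demo the required set is headers, proxy, proxy_http and ssl, and the only missing one is ssl.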