Wednesday, November 11, 2020

Apache with Letsencrypt


Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It launched on April 12, 2016.

Let's Encrypt certificates are valid for 90 days, during which renewal can take place at any time. The offer is accompanied by an automated process designed to overcome manual creation, validation, signing, installation, and renewal of certificates for secure websites. The project claims its goal is to make encrypted connections to World Wide Web servers ubiquitous. By eliminating payment, web server configuration, validation email management and certificate renewal tasks, it is meant to significantly lower the complexity of setting up and maintaining TLS encryption.[1]

[1] Wikipedia

PREREQUISITE

  • Linux server with Apache installed (ports 80 and 443 should be open to the public)
  • There should be a DNS entry for your site.
  • Enable the "universe" repository ("add-apt-repository universe").
  • The "certbot" package should be installed on your server.

In this example I am using an Ubuntu 20.04 LTS server. Commands can differ if you are using an OS like Red Hat or CentOS.



Step 01: Install Apache


apt install apache2



After the install, enable and start the apache2 service.

systemctl enable apache2
systemctl start apache2



Now try to access your site using its host name.



Step 02: Create a Custom Page


Now create a virtual host configuration file for your custom website in the location below.



<VirtualHost *:80>

        ServerName <Your-Site>
        ServerAlias <Your-Site>

        DocumentRoot /var/www/html/my-site

        ErrorLog ${APACHE_LOG_DIR}/vidu-test-error.log
        CustomLog ${APACHE_LOG_DIR}/vidu-test-access.log combined

</VirtualHost>

Create the "DocumentRoot" folder and place a simple index.html file in it.



Include that config file in the sites-enabled folder.



Now restart the Apache service and check.




Step 03: Obtain Letsencrypt Certificate


Enable the "universe" repository ("add-apt-repository universe").



Now install "certbot".



Execute the command below to obtain the certificate. The webroot path must be the DocumentRoot served on port 80, because Let's Encrypt validates the domain by fetching a challenge file from it.

certbot certonly --webroot --webroot-path /var/www/html/my-site -d <Your-Site> -m <Your-Email>



Step 04: Make your Site Secure

Now enable the SSL module for Apache. Execute the command below to do this. You have to restart the Apache service to apply the change.


Now open the virtual host configuration file you created before and add another virtual host block as follows.

You have to reference the certificate files you obtained from Let's Encrypt.

<VirtualHost *:443>

        ServerName <Your-Site>
        ServerAlias <Your-Site>

        DocumentRoot /var/www/html/my-site

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/vidu-test.ddns.net/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/vidu-test.ddns.net/privkey.pem

        ErrorLog ${APACHE_LOG_DIR}/ssl-vidu-test-error.log
        CustomLog ${APACHE_LOG_DIR}/ssl-vidu-test-access.log combined

</VirtualHost>

Restart the Apache service to apply the changes.

systemctl restart apache2

Now it's time to browse your site with https.



Check your website with SSL Labs.




You can add the configuration below to your conf file to achieve an "A" grade.

To achieve this, you have to disable insecure SSL cipher suites and insecure SSL protocols.

SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA"

SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLHonorCipherOrder On
SSLCompression off


Now you are one step away from achieving an "A+" grade.

To do that you have to enable the "mod_headers" module in Apache. You can include that module as follows.

Go to the "/etc/apache2/mods-enabled" folder and create a symlink to "headers.load".

ln -s ../mods-available/headers.load headers.load


Now include the headers below in the conf file.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

After adding all the configurations, the complete file looks like this.

<VirtualHost *:80>

        ServerName vidu-test.ddns.net
        ServerAlias vidu-test.ddns.net

        DocumentRoot /var/www/html/my-site

        ErrorLog ${APACHE_LOG_DIR}/vidu-test-error.log
        CustomLog ${APACHE_LOG_DIR}/vidu-test-access.log combined

</VirtualHost>

<VirtualHost *:443>

        ServerName vidu-test.ddns.net
        ServerAlias vidu-test.ddns.net

        DocumentRoot /var/www/html/my-site

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/vidu-test.ddns.net/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/vidu-test.ddns.net/privkey.pem

        SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA"

        SSLProtocol -all +TLSv1.3 +TLSv1.2
        SSLHonorCipherOrder On
        SSLCompression off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ErrorLog ${APACHE_LOG_DIR}/ssl-vidu-test-error.log
        CustomLog ${APACHE_LOG_DIR}/ssl-vidu-test-access.log combined

</VirtualHost>
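Before restarting, it is worth checking the file itself rather than trusting a later SSL Labs scan alone. The script below is an added example, not part of the original post: a static lint that covers both the "A" grade directives (SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder, SSLCompression) and the "A+" headers, and it runs it against two constructed sample vhosts.

```shell
# Added example, not from the original post: a static lint of an Apache
# vhost file for the hardening directives recommended above. It reads only
# the file text; nothing here connects to a live server.

# Config text with comments and blank lines removed, so a commented-out
# directive is never mistaken for an active one.
active_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }
# Case-insensitive regex test against the loaded config ($CONF).
has() { printf '%s\n' "$CONF" | grep -Eiq "$1"; }

# Return 0 when every check passes; print each FAIL and return 1 otherwise.
check_vhost_hardening() {
    CONF=$(active_lines "$1"); rc=0
    # Only TLS 1.2/1.3: "-all" first, then nothing but explicit "+TLSv1.x".
    has '^[[:space:]]*SSLProtocol[[:space:]]+-all([[:space:]]+\+TLSv1\.[23])+[[:space:]]*$' \
        || { echo "FAIL: SSLProtocol must disable everything below TLS 1.2"; rc=1; }
    has '^[[:space:]]*SSLCompression[[:space:]]+off' \
        || { echo "FAIL: SSLCompression must be off"; rc=1; }
    has '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' \
        || { echo "FAIL: SSLHonorCipherOrder must be On"; rc=1; }
    has '^[[:space:]]*SSLCipherSuite[[:space:]]+"?ECDHE' \
        || { echo "FAIL: SSLCipherSuite missing or not ECDHE-first"; rc=1; }
    has '^[[:space:]]*SSLCipherSuite.*(NULL|RC4|MD5|DES|EXPORT)' \
        && { echo "FAIL: SSLCipherSuite re-enables a legacy cipher"; rc=1; }
    # HSTS: present, max-age of at least one year, includeSubDomains set.
    age=$(printf '%s\n' "$CONF" | sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 31536000 ] && has 'Strict-Transport-Security.*includeSubDomains' \
        || { echo "FAIL: HSTS missing, max-age under one year, or no includeSubDomains"; rc=1; }
    has 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Frame-Options[[:space:]]+(DENY|SAMEORIGIN)' \
        || { echo "FAIL: X-Frame-Options DENY/SAMEORIGIN missing"; rc=1; }
    has 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Content-Type-Options[[:space:]]+nosniff' \
        || { echo "FAIL: X-Content-Type-Options nosniff missing"; rc=1; }
    return $rc
}

# Constructed sample 1: the final HTTPS vhost above (cipher list shortened).
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
<VirtualHost *:443>
    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    SSLHonorCipherOrder On
    SSLCompression off
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
</VirtualHost>
EOF
# Constructed sample 2: SSLEngine on, with the hardening only commented out.
WEAK=$(mktemp)
printf '<VirtualHost *:443>\n  SSLEngine on\n  # SSLCompression off\n</VirtualHost>\n' > "$WEAK"
```

Run `check_vhost_hardening /etc/apache2/sites-enabled/<your-site>.conf` against the real file; every FAIL line names the directive to fix.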

Now restart the Apache service and check your site with SSL Labs again.



