Configuring Apache to use SSL: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
No edit summary
(Marked this version for translation)
 
(59 intermediate revisions by 6 users not shown)
Line 1: Line 1:
Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. This page describes the procedure for creating a self-signed SSL certificate as apposed to one signed by a [https://en.wikipedia.org/wiki/Certificate_authority Certificate Authority] (CA) and configuring Apache to use it to encrypt communications. Having a certificate signed by a CA allows visitors of the site to verify by a third party (the CA) that the website is the expected website, avoiding [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle-attacks]. Self signed certificates should not be used for production sites, though they are useful for small locally used sites and for testing as they are free, as apposed to getting a certificate signed by a CA which usually coats something like $100 a year.
<languages/>
<translate>
<!--T:1-->
<i>Parent page: [[Creating a web server on a cloud]]</i>
[[Category:Cloud]]


The below steps assume you are using the Ubuntu operating system. If using another linux operating system the steps will be similar but the details will likely be different such as slightly different commands or different locations and names of configuration files.
<!--T:2-->
Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. It is important to use encryption when sending any sensitive  information, such as passwords, over the internet. However, even if not sending sensitive information, encrypting the data sent from the web server to the client will prevent third parties from intercepting the data and modifying it before it continues on to the client. In almost all situations, it is a good idea to use SSL certificates to encrypt data transmitted to and from a web server over the internet.


<!--T:11-->
There are two main types of certificates: a certificate signed by a third party signing authority and a self-signed certificate. In most cases you will want a certificate signed by a third party since it is very easy to do using Let's Encrypt, as described below. However, there may be some cases, such as testing, where you may still want to create a self-signed certificate instead. With this method, data sent to and from your web server will be encrypted, however, there is no third party involved vouching for the validity of your web server. For this reason, visitors to your site will still get a warning about the security of your site. If you have a public-facing site, you probably do not want to use a self-signed certificate.
<!--T:12-->
Once you have your certificate and the web server is configured, it is a good idea to check the security settings using ssllabs' [https://www.ssllabs.com/ssltest/ ssltest tool] which can suggest changes to your configuration to improve security.
==Signed certificate== <!--T:9-->
Having a certificate signed by a [https://en.wikipedia.org/wiki/Certificate_authority Certificate Authority] (CA) allows visitors to ensure they are accessing the right website, which avoids [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle-attacks]. Many CAs require a yearly fee, but one which does not is [https://letsencrypt.org/ Let's Encrypt] CA. Certbot is a tool that automatically creates or renews an SSL certificate signed by the Let's Encrypt CA and it automatically configures your web server to use the SSL certificate. The main [https://certbot.eff.org/ Certbot] page tells you everything you need to know to get started quickly. For additional details on Cerbot, see the [https://certbot.eff.org/docs/ Certbot docs].
<!--T:13-->
Please note that if you are configuring Certbot via Apache, then you must open port 443 (TCP ingress) in order for Certbot to connect to the site. This is not mentioned in the Certbot documentation.
==Self-signed certificate== <!--T:10-->
This section describes the procedure for creating a self-signed SSL certificate as opposed to one signed by a [https://en.wikipedia.org/wiki/Certificate_authority CA], and for configuring Apache to use it to encrypt communications. Self-signed certificates should not be used for production sites, though they may be useful for small locally used sites and for testing.
<!--T:3-->
The following steps assume you are using the Ubuntu operating system. If using another Linux operating system, the steps will be similar, but the details will likely be different such as commands and locations and names of configuration files.
<!--T:4-->
<ol>
<ol>
<li>'''Activate SSL Module'''<br/>
<li><b>Activate the SSL module</b><br/>
Once Apache has been installed (see [[Creating_a_Webserver_on_CC-Cloud#Install_Apache2 | Installing Apache]]) the SSL module must be enabled with{{Commands|sudo a2enmod ssl|sudo service apache2 restart}}
Once Apache has been installed (see [[Creating_a_web_server_on_a_cloud#Install_Apache2 | Installing Apache]]), the SSL module must be enabled with{{Commands|sudo a2enmod ssl|sudo service apache2 restart}}
</li>
</li>
<li>'''Create a Self-Signed SSL Certificate'''{{Command| sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt}}
<li><b>Create a self-signed SSL certificate</b>{{Command| sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt}}
This command will ask you a series of questions. Below is a list of the questions with example responses:
If you are asked for a pass phrase, it likely means that you missed the <code>-node</code> option. Please reissue the command checking it carefully against the above. This command will ask you a series of questions. Below is a list of the questions with example responses.


   Country Name (2 letter code) [AU]:CA
   <!--T:5-->
Country Name (2 letter code) [AU]:CA
   State or Province Name (full name) [Some-State]:Nova Scotia
   State or Province Name (full name) [Some-State]:Nova Scotia
   Locality Name (eg, city) []:Halifax
   Locality Name (eg, city) []:Halifax
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Compute Canada
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alliance
   Organizational Unit Name (eg, section) []:ACENET
   Organizational Unit Name (eg, section) []:ACENET
   Common Name (e.g. server FQDN or YOUR name) []:XXX-XXX-XXX-XXX.cloud.computecanada.ca
   Common Name (e.g. server FQDN or YOUR name) []:XXX-XXX-XXX-XXX.cloud.computecanada.ca
   Email Address []:<your email>
   Email Address []:<your email>


The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on Compute Canada's cloud it should looks similar to the example response except that the X's should be replace with the floating-IP associated with the virtual machine.
<!--T:6-->
The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on our clouds, it should look similar to the example response except that the string of Xs should be replaced with the floating IP associated with the virtual machine.
</li>
</li>
<li>'''Set Ownership and Permissions'''<br/>
<li><b>Set ownership and permissions</b><br/>
Set the correct ownership and permissions of the private key with: {{Commands|sudo chown root:ssl-cert /etc/ssl/private/server.key|sudo chmod 640 /etc/ssl/private/server.key}}
Set the correct ownership and permissions of the private key with {{Commands|sudo chown root:ssl-cert /etc/ssl/private/server.key|sudo chmod 640 /etc/ssl/private/server.key}}
</li>
</li>
<li>'''Configure Apache to use the Certificate'''<br/>
<li><b>Configure Apache to use the certificate</b><br/>
Edit Apache's ssl configuration file with
Edit Apache's SSL configuration file with
{{Command|sudo vim /etc/apache2/sites-available/default-ssl.conf}}
{{Command|sudo vim /etc/apache2/sites-available/default-ssl.conf}}
and change the lines
and change the lines
Line 34: Line 60:
  SSLCertificateChainFile /etc/ssl/certs/server.crt
  SSLCertificateChainFile /etc/ssl/certs/server.crt
</li>
</li>
<li>'''Tighten Security'''<br/>
Assuming that the <code>default-ssl.conf,</code> file is the SSL version of the non-encrypted <code>000-default.conf</code> file for the site, make sure both files have the same <code>DocumentRoot</code> variables.
Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by adding
<br/>
<li><b>Tighten security</b><br/>
Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by editing the file with {{Command |sudo vim /etc/apache2/sites-available/default-ssl.conf}} and adding
<pre>
<pre>
<nowiki>Redirect permanent / https://XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
  <nowiki>ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
  <nowiki>ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
<nowiki>ServerAlias www.XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
  <nowiki>SSLProtocol all -SSLv2 -SSLv3</nowiki>
  <nowiki>SSLProtocol all -SSLv2 -SSLv3</nowiki>
  <nowiki>SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4</nowiki>
  <nowiki>SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4</nowiki>
  <nowiki>SSLHonorCipherOrder on</nowiki>
  <nowiki>SSLHonorCipherOrder on</nowiki>
</pre>
</pre>
to default-ssl.conf. Also put a redirect directive on our virtual host by editing the default website configuration file with:
at the bottom of the entry inside the <code><VirtualHost></code> tag replacing XXX-XXX-XXX-XXX with your VM's public IP (note the '-' are needed in place of '.'). Also, put a redirect directive on our virtual host by editing the default website configuration file with
{{Command| sudo vim /etc/apache2/sites-available/000-default.conf }}and adding the line
{{Command| sudo vim /etc/apache2/sites-available/000-default.conf }}and adding the line


  <nowiki>Redirect permanent / https://XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
  <!--T:7-->
<nowiki>Redirect permanent / https://XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>


<!--T:8-->
inside the <nowiki><VirtualHost></nowiki> tag.
inside the <nowiki><VirtualHost></nowiki> tag.
</li>
</li>
<li>'''Enable the SSL-enabled website'''<br/>
<li><b>Enable the SSL-enabled website</b><br/>
{{Commands|sudo a2ensite default-ssl.conf|sudo service apache2 restart}}
{{Commands|sudo a2ensite default-ssl.conf|sudo service apache2 restart}}
</li>
</li>
</ol>
</ol>
</translate>

Latest revision as of 14:31, 4 July 2024

Other languages:

Parent page: Creating a web server on a cloud

Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. It is important to use encryption when sending any sensitive information, such as passwords, over the internet. However, even if not sending sensitive information, encrypting the data sent from the web server to the client will prevent third parties from intercepting the data and modifying it before it continues on to the client. In almost all situations, it is a good idea to use SSL certificates to encrypt data transmitted to and from a web server over the internet.

There are two main types of certificates: a certificate signed by a third party signing authority and a self-signed certificate. In most cases you will want a certificate signed by a third party since it is very easy to do using Let's Encrypt, as described below. However, there may be some cases, such as testing, where you may still want to create a self-signed certificate instead. With this method, data sent to and from your web server will be encrypted, however, there is no third party involved vouching for the validity of your web server. For this reason, visitors to your site will still get a warning about the security of your site. If you have a public-facing site, you probably do not want to use a self-signed certificate.

Once you have your certificate and the web server is configured, it is a good idea to check the security settings using ssllabs' ssltest tool which can suggest changes to your configuration to improve security.

Signed certificate

Having a certificate signed by a Certificate Authority (CA) allows visitors to ensure they are accessing the right website, which avoids man-in-the-middle-attacks. Many CAs require a yearly fee, but one which does not is Let's Encrypt CA. Certbot is a tool that automatically creates or renews an SSL certificate signed by the Let's Encrypt CA and it automatically configures your web server to use the SSL certificate. The main Certbot page tells you everything you need to know to get started quickly. For additional details on Cerbot, see the Certbot docs.

Please note that if you are configuring Certbot via Apache, then you must open port 443 (TCP ingress) in order for Certbot to connect to the site. This is not mentioned in the Certbot documentation.

Self-signed certificate

This section describes the procedure for creating a self-signed SSL certificate as opposed to one signed by a CA, and for configuring Apache to use it to encrypt communications. Self-signed certificates should not be used for production sites, though they may be useful for small locally used sites and for testing.

The following steps assume you are using the Ubuntu operating system. If using another Linux operating system, the steps will be similar, but the details will likely be different such as commands and locations and names of configuration files.

  1. Activate the SSL module
    Once Apache has been installed (see Installing Apache), the SSL module must be enabled with
    [name@server ~]$ sudo a2enmod ssl
    [name@server ~]$ sudo service apache2 restart
    
  2. Create a self-signed SSL certificate
    Question.png
    [name@server ~]$  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt
    

    If you are asked for a pass phrase, it likely means that you missed the -node option. Please reissue the command checking it carefully against the above. This command will ask you a series of questions. Below is a list of the questions with example responses.

     Country Name (2 letter code) [AU]:CA
     State or Province Name (full name) [Some-State]:Nova Scotia
     Locality Name (eg, city) []:Halifax
     Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alliance
     Organizational Unit Name (eg, section) []:ACENET
     Common Name (e.g. server FQDN or YOUR name) []:XXX-XXX-XXX-XXX.cloud.computecanada.ca
     Email Address []:<your email>
    

    The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on our clouds, it should look similar to the example response except that the string of Xs should be replaced with the floating IP associated with the virtual machine.

  3. Set ownership and permissions
    Set the correct ownership and permissions of the private key with
    [name@server ~]$ sudo chown root:ssl-cert /etc/ssl/private/server.key
    [name@server ~]$ sudo chmod 640 /etc/ssl/private/server.key
    
  4. Configure Apache to use the certificate
    Edit Apache's SSL configuration file with
    Question.png
    [name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf
    

    and change the lines

    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    

    to

    SSLCertificateFile      /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCertificateChainFile /etc/ssl/certs/server.crt
    
  5. Assuming that the default-ssl.conf, file is the SSL version of the non-encrypted 000-default.conf file for the site, make sure both files have the same DocumentRoot variables.
  6. Tighten security
    Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by editing the file with
    Question.png
    [name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf
    
    and adding
     ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca
     SSLProtocol all -SSLv2 -SSLv3
     SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
     SSLHonorCipherOrder on
    

    at the bottom of the entry inside the <VirtualHost> tag replacing XXX-XXX-XXX-XXX with your VM's public IP (note the '-' are needed in place of '.'). Also, put a redirect directive on our virtual host by editing the default website configuration file with

    Question.png
    [name@server ~]$  sudo vim /etc/apache2/sites-available/000-default.conf
    
    and adding the line
    Redirect permanent / https://XXX-XXX-XXX-XXX.cloud.computecanada.ca
    

    inside the <VirtualHost> tag.

  7. Enable the SSL-enabled website
    [name@server ~]$ sudo a2ensite default-ssl.conf
    [name@server ~]$ sudo service apache2 restart