Translations:Configuring Apache to use SSL/6/en: Difference between revisions
(Importing a new version from external source) |
(Importing a new version from external source) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on | The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on our clouds, it should look similar to the example response except that the string of Xs should be replaced with the floating IP associated with the virtual machine. | ||
</li> | </li> | ||
<li> | <li><b>Set ownership and permissions</b><br/> | ||
Set the correct ownership and permissions of the private key with | Set the correct ownership and permissions of the private key with {{Commands|sudo chown root:ssl-cert /etc/ssl/private/server.key|sudo chmod 640 /etc/ssl/private/server.key}} | ||
</li> | </li> | ||
<li> | <li><b>Configure Apache to use the certificate</b><br/> | ||
Edit Apache's | Edit Apache's SSL configuration file with | ||
{{Command|sudo vim /etc/apache2/sites-available/default-ssl.conf}} | {{Command|sudo vim /etc/apache2/sites-available/default-ssl.conf}} | ||
and change the lines | and change the lines | ||
Line 15: | Line 15: | ||
SSLCertificateChainFile /etc/ssl/certs/server.crt | SSLCertificateChainFile /etc/ssl/certs/server.crt | ||
</li> | </li> | ||
Assuming that the <code>default-ssl.conf,</code> file is the SSL version of the non-encrypted <code>000-default.conf</code> file for the site, make sure both files have the same <code>DocumentRoot</code> variables. | |||
<li> | <br/> | ||
<li><b>Tighten security</b><br/> | |||
Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by editing the file with {{Command |sudo vim /etc/apache2/sites-available/default-ssl.conf}} and adding | Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by editing the file with {{Command |sudo vim /etc/apache2/sites-available/default-ssl.conf}} and adding | ||
<pre> | <pre> | ||
<nowiki>ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki> | <nowiki>ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki> | ||
<nowiki>SSLProtocol all -SSLv2 -SSLv3</nowiki> | <nowiki>SSLProtocol all -SSLv2 -SSLv3</nowiki> | ||
<nowiki>SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4</nowiki> | <nowiki>SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4</nowiki> | ||
<nowiki>SSLHonorCipherOrder on</nowiki> | <nowiki>SSLHonorCipherOrder on</nowiki> | ||
</pre> | </pre> | ||
at the bottom of the entry inside the <code><VirtualHost></code> tag replacing | at the bottom of the entry inside the <code><VirtualHost></code> tag replacing XXX-XXX-XXX-XXX with your VM's public IP (note the '-' are needed in place of '.'). Also, put a redirect directive on our virtual host by editing the default website configuration file with | ||
{{Command| sudo vim /etc/apache2/sites-available/000-default.conf }}and adding the line | {{Command| sudo vim /etc/apache2/sites-available/000-default.conf }}and adding the line |
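Review bot: In the step this revision titles "Tighten security", the unchanged line `SSLProtocol all -SSLv2 -SSLv3` still leaves TLS 1.0 and TLS 1.1 enabled, and `SSLCipherSuite HIGH:MEDIUM:...` still admits the MEDIUM cipher class. Consider `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and dropping `MEDIUM` so the block matches its new heading. In the added DocumentRoot sentence, the comma inside `<code>default-ssl.conf,</code>` is a typo, and `DocumentRoot` is a directive rather than a variable.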
Latest revision as of 21:33, 1 June 2023
The most important question to answer is the "Common Name" question, which should be answered with the domain name of your server. In the case of a virtual machine on our clouds, it should look similar to the example response except that the string of Xs should be replaced with the floating IP associated with the virtual machine.
Set the correct ownership and permissions of the private key with
[name@server ~]$ sudo chown root:ssl-cert /etc/ssl/private/server.key
[name@server ~]$ sudo chmod 640 /etc/ssl/private/server.key
Edit Apache's SSL configuration file with
[name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf
and change the lines
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCertificateChainFile /etc/ssl/certs/server.crt
Assuming that the default-ssl.conf file is the SSL version of the non-encrypted 000-default.conf file for the site, make sure both files have the same DocumentRoot setting.
Force all HTTP traffic to HTTPS, require more modern versions of SSL, and use better cipher options, first by editing the file with
[name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf
and adding
ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
SSLHonorCipherOrder on
at the bottom of the entry inside the <VirtualHost> tag, replacing XXX-XXX-XXX-XXX with your VM's public IP (note that the '-' characters are needed in place of '.'). Also, put a redirect directive on our virtual host by editing the default website configuration file with
[name@server ~]$ sudo vim /etc/apache2/sites-available/000-default.conf
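
A lint for the edits described above, as an added example that is not part of the original wiki page: it checks that the snakeoil paths were replaced, that both virtual-host files share one DocumentRoot, that the four hardening directives are present, and that a key file has mode 640. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the two vhost files edited above. Function names and
# the sample contents below are constructed for the demonstration.

# Print the value of the first uncommented DIRECTIVE line in FILE.
directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Succeed only if FILE has mode 640, as set by the chmod step.
key_mode_ok() { [ -n "$(find "$1" -prune -perm 640)" ]; }

# Report problems in SSL_CONF / PLAIN_CONF; exit status is the problem count.
check_vhosts() {
    ssl=$1; plain=$2; bad=0
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        case "$(directive "$d" "$ssl")" in
            "")         echo "MISSING  $d"; bad=$((bad + 1)) ;;
            *snakeoil*) echo "DEFAULT  $d still uses the snakeoil pair"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$(directive DocumentRoot "$ssl")" = "$(directive DocumentRoot "$plain")" ] ||
        { echo "MISMATCH DocumentRoot differs between the files"; bad=$((bad + 1)); }
    for d in ServerName SSLProtocol SSLCipherSuite SSLHonorCipherOrder; do
        [ -n "$(directive "$d" "$ssl")" ] || { echo "MISSING  $d"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Constructed sample: an SSL vhost that was only half edited.
make_samples() {
    printf '%s\n' '<VirtualHost *:80>' '  DocumentRoot /var/www/html' \
        '</VirtualHost>' > "$1/000-default.conf"
    printf '%s\n' '<VirtualHost _default_:443>' '  DocumentRoot /var/www/site' \
        '  SSLCertificateFile /etc/ssl/certs/server.crt' \
        '  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key' \
        '  SSLProtocol all -SSLv2 -SSLv3' \
        '</VirtualHost>' > "$1/default-ssl.conf"
}

demo=$(mktemp -d)
make_samples "$demo"
check_vhosts "$demo/default-ssl.conf" "$demo/000-default.conf" ||
    echo "$? problem(s) found"
```

On the server, point `check_vhosts` at the two files under /etc/apache2/sites-available and `key_mode_ok` at /etc/ssl/private/server.key, running with sudo so the key is readable.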