Translations:Configuring Apache to use SSL/6/en: Difference between revisions

(Importing a new version from external source)
 
(Importing a new version from external source)
Line 20: Line 20:
<pre>
<pre>
  <nowiki>ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
  <nowiki>ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
<nowiki>ServerAlias www.XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
  <nowiki>SSLProtocol all -SSLv2 -SSLv3</nowiki>
  <nowiki>SSLProtocol all -SSLv2 -SSLv3</nowiki>
  <nowiki>SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4</nowiki>
  <nowiki>SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4</nowiki>
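Review bot: The ServerAlias www.XXX-XXX-XXX-XXX.cloud.computecanada.ca line is the only directive that differs between the two revisions, and with it the virtual host answers for a second hostname that the certificate step does not cover: the page sets the certificate's Common Name to the server's domain name only, so requests for the www name would hit a name mismatch. Either drop the alias from the SSL virtual host or state that the certificate must include the www name as well.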

Revision as of 15:05, 7 November 2017

Message definition (Configuring Apache to use SSL)
The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on our clouds, it should look similar to the example response except that the string of Xs should be replaced with the floating IP associated with the virtual machine.
</li>
<li><b>Set ownership and permissions</b><br/>
Set the correct ownership and permissions of the private key with {{Commands|sudo chown root:ssl-cert /etc/ssl/private/server.key|sudo chmod 640 /etc/ssl/private/server.key}}
</li>
<li><b>Configure Apache to use the certificate</b><br/>
Edit Apache's SSL configuration file with
{{Command|sudo vim /etc/apache2/sites-available/default-ssl.conf}}
and change the lines
 SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to
 SSLCertificateFile      /etc/ssl/certs/server.crt
 SSLCertificateKeyFile /etc/ssl/private/server.key
 SSLCertificateChainFile /etc/ssl/certs/server.crt
</li>
Assuming that the <code>default-ssl.conf</code> file is the SSL version of the non-encrypted <code>000-default.conf</code> file for the site, make sure both files have the same <code>DocumentRoot</code> value.
<br/>
<li><b>Tighten security</b><br/>
Force all HTTP traffic to HTTPS, require more modern versions of SSL, and prefer better cipher options by editing the file with {{Command |sudo vim /etc/apache2/sites-available/default-ssl.conf}} and adding
<pre>
 <nowiki>ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca</nowiki>
 <nowiki>SSLProtocol all -SSLv2 -SSLv3</nowiki>
 <nowiki>SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4</nowiki>
 <nowiki>SSLHonorCipherOrder on</nowiki>
</pre>
at the bottom of the entry inside the <code><VirtualHost></code> tag replacing XXX-XXX-XXX-XXX with your VM's public IP (note the '-' are needed in place of '.'). Also, put a redirect directive on our virtual host by editing the default website configuration file with
{{Command| sudo vim /etc/apache2/sites-available/000-default.conf }}and adding the line

The most important question to answer is the "Common Name" question, which should be the domain name of your server. In the case of a virtual machine on Compute Canada's cloud, it should look similar to the example response except that the X's should be replaced with the floating IP associated with the virtual machine.

  • Set Ownership and Permissions
    Set the correct ownership and permissions of the private key with:
    [name@server ~]$ sudo chown root:ssl-cert /etc/ssl/private/server.key
    [name@server ~]$ sudo chmod 640 /etc/ssl/private/server.key
    
  • Configure Apache to use the Certificate
    Edit Apache's SSL configuration file with
    [name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf
    

    and change the lines

    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    

    to

    SSLCertificateFile      /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCertificateChainFile /etc/ssl/certs/server.crt
    
  • Also ensure that the DocumentRoot path matches the one set in your /etc/apache2/sites-available/000-default.conf file, provided that is the site you wish to apply SSL to.

  • Tighten Security
    Force all HTTP traffic to HTTPS, require more modern versions of SSL, and prefer better cipher options by editing the file with
    [name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf
    
    and adding
     ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca
     SSLProtocol all -SSLv2 -SSLv3
     SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
     SSLHonorCipherOrder on
    

    at the bottom of the entry inside the <VirtualHost> tag, replacing XXX-XXX-XXX-XXX with your VM's IP (note that the '-' are needed in place of '.'). Also put a redirect directive on our virtual host by editing the default website configuration file with:

    [name@server ~]$  sudo vim /etc/apache2/sites-available/000-default.conf
    
    and adding the line
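
Added example (not part of the original page): a script that checks the hardening and DocumentRoot steps above against a pair of virtual host files. The function names, the simplified left-to-right model of `SSLProtocol` tokens, and the sample `DocumentRoot` value are assumptions made for the example.

```shell
# Added example (constructed names and sample values; not Apache's or the page's code).

# Print the value of the first uncommented directive $2 in file $1.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 if protocol $2 is enabled after applying the SSLProtocol tokens in $1.
# Left to right: "all" or "+X" enables, "-X" disables, a bare name replaces the set.
proto_enabled() {
    on=0
    for tok in $1; do
        case "$tok" in
            all|+all|"$2"|+"$2") on=1 ;;
            -all|-"$2") on=0 ;;
            [+-]*) ;;
            *) on=0 ;;
        esac
    done
    [ "$on" -eq 1 ]
}

# Print findings for SSL vhost $1 and plain vhost $2; return 0 only if none fail.
audit_ssl_vhost() {
    rc=0
    proto=$(directive "$1" SSLProtocol | tr 'A-Z' 'a-z')
    [ -n "$proto" ] || { echo "SSLProtocol is not set"; rc=1; }
    for p in sslv2 sslv3; do
        if proto_enabled "$proto" "$p"; then echo "SSLProtocol leaves $p enabled"; rc=1; fi
    done
    for p in tlsv1 tlsv1.1; do   # allowed by "all"; reported without failing the audit
        if proto_enabled "$proto" "$p"; then echo "note: $p is still accepted"; fi
    done
    ciphers=$(directive "$1" SSLCipherSuite)
    for c in '!aNULL' '!MD5' '!RC4'; do
        case ":$ciphers:" in *":$c:"*) ;; *) echo "SSLCipherSuite lacks $c"; rc=1 ;; esac
    done
    [ "$(directive "$1" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" = on ] ||
        { echo "SSLHonorCipherOrder is not on"; rc=1; }
    [ "$(directive "$1" DocumentRoot)" = "$(directive "$2" DocumentRoot)" ] ||
        { echo "DocumentRoot differs between the two files"; rc=1; }
    return "$rc"
}

# Constructed sample: write the page's directives (DocumentRoot is made up) to file $1.
write_sample() {
    printf '%s\n' 'DocumentRoot /var/www/html' 'SSLProtocol all -SSLv2 -SSLv3' 'SSLHonorCipherOrder on' \
        'SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4' > "$1"
}
```

Run it as `audit_ssl_vhost /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/000-default.conf`; with the directives from this page it passes and prints two notes, because `all -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled.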