rsnt_translations (56,420 edits)
No edit summary | No edit summary
Line 6: | Line 6: | ||
<!--T:2--> | <!--T:2--> | ||
Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. It is important to use encryption when sending any sensitive information, such as passwords, over the internet. However, even if not sending sensitive information encrypting the data sent from the web server to the client will prevent third parties from intercepting the data and modifying it before it continues on to the client. In almost all situations it is a good idea to use SSL certificates to encrypt data transmitted to and from a web server over the Internet. | Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. It is important to use encryption when sending any sensitive information, such as passwords, over the internet. However, even if not sending sensitive information encrypting the data sent from the web server to the client will prevent third parties from intercepting the data and modifying it before it continues on to the client. In almost all situations, it is a good idea to use SSL certificates to encrypt data transmitted to and from a web server over the Internet. | ||
<!--T:11--> | <!--T:11--> | ||
There are two main ways to create a certificate, a certificate signed by a third party signing authority and a self-signed certificate. In most cases you will want a certificate signed by a third party, especially now since it is very easy to do using let's encrypt, as described below. However, there | There are two main ways to create a certificate, a certificate signed by a third party signing authority and a self-signed certificate. In most cases you will want a certificate signed by a third party, especially now since it is very easy to do using let's encrypt, as described below. However, there may be some cases, such as testing, where you may still want to create a self-signed certificate instead. With this method, data sent to and from your web server will be encrypted, however, there is no third party involved vouching for the validity of your web server. For this reason, visitors to your site will still get a warning about the security of your site. If you have a public-facing site you probably do not want to use a self-signed certificate. | ||
<!--T:12--> | <!--T:12--> | ||
Once you have your certificate and web server configured, it is a good idea to check the security settings using ssllabs' [https://www.ssllabs.com/ssltest/ ssltest tool] which can suggest changes to your configuration to improvement security. | Once you have your certificate and web server configured, it is a good idea to check the security settings using ssllabs' [https://www.ssllabs.com/ssltest/ ssltest tool] which can suggest changes to your configuration to improvement security. | ||
==Signed | ==Signed certificate== <!--T:9--> | ||
Having a certificate signed by a [https://en.wikipedia.org/wiki/Certificate_authority Certificate Authority] (CA) allows visitors of the site to verify by a third party (the CA) that the website is the expected website, avoiding [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle-attacks]. Many CAs require a yearly fee; one CA which does not is the [https://letsencrypt.org/ let's encrypt] CA. Certbot is a tool for automatically creating and renewing an SSL certificate signed by the let's encrypt CA and automatically configures your web server to use the SSL certificate. The main [https://certbot.eff.org/ Certbot] page tells you everything you need to know to get started quickly. For additional details about using cerbot see the [https://certbot.eff.org/docs/ certbot docs]. | Having a certificate signed by a [https://en.wikipedia.org/wiki/Certificate_authority Certificate Authority] (CA) allows visitors of the site to verify by a third party (the CA) that the website is the expected website, avoiding [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle-attacks]. Many CAs require a yearly fee; one CA which does not is the [https://letsencrypt.org/ let's encrypt] CA. Certbot is a tool for automatically creating and renewing an SSL certificate signed by the let's encrypt CA and automatically configures your web server to use the SSL certificate. The main [https://certbot.eff.org/ Certbot] page tells you everything you need to know to get started quickly. For additional details about using cerbot see the [https://certbot.eff.org/docs/ certbot docs]. | ||
==Self- | ==Self-signed certificate== <!--T:10--> | ||
This section describes the procedure for creating a self-signed SSL certificate as opposed to one signed by a [https://en.wikipedia.org/wiki/Certificate_authority CA] and configuring Apache to use it to encrypt communications. Self-signed certificates should not be used for production sites, though they may be useful for small locally used sites and for testing. | This section describes the procedure for creating a self-signed SSL certificate as opposed to one signed by a [https://en.wikipedia.org/wiki/Certificate_authority CA] and configuring Apache to use it to encrypt communications. Self-signed certificates should not be used for production sites, though they may be useful for small locally used sites and for testing. | ||
<!--T:3--> | <!--T:3--> | ||
The following steps assume you are using the Ubuntu operating system. If using another Linux operating system the steps will be similar but the details will likely be different such as slightly different commands or different locations and names of configuration files. | The following steps assume you are using the Ubuntu operating system. If using another Linux operating system, the steps will be similar but the details will likely be different such as slightly different commands or different locations and names of configuration files. | ||
<!--T:4--> | <!--T:4--> | ||
<ol> | <ol> | ||
<li>'''Activate SSL | <li>'''Activate the SSL module'''<br/> | ||
Once Apache has been installed (see [[Creating_a_Webserver_on_the_Cloud#Install_Apache2 | Installing Apache]]) the SSL module must be enabled with{{Commands|sudo a2enmod ssl|sudo service apache2 restart}} | Once Apache has been installed (see [[Creating_a_Webserver_on_the_Cloud#Install_Apache2 | Installing Apache]]) the SSL module must be enabled with{{Commands|sudo a2enmod ssl|sudo service apache2 restart}} | ||
</li> | </li> | ||
<li>'''Create a | <li>'''Create a self-signed SSL certificate'''{{Command| sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt}} | ||
If you are asked for a pass phrase this likely means you missed the <code>-node</code> option: please reissue the command checking it carefully against the above. This command will ask you a series of questions. Below is a list of the questions with example responses: | If you are asked for a pass phrase this likely means you missed the <code>-node</code> option: please reissue the command checking it carefully against the above. This command will ask you a series of questions. Below is a list of the questions with example responses: | ||
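Review bot: On the last line of this hunk, the recovery hint names a `-node` option while the command immediately above uses `-nodes`; since that sentence exists precisely to help someone who mistyped the flag, it should read `-nodes` on both sides of the diff. Two smaller typos this edit leaves untouched in the same hunk: "improvement security" in the ssltest paragraph should be "improve security", and "cerbot" in the certbot docs link text should be "certbot".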
Line 41: | Line 41: | ||
<!--T:6--> | <!--T:6--> | ||
The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on our clouds, it should look similar to the example response except that the X's should be | The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on our clouds, it should look similar to the example response except that the X's should be replaced with the floating-IP associated with the virtual machine. | ||
</li> | </li> | ||
<li>'''Set | <li>'''Set ownership and permissions'''<br/> | ||
Set the correct ownership and permissions of the private key with: {{Commands|sudo chown root:ssl-cert /etc/ssl/private/server.key|sudo chmod 640 /etc/ssl/private/server.key}} | Set the correct ownership and permissions of the private key with: {{Commands|sudo chown root:ssl-cert /etc/ssl/private/server.key|sudo chmod 640 /etc/ssl/private/server.key}} | ||
</li> | </li> | ||
<li>'''Configure Apache to use the | <li>'''Configure Apache to use the certificate'''<br/> | ||
Edit Apache's ssl configuration file with | Edit Apache's ssl configuration file with | ||
{{Command|sudo vim /etc/apache2/sites-available/default-ssl.conf}} | {{Command|sudo vim /etc/apache2/sites-available/default-ssl.conf}} | ||
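Review bot: The Common Name guidance at the top of this hunk tells the reader to put the floating IP in the CN, but the `openssl req -x509` command in the previous step sets no Subject Alternative Name, and current browsers match the host against the SAN rather than the CN, so the resulting certificate will produce a hostname-mismatch error on top of the expected self-signed warning. Consider documenting an `-addext "subjectAltName=IP:<floating-IP>"` argument (OpenSSL 1.1.1 and later) next to the CN advice, or stating plainly that the mismatch is expected for a test certificate.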
Line 58: | Line 58: | ||
</li> | </li> | ||
Also ensure that the <code>DocumentRoot</code> path matches that set in your <code>/etc/apache2/sites-available/000-default.conf</code> file provided that is the site you wish to apply the SSL to. | Also ensure that the <code>DocumentRoot</code> path matches that set in your <code>/etc/apache2/sites-available/000-default.conf</code> file provided that is the site you wish to apply the SSL to. | ||
<li>'''Tighten | <li>'''Tighten security'''<br/> | ||
Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by editing the file with {{Command |sudo vim /etc/apache2/sites-available/default-ssl.conf}} and adding | Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by editing the file with {{Command |sudo vim /etc/apache2/sites-available/default-ssl.conf}} and adding | ||
<pre> | <pre> |
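Review bot: The "Also ensure that the <code>DocumentRoot</code> path matches..." sentence sits between `</li>` and the next `<li>`, so it is outside every list item and will render as stray text between the "Configure Apache" and "Tighten security" steps; it belongs before the `</li>` that closes the "Configure Apache to use the certificate" item, with the rest of that step's instructions. In the "Tighten security" item, forcing http to https by editing only `default-ssl.conf` (the port-443 virtual host) will have no effect on plain-http requests unless the added configuration also includes a `<VirtualHost *:80>` block or the redirect is placed in `000-default.conf`; whatever the `<pre>` block goes on to show, the text should say where the redirect must live. "require more modern versions of SSL" would also read better as "require modern TLS versions", given the opening paragraph's own distinction between TLS and SSL.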