
Ubuntu: Apache & SSL

Setting up SSL on an Apache2 server on Ubuntu

Install apache2.

root@ubuntu~#: apt install -y apache2

Generate the private key and the self-signed certificate with openssl.

root@ubuntu~#: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/stan-selfsigned.key -out /etc/ssl/certs/stan-selfsigned.crt

output

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:N
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:172.16.0.10
Email Address []: 
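The same `openssl req` call can be run without the interactive prompts, and the certificate can be checked before Apache is pointed at it. The script below is an added example, not part of the original article: `-subj` replaces the prompts and `-addext` adds a subjectAltName for the server's IP, because modern browsers (Chrome since version 58) match the host name against the SAN only, so a certificate with CN=172.16.0.10 and no SAN produces a name-mismatch error. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the subject fields and output paths are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article): generate the self-signed
# certificate non-interactively, with a subjectAltName for the server's IP,
# then verify it. Assumes OpenSSL 1.1.1 or newer (for -addext). The file
# paths and the subject fields are placeholders chosen for this example.
set -eu

# gen_selfsigned KEY CRT CN DAYS
# Same openssl req invocation as the article, but -subj replaces the prompts
# and -addext adds a SAN of type IP, which is what browsers actually match.
gen_selfsigned() {
    key=$1; crt=$2; cn=$3; days=$4
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$crt" \
        -subj "/C=US/ST=Colorado/O=stan/CN=$cn" \
        -addext "subjectAltName=IP:$cn" 2>/dev/null
    chmod 600 "$key"   # the private key must never be world-readable
}

# verify_cert CRT CN
# Returns 0 when the certificate has not expired and its SAN lists CN as an
# IP address; prints a reminder on stderr that it is self-signed
# (subject == issuer), so clients will have to trust it explicitly.
verify_cert() {
    crt=$1; cn=$2
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
    openssl x509 -in "$crt" -noout -text | grep -q "IP Address:$cn" || return 1
    subj=$(openssl x509 -in "$crt" -noout -subject)
    iss=$(openssl x509 -in "$crt" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo "note: self-signed certificate; clients must trust it explicitly" >&2
    fi
    return 0
}

# Stand-alone run ("sh script.sh demo"): writes into a temporary directory
# instead of /etc/ssl so nothing on the host is touched.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    gen_selfsigned "$dir/stan-selfsigned.key" "$dir/stan-selfsigned.crt" 172.16.0.10 365
    verify_cert "$dir/stan-selfsigned.crt" 172.16.0.10 \
        && echo "certificate OK: $dir/stan-selfsigned.crt"
fi
```

To reproduce the article's layout, pass `/etc/ssl/private/stan-selfsigned.key` and `/etc/ssl/certs/stan-selfsigned.crt` as the first two arguments; `verify_cert` can then be rerun at any time (for instance from cron) to catch the 365-day expiry before clients do.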

Generate the Diffie-Hellman parameters.

root@ubuntu~#: openssl dhparam -out /etc/ssl/certs/dh-stan.pem 2048

output

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................................................................................+..............................................................................................
[…]
...............................................................................................................................................................++*++*

Edit the file /etc/apache2/conf-available/ssl-params.conf.

root@ubuntu~#: vim /etc/apache2/conf-available/ssl-params.conf

file contents

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dh-stan.pem"
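A file like this is easy to get subtly wrong (a directive commented out, a value left at `on`), so it is worth auditing before `a2enconf`. The script below is an added example, not part of the original article or of any Apache tool: it greps a parameter file for the directives ssl-params.conf is meant to enforce and returns the number of findings. One caveat it flags on the article's own values: `SSLProtocol All -SSLv2 -SSLv3` still enables TLS 1.0 and 1.1, which RFC 8996 deprecates; the constructed "hardened" sample uses the allow-list form `SSLProtocol -all +TLSv1.2 +TLSv1.3` instead (TLS 1.3 requires Apache 2.4.37 or later built against OpenSSL 1.1.1 or later). The three sample files are constructed for this run.

```shell
#!/bin/sh
# Added example (not from the original article): audit an Apache TLS
# parameter file for the settings ssl-params.conf is meant to enforce.
# Needs only grep/sed; the sample files below are constructed for this run.
set -eu

# audit_ssl_conf FILE
# Prints one line per finding and returns the number of findings (0 = clean).
audit_ssl_conf() {
    f=$1
    n=0
    report() { echo "  - $1"; n=$((n + 1)); }
    echo "auditing $f"

    # Protocol versions. Two styles exist: "all -X" (everything on unless
    # subtracted) and "-all +X" (allow-list). SSLv2/SSLv3 must be off, and
    # TLS 1.0/1.1 are deprecated by RFC 8996, so they should be off too.
    proto=$(grep -Ei '^[[:space:]]*SSLProtocol' "$f" | tail -n 1)
    if [ -z "$proto" ]; then
        report "no SSLProtocol directive (Apache's default leaves TLS 1.0/1.1 on)"
    elif echo "$proto" | grep -Eiq -- '(^|[[:space:]])\+?all([[:space:]]|$)'; then
        echo "$proto" | grep -Eiq -- '-SSLv3'                || report "SSLv3 not disabled"
        echo "$proto" | grep -Eiq -- '-TLSv1([[:space:]]|$)' || report "TLSv1.0 still enabled"
        echo "$proto" | grep -Eiq -- '-TLSv1\.1'             || report "TLSv1.1 still enabled"
    else
        echo "$proto" | grep -Eiq -- '(^|[[:space:]])\+?TLSv1([[:space:]]|$)'   && report "TLSv1.0 explicitly enabled"
        echo "$proto" | grep -Eiq -- '(^|[[:space:]])\+?TLSv1\.1([[:space:]]|$)' && report "TLSv1.1 explicitly enabled"
    fi

    # The remaining directives the article sets. Patterns are anchored at the
    # start of the line, so a commented-out "#Header ..." does not count.
    grep -Eiq '^[[:space:]]*SSLCipherSuite'                    "$f" || report "no SSLCipherSuite (library defaults apply)"
    grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$f" || report "SSLHonorCipherOrder not on"
    grep -Eiq '^[[:space:]]*SSLCompression[[:space:]]+off'     "$f" || report "SSLCompression not off"
    grep -Eiq '^[[:space:]]*SSLSessionTickets[[:space:]]+off'  "$f" || report "SSLSessionTickets not off"
    grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' "$f" \
        || report "no Strict-Transport-Security header"
    echo "  findings: $n"
    return "$n"
}

# Constructed sample 1: protocols and compression left loose.
make_weak_conf() {
    cat > "$1" <<'EOF'
SSLProtocol all -SSLv2
SSLCompression on
EOF
}

# Constructed sample 2: the values the article puts in ssl-params.conf.
make_article_conf() {
    cat > "$1" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
SSLCompression off
SSLSessionTickets Off
EOF
}

# Constructed sample 3: the article's file with the allow-list protocol line
# (TLS 1.3 needs Apache 2.4.37+ built against OpenSSL 1.1.1+).
make_hardened_conf() {
    make_article_conf "$1"
    sed 's/^SSLProtocol .*/SSLProtocol -all +TLSv1.2 +TLSv1.3/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone run ("sh audit.sh demo"): audits the three constructed files.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_weak_conf "$d/weak.conf"; make_article_conf "$d/article.conf"; make_hardened_conf "$d/hardened.conf"
    for c in weak article hardened; do
        audit_ssl_conf "$d/$c.conf" || true
    done
fi
```

Run against the real file with `audit_ssl_conf /etc/apache2/conf-available/ssl-params.conf`; the non-zero return code makes it usable as a gate in a deployment script. On the article's values it reports exactly two findings, both about TLS 1.0/1.1.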

Edit the file /etc/apache2/sites-available/default-ssl.conf.

root@ubuntu~#: vim /etc/apache2/sites-available/default-ssl.conf

file contents

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin stan@colorado.us
                ServerName 172.16.0.10

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/stan-selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/stan-selfsigned.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                               nokeepalive ssl-unclean-shutdown \
                               downgrade-1.0 force-response-1.0

        </VirtualHost>
</IfModule>

Edit the file /etc/apache2/sites-available/000-default.conf.

root@ubuntu~#: vim /etc/apache2/sites-available/000-default.conf

excerpt of the file contents

<VirtualHost>
[…]

        ServerAdmin stan@colorado.us
        DocumentRoot /var/www/html
        Redirect "/" "https://172.16.0.10/"

[…]
</VirtualHost>

Firewall configuration

Firewall status.

root@ubuntu~#: ufw app list
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH

Allow HTTPS traffic.

root@ubuntu~#: ufw allow 'Apache Full'
root@ubuntu~#: ufw delete allow 'Apache'

Enabling SSL for Apache2

root@ubuntu~#: a2enmod ssl
root@ubuntu~#: a2enmod headers
root@ubuntu~#: a2ensite default-ssl
root@ubuntu~#: a2enconf ssl-params

Test the Apache configuration.

root@ubuntu~#: apache2ctl configtest

output

AH00557: apache2: apr_sockaddr_info_get() failed for apache-ssl.server.local
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

Restart the Apache service.

root@ubuntu~#: systemctl restart apache2

The sites on this server should now be reachable at https://172.16.0.10/.

Once the test succeeds, make the HTTP-to-HTTPS redirect permanent.

Edit the file /etc/apache2/sites-available/000-default.conf.

root@ubuntu~#: vim /etc/apache2/sites-available/000-default.conf

excerpt of the file contents

[…]

        Redirect permanent "/" "https://172.16.0.10/"

[…]
</VirtualHost>
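The difference between the two redirect steps is visible from a client: a bare `Redirect` answers 302, `Redirect permanent` answers 301, and only the latter lets browsers cache the move. The script below is an added example, not part of the original article: each function reads raw response headers on stdin, so it runs offline on the constructed samples embedded here and live on `curl` output (usage note after the code). It checks the redirect on port 80 and, on port 443, the HSTS, X-Frame-Options and X-Content-Type-Options headers that ssl-params.conf sets. The address 172.16.0.10 is the article's; the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): verify the deployed server
# from the client side. Each function reads raw response headers on stdin,
# so the same code runs offline on the constructed samples below or live on
# curl output. The IP 172.16.0.10 is the article's test host.
set -eu

# check_http_redirect  < headers
# Returns 0 when the plain-HTTP answer is a 301 whose Location is https://.
# Apache's bare "Redirect" sends 302; only "Redirect permanent" sends 301.
check_http_redirect() {
    hdr=$(tr -d '\r')
    printf '%s\n' "$hdr" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 301( |$)' \
        || { echo "not a 301 (bare Redirect gives 302; use 'Redirect permanent')"; return 1; }
    printf '%s\n' "$hdr" | grep -Eiq '^Location: https://' \
        || { echo "Location header does not point to https://"; return 1; }
    echo "http -> https redirect OK"
}

# check_https_headers MIN_MAX_AGE  < headers
# Returns 0 when HSTS is present with max-age >= MIN_MAX_AGE and the two
# X-* headers from ssl-params.conf are there.
check_https_headers() {
    min=$1
    hdr=$(tr -d '\r')
    age=$(printf '%s\n' "$hdr" | grep -i '^Strict-Transport-Security:' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] || { echo "no Strict-Transport-Security header"; return 1; }
    [ "$age" -ge "$min" ] || { echo "HSTS max-age $age is below $min"; return 1; }
    printf '%s\n' "$hdr" | grep -Eiq '^X-Frame-Options: DENY' \
        || { echo "X-Frame-Options DENY missing"; return 1; }
    printf '%s\n' "$hdr" | grep -Eiq '^X-Content-Type-Options: nosniff' \
        || { echo "X-Content-Type-Options nosniff missing"; return 1; }
    echo "HTTPS security headers OK (HSTS max-age=$age)"
}

# Constructed samples of what "curl -sI" prints: port 80 before and after the
# redirect is made permanent, and the TLS vhost with ssl-params.conf enabled.
HTTP_BEFORE='HTTP/1.1 302 Found
Location: https://172.16.0.10/
Content-Type: text/html; charset=iso-8859-1'
HTTP_AFTER='HTTP/1.1 301 Moved Permanently
Location: https://172.16.0.10/
Content-Type: text/html; charset=iso-8859-1'
HTTPS_OK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html'

# Stand-alone run ("sh check.sh demo") on the constructed samples.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$HTTP_BEFORE" | check_http_redirect || true   # reports the 302
    printf '%s\n' "$HTTP_AFTER"  | check_http_redirect
    printf '%s\n' "$HTTPS_OK"    | check_https_headers 31536000
fi
```

Against the live server the same functions take `curl` output: `curl -sSI http://172.16.0.10/ | check_http_redirect` and `curl -sSIk https://172.16.0.10/ | check_https_headers 31536000` (`-k` is needed only because this test host's certificate is self-signed and not in curl's trust store; `-I` sends a HEAD request, which Apache's `Redirect` answers like GET).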

March 28, 2018 | System