Apache SSL

Here is a non-SSL Apache virtual host.

<VirtualHost *:80>
    ServerName serverok.in
    ServerAdmin [email protected]
    DocumentRoot /home/serverok.in/html
    CustomLog ${APACHE_LOG_DIR}/serverok.in.log combined
    <Directory "/home/serverok.in/html">
        Options All
        AllowOverride All
        Require all granted
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

To convert it to an SSL VirtualHost, first change the port to 443.

Find

<VirtualHost *:80>

Replace with

<VirtualHost *:443>

Add the following lines above the Directory entry

SSLEngine on
SSLCertificateFile /etc/ssl/DOMAIN.crt
SSLCertificateKeyFile /etc/ssl/DOMAIN.key

The resulting VirtualHost will look like this (it also sets SSLProtocol to turn off the old SSL/TLS versions)

<VirtualHost *:443>
    ServerName serverok.in
    ServerAdmin [email protected]
    DocumentRoot /home/serverok.in/html
    CustomLog ${APACHE_LOG_DIR}/serverok.in.log combined
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /etc/ssl/serverok.in.crt
    SSLCertificateKeyFile /etc/ssl/serverok.in.key
    <Directory "/home/serverok.in/html">
        Options All
        AllowOverride All
        Require all granted
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

For added security, you can also restrict the cipher suites with the following config

SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:!TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:!DSS

Enable mod_ssl

If you get the following error

Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration

you need to enable mod_ssl. On Debian, run

sudo a2enmod ssl

Restart Apache

sudo service apache2 restart

Force SSL

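To send all HTTP traffic to HTTPS, add the following line to the non-SSL (port 80) VirtualHost for the website. Do not put it in the port 443 VirtualHost, or the site will redirect to itself in a loop.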

Redirect 301 / https://domain.ltd/
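An added example (not from the original page): a small Python check that reads Apache vhost configuration text and reports the two points covered above, a port-80 vhost with no Redirect to https:// and an SSL vhost whose SSLProtocol is missing or still allows SSLv3, TLSv1 or TLSv1.1. The function names and the sample config are constructed for illustration; as assumptions, `all` is treated as enabling every legacy version, and directives inside nested sections such as Directory are counted as belonging to the vhost.

```python
import re

LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")  # versions the page's SSLProtocol line turns off
# Constructed sample: the page's port-443 vhost plus a port-80 vhost with no redirect.
SAMPLE = """\
<VirtualHost *:80>
    ServerName serverok.in
    DocumentRoot /home/serverok.in/html
</VirtualHost>
<VirtualHost *:443>
    ServerName serverok.in
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /etc/ssl/serverok.in.crt
    SSLCertificateKeyFile /etc/ssl/serverok.in.key
</VirtualHost>
"""

def parse_vhosts(text):
    """Yield (port, {directive: [argument strings]}) for each <VirtualHost> block."""
    for m in re.finditer(r"<VirtualHost\s+[^>]*:(\d+)\s*>(.*?)</VirtualHost>", text, re.S | re.I):
        d = {}
        # Lines starting with '#' or '<' do not match, so comments and section tags are skipped.
        for name, args in re.findall(r"^[ \t]*([A-Za-z]\w*)[ \t]*(.*)$", m.group(2), re.M):
            d.setdefault(name.lower(), []).append(args.strip())
        yield int(m.group(1)), d

def enabled_legacy(args):
    """Return the legacy protocols an SSLProtocol argument string leaves enabled."""
    on = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(LEGACY) if name.lower() == "all" else {p for p in LEGACY if p.lower() == name.lower()}
        # '-' removes, '+' adds, a bare token replaces the whole set
        on = on - names if sign == "-" else on | names if sign == "+" else names
    return sorted(on)

def audit(text):
    """Return one finding string per problem; an empty list means both checks pass."""
    findings = []
    for port, d in parse_vhosts(text):
        host = f"{d.get('servername', ['?'])[0]}:{port}"
        if "on" not in [a.lower() for a in d.get("sslengine", [])]:
            if not any("https://" in r for r in d.get("redirect", [])):
                findings.append(f"{host}: plain HTTP, no Redirect to https://")
            continue
        if "sslprotocol" not in d:
            findings.append(f"{host}: SSLProtocol not set in this vhost")
        elif legacy := enabled_legacy(d["sslprotocol"][-1]):
            findings.append(f"{host}: legacy protocols enabled: {', '.join(legacy)}")
    return findings
```

Call audit() on the contents of a site configuration file; a vhost that inherits SSLProtocol from the server-wide configuration is reported as "not set" because only the vhost block is inspected.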
