HTTPS / SSL Certificate setup notes for Ubuntu
Posted: Mon Mar 13, 2023 1:00 pm
This is just provided in case it helps anyone else.
We had to switch our installation to using HTTPS to comply with security policies (even though it's running on an internal-only DNS entry), so I thought these notes might be useful. It's a very simple process of setting up an Apache2 reverse proxy.
I'm not much of a web server person so this is just what I found worked for me... your mileage may vary.
# apt-get install apache2
# a2enmod ssl
# systemctl restart apache2
# systemctl status apache2
# apachectl -M | grep ssl
# ufw app list
# ufw allow "Apache Secure"
# cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.orig
# vim /etc/apache2/sites-available/default-ssl.conf
====
ServerAdmin someone@somewhere.org
SSLCertificateFile /etc/ssl/localcert/ServerCertificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.sslkey.pem
SSLCertificateChainFile /etc/ssl/localcert/ChainBundle2.crt
# Recommended security options
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# SSLProxyCipherSuite only governs TLS connections Apache itself opens as a proxy client;
# harmless here, since the proxied backend is plain HTTP on localhost
SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
====
# a2ensite default-ssl
# apachectl configtest
# systemctl restart apache2
test https://<servername.fqdn>
Default Apache landing page is served - OK
Now to configure the proxy
# a2enmod proxy
# a2enmod proxy_http
# a2enmod headers
# cd /etc/apache2/sites-available
# vim unimus.conf
====
<VirtualHost <serverip>:443>
ServerName unimus.fqdn
ServerAlias vmname.fqdn
# Off is already the default, but state it so the vhost can never be turned into an open forward proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8085/
ProxyPassReverse / http://127.0.0.1:8085/
SSLEngine on
SSLCertificateFile /etc/ssl/localcert/ServerCertificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.sslkey.pem
SSLCertificateChainFile /etc/ssl/localcert/ChainBundle2.crt
# SSL options as recommended
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# only used for TLS connections Apache opens as a proxy client; not needed for the http:// backend above
SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
<IfModule headers_module>
# tells browsers to fetch any http:// URLs the backend emits over https instead
Header set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>
</VirtualHost>
====
# a2ensite unimus
# apachectl configtest
# systemctl restart apache2
test https://unimus.fqdn
OK
Remove the old firewall rules for 8085 so the plaintext port is no longer reachable from outside; Apache still reaches it on 127.0.0.1.
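A small audit script for the setup above, added here as an example; it is not from the original post or the Unimus project. It evaluates an SSLProtocol line the way mod_ssl applies it (tokens left to right, "all" enables everything, "+X" or bare "X" enables, "-X" disables), lints a vhost file for the things that matter in this setup (old protocol versions, the X-Forwarded-Proto header that lets the backend build https:// redirects instead of relying on the CSP header, an explicit ProxyRequests Off) and, when LIVE_HOST is set, probes the listener with openssl and curl. The two vhost files it writes are constructed for the demonstration (the first mirrors unimus.conf with Ubuntu's global default protocol line, the second adds the fixes); LIVE_HOST, the hostnames, the IP and the file paths are placeholders.

```shell
#!/bin/sh
# Audit helper for the Apache TLS reverse proxy from the notes above.
# Added example, not from the original post or the Unimus project. The two
# vhost files below are constructed for the demo; LIVE_HOST, hostnames and
# IPs are placeholders.

# What mod_ssl 2.4 expands "all" to (assumption: SSLv2 is not part of it).
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Evaluate an SSLProtocol value the way mod_ssl does: tokens apply left to
# right, "all" enables everything, "+X" and bare "X" enable, "-X" disables.
# Returns 0 when <proto> ends up enabled, 1 otherwise.
ssl_protocol_enabled() {
    value=$1; want=$2; enabled=""
    for tok in $value; do
        case $tok in
            all|+all) enabled=$ALL_PROTOS ;;
            -all)     enabled="" ;;
            -*)       enabled=$(printf '%s\n' $enabled | grep -Fvx -- "${tok#-}" | tr '\n' ' ') ;;
            +*)       enabled="$enabled ${tok#+}" ;;
            *)        enabled="$enabled $tok" ;;
        esac
    done
    printf '%s\n' $enabled | grep -qFx -- "$want"
}

# First uncommented value of a directive in a vhost file ("" if absent).
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Lint one vhost file: prints a line per finding, returns the FAIL count.
lint_vhost() {
    conf=$1; findings=0
    proto=$(directive_value "$conf" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "FAIL: no SSLProtocol in $conf; it inherits the global mods-available/ssl.conf value"
        findings=$((findings + 1))
    else
        for old in SSLv3 TLSv1 TLSv1.1; do
            if ssl_protocol_enabled "$proto" "$old"; then
                echo "FAIL: $old is still enabled by 'SSLProtocol $proto'"
                findings=$((findings + 1))
            fi
        done
        ssl_protocol_enabled "$proto" TLSv1.2 \
            || { echo "FAIL: TLSv1.2 is not enabled"; findings=$((findings + 1)); }
    fi
    # Without this header the backend sees a plain-http request from 127.0.0.1
    # and may build http:// redirects (what the CSP header in the post papers over).
    grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X-Forwarded-Proto[[:space:]]+"?https' "$conf" \
        || { echo "FAIL: RequestHeader set X-Forwarded-Proto \"https\" is missing"; findings=$((findings + 1)); }
    # Off is the default; make it explicit so a later edit cannot open a forward proxy.
    [ "$(directive_value "$conf" ProxyRequests)" = "Off" ] \
        || echo "WARN: ProxyRequests Off is not explicit in $conf"
    return $findings
}

# Live probes, only when LIVE_HOST is set (e.g. LIVE_HOST=unimus.fqdn sh audit.sh).
tls_handshake_ok() {   # $1 host, $2 version flag such as -tls1_2
    # @SECLEVEL=0 makes an OpenSSL 3 client willing to offer TLS 1.0/1.1 at all;
    # if a probe fails unexpectedly, rerun it by hand and read the error text.
    openssl s_client -connect "$1:443" -servername "$1" "$2" \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1
}
if [ -n "${LIVE_HOST:-}" ]; then
    tls_handshake_ok "$LIVE_HOST" -tls1_1 && echo "FAIL: $LIVE_HOST accepted TLS 1.1"
    tls_handshake_ok "$LIVE_HOST" -tls1_2 || echo "FAIL: $LIVE_HOST refused TLS 1.2"
    curl -sSI "https://$LIVE_HOST/" | grep -qi '^location: http://' \
        && echo "FAIL: backend still answers with http:// redirects through the proxy"
fi

# Constructed sample vhosts: weak (post's unimus.conf with Ubuntu's global
# default protocol line) and hardened (the fixes checked above applied).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
<VirtualHost 192.0.2.10:443>
    ServerName unimus.example.internal
    #ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8085/
    ProxyPassReverse / http://127.0.0.1:8085/
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
EOF
cat >"$HARD_CONF" <<'EOF'
<VirtualHost 192.0.2.10:443>
    ServerName unimus.example.internal
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8085/
    ProxyPassReverse / http://127.0.0.1:8085/
    RequestHeader set X-Forwarded-Proto "https"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
for f in "$WEAK_CONF" "$HARD_CONF"; do
    lint_vhost "$f" || echo "$? FAIL finding(s) in $f"
done
```

Run it offline first to see the three findings against the weak sample and none against the hardened one, then with LIVE_HOST pointed at the proxy; a TLS 1.1 handshake should be refused and a TLS 1.2 one accepted, which is the check apachectl configtest cannot do for you.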