HTTPS / SSL Certificate setup notes for Ubuntu

General discussion of anything Unimus
kingtrw
Posts: 48
Joined: Sun Dec 26, 2021 8:56 pm

Mon Mar 13, 2023 1:00 pm

This is just provided in case it helps anyone else.

We had to switch our installation to using HTTPS to comply with security policies (even though it's running on an internal-only DNS entry), so I thought these notes might be useful. It's a very simple process of setting up an Apache2 reverse proxy.

I'm not much of a web server person so this is just what I found worked for me... your mileage may vary.



# apt-get install apache2
# a2enmod ssl
# systemctl restart apache2
# systemctl status apache2
# apachectl -M | grep ssl
 
# ufw app list
# ufw allow "Apache Secure"
 
 
# cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.orig
# vim /etc/apache2/sites-available/default-ssl.conf
 
====
 
ServerAdmin someone@somewhere.org
 
SSLCertificateFile      /etc/ssl/localcert/ServerCertificate.crt
SSLCertificateKeyFile   /etc/ssl/private/privatekey.sslkey.pem
SSLCertificateChainFile /etc/ssl/localcert/ChainBundle2.crt
 
# Recommended security options
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 
====
 
# a2ensite default-ssl
# apachectl configtest
# systemctl restart apache2
 
test https://<servername.fqdn>
Default apache landing page - ok
 
Now to configure proxy
 
# a2enmod proxy
# a2enmod proxy_http
# a2enmod headers
 
# cd /etc/apache2/sites-available
# vim unimus.conf
 
====
 
<VirtualHost <serverip>:443>
        ServerName unimus.fqdn
        ServerAlias vmname.fqdn

        # Reverse proxy only. ProxyRequests defaults to Off; never set it to On
        # here, or Apache becomes an open forward proxy.
        #ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:8085/
        ProxyPassReverse / http://127.0.0.1:8085/

        SSLEngine on
        SSLCertificateFile      /etc/ssl/localcert/ServerCertificate.crt
        SSLCertificateKeyFile   /etc/ssl/private/privatekey.sslkey.pem
        # Deprecated since Apache 2.4.8 (the chain can be appended to
        # SSLCertificateFile instead) but still accepted.
        SSLCertificateChainFile /etc/ssl/localcert/ChainBundle2.crt

        # SSL options as recommended: TLS 1.2+ only, server picks the cipher.
        SSLHonorCipherOrder on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        # Only applies to TLS connections mod_proxy itself makes to a backend;
        # the backend above is plain HTTP on loopback, so this is unused here.
        SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

        <IfModule headers_module>
        # Tell browsers to fetch any http:// sub-resources over https:// instead.
        Header set Content-Security-Policy "upgrade-insecure-requests;"
        </IfModule>
</VirtualHost>
 
====
 
# a2ensite unimus
# apachectl configtest
# systemctl restart apache2
 
test https://unimus.fqdn
ok
 
remove old firewall rules for 8085
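An added example, not code from the post above and not part of Unimus or Apache: a small POSIX shell audit that reads an Apache SSL vhost file and flags the things the post configures (SSLEngine, an SSLProtocol that still allows SSLv3/TLS 1.0/1.1, a missing SSLHonorCipherOrder, and ProxyRequests On). It expands the SSLProtocol directive the way Apache does ("all" minus the "-X" entries), so you can see what a given line actually leaves enabled. The supported-protocol set (SSLv3 through TLSv1.3) and the two sample configs written to temp files are assumptions constructed for the example; Apache 2.4's default of "SSLProtocol all -SSLv3" when no directive is present is real.

```shell
#!/bin/sh
# Added example, not code from the original post. Statically audits an
# Apache SSL vhost file for the settings the post configures. Runs offline
# against two constructed sample configs written to temp files.

# Expand an Apache SSLProtocol value (e.g. "all -SSLv3 -TLSv1 -TLSv1.1")
# into the protocols it leaves enabled, one per line. Apache semantics:
# "all" = every protocol the build supports, "+X" adds, "-X" removes.
# Assumption for this example: the build supports SSLv3 TLSv1 TLSv1.1
# TLSv1.2 TLSv1.3. SSLv2 is not in modern OpenSSL, so "-SSLv2" is a no-op.
ssl_protocols_enabled() {
  local enabled="" tok name kept p
  for tok in "$@"; do
    case "$tok" in
      all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
      -all)     enabled="" ;;
      -*)       name=${tok#-}; kept=""
                for p in $enabled; do [ "$p" = "$name" ] || kept="$kept $p"; done
                enabled=$kept ;;
      +*)       enabled="$enabled ${tok#+}" ;;
      *)        enabled="$enabled $tok" ;;
    esac
  done
  for p in $enabled; do printf '%s\n' "$p"; done | awk '!seen[$0]++'
}

# Audit one vhost file: print one line per finding, return the count
# (0 = clean). Comments are stripped first so "#ProxyRequests Off" is not
# taken for a live directive.
audit_ssl_vhost() {
  local file=$1 findings=0 conf proto_line protos weak
  conf=$(sed 's/#.*//' "$file")

  if ! printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+on[[:space:]]*$'; then
    echo "FINDING: SSLEngine on missing"; findings=$((findings + 1))
  fi

  # Last SSLProtocol wins; with none present Apache 2.4 defaults to
  # "all -SSLv3", which still offers TLS 1.0 and 1.1.
  proto_line=$(printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1 \
               | sed -E 's/^[[:space:]]*SSLProtocol[[:space:]]+//')
  [ -n "$proto_line" ] || proto_line="all -SSLv3"
  # word splitting of $proto_line is intended
  protos=$(ssl_protocols_enabled $proto_line)
  for weak in SSLv3 TLSv1 TLSv1.1; do
    if printf '%s\n' "$protos" | grep -Fqx -- "$weak"; then
      echo "FINDING: $weak still enabled by 'SSLProtocol $proto_line'"; findings=$((findings + 1))
    fi
  done

  if ! printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on[[:space:]]*$'; then
    echo "FINDING: SSLHonorCipherOrder on missing (client picks the TLS 1.2 cipher)"; findings=$((findings + 1))
  fi

  if printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*ProxyRequests[[:space:]]+on[[:space:]]*$'; then
    echo "FINDING: ProxyRequests On makes this host an open forward proxy"; findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample 1: the post's hardened vhost (placeholders kept, chain
# file and the long cipher string shortened). Prints the temp file path.
write_hardened_sample() {
  local f; f=$(mktemp)
  cat >"$f" <<'EOF'
<VirtualHost *:443>
        ServerName unimus.fqdn
        #ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:8085/
        ProxyPassReverse / http://127.0.0.1:8085/
        SSLEngine on
        SSLCertificateFile      /etc/ssl/localcert/ServerCertificate.crt
        SSLCertificateKeyFile   /etc/ssl/private/privatekey.sslkey.pem
        SSLHonorCipherOrder on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH
</VirtualHost>
EOF
  printf '%s\n' "$f"
}

# Constructed sample 2: a vhost that relies on Apache defaults and turns
# ProxyRequests on. Expected: 4 findings (TLSv1, TLSv1.1, cipher order, proxy).
write_weak_sample() {
  local f; f=$(mktemp)
  cat >"$f" <<'EOF'
<VirtualHost *:443>
        ServerName unimus.fqdn
        ProxyRequests On
        ProxyPass / http://127.0.0.1:8085/
        SSLEngine on
        SSLCertificateFile      /etc/ssl/localcert/ServerCertificate.crt
        SSLCertificateKeyFile   /etc/ssl/private/privatekey.sslkey.pem
</VirtualHost>
EOF
  printf '%s\n' "$f"
}

# Demo: audit both constructed samples, then clean up.
for sample in "$(write_hardened_sample)" "$(write_weak_sample)"; do
  echo "== $sample"
  rc=0; audit_ssl_vhost "$sample" || rc=$?
  echo "$rc finding(s)"
  rm -f "$sample"
done
```

Point it at your real file with `audit_ssl_vhost /etc/apache2/sites-available/unimus.conf`. This is a static check of the file only; after restarting Apache, confirm the live behaviour with `openssl s_client -connect unimus.fqdn:443 -tls1_1` (should fail) and `-tls1_2` (should succeed).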

murmaider
Posts: 8
Joined: Sun Nov 13, 2016 5:03 am

Wed Jun 28, 2023 4:52 am

Thank you, this helped greatly.