HTTPS for Apache on RHEL and CentOS

Verification

These commands were tested on default installations of CentOS Stream 8 and Rocky Linux 8.5 in May 2022. The CentOS 7 repositories do not currently ship a version of Apache that supports TLSv1.3, so these steps will not work there. If you run into problems, contact Ryan and report an issue.

(Optional) Upgrade Packages

Make sure your machine has the latest packages installed and reboot.

  
    sudo yum update -y;
    sudo reboot;
  

Upload Site Files

For example purposes, we'll add one static file. You can download your own site's files instead if you have some.

  
    sudo mkdir -p /usr/share/httpd/example.com/public;
    # A one-line placeholder page; replace it with your own site files.
    echo "HTTPS Site" | sudo tee /usr/share/httpd/example.com/public/index.html;

Generate Diffie-Hellman Parameters

We generate a set of Diffie-Hellman parameters unique to your machine. This improves security because, by default, everyone who installs Apache ends up using the same well-known DH parameters. Note that this file is only used by the DHE-* cipher suites; the ECDHE suites listed first in the configuration below and TLSv1.3 do not use it. We'll reference this file in the configuration shortly.

  
    # Generate Diffie-Hellman Parameters
    sudo openssl dhparam -out /etc/pki/tls/dhparam.pem 2048;
  

Copy TLS Certificate Files

Here we copy the needed TLS key and certificate files from previous lessons. Then we ensure the permissions are correct on both files. You might need to upload your certificate files onto the machine if you bought a certificate or generated a free certificate on another machine.

  
    # Edit the file names to something that
    # makes sense in your situation.

    # Copy Your TLS Key and make it readable by root only
    sudo cp MY_CERTIFICATE.key /etc/pki/tls/private/MY_CERTIFICATE.key;
    sudo chmod 600 /etc/pki/tls/private/MY_CERTIFICATE.key;

    # Copy Your TLS Certificate (it is public, so world-readable is fine)
    sudo cp MY_CERTIFICATE.pem /etc/pki/tls/certs/MY_CERTIFICATE.pem;
    sudo chmod 644 /etc/pki/tls/certs/MY_CERTIFICATE.pem;
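Two things the cp/chmod pair above does not cover: between the copy and the chmod the key briefly carries the default (usually world-readable) mode, and nothing tells you whether the key actually belongs to the certificate until httpd refuses to start. The helper below is an added example, not the tutorial's own commands. It uses install(1) to set the mode in the same step as the copy and compares the key's public half with the certificate's using openssl. The function names are mine and every path is an argument, so the tutorial's /etc/pki/tls locations are simply what you would pass in.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands: copy the key and certificate
# with install(1), which sets the mode in the same step as the copy, then
# verify the mode and (when openssl is available) that the key really belongs
# to the certificate. Function names are mine; all paths are arguments.

# install_tls_files KEY_SRC CERT_SRC KEY_DST CERT_DST
# The key is never created with a permissive mode, unlike cp followed by chmod.
install_tls_files() {
    install -m 0600 "$1" "$3" && install -m 0644 "$2" "$4"
}

# file_mode FILE: octal permission bits, e.g. 600 (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_mode_ok FILE: 0 if the private key is readable by its owner only.
key_mode_ok() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# key_matches_cert KEY CERT: 0 if CERT's public key is derived from KEY,
# 1 on a mismatch or unreadable file, 2 if openssl is unavailable so the
# check could not be made. httpd only reports a mismatch when it starts,
# so checking here avoids a failed restart.
key_matches_cert() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, cannot verify key/certificate match" >&2
        return 2
    fi
    cert_pub=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Run it under sudo so the installed files are owned by root, for example `install_tls_files MY_CERTIFICATE.key MY_CERTIFICATE.pem /etc/pki/tls/private/MY_CERTIFICATE.key /etc/pki/tls/certs/MY_CERTIFICATE.pem`, then call `key_mode_ok` on the key and `key_matches_cert` on the pair before restarting httpd.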
  

Installing Apache

We install Apache together with mod_ssl and remove its default site configuration files; we'll add our own site configuration shortly and don't need the defaults. Removing ssl.conf also removes the stock "Listen 443" line and default TLS virtual host, which is why we add our own Listen line in the next step.

  
    # Install Apache
    sudo yum install -y httpd mod_ssl;

    # Remove Default Configurations
    sudo rm /etc/httpd/conf.d/autoindex.conf;
    sudo rm /etc/httpd/conf.d/userdir.conf;
    sudo rm /etc/httpd/conf.d/welcome.conf;
    sudo rm /etc/httpd/conf.d/ssl.conf;

    # Want to Check Apache Version?
    # httpd -v;
    #
    # CentOS Stream 8
    # Server version: Apache/2.4.37 (centos)
    # Server built:   Apr  6 2022 14:54:37
    # 
    # Rocky
    # Server version: Apache/2.4.37 (rocky)
    # Server built:   Mar 24 2022 17:33:25
  

Listen for HTTP and HTTPS Requests

By default, Apache (httpd) only listens on port 80 for HTTP requests. So we replace the "Listen 80" line with two lines, "Listen 80" and "Listen 443", so it also accepts HTTPS requests on port 443. Run the command once: it rewrites every existing Listen line each time it runs.

  
    # Listen on 80 AND 443 (run once; it rewrites every existing Listen line)
    sudo sed -i "s/^Listen.*/Listen 80\nListen 443/g" /etc/httpd/conf/httpd.conf;
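The sed above is fine on a fresh httpd.conf, but because it rewrites every Listen line it matches, a second run leaves duplicate "Listen 443" entries and httpd then fails to start because it tries to bind port 443 twice. Here is an added, idempotent alternative (my example, not the tutorial's own command). The function names are mine; the first argument is normally /etc/httpd/conf/httpd.conf, and it only appends a Listen line when no active one for that port exists.

```shell
#!/bin/sh
# Added example, not a command from the tutorial: add "Listen PORT" to an
# httpd.conf only when no active Listen line for that port exists, so the
# script is safe to run more than once. Function names (listen_regex,
# ensure_listen, count_listen) are mine.

# listen_regex PORT: extended regex for an uncommented Listen line bound to
# PORT, with or without an address or protocol, e.g. "Listen 443",
# "Listen 0.0.0.0:443 https", "Listen [::]:443". "Listen 8443" does not match.
listen_regex() {
    printf '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?%s([[:space:]]|$)' "$1"
}

# ensure_listen CONF PORT: append "Listen PORT" unless it is already active.
ensure_listen() {
    conf="$1"; port="$2"
    if grep -Eq "$(listen_regex "$port")" "$conf"; then
        return 0            # already listening on this port, nothing to do
    fi
    printf 'Listen %s\n' "$port" >> "$conf"
}

# count_listen CONF PORT: number of active Listen lines for PORT.
# httpd fails to start ("could not bind to address") if this is ever > 1.
count_listen() {
    grep -Ec "$(listen_regex "$2")" "$1"
}
```

Source the file as root and call `ensure_listen /etc/httpd/conf/httpd.conf 443`; a commented-out "#Listen 443" does not count as active, so the line is still added in that case.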
  

Enhanced Security

Next we stop Apache from advertising its version in the Server header and in its error pages. That version string lets an attacker fingerprint your server and look up known issues for that exact release; hiding it is a small hardening step, not a substitute for keeping the packages patched.

  
    echo "ServerTokens ProductOnly" | sudo tee -a /etc/httpd/conf.modules.d/security.conf;
    echo "ServerSignature Off" | sudo tee -a /etc/httpd/conf.modules.d/security.conf;
  

HTTP to HTTPS Redirect

For our first site configuration, we redirect any insecure HTTP traffic on port 80 to HTTPS. Pay close attention to the ServerName, DocumentRoot and Redirect lines and change them to match your domain.

  
    # Filename: /etc/httpd/conf.d/example.com.http.conf
    <VirtualHost *:80>

        ServerName example.com
        DocumentRoot /usr/share/httpd/example.com/public

        Redirect 301 / https://example.com/
    </VirtualHost>
  

HTTPS Configuration

Now we add the main HTTPS site configuration. Here's the full configuration file, and we'll break it down section by section. Pay close attention to the ServerName, DocumentRoot, SSLCertificateFile and SSLCertificateKeyFile lines and change them to match your domain and file names. (Line numbers below count from the "# Filename" comment as line 1.)

Line 12 (SSLOpenSSLConfCmd DHParameters): we tell Apache to use the unique DH parameters we generated earlier.

Lines 16-19 (the two SSLCipherSuite lines): for stronger security, at the risk of the site breaking for some visitors on older clients, you can comment out the first list and enable the shorter list of stronger ciphers instead.

Line 25 (the commented-out Header always set Strict-Transport-Security line): once you're sure everything is working, you can enable this line to raise your site's grade on Qualys SSL Labs from an "A" to an "A+" rating. Note that the "preload" token signals that your domain may be added to browsers' built-in HSTS lists, which is hard to reverse, so only keep it if you intend to submit the domain.

  
    # Filename: /etc/httpd/conf.d/example.com.https.conf
    <IfModule mod_ssl.c>
      <VirtualHost *:443>
        ServerName example.com
        DocumentRoot /usr/share/httpd/example.com/public

        # TLS
        SSLEngine on
        SSLProtocol            +TLSv1.2 +TLSv1.3
        SSLCertificateFile     /etc/pki/tls/certs/MY_CERTIFICATE.pem
        SSLCertificateKeyFile  /etc/pki/tls/private/MY_CERTIFICATE.key
        SSLOpenSSLConfCmd      DHParameters "/etc/pki/tls/dhparam.pem"
        SSLCompression         off
        SSLSessionTickets      off
        SSLHonorCipherOrder    on
        SSLCipherSuite         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256
        # For better security, you can use only the strong ciphers below instead
        # But beware, it might break the site for some of your visitors
        #SSLCipherSuite        ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256

        # Optional
        # Forces TLS for all visitors for 1 year
        # Only enable this when you are sure everything is working well
        # Required for an "A+" Grade
        # Note: no colon after the header name, or the colon becomes part of the name
        # Requires mod_headers (loaded by default on RHEL/CentOS via 00-base.conf)
        #Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

      </VirtualHost>
    </IfModule>

    <Directory /usr/share/httpd/example.com>
        AllowOverride None
        Require all granted
    </Directory>
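Before running the syntax check in the next step, it helps to audit the file for the settings this section enables or disables, since "httpd -t" only validates syntax and will happily accept a legacy protocol or a mistyped header. The audit below is an added example, not part of the tutorial. The function names (`audit_tls_conf`, `report`, `write_sample_weak`, `write_sample_hardened`) are mine, and the two sample configurations it writes are constructed for illustration: one with every problem it looks for, one mirroring the tutorial's settings with the HSTS line written correctly.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit an httpd TLS virtual-host
# file for the settings this section enables or disables, before "httpd -t".
# Function names are mine; the sample configurations are constructed.

# report MSG: print one finding and count it.
report() {
    echo "FINDING: $1"
    findings=$((findings + 1))
}

# audit_tls_conf FILE: one line per finding; returns 0 if clean, 1 otherwise.
audit_tls_conf() {
    findings=0
    # Drop comment lines so a commented-out directive is not read as active.
    active=$(grep -Ev '^[[:space:]]*#' "$1" || true)

    # 1. Protocol versions. Only TLSv1.2/1.3 should be enabled; a bare "all"
    #    (also mod_ssl's default, "all -SSLv3") still allows TLSv1.0 and 1.1.
    proto=$(printf '%s\n' "$active" | grep -E '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1 | tr -s '[:space:]' ' ')
    case " $proto " in
        *' +TLSv1 '*|*' TLSv1 '*|*' +TLSv1.1 '*|*' TLSv1.1 '*|*' +SSLv3 '*|*' SSLv3 '*)
            report "SSLProtocol explicitly enables SSLv3, TLSv1.0 or TLSv1.1" ;;
        *' all '*)
            case "$proto" in
                *-TLSv1.1*) ;;   # "all -SSLv3 -TLSv1 -TLSv1.1" is acceptable
                *) report "SSLProtocol 'all' leaves TLSv1.0/1.1 enabled" ;;
            esac ;;
        '  ')
            report "SSLProtocol not set; mod_ssl's default allows TLSv1.0/1.1" ;;
    esac

    # 2. TLS-level compression must stay off (it enabled the CRIME attack).
    if printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*SSLCompression[[:space:]]+on'; then
        report "SSLCompression is on"
    fi
    # 3. The tutorial disables session tickets so resumed sessions do not
    #    depend on a long-lived ticket key.
    if ! printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*SSLSessionTickets[[:space:]]+off'; then
        report "SSLSessionTickets is not off"
    fi
    # 4. Server-side cipher preference for TLSv1.2 clients.
    if ! printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on'; then
        report "SSLHonorCipherOrder is not on"
    fi
    # 5. HSTS written with a colon after the name: the colon becomes part of
    #    the header name and browsers never see a valid HSTS header.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security:'; then
        report "Strict-Transport-Security has a colon after the header name"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: a weak file with every problem the audit looks for.
write_sample_weak() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCompression on
    Header always set Strict-Transport-Security: "max-age=31536000"
</VirtualHost>
EOF
}

# Constructed sample: the tutorial's settings with a correctly written HSTS line
# (the commented-out SSLProtocol line checks that comments are ignored).
write_sample_hardened() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol            +TLSv1.2 +TLSv1.3
    SSLCompression         off
    SSLSessionTickets      off
    SSLHonorCipherOrder    on
    #SSLProtocol all
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
EOF
}
```

Source the file and call `audit_tls_conf /etc/httpd/conf.d/example.com.https.conf`; a clean file prints nothing and returns 0, so the call slots into a deploy script ahead of `httpd -t`. The audit only reads what is in the one file you pass it, so directives inherited from the main server context are not seen.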
  

Testing Our Configuration

It's always a good idea to check our configuration files for errors before restarting. On RHEL-based systems we do this with "httpd -t" (equivalently, "apachectl configtest").

  
    # Test the Apache configuration
    sudo httpd -t;

    # Output should be similar to:
    # AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
    # Syntax OK
  

Starting Apache

Now we make sure Apache is running. First we "enable" it, so Apache starts when the machine boots. Then we "restart" it, which starts Apache if it isn't running and restarts it if it is; we prefer "restart" because it works in either case.

  
    # Run Apache automatically at boot by "enabling" it
    sudo systemctl enable httpd;

    # Start or Restart Apache Now
    sudo systemctl restart httpd;
  

You're Done!

Your new site should be up and running. To test it in a browser, make sure your domain has a DNS "A" record pointing at your machine's IP address. When you visit the domain, the site should load, and it should also be ready to test on Qualys SSL Labs, where you'll get an "A" rating (or "A+" if you enabled the HSTS line in the configuration).
