Apache HTTP Server
Latest revision as of 01:40, 13 July 2022
We use Apache HTTP Server on the server to serve these websites.
HTTPS/TLS
This article will show you how to secure your Apache server with either a certificate issued by a trusted CA or a self-signed certificate you created yourself. The steps are the same for either type of certificate, although this guide is written around a self-signed certificate. This will allow you to use HTTPS with a TLS certificate to connect to the server securely over the internet.
Due to insecurities in the SSL protocol, SSL is disabled by default on most modern browsers and has been replaced by TLS. In this article, we will refer to SSL as TLS from now on. Apache still refers to it as SSL in some cases (for example in directive names such as SSLCertificateFile), but the underlying protocol is TLS.
What you need to know
- In the latest Apache versions, TLS is enabled by default, which makes this guide a lot simpler than it used to be.
- If you are using a self-signed certificate, this guide assumes you have already followed all the steps to create your own certificate.
Configuring Apache to use your server certificate
- Open a terminal. If not already in the directory of the certificates, move into the directory now.
- We need to copy the certificates and keys into the correct places. Type the following commands:
cp key.pem /etc/apache2/ssl.key/key.pem
cp cert.pem /etc/apache2/ssl.crt/cert.pem
- Close the terminal
- By default, on the latest Apache the next points are enabled by default and
- Open dolphin and browse to /etc/apache2/vhosts.d. Inside, you should find a file called vhost-ssl.template. Copy and paste this in the same place, changing .template to .conf
- Open the new file with Kwrite
- Change the following options:
ServerName thinkserver:443
(replace thinkserver with your hostname, FQDN or IP address; remove the # to enable)
ServerAdmin webmaster@example.com
(replace with your e-mail address; remove the # to enable)
SSLCertificateFile /etc/apache2/ssl.crt/cert.pem
(change this if you called the certificate something different)
SSLCertificateKeyFile /etc/apache2/ssl.key/key.pem
(change this if you called the key something different)
- If using a firewall, make sure port 443 is open
- Restart Apache by typing in the terminal:
service apache2 restart
- Test your site using https://
- Remember that your browser will warn that the certificate is not trusted (it is self-signed); it is safe to ignore the warning and add an exception, which stops it recurring.
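The two mistakes the steps above warn about (a directive left commented out with a leading #, and a certificate or key path that does not match what was copied into /etc/apache2) are easy to check before restarting Apache. The script below is an added example, not code from the wiki page: it parses a vhost file, reports directives that are still disabled or missing, verifies the referenced files exist, and additionally flags a private key that is readable by group or others. The root parameter, the sample vhost text and the temporary directory tree are all constructed for the demonstration; point root at / to check a real /etc/apache2.

```python
"""Check an Apache TLS vhost file for the problems the guide's steps warn about."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Directives the guide says must be set (and uncommented) in the vhost file.
REQUIRED = ("ServerName", "SSLCertificateFile", "SSLCertificateKeyFile")


def parse_vhost(text):
    """Return (active, commented): directive -> value for live lines, and
    separately for lines still disabled with a leading '#'."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):  # skip blanks and <VirtualHost> tags
            continue
        disabled = line.startswith("#")
        body = line.lstrip("#").strip()
        m = re.match(r"(\w+)\s+(.*)", body)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        (commented if disabled else active)[name] = value
    return active, commented


def check_vhost(text, root="/"):
    """List the problems found; an empty list means the vhost is ready.
    root lets the check run against a copy of the tree instead of /etc."""
    problems = []
    active, commented = parse_vhost(text)
    for name in REQUIRED:
        if name not in active:
            if name in commented:
                problems.append(f"{name} is still commented out (remove the #)")
            else:
                problems.append(f"{name} is missing")
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        path = active.get(name)
        if not path:
            continue
        full = Path(root) / path.lstrip("/")
        if not full.is_file():
            problems.append(f"{name} points at {path}, which does not exist")
        elif name == "SSLCertificateKeyFile":
            # The key is the secret: nobody but the owner should be able to read it.
            mode = stat.S_IMODE(full.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(
                    f"private key {path} is readable by group/others (mode {mode:o})")
    return problems


# Constructed sample of a vhost-ssl.conf before the edits from the guide.
BEFORE = """<VirtualHost _default_:443>
    #ServerName thinkserver:443
    #ServerAdmin webmaster@example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/key.pem
</VirtualHost>
"""
# The same file with the # removed, as the guide instructs.
AFTER = BEFORE.replace("#ServerName", "ServerName").replace("#ServerAdmin", "ServerAdmin")


def demo():
    """Build a throwaway copy of the /etc/apache2 layout (constructed) and check
    the vhost before and after the edits. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("etc/apache2/ssl.crt", "etc/apache2/ssl.key"):
            os.makedirs(os.path.join(root, sub))
        cert = Path(root, "etc/apache2/ssl.crt/cert.pem")
        key = Path(root, "etc/apache2/ssl.key/key.pem")
        cert.write_text("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                        "-----END CERTIFICATE-----\n")
        key.write_text("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n"
                       "-----END PRIVATE KEY-----\n")
        key.chmod(0o644)                      # a freshly copied key often ends up like this
        before = check_vhost(BEFORE, root)
        key.chmod(0o600)                      # owner-only, as it should be
        after = check_vhost(AFTER, root)
    return before, after


if __name__ == "__main__":
    for label, problems in zip(("before", "after"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

The key-permission check is the one item the guide does not mention: cp preserves the mode of the file you created the key with, so it is worth confirming the copy in /etc/apache2/ssl.key is not world-readable.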
openSUSE 15.4 specific
The following line in /etc/sysconfig/apache2 needs editing as follows to allow TLS to function:
APACHE_SERVER_FLAGS="SSL HTTP2"
HTTP/2 Support
Normal websites use HTTP 1.1, which was released in 1999 and is over 2 decades old now; the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security, concurrent connections and prioritization. This makes the connection much more robust than before.
HTTP/2 can be used with Apache 2.4.12 by adding the mod_http2 module manually. From Apache 2.4.17 onwards, mod_http2 ships with Apache itself. In this article, we will focus on the latter.
There are a few prerequisites that are required for HTTP/2 to work:
- You must have a valid TLS certificate set up and working correctly.
- You cannot use the prefork method of loading modules into Apache. Consider tabooing the apache-prefork package. The alternatives are worker and event. We are using event. Consequently:
- You cannot use the prefork mod-php7 package to load PHP into Apache. PHP-FPM must be configured and used instead. Trying to use it will disable HTTP/2.
To enable HTTP/2:
- In the software manager in YaST, you will need to make sure that the libnghttp2-14 shared library is installed (later versions of openSUSE have this installed already, so just check).
- Open a terminal window
- Type sudo a2enmod http2. This will enable the built-in module in Apache.
As of at least openSUSE 15.4, the following is already done by default
- Open kwrite and open the file /etc/apache2/httpd.conf
- At the end of the file add the following line:
Protocols h2 http/1.1
- Save the configuration file once you have added your appropriate lines
- Restart Apache by typing sudo service apache2 restart. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem.
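The HTTP/2 prerequisites above (TLS enabled, no prefork MPM, and a Protocols line that lists h2) live in two files, /etc/sysconfig/apache2 and /etc/apache2/httpd.conf, and a silent fallback to HTTP/1.1 is the usual symptom when one of them is wrong. The script below is an added example, not code from the wiki page: it reads both files and lists which prerequisite is unmet. It assumes openSUSE selects the MPM through an APACHE_MPM variable in the sysconfig file (that variable is not mentioned on the page) and falls back to looking for a LoadModule mpm_*_module line in httpd.conf; the sample file contents are constructed.

```python
"""Check the HTTP/2 prerequisites against /etc/sysconfig/apache2 and httpd.conf."""
import re
import shlex


def parse_sysconfig(text):
    """Parse KEY="VALUE" lines from a sysconfig file into a dict (comments skipped)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # shlex strips the surrounding quotes the same way the shell would
        values[key.strip()] = " ".join(shlex.split(value))
    return values


def loaded_mpm(httpd_text):
    """Return 'prefork', 'worker' or 'event' if httpd.conf loads an MPM module
    directly; None when the MPM is chosen elsewhere (openSUSE: sysconfig)."""
    for line in httpd_text.splitlines():
        m = re.match(r"\s*LoadModule\s+mpm_(\w+)_module\b", line)
        if m:
            return m.group(1)
    return None


def protocols(httpd_text):
    """Return the values of the last active Protocols directive, or []."""
    found = []
    for line in httpd_text.splitlines():
        m = re.match(r"\s*Protocols\s+(.+)", line)
        if m:
            found = m.group(1).split()
    return found


def check_http2(sysconfig_text, httpd_text):
    """List the prerequisites that are not met; an empty list means HTTP/2 can work."""
    problems = []
    conf = parse_sysconfig(sysconfig_text)
    flags = conf.get("APACHE_SERVER_FLAGS", "").split()
    for flag in ("SSL", "HTTP2"):
        if flag not in flags:
            problems.append(f'APACHE_SERVER_FLAGS lacks {flag} (needs "SSL HTTP2")')
    # APACHE_MPM in sysconfig is an assumed openSUSE convention; other layouts
    # load the MPM with LoadModule in httpd.conf, which is checked as a fallback.
    mpm = conf.get("APACHE_MPM") or loaded_mpm(httpd_text)
    if mpm == "prefork":
        problems.append("prefork MPM is active; mod_http2 needs worker or event")
    if "h2" not in protocols(httpd_text):
        problems.append("no 'Protocols h2 http/1.1' line in httpd.conf")
    return problems


# Constructed sample contents: a host that silently stays on HTTP/1.1 ...
BROKEN_SYSCONFIG = """# constructed sample of /etc/sysconfig/apache2
APACHE_MPM="prefork"
APACHE_SERVER_FLAGS=""
"""
BROKEN_HTTPD = "Include /etc/apache2/vhosts.d/*.conf\n"
# ... and the same host after the edits described in the guide.
FIXED_SYSCONFIG = """APACHE_MPM="event"
APACHE_SERVER_FLAGS="SSL HTTP2"
"""
FIXED_HTTPD = BROKEN_HTTPD + "Protocols h2 http/1.1\n"


if __name__ == "__main__":
    print("broken:", check_http2(BROKEN_SYSCONFIG, BROKEN_HTTPD))
    print("fixed: ", check_http2(FIXED_SYSCONFIG, FIXED_HTTPD))
```

Run it with the real files by reading /etc/sysconfig/apache2 and /etc/apache2/httpd.conf into the two arguments; an empty list is the state the restart step above expects, and each reported item maps to one of the bullet points in this section.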