Apache HTTP Server: Difference between revisions

From ThinkServer
Created page, merged Securing Apache with an SSL/TLS certificate article here
 
m Corrected header level
 
(9 intermediate revisions by the same user not shown)
Line 16: Line 16:
* We need to copy the certificates and keys into the correct places. Type the following commands:
* We need to copy the certificates and keys into the correct places. Type the following commands:


   cp key.pem /etc/apache2/ssl.key
   cp key.pem /etc/apache2/ssl.key/key.pem
   cp cert.pem /etc/apache2/ssl.crt
   cp cert.pem /etc/apache2/ssl.crt/cert.pem
  cp csr.pem /etc/apache2/ssl.csr


* Close the terminal
* Close the terminal
Line 34: Line 33:
   service apache2 restart
   service apache2 restart


* Test your site by going to https://localhost
* Test your site using https://
* Remember that your browser will throw an error, it is safe to ignore it and add an exception. This will stop future re-occurrence.
* Remember that your browser will throw an error, it is safe to ignore it and add an exception. This will stop future re-occurrence.
=== openSUSE 15.4 specific ===
The following line needs editing as follows to allow TLS to function in <code>/etc/sysconfig/apache2</code>:
APACHE_SERVER_FLAGS="SSL HTTP2"


== HTTP/2 Support ==
== HTTP/2 Support ==


Normal websites use HTTP 1.1 which was released in 1999, 17 years ago and the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security (when implemented with TLS), concurrent connections and prioitization. This makes the connection much more robust than before.
Normal websites use HTTP 1.1 which was released in 1999, which is over 2 decades old now; the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security, concurrent connections and prioritization. This makes the connection much more robust than before.
 
HTTP/2 is supported with Apache 2.4.12 with the manual addition of the mod_http2 module. It is natively supported with Apache =>2.4.17 with the mod_http2 module available natively. In this article, we will focus on the latter.
 
There are a few prerequisites that are required for HTTP/2 to work:
 
* You must have a valid TLS certificate setup and working correctly.
* You cannot use the prefork method of loading modules into Apache. Consider tabooing the <code>apache-prefork</code> package. The alternatives are worker and event. We are using event. Consequently:
* You cannot use the prefork <code>mod-php7</code> package to load PHP into Apache. PHP-FPM must be configured and used instead. Trying to use it will disable HTTP/2.


HTTP/2 is support with Apache 2.4.12 with the addition of the mod_http2 module and is natively supported from Apache 2.4.17 without mod_http2 module. In this article, we will focus on the latter.
To enable HTTP/2:


* In the software manager in YaST, you will need to make sure that <code>nghttp2</code> is installed.
* In the software manager in YaST, you will need to make sure that <code>libnghttp2-14</code> shared library is installed (Later versions of openSUSE have this installed already so just check).
* Open a terminal window
* Open a terminal window
* Type <code>sudo a2enmod http2</code>. This will enable the built in module in Apache.
* Type <code>sudo a2enmod http2</code>. This will enable the built in module in Apache.
'''As of at least openSUSE 15.4, the following is already done by default'''
* Open kwrite and open the file <code>/etc/apache2/httpd.conf</code>
* Open kwrite and open the file <code>/etc/apache2/httpd.conf</code>
* At the end of the file add the following lines:
* At the end of the file add the following line:
  Protocols h2 http/1.1
  Protocols h2 http/1.1
Protocols h2c http/1.1
* The first line adds support for HTTP/2 over a HTTPS connection and must be used in conjunction with a TLS certificate. This is the default use case. The second line adds support for HTTP/2 over an unencrypted HTTP connection. Not many browsers support this option if at all as it is defined that HTTP/2 is to be used with HTTPS. You may use either or both lines to suit your use case. On this server, only the first line has been enabled.
* Save the configuration file once you have added your appropriate lines
* Save the configuration file once you have added your appropriate lines
* Restart Apache by typing <code>sudo service apache2 restart</code>. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem.
* Restart Apache by typing <code>sudo service apache2 restart</code>. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem.

Latest revision as of 01:40, 13 July 2022

We use Apache HTTP Server on the server to serve these websites.

HTTPS/TLS

This article will show you how to secure your Apache server with either a certificate issued by a trusted CA, or a self-signed certificate created by yourself. With either type of certificate, the steps are the same, although this guide is tailored to a self-signed certificate, specifically for this article. This will allow you to use HTTPS with a TLS certificate to connect to the server securely over the internet.

Due to insecurities in the SSL protocol, SSL is disabled by default on most modern browsers and has been replaced by TLS. In this article, we will now refer to SSL as TLS. Apache still refers to it as SSL in some cases but the underlying protocol is TLS.

What you need to know

  • In the latest Apache versions, TLS is enabled by default and this guide is now a lot simpler due to this.
  • This guide assumes if using a self-signed certificate, you have followed all the steps to creating your own certificate.

Configuring Apache to use your server certificate

  • Open a terminal. If not already in the directory of the certificates, move into the directory now.
  • We need to copy the certificates and keys into the correct places. Type the following commands:
 cp key.pem /etc/apache2/ssl.key/key.pem
 cp cert.pem /etc/apache2/ssl.crt/cert.pem
  • Close the terminal
  • By default, on the latest Apache the next points are enabled by default and
  • Open dolphin and browse to: /etc/apache2/vhosts.d. Inside, you should find a file called vhost-ssl.template. Copy and paste this in the same place, changing .template to .conf
  • Open the new file with Kwrite
  • Change the following options:
    • ServerName thinkserver:443 (replace thinkserver with hostname, FQSN or IP address, remove the # to enable)
    • ServerAdmin webmaster@example.com (replace with your e-mail address, remove the # to enable)
    • SSLCertificateFile /etc/apache2/ssl.crt/cert.pem (change to what you called the certificate if different)
    • SSLCertificateKeyFile /etc/apache2/ssl.key/key.pem (change to what you called the key if different)
  • If using a firewall, make sure port 443 is open
  • Restart Apache by typing in the terminal:
 service apache2 restart
  • Test your site using https://
  • Remember that your browser will throw an error, it is safe to ignore it and add an exception. This will stop future re-occurrence.

openSUSE 15.4 specific

The following line needs editing as follows to allow TLS to function in /etc/sysconfig/apache2:

APACHE_SERVER_FLAGS="SSL HTTP2"

HTTP/2 Support

Normal websites use HTTP 1.1 which was released in 1999, which is over 2 decades old now; the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security, concurrent connections and prioritization. This makes the connection much more robust than before.

HTTP/2 is supported with Apache 2.4.12 with the manual addition of the mod_http2 module. It is natively supported with Apache =>2.4.17 with the mod_http2 module available natively. In this article, we will focus on the latter.

There are a few prerequisites that are required for HTTP/2 to work:

  • You must have a valid TLS certificate setup and working correctly.
  • You cannot use the prefork method of loading modules into Apache. Consider tabooing the apache-prefork package. The alternatives are worker and event. We are using event. Consequently:
  • You cannot use the prefork mod-php7 package to load PHP into Apache. PHP-FPM must be configured and used instead. Trying to use it will disable HTTP/2.

To enable HTTP/2:

  • In the software manager in YaST, you will need to make sure that libnghttp2-14 shared library is installed (Later versions of openSUSE have this installed already so just check).
  • Open a terminal window
  • Type sudo a2enmod http2. This will enable the built in module in Apache.

As of at least openSUSE 15.4, the following is already done by default

  • Open kwrite and open the file /etc/apache2/httpd.conf
  • At the end of the file add the following line:
Protocols h2 http/1.1
  • Save the configuration file once you have added your appropriate lines
  • Restart Apache by typing sudo service apache2 restart. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem.

See also