Apache HTTP Server: Difference between revisions
Created page, merged Securing Apache with an SSL/TLS certificate article here |
m →HTTP/2 Support: Updated what is needed to support HTTP/2, spell checked |
||
Line 39: | Line 39: | ||
== HTTP/2 Support == | == HTTP/2 Support == | ||
Normal websites use HTTP 1.1 which was released in 1999, 17 years ago and the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security | Normal websites use HTTP 1.1 which was released in 1999, 17 years ago and the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security, concurrent connections and prioritization. This makes the connection much more robust than before. | ||
HTTP/2 is | HTTP/2 is supported with Apache 2.4.12 with the addition of the mod_http2 module. It is natively supported with Apache >2.4.17 without the mod_http2 module. In this article, we will focus on the latter. | ||
* In the software manager in YaST, you will need to make sure that <code> | There are a few prerequisites that are required for HTTP/2 to work: | ||
* You must have a valid TLS certificate setup and working correctly. | |||
* If you are using PHP, it must be implemented by the FPM method. Using mod_php[x] will disable HTTP/2. | |||
To enable HTTP/2: | |||
* In the software manager in YaST, you will need to make sure that <code>libnghttp2-14</code> shared library is installed. | |||
* Open a terminal window | * Open a terminal window | ||
* Type <code>sudo a2enmod http2</code>. This will enable the built in module in Apache. | * Type <code>sudo a2enmod http2</code>. This will enable the built in module in Apache. | ||
* Open kwrite and open the file <code>/etc/apache2/httpd.conf</code> | * Open kwrite and open the file <code>/etc/apache2/httpd.conf</code> | ||
* At the end of the file add the following | * At the end of the file add the following line: | ||
Protocols h2 http/1.1 | Protocols h2 http/1.1 | ||
* Save the configuration file once you have added your appropriate lines | * Save the configuration file once you have added your appropriate lines | ||
* Restart Apache by typing <code>sudo service apache2 restart</code>. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem. | * Restart Apache by typing <code>sudo service apache2 restart</code>. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem. |
Revision as of 03:20, 15 June 2018
We use Apache HTTP Server on the server to serve these websites.
HTTPS/TLS
This article will show you how to secure your Apache server with either a certificate issued by a trusted CA, or a self-signed certificate created by yourself. With either type of certificate, the steps are the same, although this guide is tailored to a self-signed certificate, specifically for this article. This will allow you to use HTTPS with a TLS certificate to connect to the server securely over the internet.
Due to insecurities in the SSL protocol, SSL is disabled by default on most modern browsers and has been replaced by TLS. In this article, we will now refer to SSL as TLS. Apache still refers to it as SSL in some cases but the underlying protocol is TLS.
What you need to know
- In the latest Apache versions, TLS is enabled by default and this guide is now a lot simpler due to this.
- This guide assumes if using a self-signed certificate, you have followed all the steps to creating your own certificate.
Configuring Apache to use your server certificate
- Open a terminal. If not already in the directory of the certificates, move into the directory now.
- We need to copy the certificates and keys into the correct places. Type the following commands:
cp key.pem /etc/apache2/ssl.key cp cert.pem /etc/apache2/ssl.crt cp csr.pem /etc/apache2/ssl.csr
- Close the terminal
- By default, on the latest Apache the next points are enabled by default and
- Open dolphin and browse to:
/etc/apache2/vhosts.d
. Inside, you should find a file calledvhost-ssl.template
. Copy and paste this in the same place, changing .template to .conf - Open the new file with Kwrite
- Change the following options:
ServerName thinkserver:443
(replace thinkserver with hostname, FQSN or IP address, remove the # to enable)ServerAdmin webmaster@example.com
(replace with your e-mail address, remove the # to enable)SSLCertificateFile /etc/apache2/ssl.crt/cert.pem
(change to what you called the certificate if different)SSLCertificateKeyFile /etc/apache2/ssl.key/key.pem
(change to what you called the key if different)
- If using a firewall, make sure port 443 is open
- Restart Apache by typing in the terminal:
service apache2 restart
- Test your site by going to https://localhost
- Remember that your browser will throw an error, it is safe to ignore it and add an exception. This will stop future re-occurrence.
HTTP/2 Support
Normal websites use HTTP 1.1 which was released in 1999, 17 years ago and the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security, concurrent connections and prioritization. This makes the connection much more robust than before.
HTTP/2 is supported with Apache 2.4.12 with the addition of the mod_http2 module. It is natively supported with Apache >2.4.17 without the mod_http2 module. In this article, we will focus on the latter.
There are a few prerequisites that are required for HTTP/2 to work:
- You must have a valid TLS certificate setup and working correctly.
- If you are using PHP, it must be implemented by the FPM method. Using mod_php[x] will disable HTTP/2.
To enable HTTP/2:
- In the software manager in YaST, you will need to make sure that
libnghttp2-14
shared library is installed. - Open a terminal window
- Type
sudo a2enmod http2
. This will enable the built in module in Apache. - Open kwrite and open the file
/etc/apache2/httpd.conf
- At the end of the file add the following line:
Protocols h2 http/1.1
- Save the configuration file once you have added your appropriate lines
- Restart Apache by typing
sudo service apache2 restart
. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem.