Apache HTTP Server
We use Apache HTTP Server on the server to serve these websites.
HTTPS/TLS
This article will show you how to secure your Apache server with either a certificate issued by a trusted CA, or a self-signed certificate created by yourself. With either type of certificate, the steps are the same, although this guide is tailored to a self-signed certificate, specifically for this article. This will allow you to use HTTPS with a TLS certificate to connect to the server securely over the internet.
Due to insecurities in the SSL protocol, SSL is disabled by default on most modern browsers and has been replaced by TLS. In this article, we will now refer to SSL as TLS. Apache still refers to it as SSL in some cases but the underlying protocol is TLS.
What you need to know
- In the latest Apache versions, TLS is enabled by default and this guide is now a lot simpler due to this.
- This guide assumes if using a self-signed certificate, you have followed all the steps to creating your own certificate.
Configuring Apache to use your server certificate
- Open a terminal. If not already in the directory of the certificates, move into the directory now.
- We need to copy the certificates and keys into the correct places. Type the following commands:
cp key.pem /etc/apache2/ssl.key cp cert.pem /etc/apache2/ssl.crt cp csr.pem /etc/apache2/ssl.csr
- Close the terminal
- By default, on the latest Apache the next points are enabled by default and
- Open dolphin and browse to:
/etc/apache2/vhosts.d. Inside, you should find a file calledvhost-ssl.template. Copy and paste this in the same place, changing .template to .conf - Open the new file with Kwrite
- Change the following options:
ServerName thinkserver:443(replace thinkserver with hostname, FQSN or IP address, remove the # to enable)ServerAdmin webmaster@example.com(replace with your e-mail address, remove the # to enable)SSLCertificateFile /etc/apache2/ssl.crt/cert.pem(change to what you called the certificate if different)SSLCertificateKeyFile /etc/apache2/ssl.key/key.pem(change to what you called the key if different)
- If using a firewall, make sure port 443 is open
- Restart Apache by typing in the terminal:
service apache2 restart
- Test your site by going to https://localhost
- Remember that your browser will throw an error, it is safe to ignore it and add an exception. This will stop future re-occurrence.
HTTP/2 Support
Normal websites use HTTP 1.1 which was released in 1999, 17 years ago and the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security (when implemented with TLS), concurrent connections and prioitization. This makes the connection much more robust than before.
HTTP/2 is support with Apache 2.4.12 with the addition of the mod_http2 module and is natively supported from Apache 2.4.17 without mod_http2 module. In this article, we will focus on the latter.
- In the software manager in YaST, you will need to make sure that
nghttp2is installed. - Open a terminal window
- Type
sudo a2enmod http2. This will enable the built in module in Apache. - Open kwrite and open the file
/etc/apache2/httpd.conf - At the end of the file add the following lines:
Protocols h2 http/1.1 Protocols h2c http/1.1
- The first line adds support for HTTP/2 over a HTTPS connection and must be used in conjunction with a TLS certificate. This is the default use case. The second line adds support for HTTP/2 over an unencrypted HTTP connection. Not many browsers support this option if at all as it is defined that HTTP/2 is to be used with HTTPS. You may use either or both lines to suit your use case. On this server, only the first line has been enabled.
- Save the configuration file once you have added your appropriate lines
- Restart Apache by typing
sudo service apache2 restart. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem.