Apache HTTP Server

Revision as of 18:23, 8 September 2020 by Sam (talk | contribs) (→‎HTTP/2 Support: Changed part stating prefork method is unavailable.)

We use Apache HTTP Server on the server to serve these websites.

HTTPS/TLS

This article will show you how to secure your Apache server with either a certificate issued by a trusted CA, or a self-signed certificate created by yourself. With either type of certificate, the steps are the same, although this guide is tailored to a self-signed certificate, specifically for this article. This will allow you to use HTTPS with a TLS certificate to connect to the server securely over the internet.

Due to insecurities in the SSL protocol, SSL is disabled by default on most modern browsers and has been replaced by TLS. In this article, we will now refer to SSL as TLS. Apache still refers to it as SSL in some cases but the underlying protocol is TLS.

What you need to know

  • In the latest Apache versions, TLS is enabled by default and this guide is now a lot simpler due to this.
  • This guide assumes if using a self-signed certificate, you have followed all the steps to creating your own certificate.

Configuring Apache to use your server certificate

  • Open a terminal. If not already in the directory of the certificates, move into the directory now.
  • We need to copy the certificates and keys into the correct places. Type the following commands:
 cp key.pem /etc/apache2/ssl.key/key.pem
 cp cert.pem /etc/apache2/ssl.crt/cert.pem
  • Close the terminal
  • By default, on the latest Apache the next points are enabled by default and
  • Open dolphin and browse to: /etc/apache2/vhosts.d. Inside, you should find a file called vhost-ssl.template. Copy and paste this in the same place, changing .template to .conf
  • Open the new file with Kwrite
  • Change the following options:
    • ServerName thinkserver:443 (replace thinkserver with hostname, FQSN or IP address, remove the # to enable)
    • ServerAdmin webmaster@example.com (replace with your e-mail address, remove the # to enable)
    • SSLCertificateFile /etc/apache2/ssl.crt/cert.pem (change to what you called the certificate if different)
    • SSLCertificateKeyFile /etc/apache2/ssl.key/key.pem (change to what you called the key if different)
  • If using a firewall, make sure port 443 is open
  • Restart Apache by typing in the terminal:
 service apache2 restart
  • Test your site using https://
  • Remember that your browser will throw an error, it is safe to ignore it and add an exception. This will stop future re-occurrence.

HTTP/2 Support

Normal websites use HTTP 1.1 which was released in 1999, which is over 2 decades old now; the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security, concurrent connections and prioritization. This makes the connection much more robust than before.

HTTP/2 is supported with Apache 2.4.12 with the manual addition of the mod_http2 module. It is natively supported with Apache =>2.4.17 with the mod_http2 module available natively. In this article, we will focus on the latter.

There are a few prerequisites that are required for HTTP/2 to work:

  • You must have a valid TLS certificate setup and working correctly.
  • You cannot use the prefork method of loading modules into Apache. Consider tabooing the apache-prefork package. The alternatives are worker and event. We are using event. Consequently:
  • You cannot use the mod-php7 package to load PHP into Apache. PHP-FPM must be configured and used instead. Trying to use it will disable HTTP/2.

To enable HTTP/2:

  • In the software manager in YaST, you will need to make sure that libnghttp2-14 shared library is installed.
  • Open a terminal window
  • Type sudo a2enmod http2. This will enable the built in module in Apache.
  • Open kwrite and open the file /etc/apache2/httpd.conf
  • At the end of the file add the following line:
Protocols h2 http/1.1
  • Save the configuration file once you have added your appropriate lines
  • Restart Apache by typing sudo service apache2 restart. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem.

See also