====== Ubuntu 14.04 with Apache and SSL ======
===== HTTPS with Apache on Ubuntu - short version =====
* [[::EDV:ssl-schluessel_generieren#im_apache_https_aktivieren]]
- ''aptitude install apache2 php5''
- ''a2enmod php5 rewrite status info''
- ''vi /etc/apache2/mods-enabled/status.conf''
- ''Allow from 192.168.0.0/16''
- [[http://server.de/server-status]]
- ''vi /etc/apache2/mods-enabled/info.conf''
- ''Allow from 192.168.0.0/16''
- [[http://server.de/server-info]]
- ''service apache2 restart''
- Generate the SSL key with a self-signed certificate.
- ''openssl genrsa -out server.key 4096''
- ''openssl req -rand /dev/urandom -sha512 -new -x509 -newkey rsa:4096 -nodes -keyout server.key -keyform PEM -out server.crt -outform PEM -subj "/emailAddress=benutzer@server.de/C=DE/ST=Hessen/L=Frankfurt/O=Firma/OU=Abteilung/CN=server.de" -days 7000''
- ''chmod 0600 server.*''
- ''openssl x509 -noout -subject -issuer -dates -in server.crt''
- ''mv server.crt /etc/ssl/certs/server.crt''
- ''mv server.key /etc/ssl/private/server.key''
- ''vi /etc/apache2/sites-available/default-ssl.conf''
- ''SSLCertificateFile /etc/ssl/certs/server.crt''
- ''SSLCertificateKeyFile /etc/ssl/private/server.key''
- ''a2ensite default-ssl''
- ''a2enmod ssl''
- ''service apache2 restart''
===== Complete configuration =====
==== Preparations ====
> locale-gen de_DE.UTF-8
> dpkg-reconfigure locales
> aptitude install apache2
> a2dismod cache_disk
> a2enmod cache
> a2enmod socache_memcache
> a2enmod rewrite
> a2enmod ssl
> mkdir -p /etc/apache2/ssl
> openssl req -rand /dev/urandom -sha512 -newkey rsa:4096 -nodes -new -x509 -days 3650 -out /etc/apache2/ssl/server.pem -keyout /etc/apache2/ssl/server.pem
> chmod 600 /etc/apache2/ssl/server.pem
> ln -sf /etc/apache2/ssl/server.pem /etc/apache2/ssl/$(/usr/bin/openssl x509 -noout -hash -in /etc/apache2/ssl/server.pem).0
View the certificate:
> openssl x509 -noout -text -in /etc/apache2/ssl/server.pem
> vi /etc/apache2/mods-enabled/ssl.conf
SSLCompression off
...
#SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5
SSLCipherSuite TLSv1.2
...
SSLHonorCipherOrder on
...
#SSLProtocol all
SSLProtocol -ALL +TLSv1.2
...
> rm /etc/apache2/sites-enabled/*
> vi /etc/apache2/ports.conf
Use [[http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html|Rewrite]] to set up a port redirect [[https://wiki.apache.org/httpd/RewriteHTTPToHTTPS|80 -> 443]]:
> vi /etc/apache2/sites-enabled/extras.conf
HostnameLookups Off
UseCanonicalName Off
ServerSignature Off
#------------------------------------------------------------------------------#
#
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
#
RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
#------------------------------------------------------------------------------#
Options FollowSymlinks
#AllowOverride None
AllowOverride All
Require all granted
> cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/server.conf
> vi /etc/apache2/sites-enabled/server.conf
...
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/apache2/ssl/server.pem
...
> service apache2 restart
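
Added example (not part of the original page): the ''SSLCipherSuite'' value set in ''ssl.conf'' above is an OpenSSL cipher string, and the keyword ''TLSv1.2'' selects suites by protocol version, not by strength, so it is worth listing what the string expands to on the server. The script filters ''openssl ciphers -v'' output for suites without authentication or encryption; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage on the server: sh audit-ciphers.sh 'TLSv1.2'

# Read `openssl ciphers -v` lines on stdin; print every suite that has no
# authentication (Au=None) or no encryption (Enc=None). Exit 1 if any found.
audit_ciphers() {
    awk '
        {
            au = ""; enc = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Au=/)  au  = substr($i, 4)
                if ($i ~ /^Enc=/) enc = substr($i, 5)
            }
            if (au == "None")       { print "no-auth " $1; bad++ }
            else if (enc ~ /^None/) { print "no-enc " $1; bad++ }
        }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

# Expand a cipher string with the local OpenSSL and audit the result.
# Returns 2 if OpenSSL rejects the string, so a typo is not reported as clean.
audit_string() {
    list=$(openssl ciphers -v "$1") || return 2
    printf '%s\n' "$list" | audit_ciphers
}

# Constructed sample in `openssl ciphers -v` format, for offline testing.
sample_listing() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384       TLSv1.2 Kx=DH   Au=None Enc=AESGCM(256) Mac=AEAD
NULL-SHA256                 TLSv1.2 Kx=RSA  Au=RSA  Enc=None        Mac=SHA256
EOF
}

# When called with a cipher string as argument, audit it directly.
if [ "$#" -gt 0 ]; then
    audit_string "$1"
fi
```

Any line printed means the string admits a suite that should be excluded before the value goes into ''SSLCipherSuite''.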