This is an old revision of the document!


Ubuntu 14.04 with Apache and SSL

HTTPS with Apache on Ubuntu - short version

  1. aptitude install apache2 php5
    1. a2enmod php5 rewrite status info
      1. vi /etc/apache2/mods-enabled/status.conf
        1. Allow from 192.168.0.0/16
      2. vi /etc/apache2/mods-enabled/info.conf
        1. Allow from 192.168.0.0/16
    2. service apache2 restart
    3. Generate the SSL key with a self-signed certificate.
      1. openssl genrsa -out server.key 4096
      2. openssl req -rand /dev/urandom -sha512 -new -x509 -newkey rsa:4096 -nodes -keyout server.key -keyform PEM -out server.crt -outform PEM -subj "/emailAddress=benutzer@server.de/C=DE/ST=Hessen/L=Frankfurt/O=Firma/OU=Abteilung/CN=server.de" -days 7000
      3. chmod 0600 server.*
      4. openssl x509 -noout -subject -issuer -dates -in server.crt
      5. mv server.crt /etc/ssl/certs/server.crt
      6. mv server.key /etc/ssl/private/server.key
    4. vi /etc/apache2/sites-available/default-ssl
      1. SSLCertificateFile /etc/ssl/certs/server.crt
      2. SSLCertificateKeyFile /etc/ssl/private/server.key
    5. a2ensite default-ssl
    6. a2enmod ssl
    7. service apache2 restart

Complete configuration

Preparations

> locale-gen de_DE.UTF-8
> dpkg-reconfigure locales
> aptitude install apache2
> a2dismod cache_disk
> a2enmod cache
> a2enmod socache_memcache
> a2enmod rewrite
> a2enmod ssl
> mkdir -p /etc/apache2/ssl
> openssl req -rand /dev/urandom -sha512 -newkey rsa:4096 -nodes -new -x509 -days 3650 -out /etc/apache2/ssl/server.pem -keyout /etc/apache2/ssl/server.pem
> chmod 600 /etc/apache2/ssl/server.pem
> ln -sf /etc/apache2/ssl/server.pem /etc/apache2/ssl/$(/usr/bin/openssl x509 -noout -hash -in /etc/apache2/ssl/server.pem).0

View the certificate:

> openssl x509 -noout -text -in /etc/apache2/ssl/server.pem
> vi /etc/apache2/mods-enabled/ssl.conf
        SSLCompression off

        ...
        #SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5
        SSLCipherSuite TLSv1.2
        ...
        SSLHonorCipherOrder     on
        ...
        #SSLProtocol all
        SSLProtocol -ALL +TLSv1.2
        ...
> rm /etc/apache2/sites-enabled/*
> vi /etc/apache2/ports.conf

Use mod_rewrite to set up a redirect from port 80 to 443:

> vi /etc/apache2/sites-enabled/extras.conf
HostnameLookups Off
UseCanonicalName Off
ServerSignature Off

#------------------------------------------------------------------------------#
#
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
#

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

#------------------------------------------------------------------------------#

<Directory "/var/www">
        Options FollowSymlinks
        #AllowOverride None
        AllowOverride All
        Require all granted
</Directory>
> cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/server.conf
> vi /etc/apache2/sites-enabled/server.conf
                ...
                #SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
                #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
                SSLCertificateFile      /etc/apache2/ssl/server.pem
                ...
> service apache2 restart
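
An added check, not part of the original page: the shell functions below read an ssl.conf-style file, ignore commented-out directives, and confirm that the effective values match the ssl.conf edits above (SSLCompression off, SSLHonorCipherOrder on, TLSv1.2 as the only protocol). The function names, the sample file and the simplified SSLProtocol evaluation ("all" taken as SSLv3 through TLSv1.2, a bare token treated like "+token") are assumptions of this example.

```shell
# Added example, not from the original page. Function names are hypothetical.
# Print the arguments of the last uncommented occurrence of directive $2 in file $1.
effective_value() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }    # "#SSLProtocol all" is commented out: skip it
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# Reduce an SSLProtocol argument list to the set of enabled protocols.
# Assumptions: "all" = SSLv3..TLSv1.2; a bare token is treated like "+token".
enabled_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            -*) sign="-"; name=${tok#-} ;;
            +*) sign="+"; name=${tok#+} ;;
            *)  sign="+"; name=$tok ;;
        esac
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        [ "$name" = "all" ] && name="sslv3 tlsv1 tlsv1.1 tlsv1.2"
        for p in $name; do
            new=""
            for e in $enabled; do [ "$e" = "$p" ] || new="$new $e"; done
            [ "$sign" = "+" ] && new="$new $p"
            enabled=$new
        done
    done
    echo $enabled
}

# Print one line per failed check; return non-zero if any check fails.
audit_ssl_conf() {
    rc=0
    [ "$(effective_value "$1" SSLCompression | tr 'A-Z' 'a-z')" = "off" ] ||
        { echo "FAIL SSLCompression is not off"; rc=1; }
    [ "$(effective_value "$1" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" = "on" ] ||
        { echo "FAIL SSLHonorCipherOrder is not on"; rc=1; }
    protos=$(enabled_protocols "$(effective_value "$1" SSLProtocol)")
    [ "$protos" = "tlsv1.2" ] ||
        { echo "FAIL SSLProtocol effective set: ${protos:-none or not set}"; rc=1; }
    return $rc
}

sample=$(mktemp)    # constructed sample modelled on this page's ssl.conf edits
printf '%s\n' 'SSLCompression off' 'SSLHonorCipherOrder     on' \
    '#SSLProtocol all' 'SSLProtocol -ALL +TLSv1.2' > "$sample"
audit_ssl_conf "$sample" && echo "OK: compression off, TLSv1.2 only"
rm -f "$sample"
```

On a real host, pass /etc/apache2/mods-enabled/ssl.conf to audit_ssl_conf after editing and before the restart.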