Httpd (Application)

From campisano.org
Jump to navigation Jump to search

Configure HTTP server

  • You need access to a well known directory structures using http and https protocols, so you need to open this structure in your webserver

Apache

  • NOTE: we will use example.com an www.example.com as .. domain examples for this wiki
  • If you have a redirect rule from any example.com to www.example.com, you may need to skip this rule for the well known structure
<VirtualHost *:80>
    Define DOMAIN example.com
    Define SITE www.${DOMAIN}
    Define ROOT /srv/domain/${DOMAIN}
    Define DOCROOT ${ROOT}/www
    
    ServerName ${SITE}
    DocumentRoot ${DOCROOT}

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^${SITE}
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        RewriteRule ^/(.*)$ http://www.${SITE}/$1 [L,R=301]
    </IfModule>

    <Directory ${DOCROOT}/.well-known/acme-challenge>
        Options +Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    Define DOMAIN example.com
    Define SITE ${DOMAIN}
    Define ROOT /srv/domain/${DOMAIN}
    Define DOCROOT ${ROOT}/www
    
    ServerName ${SITE}
    DocumentRoot ${DOCROOT}

    [...] # specific www.example.com configs
    
</VirtualHost>

Prepare Apache configuration

  • Enable SSL and configure 443 virtualhost
a2enmod ssl
  • and check that something like that exists in /etc/apache2/ports.conf:
<IfModule ssl_module>
        Listen 443
</IfModule>
  • Restart apache BEFORE the follow changes
/etc/init.d/apache2 restart
  • Now prepare the config for the future certificate (they still not exists)
<VirtualHost example.com:80>
    Redirect permanent "/" "https://${SITE}/"
</VirtualHost>

<VirtualHost example.com:443>
    <IfModule ssl_module>
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/example.com.crt
        SSLCertificateKeyFile /etc/ssl/private/example.com.key
        SSLCertificateChainFile /etc/ssl/certs/example.com.bundle
    </IfModule>
</VirtualHost>

Obtain the free certificate

mkdir -p /srv/domain/example.com/www/.well-known/acme-challenge
curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl
mkdir -p ~/tmp/example.com
cat > ~/tmp/example.com/getssl.cfg << EOF
CA="https://acme-v01.api.letsencrypt.org"
SANS="www.example.com"
ACL=('/srv/domain/example.com/www/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
DOMAIN_CERT_LOCATION="/etc/ssl/certs/example.com.crt"
DOMAIN_KEY_LOCATION="/etc/ssl/private/example.com.key"
CA_CERT_LOCATION="/etc/ssl/certs/example.com.bundle"
RELOAD_CMD="service apache2 reload"
EOF
./getssl -w ~/tmp example.com
rm -rf ~/tmp/example.com ./getssl

Benchmarking

see https://httpd.apache.org/docs/2.4/programs/ab.html

TODO automate update of certificate validity

use getssl to update certificate validity

References