Httpd (Application)
Configure HTTP server
- The ACME client proves control of the domain by placing a token under /.well-known/acme-challenge/ that the CA then fetches over plain http, so your webserver has to serve this well-known directory structure (for http, and later https) without redirecting or blocking it
Apache
- NOTE: example.com and www.example.com are used as the domain examples throughout this wiki
- If you have a redirect rule from example.com to www.example.com (or from http to https), it must skip the well-known structure, otherwise the challenge request never reaches the token file
<VirtualHost *:80>
    Define DOMAIN example.com
    Define SITE www.${DOMAIN}
    Define ROOT /srv/domain/${DOMAIN}
    Define DOCROOT ${ROOT}/www
    # bare domain: everything is redirected to www, except the ACME challenge path
    ServerName ${DOMAIN}
    DocumentRoot ${DOCROOT}
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^${DOMAIN}$ [NC]
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        # target is the www site itself (redirecting to www.${SITE} would produce www.www.example.com)
        RewriteRule ^/(.*)$ http://${SITE}/$1 [L,R=301]
    </IfModule>
    <Directory ${DOCROOT}/.well-known/acme-challenge>
        # no listing needed: the CA requests the token file by name
        Options -Indexes
        AllowOverride None
        # Apache 2.4 form; "Order allow,deny" / "Allow from all" is the 2.2 form and only works through mod_access_compat
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    Define DOMAIN example.com
    Define SITE www.${DOMAIN}
    Define ROOT /srv/domain/${DOMAIN}
    Define DOCROOT ${ROOT}/www
    ServerName ${SITE}
    DocumentRoot ${DOCROOT}
    # www.example.com is validated as a SAN too, so this virtualhost must also grant access to
    # ${DOCROOT}/.well-known/acme-challenge (a <Directory> block applies only to its own <VirtualHost>)
    [...] # specific www.example.com configs
</VirtualHost>
Prepare Apache configuration
- Enable SSL and configure the 443 virtualhost
a2enmod ssl
- and check that something like this exists in /etc/apache2/ports.conf:
<IfModule ssl_module>
Listen 443
</IfModule>
- Restart apache BEFORE the following changes: the 443 virtualhost below points at certificate files that do not exist yet, and Apache refuses to start while an SSLCertificateFile is missing, so do not restart again until getssl has written them (it reloads Apache itself via RELOAD_CMD)
/etc/init.d/apache2 restart
- Now prepare the config for the future certificate (the files do not exist yet):
<VirtualHost example.com:80>
    # http to https redirect; the challenge path is kept out of it, because until the first certificate
    # is installed a redirect to https:// breaks validation (${SITE} as defined above)
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^/(.*)$ https://${SITE}/$1 [L,R=301]
</VirtualHost>
<VirtualHost example.com:443>
    <IfModule ssl_module>
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/example.com.crt
        SSLCertificateKeyFile /etc/ssl/private/example.com.key
        # intermediate chain written by getssl (CA_CERT_LOCATION); obsolete since Apache 2.4.8,
        # where the chain can be appended to SSLCertificateFile instead
        SSLCertificateChainFile /etc/ssl/certs/example.com.bundle
    </IfModule>
</VirtualHost>
Obtain the free certificate
- Now we can proceed to obtaining the certificate (Let's Encrypt 90-day free certificate example, using getssl)
mkdir -p /srv/domain/example.com/www/.well-known/acme-challenge
# fetching an unpinned script from master and running it as root is a supply-chain risk:
# prefer a release tag and compare the download with a checksum recorded from a trusted copy
curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl
mkdir -p ~/tmp/example.com
cat > ~/tmp/example.com/getssl.cfg << 'EOF'
# ACME v2 endpoint (the acme-v01 endpoint has been shut down); for testing use
# https://acme-staging-v02.api.letsencrypt.org so failed attempts do not eat the production rate limits
CA="https://acme-v02.api.letsencrypt.org"
SANS="www.example.com"
# one challenge directory serves the domain and all SANs (USE_SINGLE_ACL)
ACL=('/srv/domain/example.com/www/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
DOMAIN_CERT_LOCATION="/etc/ssl/certs/example.com.crt"
DOMAIN_KEY_LOCATION="/etc/ssl/private/example.com.key"
CA_CERT_LOCATION="/etc/ssl/certs/example.com.bundle"
RELOAD_CMD="service apache2 reload"
EOF
./getssl -w ~/tmp example.com
# ~/tmp/example.com holds the ACME account key and this config: keep it if you want to renew with getssl later
rm -rf ~/tmp/example.com ./getssl
Benchmarking
see Http benchmark
TODO: automate certificate renewal
- use getssl to renew the certificate before the 90 days run out: keep the working directory and config, and run getssl from cron (with -a it processes every configured domain, with -q it only reports failures; it renews once fewer than RENEW_ALLOW days of validity remain)
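The following is an added example for the renewal TODO and for checking the Apache setup above; it is not part of the wiki page or of the getssl project. It assumes the certificate path from the getssl.cfg above, and that the getssl script and its working directory were kept at /root/getssl and /root/.getssl (both assumptions, adjust to taste). The pre-check puts a throwaway token in the challenge directory and fetches it over plain http for the domain and the www SAN, which catches a redirect rule that swallows /.well-known/acme-challenge/ before a renewal fails on it.

```shell
#!/bin/sh
# Added example (not from the wiki or getssl): cron-friendly renewal check for the
# certificate obtained above. All paths are assumptions matching the example config.
set -eu

DOMAIN="${DOMAIN:-example.com}"
CERT="${CERT:-/etc/ssl/certs/example.com.crt}"        # DOMAIN_CERT_LOCATION in getssl.cfg
ACL_DIR="${ACL_DIR:-/srv/domain/example.com/www/.well-known/acme-challenge}"  # ACL in getssl.cfg
GETSSL="${GETSSL:-/root/getssl}"                      # assumed: where the getssl script was kept
WORKDIR="${WORKDIR:-/root/.getssl}"                   # assumed: getssl -w dir (account key + getssl.cfg)
RENEW_DAYS="${RENEW_DAYS:-30}"                        # renew when fewer days than this remain

# Days until an openssl-style notAfter string ("Jan  1 00:00:00 2099 GMT") is reached;
# negative once expired. Uses GNU date -d; on BSD/macOS use date -j -f instead.
days_until() {
    exp=$(date -u -d "$1" +%s)
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# notAfter of a PEM certificate file, in the format days_until expects.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit status 0 when the certificate with notAfter $1 has fewer than $2 days left.
needs_renewal() {
    [ "$(days_until "$1")" -lt "$2" ]
}

# HTTP-01 pre-check: a token file in the challenge directory must answer 200 over plain
# http on host $1, i.e. it must not be caught by the www/https redirects or a 403.
challenge_reachable() {
    host="$1"; dir="$2"
    token="precheck-$$"
    echo "$token" > "$dir/$token"
    code=$(curl -sS -o /dev/null -w '%{http_code}' "http://$host/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$code" = "200" ]
}

main() {
    not_after=$(cert_not_after "$CERT")
    if ! needs_renewal "$not_after" "$RENEW_DAYS"; then
        echo "$CERT valid until $not_after ($(days_until "$not_after") days left), nothing to do"
        return 0
    fi
    # the SAN must pass the challenge too, so check both hosts before asking the CA
    for h in "$DOMAIN" "www.$DOMAIN"; do
        challenge_reachable "$h" "$ACL_DIR" || { echo "challenge path not reachable on $h" >&2; return 1; }
    done
    # getssl renews and runs RELOAD_CMD itself; -q keeps cron mail quiet unless something fails
    "$GETSSL" -w "$WORKDIR" -q "$DOMAIN"
}

# Only act when invoked with "run", so the functions can be sourced or tested on their own.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Install as e.g. /root/renew-cert.sh and call it from cron with the argument run; the expiry check is intentionally separate from getssl's own RENEW_ALLOW logic so the challenge pre-check only runs when a renewal is actually due.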