
apache_ssl_16.sh


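#!/usr/bin/env bash
#
# apache_ssl_16.sh — create a self-signed certificate and configure Apache to
# serve HTTPS with it, following DigitalOcean's guide:
# https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04#prerequisites
#
# Usage:   bash apache_ssl_16.sh
# Assumes: Ubuntu 16.04 with Apache 2.4 installed, ufw present, sudo access.
# Prompts: an admin email address and the server domain or IP address
#          (both are spliced into the generated virtual-host files).
# Writes:  /etc/ssl/private/apache-selfsigned.key
#          /etc/ssl/certs/apache-selfsigned.crt
#          /etc/ssl/certs/dhparam.pem
#          /etc/apache2/conf-available/ssl-params.conf
#          /etc/apache2/sites-available/default-ssl.conf   (old copy -> .bak)
#          /etc/apache2/sites-available/000-default.conf   (old copy -> .bak)
# Then adjusts ufw, enables the Apache modules/site/conf, runs configtest and
# restarts apache2 only if the test passes.

set -euo pipefail

readonly KEY_FILE=/etc/ssl/private/apache-selfsigned.key
readonly CERT_FILE=/etc/ssl/certs/apache-selfsigned.crt
readonly DHPARAM_FILE=/etc/ssl/certs/dhparam.pem
readonly SSL_PARAMS_CONF=/etc/apache2/conf-available/ssl-params.conf
readonly SSL_SITE=/etc/apache2/sites-available/default-ssl.conf
readonly HTTP_SITE=/etc/apache2/sites-available/000-default.conf

#######################################
# Print an error message to stderr and exit.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Prompt the user for a single value and print it on stdout.
# The value ends up inside Apache directives (ServerName, Redirect, ...),
# so anything empty or containing whitespace or quotes is rejected: a stray
# newline or quote would otherwise alter the generated configuration.
# Arguments: $1 - prompt text
# Outputs:   the entered value, without a trailing newline
# Returns:   0, or exits via die on invalid input
#######################################
prompt_value() {
  local prompt=$1
  local value
  # -r keeps backslashes literal; the prompt itself goes to stderr.
  IFS= read -r -p "$prompt" value
  [[ -n "$value" ]] || die "a value is required"
  [[ "$value" != *[[:space:]\"\']* ]] \
    || die "value must not contain whitespace or quotes: $value"
  printf '%s' "$value"
}

#######################################
# Create the self-signed key/certificate pair and a DH parameter file.
# openssl req prompts interactively for the certificate subject.
#######################################
create_certificate() {
  # RSA 2048, valid one year; -nodes leaves the private key unencrypted so
  # Apache can start without a passphrase.
  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$KEY_FILE" -out "$CERT_FILE"
  # A 2048-bit Diffie-Hellman group for DHE key exchange; this can take
  # several minutes.
  sudo openssl dhparam -out "$DHPARAM_FILE" 2048
}

#######################################
# Write the global TLS hardening snippet (ssl-params.conf).
# Settings are taken from cipherli.st / raymii.org as in the guide.
#######################################
write_ssl_params() {
  # NOTE(review): SSLProtocol still allows TLS 1.0/1.1 exactly as the guide
  # does; on a host that only needs modern clients, `SSLProtocol -all +TLSv1.2`
  # is the stricter choice.
  # NOTE(review): the HSTS header is sent with a self-signed certificate;
  # browsers generally do not allow bypassing a certificate warning on an
  # HSTS host, so clients must trust this certificate or they will be locked
  # out of the site for max-age seconds.
  sudo tee "$SSL_PARAMS_CONF" >/dev/null <<EOF
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

SSLOpenSSLConfCmd DHParameters "$DHPARAM_FILE"
EOF
}

#######################################
# Keep a one-time copy of a config file before it is overwritten.
# An existing .bak is left alone so re-running the script cannot clobber
# the copy of the stock file.
# Arguments: $1 - path of the file to back up
#######################################
backup_once() {
  local path=$1
  if [[ ! -e "$path.bak" ]]; then
    sudo cp -- "$path" "$path.bak"
  fi
}

#######################################
# Write the HTTPS virtual host (default-ssl.conf).
# Arguments: $1 - admin email, $2 - server domain or IP
#######################################
write_ssl_vhost() {
  local email=$1
  local server_domain=$2
  backup_once "$SSL_SITE"
  # Unquoted delimiter so $email, $server_domain and the file constants
  # expand. ${APACHE_LOG_DIR} is escaped on purpose: it must reach the file
  # literally so that Apache expands it from /etc/apache2/envvars at startup
  # (the original echo "..." form let this shell expand it to an empty string,
  # producing "ErrorLog /error.log").
  sudo tee "$SSL_SITE" >/dev/null <<EOF
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin $email
        ServerName $server_domain

        DocumentRoot /var/www/html

        ErrorLog \${APACHE_LOG_DIR}/error.log
        CustomLog \${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile $CERT_FILE
        SSLCertificateKeyFile $KEY_FILE

        <FilesMatch "\.(cgi|shtml|phtml|php)\$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \\
            nokeepalive ssl-unclean-shutdown \\
            downgrade-1.0 force-response-1.0

    </VirtualHost>
</IfModule>
EOF
}

#######################################
# Rewrite the plain-HTTP virtual host (000-default.conf) so that every
# request is redirected to the HTTPS site.
# Arguments: $1 - server domain or IP used in the redirect target
#######################################
write_redirect_vhost() {
  local server_domain=$1
  backup_once "$HTTP_SITE"
  # ${APACHE_LOG_DIR} escaped for the same reason as in write_ssl_vhost.
  sudo tee "$HTTP_SITE" >/dev/null <<EOF
<VirtualHost *:80>
    Redirect "/" "https://$server_domain/"

    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the requests Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
EOF
}

#######################################
# Open HTTP/HTTPS and SSH in ufw, drop the HTTP-only profile, enable ufw.
# SSH is allowed before ufw is enabled so a remote session is not cut off.
#######################################
configure_firewall() {
  sudo ufw allow 'Apache Full'
  sudo ufw allow 'OpenSSH'
  # Best effort: the HTTP-only profile may not have been allowed before.
  sudo ufw delete allow 'Apache' \
    || printf 'note: no existing "Apache" rule to delete\n' >&2
  sudo ufw enable
}

#######################################
# Enable the TLS modules, the HTTPS site and the hardening snippet, then
# restart Apache — but only after the configuration passes configtest, so a
# typo in the generated files does not take the web server down.
#######################################
enable_apache() {
  sudo a2enmod ssl
  sudo a2enmod headers
  sudo a2ensite default-ssl
  sudo a2enconf ssl-params
  sudo apache2ctl configtest \
    || die "apache configtest failed; apache2 was NOT restarted (backups: $SSL_SITE.bak, $HTTP_SITE.bak)"
  sudo systemctl restart apache2
}

#######################################
# Entry point: collect the two inputs first (dhparam generation is slow),
# then perform the steps of the guide in order.
#######################################
main() {
  local email server_domain
  email=$(prompt_value "What is your email address? : ")
  server_domain=$(prompt_value "What is your server domain or ip address? : ")
  create_certificate
  write_ssl_params
  write_ssl_vhost "$email" "$server_domain"
  write_redirect_vhost "$server_domain"
  configure_firewall
  enable_apache
}

main "$@"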