How to Enable HTTPS for Your Website (Apache and Ubuntu)

Preface

HTTPS is becoming more of a common standard these days. Serving a site without an encrypted HTTPS connection opens up your server to a man-in-the-middle (MITM) attack and risks the interception of user data and passwords. It is a best practice, and highly recommended, to always use HTTPS on production servers and to never allow unencrypted HTTP.

Apache2 comes with a built-in ssl module which is very easy to configure.

This guide was tested with Apache2 on Ubuntu 16.04 64-bit.

Update Apache2 First

I recommend upgrading your Apache to this build, which comes with HTTP/2. HTTP/2 has huge speed improvements over HTTP when a page makes multiple requests. Most browsers already support HTTP/2 over SSL (HTTPS).

$ sudo add-apt-repository -y ppa:ondrej/apache2
$ sudo apt-key update
$ sudo apt-get update
$ sudo apt-get --only-upgrade install apache2 -y
$ sudo a2enmod http2
$ sudo systemctl restart apache2

Enable SSL

  1. First we need to enable the ssl module of Apache2.

    $ sudo a2enmod ssl
    $ sudo systemctl restart apache2
  2. Then we need to edit the content of the default-ssl.conf config file. Instead of editing it directly, we will make a copy of it and edit the copy.

    $ cd /etc/apache2/sites-available
    $ sudo cp default-ssl.conf mysite.conf
    $ sudo nano mysite.conf
  3. We will need to edit these two lines in nano so that they point to our own SSL certificate and key.

    SSLCertificateFile /path/to/your/cert
    SSLCertificateKeyFile /path/to/your/key
  4. We will use Let’s Encrypt’s free SSL certificate. Go to their certbot page and choose your own server configuration; here we will use Apache and Ubuntu 16.04. Following the installation instructions there should be good enough.

    # Install Certbot
    $ sudo apt-get update
    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install python-certbot-apache
    # Obtain the certificate and key, and let certbot modify the Apache config
    $ sudo certbot --apache
    # If you want to modify the config yourself, obtain the certificate only
    $ sudo certbot --apache certonly
  5. After adding your cert to the Apache2 config, open up your config file again and add a Strict-Transport-Security (HSTS) header to further improve security.

    $ sudo nano mysite.conf
    # and add these lines inside the <VirtualHost> tags
    # (the block is skipped silently unless mod_headers is enabled: sudo a2enmod headers)
    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
  6. We are almost finished! One more step is to redirect all HTTP traffic to HTTPS instead. This is actually easy. Just add these lines to a new config file (or you can add them to your existing config):

    $ sudo nano redirect.conf
    # add these lines
    NameVirtualHost *:80
    <VirtualHost *:80>
    ServerName yourdomain
    DocumentRoot /var/www/yourdir
    # keep the trailing slash: the rest of the request path is appended to the target as-is
    Redirect permanent / https://yourdomain/
    </VirtualHost>
  7. Now we are finished. Just enable the configs and restart apache.

    $ sudo a2ensite mysite.conf
    $ sudo a2ensite redirect.conf
    $ sudo systemctl restart apache2
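
To confirm that the HSTS header from step 5 and the redirect from step 6 behave as intended, the script below checks response headers as printed by `curl -sI`. It is an added example, not part of the original guide; the function names, the domain example.test, the path /login and the sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): header checks for steps 5 and 6.
# example.test, /login and all sample responses below are constructed.

# Print the value of header $1 (name matched case-insensitively) from stdin.
header_value() {
  tr -d '\r' | awk -v name="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(name)) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }
  }'
}

# check_redirect DOMAIN PATH < headers of: curl -sI http://DOMAIN/PATH
# Passes only for a 301 whose Location keeps both the host and the path intact.
check_redirect() (
  headers=$(tr -d '\r')
  status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  location=$(printf '%s\n' "$headers" | header_value Location)
  [ "$status" = "301" ] && [ "$location" = "https://$1$2" ]
)

# check_hsts MIN_AGE < headers of: curl -sI https://DOMAIN/
# Passes when Strict-Transport-Security carries max-age >= MIN_AGE seconds.
check_hsts() (
  value=$(header_value Strict-Transport-Security | tr '[:upper:]' '[:lower:]')
  age=$(printf '%s\n' "$value" | sed -n 's/.*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge "$1" ]
)

# Constructed sample responses (what curl -sI would print).
good_redirect() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/login\r\n\r\n'; }
# What "Redirect permanent / https://example.test" (no trailing slash) returns for /login.
bad_redirect()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.testlogin\r\n\r\n'; }
hsts_ok()       { printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=15552000; includeSubDomains\r\n\r\n'; }
hsts_missing()  { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }

good_redirect | check_redirect example.test /login && echo "redirect: ok"
bad_redirect  | check_redirect example.test /login || echo "redirect: Location host or path is wrong"
hsts_ok       | check_hsts 15552000 && echo "hsts: ok"
hsts_missing  | check_hsts 15552000 || echo "hsts: header missing or max-age too short"

# Against a live site (DOMAIN is your own host name):
#   curl -sI "http://$DOMAIN/login" | check_redirect "$DOMAIN" /login
#   curl -sI "https://$DOMAIN/"     | check_hsts 15552000
```

A failing `check_hsts` on a site that has the header configured usually means mod_headers is not loaded, since the `<IfModule>` wrapper hides that condition.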
