TLS configuration on Debian

TLS (self-signed)

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

Enter the requested information and make sure to give your IP address as the Common Name (e.g. server FQDN or YOUR name).

Next, create an SSL configuration file

sudo vi /etc/apache2/conf-available/ssl-params.conf

with the following content.

# https://cipherli.st
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

Back up the initial SSL site configuration, then open it for editing.

sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
sudo vi /etc/apache2/sites-available/default-ssl.conf

Enter the following settings, taking care to replace the {VARIABLES} with your own values.

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin {ADMIN_EMAIL}
                ServerName {IP_ADDRESS}
                DocumentRoot /var/www/{ROOT_PROJECT}

                <Directory /var/www/{ROOT_PROJECT}>
                    AllowOverride All
                    Require all granted
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

Enable Apache's SSL module and the new configuration

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
sudo a2enmod ssl
sudo a2enmod headers # required by the "Header always set ..." lines in ssl-params.conf; mod_headers is not enabled by default on Debian
sudo a2enconf ssl-params

Test the configuration

sudo apache2ctl configtest # Syntax OK
sudo systemctl restart apache2
openssl s_client -connect {IP_ADDRESS}:443 # Testing
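Alongside configtest and s_client, the hardening directives in ssl-params.conf can be checked offline before the restart. The POSIX sh lint below is an added example, not part of the gist; `directive` and `check_ssl_params` are names chosen here, and it only reads the file it is given.

```shell
#!/bin/sh
# Added lint for the ssl-params.conf shown above (not part of the gist).
# Usage: check_ssl_params /etc/apache2/conf-available/ssl-params.conf
# Exit status 0 means every check passed; each failing check prints a FAIL line.

# Print the value of the first uncommented occurrence of directive $1 in file $2,
# with trailing blanks removed and lower-cased ("Off" and "off" are the same to Apache).
directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*//p" "$2" | head -n 1 \
        | sed 's/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]'
}

check_ssl_params() {
    f=$1
    fail=0
    proto=$(directive SSLProtocol "$f")
    # Every legacy protocol the gist disables must still be disabled explicitly.
    # Padding with spaces keeps "-tlsv1" from matching inside "-tlsv1.1".
    for old in sslv2 sslv3 tlsv1 tlsv1.1; do
        case " $proto " in
            *" -$old "*) ;;
            *) echo "FAIL: SSLProtocol does not disable $old"; fail=1 ;;
        esac
    done
    # Boolean directives and the value the gist expects for each.
    for pair in SSLCompression=off SSLHonorCipherOrder=on SSLSessionTickets=off SSLUseStapling=on; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(directive "$name" "$f")
        [ "$got" = "$want" ] || { echo "FAIL: $name is '${got:-unset}', expected $want"; fail=1; }
    done
    # Response headers: X-Frame-Options and nosniff must be active; HSTS is only reported,
    # because the gist deliberately leaves it commented out.
    grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Frame-Options' "$f" \
        || { echo "FAIL: X-Frame-Options header missing"; fail=1; }
    grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Content-Type-Options[[:space:]]+nosniff' "$f" \
        || { echo "FAIL: X-Content-Type-Options nosniff missing"; fail=1; }
    grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' "$f" \
        || echo "NOTE: Strict-Transport-Security is not active (commented out or absent)"
    # Any active Header directive needs mod_headers, or configtest fails with "Invalid command".
    grep -Eiq '^[[:space:]]*Header[[:space:]]' "$f" \
        && echo "NOTE: Header directives require mod_headers (sudo a2enmod headers)"
    return $fail
}

# Run directly with the path of a config file as the single argument.
if [ "$#" -eq 1 ]; then check_ssl_params "$1"; fi
```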

TLS (production, with Certbot)

sudo apt-get install certbot python-certbot-apache
sudo certbot --apache
sudo certbot renew --dry-run