As we said before – we are no longer supporting to install, configure Nginx but we are back to support Apache2 mainly for their odd idea to involve community to develop modules for free and distribute with paid product. Additionally, Nginx 502 error is a nightmare. Apache2 at current cost of web hosting not exactly bad. Here is a full working guided steps to setup Ubuntu 16.04 Apache2 HTTP/2, HSTS easily.
Ubuntu 16.04 Apache2 HTTP/2, HSTS : Steps
We will use ondrej’s repository for Apache2, first update and add the repo :
1 2 | sudo apt-get update sudo add-apt-repository ppa:ondrej/apache2 |
After adding the repo, again update and install Apache2 :
1 | sudo apt-get install apache2 |
To activate the http2 module, simply run :
1 | a2enmod http2 |
Next restart Apache2 :
1 2 | systemctl restart apache2 # sudo systemctl restart apache2.service |
For practical reasons, we need SSL/HTTPS, so we will take it granted that you did these steps :
1 2 3 4 5 6 | a2enmod ssl systemctl restart apache2 # sudo systemctl restart apache2.service a2ensite default-ssl systemctl restart apache2 # sudo systemctl restart apache2.service |
And for free SSL/TLS certificate, you have done something like these :
1 2 | apt-get -y install python-letsencrypt-apache apt-get -y install python-certbot-apache |
To generate SSL certificates against your domains you did these :
1 | letsencrypt --apache -d abhishekghosh.pro -d www.abhishekghosh.pro |
Then had a restart :
1 2 | systemctl restart apache2 # sudo systemctl restart apache2.service |
---
You essentially can open your website’s HTTPS version on browser without warning. If your virtual host configuration file’s name is 000-default-le-ssl.conf with this (partial) content :
1 2 3 4 5 6 7 8 9 10 11 | <IfModule mod_ssl.c> <VirtualHost *:443> ServerName abhishekghosh.pro ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCertificateFile /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem ... ... |
You should add this line :
1 | Protocols http/1.1 h2 |
here :
1 2 3 4 5 6 7 8 9 10 11 | <IfModule mod_ssl.c> <VirtualHost *:443> Protocols http/1.1 h2 ServerName abhishekghosh.pro ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCertificateFile /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem ... |
Ans restart Apache2 after config test :
1 2 | apachectl -t sudo systemctl restart apache2.service |
Now, if you test somewhere for HTTP/2, you’ll get it. For adding different headers, you need to activate a module :
1 | a2enmod headers |
and restart Apache2 :
1 2 | systemctl restart apache2 # sudo systemctl restart apache2.service |
We already talked about HSTS in context of Nginx.
The configuration for HSTS should look like this :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | <IfModule mod_ssl.c> <VirtualHost *:443> Protocols http/1.1 h2 ServerName abhishekghosh.pro ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCertificateFile /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/abhishekghosh.pro/privkey.pem Header always set Strict-Transport-Security "max-age=31536000; includeSubDomainsi; preload" ... |
and restart Apache2 :
1 2 | systemctl restart apache2 # sudo systemctl restart apache2.service |
Example Virtual Hosts Configuration File For Ubuntu 16.04 Apache2 HTTP/2, HSTS
It is an example modern, secured setup :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | <IfModule mod_ssl.c> <VirtualHost *:443> Protocols http/1.1 h2 ServerName abhishekghosh.pro ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCertificateFile /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/abhishekghosh.pro/privkey.pem ### For paid SSL follow their guide for cert installation # SSLCertificateFile /etc/ssl/private/public.crt # SSLCertificateKeyFile /etc/ssl/private/private.key # SSLCertificateChainFile /etc/ssl/private/intermediate.crt ### End third party SSL cert block SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem" SSLOpenSSLConfCmd ECDHParameters secp384r1 SSLOpenSSLConfCmd Curves secp521r1:secp384r1 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomainsi; preload" Header always set X-Content-Type-Options nosniff Header always set X-Frame-Options SAMEORIGIN Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure Include /etc/letsencrypt/options-ssl-apache.conf <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/html> Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet </IfModule> |
We kept other settings on /etc/letsencrypt/options-ssl-apache.conf file. Which essentially has :
1 2 3 4 5 6 7 8 9 10 11 | SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite (find latest cipher suitable for you and add here) SSLHonorCipherOrder on SSLCompression off SSLOptions +StrictRequire LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common |
In case we want to enable HTTP Public Key Pinning (HPKP), Expect-CT etc headers, we will add headers in this fashion :
1 2 3 4 5 6 7 8 9 10 11 12 13 | ... Header always set Strict-Transport-Security "max-age=31536000; includeSubDomainsi; preload" Header always set X-Content-Type-Options nosniff Header always set X-Frame-Options SAMEORIGIN Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=5184000; includeSubDomains' Header set X-XSS-Protection "1; mode=block" Header set Expect-CT "enforce; max-age=3600" Header set Referrer-Policy "origin" FileETag None Include /etc/letsencrypt/options-ssl-apache.conf <Directory /> |
Quite simple. Test on SSL Labsm Security Headers like easy to test sites :
1 2 | https://www.ssllabs.com/ssltest/analyze.html https://securityheaders.io |
Of course you can use HTTP/2 server push feature with Apache2. Please read the official docs on Apache’s site for more information.
