By Abhishek Ghosh May 24, 2018 9:45 am Updated on May 24, 2018

How To Install Apache2 on Ubuntu 18.04 With Let’s Encrypt, HTTP/2, HSTS

As Ubuntu 16.04 LTS has been superseded by the new LTS release 18.04, we need to update some of our older guides. In a previous guide, we showed the steps to install Percona MySQL server on Ubuntu 18.04 LTS. Here is a detailed guide on how to install Apache2 on Ubuntu 18.04 with Let’s Encrypt, HTTP/2 and HSTS, with the commands and configurations for a well-secured setup. Of course, we also have an Apache2 installation guide for Ubuntu 16.04 with Let’s Encrypt, HTTP/2 and HSTS. If you search our site with the keyword “Apache2”, you’ll find many optimization guides. We have tried to keep this guide as easy yet detailed as possible.

We are assuming a 2GB RAM cloud server running LAMP (Apache, MySQL, PHP) and are providing settings for it. You should adjust the settings based on your RAM and performance needs.

Steps To Install Apache2 on Ubuntu 18.04 With Let’s Encrypt, HTTP/2, HSTS

To obtain a free Let’s Encrypt SSL/TLS certificate, you first need to point the domain in question, for example jima.in, to the server IP from the DNS service you use, such as Hurricane Electric DNS, or a paid DNS like Rage4 DNS or Dyn DNS. Make sure DNS propagation has completed. In an earlier article, we discussed the DNS CAA record, with Dyn DNS as the example for implementing it. If your domain has no CAA record at all, nothing changes and issuance proceeds; but if your CAA record exists and does not list Let’s Encrypt, the Let’s Encrypt tool will fail. There are other TLS certificate formats meant for advanced users, such as ECC (ECDSA) certificates. We are not showing those here but the basic method, which is robust enough. You should definitely try different tweaks later.

We will install Apache2 from Ondřej Surý’s PPA, which carries a tweaked, up-to-date build :

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:ondrej/apache2
# hit enter/return key to accept

Run :

apt update -y
apt upgrade -y

Your OpenSSL will also get upgraded from Ondřej Surý’s PPA. Now proceed to install Apache2 :

sudo apt-get install apache2

Activate some needed modules :

a2enmod http2
systemctl restart apache2
a2enmod ssl
systemctl restart apache2
a2ensite default-ssl
systemctl restart apache2

Now, we need to add the PPA of Certbot (Certbot was historically the Let’s Encrypt client) :

sudo add-apt-repository ppa:certbot/certbot
apt update -y
apt upgrade -y
sudo apt install python-certbot-apache

Open :

nano /etc/apache2/apache2.conf

Find the line KeepAlive (CTRL+W opens the search prompt in nano). The settings should be :

KeepAlive On
MaxKeepAliveRequests 50
KeepAliveTimeout 5

Here is the reference :

https://httpd.apache.org/docs/2.4/mod/core.html#keepalive

Now open :

nano /etc/apache2/mods-available/mpm_prefork.conf

Apache has two main multi-processing modules (MPMs): prefork and event. We are tuning prefork and activating it. Note that mod_http2 does not run on the prefork MPM: Apache 2.4.27 and later log that the MPM is not supported by mod_http2 and leave HTTP/2 disabled, so if you want h2 to actually negotiate, keep mpm_event and run PHP through PHP-FPM instead of mod_php. For the prefork path, keep the settings like below :

<IfModule mpm_prefork_module>
        StartServers            4
        MinSpareServers         3
        MaxSpareServers         40
        MaxRequestWorkers       200
        MaxConnectionsPerChild  10000
</IfModule>

Disable the event module, enable prefork and restart Apache2 :

sudo a2dismod mpm_event
sudo a2enmod mpm_prefork
sudo systemctl restart apache2

Now, go to /etc/apache2/sites-available/ and run ls -al :

cd /etc/apache2/sites-available/
ls -al

There will be two files, 000-default.conf and default-ssl.conf. Run cat on each file and you’ll see well-documented examples. It is practical to copy the default files to meaningfully named ones:

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-jima.in.conf
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/jima.in-ssl.conf

You have to configure handling for :

http://jima.in
http://www.jima.in
https://www.jima.in
https://jima.in

It is practical to have a separate, understandably named file for each. You can activate any configuration with this command :

sudo a2ensite jima.in-ssl.conf

You can deactivate any configuration with this command :

sudo a2dissite 000-default.conf

You have to reload Apache2 after either action :

sudo systemctl reload apache2

You can always test the configuration with :

sudo apache2ctl configtest

For one site, the default /var/www/html directory is enough. For multiple sites, you need to create a directory per site :

sudo mkdir -p /var/www/html/jima.in
sudo chown -R www-data:www-data /var/www/html/jima.in
sudo chmod -R 755 /var/www/html/jima.in

You can put a sample index.html page inside that directory using nano. The directory path must match the DocumentRoot in configuration files like jima.in-ssl.conf.

This is a basic HTML page :

<html>
    <head>
        <title>Well Done!</title>
    </head>
    <body>
        <h1>Success! You created a server block!</h1>
    </body>
</html>

After that basic setup, run this command to obtain the TLS certificate :

sudo certbot --apache -d jima.in -d www.jima.in

Now, let us edit that jima.in-ssl.conf file :

<IfModule mod_ssl.c>
<VirtualHost *:443>
    Protocols http/1.1 h2
    ServerName jima.in
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/jima.in

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/jima.in/fullchain.pem
...

Now, if you test for HTTP/2 somewhere, you’ll get it. For adding various headers, you need to activate a module :

a2enmod headers

Restart Apache2 for the change to take effect :

systemctl restart apache2
# sudo systemctl restart apache2.service

Open the /etc/letsencrypt/options-ssl-apache.conf file :

nano /etc/letsencrypt/options-ssl-apache.conf

That file should look like this (Certbot manages this file; once you edit it by hand, Certbot stops updating its security parameters automatically and instead points you to its up-to-date copy) :

SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          (find latest cipher suitable for you and add here)
SSLHonorCipherOrder     on
SSLCompression          off
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

We will generate Diffie-Hellman parameters; the file name matches the DHParameters line used in the virtual host configuration below, and the command will take a while to finish :

sudo mkdir -p /etc/ssl/private/
# 2048 bits is also acceptable if you change the file name accordingly
sudo openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096

We can wget the Let’s Encrypt intermediate certificate for OCSP stapling :

sudo wget -P /etc/ssl/private/ https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

You should read our previous guides on HTTP Public Key Pinning (HPKP), the previous Apache2 guide, OCSP Stapling, OCSP Stapling error prevention and related articles.

Just run :

apachectl -t

… after each change you make to a configuration file like our jima.in-ssl.conf.

That jima.in-ssl.conf file will look like this :

<IfModule mod_ssl.c>
<VirtualHost *:443>
    Protocols http/1.1 h2
    ServerName jima.in
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/jima.in

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/jima.in/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jima.in/privkey.pem
    ### For paid SSL follow their guide for cert installation
    # SSLCertificateFile /etc/ssl/private/public.crt
    # SSLCertificateKeyFile /etc/ssl/private/private.key
    # SSLCertificateChainFile /etc/ssl/private/intermediate.crt
    ### End third party SSL cert block

    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
    SSLOpenSSLConfCmd ECDHParameters secp384r1
    SSLOpenSSLConfCmd Curves secp521r1:secp384r1
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
    Include /etc/letsencrypt/options-ssl-apache.conf

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/html>
        # Indexes left out: no directory listings on a hardened host
        Options FollowSymLinks MultiViews
        AllowOverride All
        # Apache 2.4 access control (replaces the 2.2-style Order/allow lines)
        Require all granted
    </Directory>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

If you want the Expect-CT header, then the block will look like :

...
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=5184000; includeSubDomains'
Header set X-XSS-Protection "1; mode=block"
Header set Expect-CT "enforce; max-age=3600"
Header set Referrer-Policy "origin"
FileETag None
Include /etc/letsencrypt/options-ssl-apache.conf

    <Directory />

Work slowly and get each piece working. After the work, test on :

https://www.ssllabs.com/ssltest/analyze.html
https://securityheaders.io
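Before going to SSL Labs, the file can be checked offline. The Python linter below is an added example, not part of the original article: it reads a vhost file such as jima.in-ssl.conf and flags the slips this guide's settings are prone to (an HSTS value with a mistyped directive, SSLProtocol still allowing TLSv1/1.1, directory listings via Options Indexes). The two sample configs are constructed for the example; the weak one deliberately carries an "includeSubDomainsi" typo and "Options Indexes" so the checks have something to find.

```python
HSTS_MIN_AGE = 31536000  # one year, the minimum the HSTS preload list accepts

# Constructed sample (not the article's file); it keeps the article's
# "includeSubDomainsi" typo and "Options Indexes" so the checks have hits.
WEAK_VHOST = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomainsi; preload"
    <Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
    </Directory>
</VirtualHost>
"""
HARDENED_VHOST = (WEAK_VHOST.replace("includeSubDomainsi", "includeSubDomains")
                 .replace("-SSLv2 -SSLv3", "-SSLv3 -TLSv1 -TLSv1.1").replace("Indexes ", ""))


def check_hsts(value):
    """RFC 6797: browsers ignore unknown directives, so a typo such as
    'includeSubDomainsi' silently drops subdomain coverage."""
    seen = {}
    for tok in filter(None, (t.strip() for t in value.split(";"))):
        key, _, val = tok.partition("=")
        seen[key.lower()] = val
    out = []
    if not seen.get("max-age", "").isdigit():
        out.append("HSTS max-age missing or non-numeric")
    elif int(seen["max-age"]) < HSTS_MIN_AGE:
        out.append("HSTS max-age %s is below one year" % seen["max-age"])
    out += ["unknown HSTS directive '%s' is ignored by browsers (typo?)" % k
            for k in seen if k not in ("max-age", "includesubdomains", "preload")]
    if "preload" in seen and "includesubdomains" not in seen:
        out.append("HSTS preload requires includeSubDomains")
    return out


def audit_vhost(text):
    """Return findings for one vhost file; an empty list means all checks passed."""
    findings, hsts = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#<":
            continue  # skip blanks, comments and <Section> tags
        name, _, args = line.partition(" ")
        if name == "Header" and "Strict-Transport-Security" in args:
            hsts = args.split('"')[1]  # the quoted header value
        elif name == "SSLProtocol":
            toks = set(args.split())
            if "all" in toks and not {"-TLSv1", "-TLSv1.1"} <= toks:
                findings.append("SSLProtocol still allows TLSv1/TLSv1.1")
        elif name == "Options" and "Indexes" in args.split():
            findings.append("Options Indexes exposes directory listings")
    findings += check_hsts(hsts) if hsts is not None else ["no Strict-Transport-Security header"]
    return findings
```

Run `audit_vhost(open("/etc/apache2/sites-available/jima.in-ssl.conf").read())` against your own file; the weak sample yields four findings and the hardened one none.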

Of course you can use HTTP/2 server push feature with Apache2.

Always keep your configuration files somewhere safe, such as in a GitHub repository. Unless you have a whole-server backup, losing them is a painful loss. If you run into trouble during setup, ask on Q&A sites like StackExchange or ServerFault, pointing out which step went wrong. Apache2 is a heavily used web server and its common errors are well known.

Cite this article as: Abhishek Ghosh, “How To Install Apache2 on Ubuntu 18.04 With Let’s Encrypt, HTTP/2, HSTS,” in The Customize Windows, May 24, 2018, retrieved March 21, 2023, https://thecustomizewindows.com/2018/05/apache2-ubuntu-18-04-lets-encrypt-http-2-hsts/.
