HTTPS for your website: deploy it!


On the web, an HTTPS tunnel (the SSL/TLS protocol) is the most widely used security mechanism. SSL assures customers that they reach the resource they requested and are not redirected to a phony site posing as the original. In place of the default HTTP connection (port 80) you get an HTTPS tunnel with encrypted traffic.

So let's skip the theory; the SSL protocol has many more interesting facts than fit here. Unfortunately, SSL also has some problems, such as conflicts with externally linked HTTP content (mixed content). Still, protecting your website this way is a good idea. This tutorial is split into a few simple steps.

0. Ingredients.

  • Web server software. You can build SSL protection on any web server, but this article is about Apache. SSL support usually lives in a separate module, so make sure your server has it loaded. Rewrite support (mod_rewrite) is required too. An easy way to check both:
apache2ctl -M | grep -E 'ssl|rewrite' # for Ubuntu/Debian
httpd -M | grep -E 'ssl|rewrite' # for CentOS/RHEL
  • Certificate Authority. This is not a deployment step, but it is the heart of the certification. Double-check that the CA you choose issues valid, browser-trusted certificates. Most certificates must be paid for, but there are plenty of free options; the main difference is the term: free certificates expire sooner. For my site I picked Comodo, which offers a free 90-day certificate, but you can find CAs with a 1-year term or even longer.
  • OpenSSL. This utility is available in every Linux distribution's package system and is usually installed by default. You'll use it in the next two steps.

1. Make the primary SSL key.

The file with extension .key is your private certificate key. Think of it as an SSH private key: keep it in a safe place and never share it. OpenSSL provides a simple way to generate it.

openssl genrsa 4096 > www.example.com.key # 4096 is the RSA key length in bits
chmod 400 www.example.com.key # readable by the owner only: don't forget to protect it

2. Create the CSR (certificate signing request).

The file with extension .csr represents your organization in the request you will send to the CA. Your organization's data in this file is encrypted. Use OpenSSL again.

openssl req -new -key www.example.com.key > www.example.com.csr

Generation consists of a few questions about your organization.

Country Name (2 letter code): (FR for France, for example)
State or Province Name (full name) [Some-State]: (your state or province name)
Locality Name (eg, city): (the name of your city)
Organization Name (eg, company) []: (your organization name)
Organizational Unit Name (eg, section): (enter a generic term such as "IT Department")
Common Name (eg, YOUR name): (the name of the website to be secured, e.g. www.example.com)
Email Address: (leave blank)
Challenge password: (leave blank)
An optional company name: (leave blank)

3. Go to the CA and get the verified certificate files.

Sign up on the CA's website and go through the verification procedure. Every authority offers a few options to confirm that the site is yours; the procedure is called Domain Control Validation (DCV). There is usually e-mail validation (you receive a validation code) or HTTP validation. I used the second one: you place a small text file in your website's document root. The file name is an MD5 hash given by the CA, so the browser must be able to open http://yourdomain.com/<upper-case MD5 hash of the CSR>.txt. The content of the file depends on the CA; for example, Comodo uses the following syntax (the hash value is given by the CA).

<Value of SHA1 hash of CSR>
comodoca.com

After validation you will receive an e-mail saying that everything is fine. Pull the necessary files (.crt and .ca-bundle) from that message. The .crt file is your public certificate, and .ca-bundle contains the SSL chain (the CA's intermediate certificates).

4. Set up the Apache SSL configuration.

The layout of the SSL configuration depends on your Linux distro; on CentOS it is /etc/httpd/conf.d/ssl.conf. All you need is to find the virtual host configuration, which basically contains a few options. Here is an example of an HTTPS vHost (the {{ }} values are placeholders to fill in; note that Apache only accepts comments on their own lines, never after a directive).

<VirtualHost {{ site_ip_add }}:443>

DocumentRoot "{{ site_directory }}"

ServerName example.com
ServerAlias *.example.com

SSLEngine on
# exclude the SSL protocol versions because they are insecure
SSLProtocol all -SSLv2 -SSLv3
# choice of encryption algorithms; the trailing !RC4 removes the RC4 entries listed earlier
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
# prefer the server's cipher order over the client's
SSLHonorCipherOrder on

SSLCertificateFile {{ certificates_file_directory }}/{{ certificate_name }}.crt
SSLCertificateKeyFile {{ certificates_file_directory }}/{{ certificate_name }}.key
SSLCertificateChainFile {{ certificates_file_directory }}/{{ certificate_name }}.ca-bundle
</VirtualHost>
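Before pointing Apache at these three files it is worth checking that they belong together, since a key that does not match the certificate or a certificate that does not chain to the bundle only shows up as a failed restart. The script below is an added example, not part of the original post; it assumes OpenSSL is installed, the file names are assumptions, and the certificates it generates are constructed throwaway test material standing in for the real .key, .crt and .ca-bundle.

```shell
#!/bin/sh
# Added example, not from the original post: check that the .key, .crt and
# .ca-bundle files belong together before Apache is restarted with them.
# The file paths are assumptions; pass your own files to the two check functions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Succeeds when the private key and the certificate carry the same public key
# (a mismatch is the usual cause of a failed Apache start after a renewal).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds when the certificate chains up to the bundle supplied by the CA.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed test material: a throwaway CA stands in for the CA's .ca-bundle
# and signs a one-day leaf certificate for www.example.com. Never use in production.
make_test_material() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\n' \
        > "$WORK/ca.cnf"
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.crt" 2>/dev/null
    openssl genrsa -out "$WORK/www.example.com.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -key "$WORK/www.example.com.key" \
        -subj "/CN=www.example.com" -out "$WORK/www.example.com.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/www.example.com.csr" -CA "$WORK/ca-bundle.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/www.example.com.crt" 2>/dev/null
    # an unrelated key and self-signed certificate, to exercise the failing cases
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Wrong CA" -keyout "$WORK/wrong.key" -out "$WORK/wrong-ca.crt" 2>/dev/null
}

# Runs both checks on the constructed files; returns non-zero on any unexpected result.
demo() {
    make_test_material
    key_matches_cert "$WORK/www.example.com.key" "$WORK/www.example.com.crt" || return 1
    chain_verifies "$WORK/www.example.com.crt" "$WORK/ca-bundle.crt" || return 1
    ! key_matches_cert "$WORK/wrong.key" "$WORK/www.example.com.crt" || return 1
    ! chain_verifies "$WORK/www.example.com.crt" "$WORK/wrong-ca.crt" || return 1
    echo "all checks behaved as expected"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo to see the self-test; in real use, call key_matches_cert and chain_verifies with the paths from your SSLCertificate* directives.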

5. Set up the main Apache configuration.

Find the main config file and make sure it has SSL support. On CentOS it is /etc/httpd/conf/httpd.conf; on Ubuntu/Debian it is /etc/apache2/apache2.conf. Here are the necessary lines in your config.

<Directory {{ site_directory }}>
# accept a client certificate if one is presented, but do not require one
SSLVerifyClient optional
# some more options
</Directory>

6. Rewrite everything to HTTPS.

Alright, now Apache can build SSL protection, but all requests still go to HTTP port 80 by default. Here you have to configure the virtual host again; in most cases this lives in the .htaccess file inside the DocumentRoot directory. Here is a configuration example that sends every plain-HTTP request to the same host and path over HTTPS with a permanent redirect.

<IfModule mod_rewrite.c>
    RewriteEngine On
    # only requests that did not arrive over HTTPS are redirected
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

7. Check the Apache configuration syntax.

You certainly don't want downtime because of a petty syntax mistake.

apachectl configtest

8. Restart Apache.

Apache (like almost any other software) picks up configuration changes only after a restart.

systemctl restart httpd # CentOS/RHEL; on Ubuntu/Debian the unit is apache2
service httpd restart # if you're not on systemd, use the service command instead

9. Check the HTTPS connection to the website.

Open your web page and check the HTTPS icon and that the browser accepts the certificate. If something is wrong, go back through the steps above.

10. Check the certificate security.

An SSL certificate does not guarantee connection security by itself. You need to configure the settings: include reliable encryption methods, exclude unreliable ones, and so on. In the virtual host configuration above I made those settings. For a security check, SSL Labs is fine: it tests the HTTPS tunnel by connecting with different encryption protocols and algorithms. If you leave out the weakly protected options, you give nobody an opening to break the SSL protection.

I hope this article showed how simple SSL certificate deployment is. And don't stop here: read about SSL's features and shortcomings, and look for new options to get a free and trustworthy HTTPS tunnel. In short, pay close attention to your website's protection.
