On Ubuntu, you won’t survive long without these modules,
    a2enmod headers
    a2enmod ssl
and restart Apache so they take effect,
systemctl restart apache2
Grab some certificates and set up the daemon accordingly. Here are some details on cipher suites,
cd /etc/httpd/conf/
vi certs.conf
    #Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLEngine on
    SSLProtocol all -TLSv1 -SSLv2 -SSLv3
    SSLHonorCipherOrder off
    SSLCipherSuite "ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES"
    SSLCertificateFile /var/lib/dehydrated/certs/DOMAIN.TLD/cert.pem
    SSLCertificateKeyFile /var/lib/dehydrated/certs/DOMAIN.TLD/privkey.pem
    SSLCertificateChainFile /var/lib/dehydrated/certs/DOMAIN.TLD/chain.pem
Note: SSLv2, SSLv3 and TLSv1.0 are disabled; TLSv1.1 and TLSv1.2 are allowed.
Allow users in the wheel group to read the Apache logs on CentOS/RHEL,
chown -R root:wheel /etc/httpd/
chmod 750 /etc/httpd/
chmod 640 /etc/httpd/*
Set up a common config header that globally enables SSL for all the vhosts (replacing the CentOS/RHEL ssl.conf template),
cd /etc/httpd/conf.d/
ls -lhF /usr/libexec/httpd-ssl-pass-dialog
ls -lhF /run/httpd/sslcache # will be created
ls -lhF /dev/urandom
vi 00ssl.conf
    Listen 443 https
    SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
    SSLSessionCache shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout 300
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
Set up Apache SSLProxyEngine (reverse proxying an SSL-enabled service): you need to add this to the vhost config,
SSLProxyEngine On
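and, if needed, bypass the hostname mismatch caused by the container hostname, which is not an FQDN and doesn’t match the world-facing address. The mismatch shows up as,
    Error during SSL Handshake with remote server
and the workaround looks like this (it turns off the name and expiry checks on the backend certificate, so keep it to a backend reached over a trusted local hop),
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off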
Error during SSL Handshake with remote server https://stackoverflow.com/questions/18872482/error-during-ssl-handshake-with-remote-server
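The SSLProtocol line and the SSLProxyCheckPeer* directives above, run through a small audit (an added example, not part of the original notes). The expansion of `all`, the bare-name handling and the function names are assumptions of this sketch, and the sample config is constructed from the directives on this page.

```python
# Added example: audit the TLS directives discussed on this page.
# Assumption: "all" expands as on a mod_ssl build with TLSv1.3 support.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 retired by RFC 8996
PROXY_CHECKS = {"sslproxycheckpeercn", "sslproxycheckpeername",
                "sslproxycheckpeerexpire"}

# Constructed sample: the page's directives gathered into one snippet.
SAMPLE = """\
# vhost fragment
SSLProtocol all -TLSv1 -SSLv2 -SSLv3
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
"""


def effective_protocols(args):
    """Apply SSLProtocol tokens left to right ('all', '+X', '-X', bare 'X')."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        # Names are matched case-insensitively; unknown ones (SSLv2) match nothing.
        names = {p for p in ALL if name.lower() in ("all", p.lower())}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names  # modelled as: a bare name replaces the set
    return enabled


def audit(conf):
    """Return findings for deprecated protocols and disabled proxy checks."""
    findings = []
    for line in conf.splitlines():
        name, _, args = line.strip().partition(" ")
        if name.lower() == "sslprotocol":
            old = sorted(effective_protocols(args) & DEPRECATED)
            if old:
                findings.append("SSLProtocol still enables " + ", ".join(old))
        elif name.lower() in PROXY_CHECKS and args.strip().lower() == "off":
            findings.append(name + " off: backend certificate check skipped")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Under these assumptions the page's `SSLProtocol` line leaves TLSv1.1, TLSv1.2 and TLSv1.3 enabled, so the audit reports TLSv1.1 along with the three disabled proxy checks.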