Category Archives: Apache

How to get an SSL A+ rating with Apache

If you need a high rating with tests like https://www.ssllabs.com then i have an example on a working configuration that will get you the A+ score.

I’m using letsencrypt for my SSL site but you can use any certificate to get the result.

<VirtualHost *:80>
ServerName www.pvangsgaard.com
ServerAlias pvangsgaard.com
Redirect / https://www.pvangsgaard.com/
ErrorLog /var/log/apache2/pvangsgaard.com.error.log
CustomLog /var/log/apache2/pvangsgaard.com.access.log combined
</VirtualHost>
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
ServerName www.pvangsgaard.com
ServerAlias pvangsgaard.com
DocumentRoot /home/pva/public_html/pvangsgaard.com
ErrorLog /var/log/apache2/pvangsgaard.com.error.log
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLEngine on
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
SSLHonorCipherOrder on
SSLCertificateFile    /etc/letsencrypt/live/pvangsgaard.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pvangsgaard.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/pvangsgaard.com/fullchain.pem
</VirtualHost>

Remember to enable headers with:

a2enmod headers
systemctl restart apache

I have also made an example for NGINX at this url https://www.pvangsgaard.com/2018/02/22/how-to-get-an-a-rating-with-100-score-on-the-ssllabs-test-with-nginx/

How to configure HSTS on Apache

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.

Here is how to enable it on Apache2

1. Enable mod_headers

a2enmod headers

2. Add the additional header to the HTTPS VirtualHost directive. Max-age is measured in seconds. Put this into your VirtualHost *:443 section

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

apache | redirect from http to https

I found this guide to how to redirect http to https on the apache wiki

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

I use it within the virtualhost container like this

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

ServerAdmin webmaster@somesite.tld
ServerName somesite.tld
ServerAlias www.somesite.tld
DocumentRoot /home/somesite/public_html

ErrorLog /var/log/apache2/somesite.tld-error.log
CustomLog /var/log/apache2/somesite.tld-access.log combined

DocumentRoot /home/somesite/public_html

ErrorLog /var/log/apache2/somesite.tld-error.log
CustomLog /var/log/apache2/somesite.tld-access.log combined
</virtualhost>

Then you can have your ssl <virtualhost *:443> section

That ensure that if another application like wordpress wan’t to write something to .htacces then it will not we overwritten.