Tag Archives: SSL

How to configure HSTS on Apache

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.

Here is how to enable it on Apache2

1. Enable mod_headers

a2enmod headers

2. Add the additional header to the HTTPS VirtualHost directive. Max-age is measured in seconds. Put this into your VirtualHost *:443 section

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

How to get an A+ Rating with 100% score on the SSLLabs Test with NGINX

It can be a challange to get an A+ rating on a SSLLabs test, but i have done a configuration below that you are welcome to steal.

listen   443;

        ssl    on;
        ssl_prefer_server_ciphers on;
        ssl_session_cache    shared:SSL:50m;
        ssl_session_timeout  10m;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000";
        ssl_certificate    /etc/nginx/ssl/pvangsgaard.com.pem;
        ssl_protocols       TLSv1.1 TLSv1.2;
        ssl_ecdh_curve secp384r1;
        ssl_certificate_key    /etc/nginx/ssl/pvangsgaard.com.key;

My pem file is just a text file containing the signed certificate and a SSL bundle.

To generate your dhparam.pem file, run in the terminal

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

apache | redirect from http to https

I found this guide to how to redirect http to https on the apache wiki


I use it within the virtualhost container like this

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

ServerAdmin webmaster@somesite.tld
ServerName somesite.tld
ServerAlias www.somesite.tld
DocumentRoot /home/somesite/public_html

ErrorLog /var/log/apache2/somesite.tld-error.log
CustomLog /var/log/apache2/somesite.tld-access.log combined

DocumentRoot /home/somesite/public_html

ErrorLog /var/log/apache2/somesite.tld-error.log
CustomLog /var/log/apache2/somesite.tld-access.log combined

Then you can have your ssl <virtualhost *:443> section

That ensure that if another application like wordpress wan’t to write something to .htacces then it will not we overwritten.

SSL | Generate self-signed certificate and key in one line

If you need a quick self-signed certificate, you can create a key/pair, sign it in just one line.

openssl req -subj '/O=Company Name/CN=domain.com/C=US' -new -newkey rsa:2048 -days 1095 -nodes -x509 -keyout server.key -out server.crt

Replace Company Name, Domain with your own.

I would also recommend calling the server keys something like domain.tld.key/crt

This certificate will expire after 3 years (1095 days)