First, I will give an example of setting up HTTPS in Apache using a self-signed certificate.
Let’s create a key and a certificate:
openssl req -new -x509 -days 365 -keyout server.key -out server.pem
When asked “Enter PEM pass phrase:”, enter a password and remember it. For the remaining questions you can simply press Enter to accept the proposed defaults; only for the question “Common Name (e.g. server FQDN or YOUR name):” enter the name of the site for which the certificate is created, for example www.ixnfo.com.
After answering the questions, two files, server.key and server.pem (key and certificate), will appear in the directory.
When it starts, Apache will ask for the key's pass phrase that we entered earlier, so we remove the pass phrase from the key (after this the key is protected only by its file permissions, which are set in the next step):
cp server.key{,.orig}
openssl rsa -in server.key.orig -out server.key
rm server.key.orig
Copy the files to the /etc/ssl directory and make the key file readable and writable only by its owner, the administrator (root):
sudo cp server.pem /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/
sudo chmod 0600 /etc/ssl/private/server.key
We activate the apache2 ssl module:
sudo a2enmod ssl
Turn on the default-ssl settings:
sudo a2ensite default-ssl
Let’s edit the settings file /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/server.key
Restart Apache2 for the changes to take effect:
sudo service apache2 restart
HTTPS works on port 443. If a firewall is used, this port must be opened.
If you need to use only HTTPS and disable HTTP, then activate mod_rewrite:
sudo a2enmod rewrite
And edit the file /etc/apache2/sites-enabled/000-default.conf:
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
Restart Apache2 again for the changes to take effect:
sudo service apache2 restart
Now, for example, when you open the address http://www.ixnfo.com, the server will automatically redirect to https://www.ixnfo.com.
Here is another example of a configuration file for a site (in this example, all HTTP requests and all requests to the www subdomain are redirected to https://ixnfo.com/):
<VirtualHost *:80>
ServerAdmin test@ixnfo.com
ServerName ixnfo.com
ServerAlias www.ixnfo.com
Redirect / https://ixnfo.com/
ErrorLog /var/log/apache2/ixnfo_http_error.log
LogLevel crit
CustomLog /var/log/apache2/ixnfo_http_access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin test@ixnfo.com
ServerName www.ixnfo.com
Redirect / https://ixnfo.com/
ErrorLog ${APACHE_LOG_DIR}/ixnfo_www_https_error.log
CustomLog ${APACHE_LOG_DIR}/ixnfo_www_https_access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.ixnfo.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.ixnfo.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.ixnfo.com/chain.pem
</VirtualHost>
<VirtualHost *:443>
ServerAdmin test@ixnfo.com
ServerName ixnfo.com
DocumentRoot /var/www/ixnfo/
ErrorLog ${APACHE_LOG_DIR}/ixnfo_https_error.log
CustomLog ${APACHE_LOG_DIR}/ixnfo_https_access.log combined
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCertificateFile /etc/letsencrypt/live/ixnfo.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ixnfo.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ixnfo.com/chain.pem
</VirtualHost>
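An added example, not part of the original article: a small Python check over a vhost file shaped like the one above, which flags port 80 vhosts that do not redirect to HTTPS and TLS vhosts that either set no SSLProtocol (as the www.ixnfo.com vhost above does not) or enable SSLv3, TLS 1.0 or TLS 1.1. The sample config, the host legacy.example and the simplified SSLProtocol evaluation are assumptions made for illustration.

```python
import re
# Constructed sample shaped like the site config above; legacy.example is a made-up host.
SAMPLE = """\
<VirtualHost *:80>
ServerName ixnfo.com
</VirtualHost>
<VirtualHost *:443>
ServerName www.ixnfo.com
SSLEngine on
</VirtualHost>
<VirtualHost *:443>
ServerName legacy.example
SSLEngine on
SSLProtocol all -SSLv3
</VirtualHost>
"""
WEAK = {"sslv3", "tlsv1", "tlsv1.1"}
ALL = WEAK | {"tlsv1.2", "tlsv1.3"}
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def enabled_protocols(spec):
    """Simplified SSLProtocol model: '+x' adds, '-x' removes, bare 'x' replaces the set."""
    enabled = set()
    for token in spec.lower().split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = ALL if name == "all" else {name}
        enabled = enabled | group if sign == "+" else enabled - group if sign == "-" else set(group)
    return enabled

def audit(text):
    """Return sorted (server_name, finding) pairs for each <VirtualHost> block in text."""
    findings = []
    for addr, body in VHOST.findall(text):
        d = {}
        for line in filter(None, map(str.strip, body.splitlines())):
            name, _, args = line.partition(" ")
            d[name.lower()] = args.strip()  # last occurrence wins; enough for this check
        host = d.get("servername", addr.strip())
        redirects = any("https://" in d.get(k, "") for k in ("redirect", "rewriterule"))
        if addr.strip().endswith(":80") and not redirects:
            findings.append((host, "port 80 vhost does not redirect to https"))
        if d.get("sslengine", "").lower() == "on":
            if "sslprotocol" not in d:
                findings.append((host, "no SSLProtocol in this vhost"))
            elif weak := enabled_protocols(d["sslprotocol"]) & WEAK:
                findings.append((host, "weak protocols enabled: " + ",".join(sorted(weak))))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{h}: {f}" for h, f in audit(SAMPLE)))
```

SSLProtocol can also be set server-wide, so “no SSLProtocol in this vhost” means the protocol policy is inherited rather than pinned in that block.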
For how to install a signed certificate, see my article:
Installing Certbot in Ubuntu
After setting up HTTPS, I recommend checking the site with an SSL testing service, for example:
https://www.fairssl.net/en/ssltest