First, I will give an example of setting up HTTPS in Apache using a self-signed key.
Let’s create a key and a certificate:
openssl req -new -x509 -days 365 -keyout server.key -out server.pem
When asked “Enter PEM pass phrase:”, enter a password and remember it. For the rest of the questions you can simply press Enter to accept the proposed values, except for “Common Name (e.g. server FQDN or YOUR name):”, where you enter the name of the site for which the certificate is created, for example www.ixnfo.com.
After answering the questions, two files, server.key and server.pem (key and certificate), will appear in the directory.
Apache will ask for the key's pass phrase every time it starts, so we remove the pass phrase from the key:
cp server.key{,.orig}
openssl rsa -in server.key.orig -out server.key
rm server.key.orig
Copy the files to the /etc/ssl directory and restrict access to the key file to the administrator:
sudo cp server.pem /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/
sudo chmod 0600 /etc/ssl/private/server.key
We activate the apache2 ssl module:
sudo a2enmod ssl
Turn on the default-ssl settings:
sudo a2ensite default-ssl
Let’s edit the settings file /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/server.key
Restart Apache2 for the changes to take effect:
sudo service apache2 restart
HTTPS uses port 443, so if a firewall is in use, this port must be opened.
If you need to use only HTTPS and disable HTTP, then activate mod_rewrite:
sudo a2enmod rewrite
And edit the file /etc/apache2/sites-enabled/000-default.conf:
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
Restart Apache2 again for the changes to take effect:
sudo service apache2 restart
Now, for example, when you open the address http://www.ixnfo.com, the server will automatically redirect to https://www.ixnfo.com.
Here is another example of a site configuration file, in which all HTTP requests and all requests to the www subdomain are redirected to https://ixnfo.com/:
<VirtualHost *:80>
    ServerAdmin test@ixnfo.com
    ServerName ixnfo.com
    ServerAlias www.ixnfo.com
    Redirect / https://ixnfo.com/
    ErrorLog /var/log/apache2/ixnfo_http_error.log
    LogLevel crit
    CustomLog /var/log/apache2/ixnfo_http_access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin test@ixnfo.com
    ServerName www.ixnfo.com
    Redirect / https://ixnfo.com/
    ErrorLog ${APACHE_LOG_DIR}/ixnfo_www_https_error.log
    CustomLog ${APACHE_LOG_DIR}/ixnfo_www_https_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.ixnfo.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.ixnfo.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.ixnfo.com/chain.pem
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin test@ixnfo.com
    ServerName ixnfo.com
    DocumentRoot /var/www/ixnfo/
    ErrorLog ${APACHE_LOG_DIR}/ixnfo_https_error.log
    CustomLog ${APACHE_LOG_DIR}/ixnfo_https_access.log combined
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /etc/letsencrypt/live/ixnfo.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ixnfo.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/ixnfo.com/chain.pem
</VirtualHost>
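An added check, not part of the original article: this Python script lists the TLS virtual hosts in a configuration that have no SSLProtocol of their own or that enable a protocol older than TLSv1.2. For the configuration above it reports the www.ixnfo.com host. The names audit, enabled_protocols and SAMPLE are illustrative, and the expansion of "all" is a simplified model.

```python
import re

# Constructed sample: the page's two :443 virtual hosts, trimmed.
SAMPLE = """
<VirtualHost *:443>
    ServerName www.ixnfo.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName ixnfo.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}  # assumed meaning of "all"
WEAK = {"sslv3", "tlsv1", "tlsv1.1"}

def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right: bare replaces, + adds, - removes."""
    enabled = set()
    for tok in args.lower().split():
        names = ALL if tok.lstrip("+-") == "all" else {tok.lstrip("+-")}
        enabled = (enabled - names if tok[0] == "-" else
                   enabled | names if tok[0] == "+" else set(names))
    return enabled

def audit(conf):
    """Return (ServerName, finding) pairs for the TLS virtual hosts in conf."""
    findings = []
    for addr, body in VHOST.findall(conf):
        d = {}  # directive name (lowercase) -> argument string, last one wins
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                d[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        if d.get("sslengine", "").lower() != "on":
            continue  # plain HTTP virtual host, nothing to check here
        name = d.get("servername", addr.strip())
        weak = enabled_protocols(d["sslprotocol"]) & WEAK if "sslprotocol" in d else None
        if weak is None:
            findings.append((name, "no SSLProtocol, server-wide setting applies"))
        elif weak:
            findings.append((name, "SSLProtocol enables " + ", ".join(sorted(weak))))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Before Apache 2.4.42 built against OpenSSL 1.1.1, name-based virtual hosts on the same IP and port all use the SSLProtocol of the first one declared, which in the configuration above is the www host.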
For how to install a signed certificate, see my article:
Installing Certbot in Ubuntu
After setting up HTTPS, I recommend checking the result with an external testing service, for example:
https://www.fairssl.net/en/ssltest
See also my articles:
IPTables rules for the web server
The problem with multiple SSL on the same IP