I've been tweaking my Apache configuration [1] for the past two days [2], trying to figure out what I need and don't need, and these are just some notes I've collected on the process. I'm using mod_md [3] for managing the secure certificates, and there isn't much out on the Intarwebs about what a configuration for a website should look like. I can find plenty of pages that basically regurgitate the Apache documentation for mod_md, but nothing on how it all goes together. So here's an annotated version of a configuration for one of my less important sites:
<MDomainSet www.flummux.org>
  MDCertificateAgreement accepted
  MDContactEmail sean@conman.org
  MDMember flummux.org
  MDRequireHttps temporary
</MDomainSet>
The required stuff. I've found that using MDomainSet is much cleaner than MDomain as I have multiple sites that I want to keep separated, certificate-wise. I'm old-school when it comes to naming, so I like using the “www” prefix and prefer that to be part of the canonical name for my domains. I also support the plain domain name, but only to redirect to the “www” version of the site. If you are more hipster than I, then just reverse the domain names. I won't judge.
Given the push that “Encrypt All The Things!” has had, especially from Google, I'm expecting any month now for Google Chrome (that has, what? An 85% usage rate on the Internet?) to enable the Big Scary Error Messages on non-encrypted web requests, so I might as well go ahead and start pushing the secure versions of my sites (sigh—I really hate this bit, but I think I'm in the minority on this), thus the MDRequireHttps setting. I tried using permanent on one of my test domains and I screwed myself over when I flubbed the mod_md configuration—I can't even reach the site from my primary browser as it is now stuck for the next six months trying to reach the secure version which isn't running. Yes, I could fix this by cleaning out my cache, but that's pretty much an “all-or-nothing” option, and for a domain I almost never use, I can live with that for now. I also flubbed the configuration for that domain so badly that I have to wait for a month before I try obtaining a certificate again.
Sigh.
<VirtualHost 71.19.142.20:80>
  ServerName flummux.org
  Redirect permanent / http://www.flummux.org/
  Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>

<VirtualHost 71.19.142.20:80>
  ServerName www.flummux.org
  Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
Because I'm doing the MDRequireHttps directive, I've found that this is all I need for the non-secure settings, which also means I don't need to duplicate the actual server settings, once for the non-secure version and again for the secure version. The first block is there to redirect http://domain requests to http://www.domain requests. I'm not redirecting directly to https: here, as the Apache documentation warns that the certificate renewal might not work [4]. And because I want the certificate renewal to work, I added acme-tls/1 to the list of protocols supported.
<VirtualHost 71.19.142.20:443>
  SSLEngine On
  ServerName flummux.org
  Redirect permanent / https://www.flummux.org/
  Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
This is just to redirect https://domain requests to https://www.domain requests. I'm not sure if I really need the acme-tls/1 setting here, but I'm not taking a chance with the certificate renewal. It's not clear in the Apache documentation what would happen, and given how long I have to wait if it messes up, I'm not willing to test it.
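A pre-flight check for the kind of slip described above, added here as an example and not part of the original post or of mod_md itself: it parses a config in the same shape as the blocks above (the sample is constructed, with example.org standing in for the real domains) and reports the things that cost a month, namely a member domain with no matching VirtualHost, a Protocols line without acme-tls/1, a port-80 redirect straight to https, and MDRequireHttps permanent before issuance has been proven.

```python
# Constructed sample in the shape of the post's blocks; it deliberately carries three problems.
SAMPLE_CONF = """<MDomainSet www.example.org>
  MDMember example.org
  MDRequireHttps permanent
</MDomainSet>
<VirtualHost 192.0.2.10:80>
  ServerName example.org
  Redirect permanent / https://www.example.org/
  Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName www.example.org
  Protocols h2 http/1.1
</VirtualHost>"""

def parse_blocks(text):
    """Return (kind, argument, {directive: [values]}) per top-level block; nested blocks are skipped."""
    blocks, depth = [], 0
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
            if depth == 1:
                kind, _, arg = line[1:-1].partition(" ")
                blocks.append((kind, arg.strip(), {}))
        elif line and depth == 1 and not line.startswith("#"):
            key, _, val = line.partition(" ")
            blocks[-1][2].setdefault(key, []).append(val.strip())
    return blocks

def preflight(text):
    """List the mistakes most likely to break ACME issuance or lock browsers into HSTS."""
    blocks = parse_blocks(text)
    vhosts = [b for b in blocks if b[0] == "VirtualHost"]
    problems = []
    for _, arg, d in (b for b in blocks if b[0] in ("MDomainSet", "MDomain")):
        if d.get("MDRequireHttps", [""])[0] == "permanent":
            problems.append(f"{arg}: MDRequireHttps permanent sends long-lived HSTS; keep temporary until issuance works")
        for name in [arg] + d.get("MDMember", []):
            hosts = [v for v in vhosts if name in v[2].get("ServerName", [])]
            if not hosts:
                problems.append(f"{name}: no VirtualHost with this ServerName")
            for _, addr, vd in hosts:
                if "acme-tls/1" not in " ".join(vd.get("Protocols", [])).split():
                    problems.append(f"{name} ({addr}): Protocols lacks acme-tls/1")
                if addr.endswith(":80") and any("https://" in r for r in vd.get("Redirect", [])):
                    problems.append(f"{name} ({addr}): port-80 redirect straight to https may break renewal")
    return problems
```

Run it over your real file before reloading Apache; an empty list means none of the four mistakes above is present.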
<VirtualHost 71.19.142.20:443>
  SSLEngine on
  ServerName www.flummux.org
  ServerAdmin sean@conman.org
  DocumentRoot /home/spc/web/sites/www.flummux.org/htdocs
  AddHandler server-parsed .shtml
  AddOutputFilter INCLUDES .shtml
  AddOutputFilterByType DEFLATE text/html text/plain text/xml
  Protocols h2 h2c http/1.1 acme-tls/1
  CustomLog /home/spc/web/logs/www.flummux.org combined-deflate
  FileETag MTime Size
  AddDefaultCharset UTF-8
  DirectoryIndex index.cgi
  SetEnv LUA_PATH "/home/spc/web/sites/www.flummux.org/lua/?.lua"
  SetEnv LUA_CPATH "/home/spc/web/sites/www.flummux.org/lib/?.so"
  Header set Content-Security-Policy "style-src 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; default-src 'self';"
  ExpiresActive On
  ExpiresDefault "access plus 1 month"
  ExpiresByType text/html "modification plus 1 week"

  <Directory /home/spc/web/sites/www.flummux.org/htdocs>
    Options All
    AllowOverride None
    Require all granted
  </Directory>

  <Directory /home/spc/web/sites/www.flummux.org/htdocs/errors>
    Options -Indexes
  </Directory>

  ErrorDocument 404 /errors/404.shtml
</VirtualHost>
And we finally get to the configuration for the site itself. Not much to say about this, except that the “Content-Security-Policy [5]” header is annoying to get right, and I'm not sure how much benefit it brings, but hey, this is a test site so I'll have to see how it goes.
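A small checker for that header, added here as an example and not taken from the post or from Apache: it splits a policy the way a browser does and reports where the post's policy is looser than it looks ('unsafe-inline' and 'unsafe-eval', a style-src with no 'self' or host source, and the directives that never inherit default-src), next to a constructed tighter policy (placeholder nonce) that comes back clean.

```python
# Added example (not from the post). WEAK_CSP is the policy from the post's config;
# HARDENED_CSP is a constructed alternative whose nonce must be random per response in practice.
WEAK_CSP = "style-src 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; default-src 'self';"
HARDENED_CSP = ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; style-src 'self'; "
                "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'")

# Directives that do not fall back to default-src, so leaving them out means no restriction at all.
NO_FALLBACK = ("base-uri", "frame-ancestors", "form-action")

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]} (directive names lower-cased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(header):
    """Return (directive, finding) pairs describing where the policy is weaker than it looks."""
    policy, findings = parse_csp(header), []
    for directive in ("script-src", "style-src"):
        srcs = policy.get(directive) or policy.get("default-src", [])
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            findings.append((directive, "'unsafe-inline' lets injected inline code run; use nonces or hashes"))
        if directive == "script-src" and "'unsafe-eval'" in srcs:
            findings.append((directive, "'unsafe-eval' permits eval() and new Function()"))
        # Only 'self', 'none', or an unquoted host/scheme source allows external files of this type.
        if directive in policy and not any(s in ("'self'", "'none'") or not s.startswith("'") for s in srcs):
            findings.append((directive, "no 'self' or host source: same-origin external files of this type are blocked"))
    for directive in NO_FALLBACK:
        if directive not in policy:
            findings.append((directive, "missing and does not inherit default-src"))
    if "object-src" not in policy and "default-src" not in policy:
        findings.append(("object-src", "unrestricted: plugin content can load from anywhere"))
    return findings
```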
So that's pretty much how I'm setting up each site I host. It's pretty straightforward, except for the sheer terror that I've made a typo and will have to wait a month before trying to obtain a secure certificate again. You have been warned.
[1] https://httpd.apache.org/docs/2.4/
[3] https://httpd.apache.org/docs/2.4/mod/mod_md.html
[4] https://httpd.apache.org/docs/2.4/mod/mod_md.html#mdrequirehttps
[5] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy