Notes on configuring Apache mod_md

I've been tweaking my Apache configuration [1] for the past two days [2], trying to figure out what I need and don't need, and these are just some notes I've collected on the process. I'm using mod_md [3] for managing the secure certificates, and there isn't much out on the Intarwebs about what a configuration for a website should look like. I can find plenty of pages that basically regurgitate the Apache documentation for mod_md, but nothing on how it all goes together. So here's an annotated version of a configuration for one of my less important sites:

<MDomainSet www.flummux.org>
	MDCertificateAgreement	accepted
	MDContactEmail		sean@conman.org
	MDMember		flummux.org
	MDRequireHttps		temporary
</MDomainSet>

The required stuff. I've found that using MDomainSet is much cleaner than MDomain as I have multiple sites that I want to keep separated, certificate-wise. I'm old-school when it comes to naming, so I like using the “www” prefix and prefer that to be part of the canonical name for my domains. I also support the plain domain name, but only to redirect to the “www” version of the site. If you are more hipster than I, then just reverse the domain names. I won't judge.

Given the push that “Encrypt All The Things!” has had, especially from Google, I'm expecting any month now for Google Chrome (that has, what? An 85% usage rate on the Internet?) to enable the Big Scary Error Messages on non-encrypted web requests, so I might as well go ahead and start pushing the secure versions of my sites (sigh—I really hate this bit, but I think I'm in the minority on this), thus the MDRequireHttps setting. I tried using permanent on one of my test domains and I screwed myself over when I flubbed the mod_md configuration—I can't even reach the site from my primary browser as it is now stuck for the next six months trying to reach the secure version which isn't running. Yes, I could fix this by cleaning out my cache, but that's pretty much an “all-or-nothing” option, and for a domain I almost never use, I can live with that for now. I also flubbed the configuration for that domain so bad, that I have to wait for a month before I try obtaining a certificate again.

Sigh.

<VirtualHost 71.19.142.20:80>
	ServerName	flummux.org
	Redirect	permanent	/	http://www.flummux.org/
	Protocols	h2 h2c http/1.1 acme-tls/1
</VirtualHost>

<VirtualHost 71.19.142.20:80>
	ServerName	www.flummux.org
	Protocols	h2 h2c http/1.1 acme-tls/1
</VirtualHost>

Because I'm doing the MDRequireHttps directive, I've found that this is all I need for the non-secure settings, which also means I don't need to duplicate the actual server settings, once for the non-secure version and again for the secure version. The first block is there to redirect http://domain requests to http://www.domain requests. I'm not redirecting directly to https: here, as the Apache documentation warns that the certificate renewal might not work [4]. And because I want the certificate renewal to work, I added acme-tls/1 to the list of protocols supported.

<VirtualHost 71.19.142.20:443>
	SSLEngine	On
	ServerName	flummux.org
	Redirect	permanent	/	https://www.flummux.org/
	Protocols	h2 h2c http/1.1 acme-tls/1
</VirtualHost>

This is just to redirect https://domain requests to https://www.domain requests. I'm not sure if I really need the acme-tls/1 setting here, but I'm not taking a chance with the certificate renewal. It's not clear in the Apache documentation what would happen, and given how long I have to wait if it messes up, I'm not willing to test it.
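Since a typo here costs a month-long wait, it is worth checking a configuration for the three pitfalls above before reloading Apache: MDRequireHttps permanent, a port-80 vhost that redirects straight to https://, and a port-443 vhost whose Protocols line lacks acme-tls/1. The linter below is an added example written for this post (not code from the post or from mod_md); the config it reads is a constructed sample in the same layout, with placeholder hostnames and address, and all three mistakes present on purpose.

```python
import re

# Constructed sample in the layout the post uses, with the pitfalls the post
# describes deliberately present: MDRequireHttps permanent, a port-80 redirect
# straight to https://, and a port-443 host whose Protocols omit acme-tls/1.
SAMPLE_CONFIG = """
<MDomainSet www.example.test>
    MDRequireHttps permanent
    MDMember example.test
</MDomainSet>
<VirtualHost 203.0.113.10:80>
    ServerName example.test
    Redirect permanent / https://www.example.test/
    Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName www.example.test
    Protocols h2 http/1.1
</VirtualHost>
"""

# Matches one <MDomainSet ...> or <VirtualHost ...> section and its body.
BLOCK_RE = re.compile(r"<(MDomainSet|VirtualHost)\s+([^>]+)>(.*?)</\1>", re.S | re.I)


def parse_block(body):
    """Map lowercase directive name -> list of its arguments (last one wins)."""
    directives = {}
    for line in body.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1:]
    return directives


def lint(config):
    """Return one finding per pitfall found; an empty list means the checks passed."""
    findings = []
    for kind, arg, body in BLOCK_RE.findall(config):
        d = parse_block(body)
        if kind.lower() == "mdomainset" and d.get("mdrequirehttps") == ["permanent"]:
            findings.append(f"{arg}: MDRequireHttps permanent; browsers that cache the "
                            "long-lived Strict-Transport-Security header stay locked to https even if it breaks")
        if kind.lower() != "virtualhost":
            continue
        name = d.get("servername", ["?"])[0]
        port = arg.rsplit(":", 1)[-1]
        if port == "80" and any(t.startswith("https://") for t in d.get("redirect", [])):
            findings.append(f"{name}:80 redirects to https://; the mod_md docs warn this can break renewal")
        if port == "443" and "acme-tls/1" not in d.get("protocols", []):
            findings.append(f"{name}:443 Protocols lacks acme-tls/1, needed for the tls-alpn-01 challenge")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to get the three findings; feeding it the post's own configuration returns an empty list.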

<VirtualHost 71.19.142.20:443>
  SSLEngine		on
  ServerName		www.flummux.org
  ServerAdmin		sean@conman.org
  DocumentRoot		/home/spc/web/sites/www.flummux.org/htdocs
  AddHandler		server-parsed .shtml
  AddOutputFilter	INCLUDES .shtml
  AddOutputFilterByType	DEFLATE	text/html text/plain text/xml
  Protocols		h2 h2c http/1.1 acme-tls/1
  CustomLog		/home/spc/web/logs/www.flummux.org combined-deflate
  FileETag		MTime Size
  AddDefaultCharset	UTF-8
  DirectoryIndex	index.cgi

  SetEnv LUA_PATH	"/home/spc/web/sites/www.flummux.org/lua/?.lua"
  SetEnv LUA_CPATH	"/home/spc/web/sites/www.flummux.org/lib/?.so"
  Header set Content-Security-Policy "style-src 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; default-src 'self';"

  ExpiresActive	 On
  ExpiresDefault "access plus 1 month"
  ExpiresByType	 text/html "modification plus 1 week"

  <Directory /home/spc/web/sites/www.flummux.org/htdocs>
    Options		All
    AllowOverride	None
    Require		all granted
  </Directory>

  <Directory /home/spc/web/sites/www.flummux.org/htdocs/errors>
    Options	-Indexes
  </Directory>

  ErrorDocument	404	/errors/404.shtml
</VirtualHost>

And we finally get to the configuration for the site itself. Not much to say about this, except that the “Content-Security-Policy [5]” header is annoying to get right, and I'm not sure how much benefit it brings, but hey, this is a test site so I'll have to see how it goes.

So that's pretty much how I'm setting up each site I host. It's pretty straightforward, except for the sheer terror that I've made a typo and will have to wait a month before trying to obtain a secure certificate again. You have been warned.

[1] https://httpd.apache.org/docs/2.4/

[2] /boston/2022/12/04.1

[3] https://httpd.apache.org/docs/2.4/mod/mod_md.html

[4] https://httpd.apache.org/docs/2.4/mod/mod_md.html#mdrequirehttps

[5] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
