Security

Author: Webcore Staff

Last modified: Aug. 26, 2015, 1:39 p.m.

SSL Certificates

This tutorial will help you purchase and install an SSL certificate for use with the Apache and Nginx web servers on an Ubuntu system.

Prerequisites

A Registered Domain

You must have ownership or control of the registered domain name that you wish to use the certificate with. If you do not already have a registered domain name, you may purchase one from our list of services.

Web Server

This tutorial is designed for Apache or Nginx web servers. You should have one of these servers available.

Get your Certificate

You can get your SSL certificate by following this link: https://www.webcorecloud.com/secure/?/cart/ssl-certificates/. We offer all major brands of SSL certificates, including:

  1. Comodo
  2. GeoTrust
  3. Verisign

When you get your certificate, download it and place the file in

/etc/ssl/localcerts

Configure Apache to use the SSL Certificate

Make a backup of your configuration file by copying it. The default virtual host configuration file is /etc/apache2/sites-available/000-default.conf; to make a copy, enter the following in your terminal:

cd /etc/apache2/sites-available
cp 000-default.conf 000-default.conf.orig

Then open the file for editing:

sudo vi 000-default.conf

Find the entry and modify it so your web server will listen on port 443:

<VirtualHost *:443>

Now add the ServerName directive, if it doesn't already exist (please enter your server name here):

ServerName example.com

Specify your certificate and key paths by adding the following lines (substitute your actual paths):

SSLEngine on
SSLCertificateFile /home/example/example.com.crt
SSLCertificateKeyFile /home/example/example.com.key

If you are using Apache 2.4.8 or greater, you must specify the CA intermediate bundle. Add this line, substituting the path:

SSLCACertificateFile /home/example/intermediate.crt

Now your server is configured to listen on HTTPS only (on port 443). Any requests to HTTP (port 80) will not be served. To redirect HTTP requests to HTTPS, add the following at the beginning of the file (substituting the name):

<VirtualHost *:80>
   ServerName example.com
   Redirect permanent / https://example.com/
</VirtualHost>

Enable the Apache SSL module by running the following command:

sudo a2enmod ssl

To load the new configuration and enable TLS/SSL over HTTPS, restart Apache:

sudo service apache2 restart

To ensure that the certificate and the redirect are working properly, test by accessing your site via HTTPS, e.g. https://example.com. You can also try connecting via HTTP, e.g. http://example.com, which should redirect you to the HTTPS address.

Configure Nginx to use the SSL Certificate

You must create a single "chained" certificate file if your CA included an intermediate certificate. This file contains your certificate and the CA's intermediate certificates.

Change to the directory that contains your private key, certificate, and the CA intermediate certificates (in the intermediate.crt file). This is the directory we used earlier in the tutorial:

/etc/ssl/localcerts

Use this command to create a combined file called example.com.chained.crt. Assuming your certificate file is called example.com.crt:

cat example.com.crt intermediate.crt > example.com.chained.crt

Change to your Nginx server block configuration directory, usually located at /etc/nginx/sites-enabled, by entering the following in your terminal:

cd /etc/nginx/sites-enabled

To add SSL to your default server block, edit its configuration file:

sudo vi default

Find the listen directive and modify the file so it looks like this:

listen 443 ssl;

Find the server_name directive and make sure that its value matches the common name of your certificate. Then add the ssl_certificate and ssl_certificate_key directives to specify the paths of your certificate and private key files:

server_name example.com;
ssl_certificate /home/example/example.com.chained.crt;
ssl_certificate_key /home/example/example.com.key;

Add the following lines to the file to allow the most secure SSL protocols and ciphers only:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

To redirect HTTP traffic to HTTPS, add this additional server block at the top of the file:

server {
    listen 80;
    server_name example.com;
    rewrite ^/(.*) https://example.com/$1 permanent;
}

Now save and quit.

Restart Nginx to load the new configuration and enable TLS/SSL over HTTPS:

sudo service nginx restart

Test it out by accessing your site via HTTPS, e.g. https://example.com.
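Two steps above are easy to get subtly wrong and only show up as a browser warning or a failed restart: the certificate and private key paths given to Apache or Nginx must belong to the same key pair, and the chained file Nginx reads must contain the server certificate first, followed by the intermediates. The following script is an added example written for this tutorial, not part of the original page or of either web server's tooling; it assumes PEM-encoded files and uses placeholder paths. The key_matches_cert and verify_endpoint functions rely on the openssl command line tool being installed, while the chain checks use only grep and awk.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks for the
# certificate, key and chained file before restarting Apache or Nginx.
# Assumes PEM files; all paths are placeholders supplied by the caller.

# count_pem_certs FILE: print the number of CERTIFICATE blocks in FILE.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# first_cert FILE: print only the first CERTIFICATE block in FILE.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if (p) exit}' "$1"
}

# build_chain LEAF INTERMEDIATE OUT: write the chained file in the order
# Nginx expects (server certificate first, then the intermediates).
# Fails instead of silently writing a half-empty chain.
build_chain() {
    leaf=$1; inter=$2; out=$3
    [ -s "$leaf" ] && [ -s "$inter" ] || return 1
    cat "$leaf" "$inter" > "$out"
}

# chain_leaf_first CHAIN LEAF: succeed only if the first certificate in
# CHAIN is the server certificate in LEAF (a reversed chain fails here).
chain_leaf_first() {
    first=$(first_cert "$1")
    [ -n "$first" ] && [ "$first" = "$(first_cert "$2")" ]
}

# key_matches_cert CERT KEY: succeed if the public key inside CERT is the
# public half of KEY. Compares SHA-256 digests of both public keys.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# verify_endpoint HOST: after the restart, show which certificate the
# server actually presents for HOST (uses SNI) and its validity dates.
verify_endpoint() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Usage: sh chaincheck.sh example.com.crt intermediate.crt example.com.key
if [ $# -eq 3 ]; then
    chained="${1%.crt}.chained.crt"
    build_chain "$1" "$2" "$chained" && echo "wrote $chained ($(count_pem_certs "$chained") certificates)"
    chain_leaf_first "$chained" "$1" && echo "server certificate is first: ok"
    key_matches_cert "$1" "$3" && echo "private key matches certificate: ok"
fi
```

Run it from /etc/ssl/localcerts with the three file names; if key_matches_cert fails, the paths in SSLCertificateKeyFile or ssl_certificate_key point at a key that does not belong to the certificate, and the server will refuse to start or present a broken chain. After the restart, verify_endpoint example.com shows the subject, issuer and expiry of the certificate the server really serves, which is the quickest way to confirm the new files were picked up.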