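    #!/usr/bin/env bash
    # Vagrant provisioner: Apache2 with a self-signed ("snakeoil") certificate
    # and an HTTP -> HTTPS redirect. Meant for a local lab box reached through
    # the host port forwards 8080 -> 80 and 8443 -> 443.
    #
    # Steps 6-12 (own cert, hardening, nginx front-end) are still TODO and
    # are listed as comments at the bottom of the file.
    set -euo pipefail

    # Keep apt from stopping on interactive prompts while provisioning.
    export DEBIAN_FRONTEND=noninteractive

    # Port-80 default site; a2ensite links it into sites-enabled.
    readonly site_conf=/etc/apache2/sites-available/000-default.conf

    #######################################
    # STEP 0-2: refresh the package index, install apache2 and openssl.
    # The original ran `apt-get install openssl` without -y, which blocks on
    # the confirmation prompt under a non-interactive provisioner.
    #######################################
    install_packages() {
      sudo apt-get update
      sudo apt-get -y install apache2 openssl
      # TEST IT
      # http://0.0.0.0:8080/ -> Apache2 Debian Default Page
    }

    #######################################
    # STEP 3: (re)generate the self-signed snakeoil certificate.
    # Files written by make-ssl-cert:
    #   /etc/ssl/certs/ssl-cert-snakeoil.pem   -> certificate
    #   /etc/ssl/private/ssl-cert-snakeoil.key -> private key
    # --force-overwrite replaces an existing pair, so a cert a client had
    # already accepted becomes invalid after every provisioning run.
    # For a hand-made cert see `man make-ssl-cert`; the system template is
    # /usr/share/ssl-cert/ssleay.cnf, e.g.
    #   sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
    #######################################
    regenerate_snakeoil_cert() {
      sudo make-ssl-cert generate-default-snakeoil --force-overwrite
    }

    #######################################
    # STEP 4: enable mod_ssl and the default-ssl virtual host.
    # Nothing to change for this step in /etc/apache2/ports.conf,
    # sites-available/default-ssl.conf (443) or sites-available/000-default.conf (80).
    # a2 = apache2, en = enable, mod = module, site = virtual host:
    #   a2enmod ssl          <=> ln -s mods-available/ssl.conf  mods-enabled/ssl.conf
    #                         && ln -s mods-available/ssl.load  mods-enabled/ssl.load
    #   a2ensite default-ssl <=> ln -s sites-available/default-ssl.conf sites-enabled/default-ssl.conf
    #######################################
    enable_ssl_site() {
      sudo a2enmod ssl
      sudo a2ensite default-ssl
      sudo systemctl reload apache2.service
      # TEST IT
      # http://0.0.0.0:8443/  -> bad request (plain HTTP on the HTTPS port)
      # https://0.0.0.0:8443/ or https://0.0.0.0 -> NET::ERR_CERT_AUTHORITY_INVALID
      #   (expected: the snakeoil cert is self-signed, no CA vouches for it)
    }

    #######################################
    # STEP 5: make the host reachable over HTTPS only - redirect port 80.
    # Inserts, just before </VirtualHost> in the port-80 site, the 3 lines:
    #   RewriteEngine On
    #   RewriteCond %{HTTPS} off
    #   RewriteRule (.*) https://%{SERVER_NAME}:8443$1 [R,L]
    # The edit targets sites-available instead of the sites-enabled symlink:
    # GNU `sed -i` replaces a symlink with a regular file, which silently
    # detaches the enabled site from its source. The grep guard keeps a
    # second provisioning run from appending the block again.
    #######################################
    force_https() {
      sudo a2enmod rewrite
      if ! grep -q 'RewriteEngine On' "$site_conf"; then
        sudo sed -i 's/<\/VirtualHost>/        RewriteEngine On\n        RewriteCond %{HTTPS} off\n        RewriteRule (.*) https:\/\/%{SERVER_NAME}:8443$1 [R,L]\n<\/VirtualHost>/' "$site_conf"
      fi
      sudo systemctl reload apache2.service
    }

    main() {
      install_packages
      regenerate_snakeoil_cert
      enable_ssl_site
      force_https
    }

    main "$@"

    # STEP 6 - generate cert following openssl best practice
    # STEP 7 - enhance apache security configuration
    # TEST IT
    # https://addons.mozilla.org/fr/firefox/addon/toggle-cipher-suites/
    # security enhancement
    # https://cipherli.st/
    # STEP 8 - signed cert and import certificate authority
    # sudo mkdir -p /etc/apache2/ssl
    # https://blogs.msdn.microsoft.com/benjaminperkins/2014/05/05/make-your-own-ssl-certificate-for-testing-and-learning/
    # STEP 9 - nginx as reverse proxy / http router - nginx front server listens on 80
    # STEP 10 - nginx as reverse proxy / https router - nginx front server listens on 443 - configure the ssl cert with nginx
    # STEP 11 - make host accessible with https only - 80 closed or forwarded + make apache unreachable from outside
    # STEP 12 - enhance nginx security configuration https://cipherli.st/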