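#!/usr/bin/env bash
# Vagrant provisioner: Apache2 with a self-signed ("snakeoil") TLS certificate
# and an HTTP -> HTTPS redirect. Lab use only: the guest's ports 80/443 are
# expected to be forwarded to 8080/8443 on the host (see the TEST IT notes).
# Steps 6-12 at the bottom are still TODO and are documented only.
set -euo pipefail

# Host-side port the guest's 443 is forwarded to; used as the redirect target.
readonly HTTPS_PORT=8443
# Edit the file in sites-available, not the symlink in sites-enabled: GNU
# `sed -i` replaces a symlink with a regular file, which would silently
# detach the enabled site from its sites-available source.
readonly DEFAULT_SITE=/etc/apache2/sites-available/000-default.conf

# STEP 0
sudo apt-get update
# STEP 1 - install apache
sudo apt-get -y install apache2
# TEST IT
# http://0.0.0.0:8080/ -> Apache2 Debian Default Page
# STEP 2 - install openssl and ssl-cert (provides make-ssl-cert used below).
# -y: provisioning runs non-interactively and must not hang on a prompt.
sudo apt-get -y install openssl ssl-cert
# STEP 3 - ssl certs (re)generation
# vagrant ssh
# >>> # man make-ssl-cert
# >>> # sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
# >>> # /usr/share/ssl-cert/ssleay.cnf -> system template to be enhanced
# /etc/ssl/certs/ssl-cert-snakeoil.pem -> provided by ssl-cert
# /etc/ssl/private/ssl-cert-snakeoil.key -> provided by ssl-cert (root/ssl-cert group only)
# The result is self-signed: browsers will (correctly) refuse it until a CA
# you control signs the cert (STEP 8). Never ship this cert beyond the lab.
sudo make-ssl-cert generate-default-snakeoil --force-overwrite # regenerate ssl cert
# STEP 4 - apache configuration
# /etc/apache2/ports.conf -> read only, nothing to change
# port 443 /etc/apache2/sites-available/default-ssl.conf -> read only, nothing to change
# port 80 /etc/apache2/sites-available/000-default.conf -> read only, nothing to change
# a2 = apache2, en = enable, mod = module
# <=> ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf
# && ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
sudo a2enmod ssl
# a2 = apache2, en = enable, site = virtual host
# <=> ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
sudo a2ensite default-ssl
# Fail fast on a broken config instead of leaving apache running the old one.
sudo apache2ctl configtest
sudo systemctl reload apache2.service
# TEST IT
# http://0.0.0.0:8443/ -> bad request (connect with http on https port)
# https://0.0.0.0:8443/ or https://0.0.0.0 -> NET::ERR_CERT_AUTHORITY_INVALID
# STEP 5 - make host accessible with https only - 80 closed or forwarded
sudo a2enmod rewrite
# Append 3 lines to the port-80 vhost:
#   RewriteEngine On
#   RewriteCond %{HTTPS} off
#   RewriteRule (.*) https://%{SERVER_NAME}:8443$1 [R,L]
# %{SERVER_NAME} is used on purpose instead of %{HTTP_HOST}: the redirect
# target must not be built from the client-supplied Host header.
# [R,L] is a temporary (302) redirect; a permanent redirect plus HSTS belongs
# to the hardening in STEP 7 once the certificate is trusted.
# Guarded so re-running the provisioner does not duplicate the rules.
if ! grep -qF 'RewriteEngine On' "$DEFAULT_SITE"; then
  sudo sed -i "s|</VirtualHost>|\tRewriteEngine On\n\tRewriteCond %{HTTPS} off\n\tRewriteRule (.*) https://%{SERVER_NAME}:${HTTPS_PORT}\$1 [R,L]\n</VirtualHost>|" "$DEFAULT_SITE"
fi
sudo apache2ctl configtest
sudo systemctl reload apache2.service
# STEP 6 - generate cert with openssl best practice
# STEP 7 - enhance apache security configuration (TLS versions/ciphers, HSTS)
# TEST IT
# https://addons.mozilla.org/fr/firefox/addon/toggle-cipher-suites/
# security enhancement
# https://cipherli.st/
# STEP 8 - signed cert and import certificate authority
# sudo mkdir -p /etc/apache2/ssl
# https://blogs.msdn.microsoft.com/benjaminperkins/2014/05/05/make-your-own-ssl-certificate-for-testing-and-learning/
# STEP 9 - nginx as reverse proxy / http router - nginx front serve listen 80
# STEP 10 - nginx as reverse proxy / https router - nginx front serve listen 443 - configure ssl cert with nginx
# STEP 11 - make host accessible with https only - 80 closed or forwarded + make apache unreachable from outside
# STEP 12 - enhance nginx security configuration https://cipherli.st/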