Search at Knowledgebase
How to secure a SSL connection with Apache on Ubuntu 18.04

Objective

Configuring an SSL (Secure Sockets Layer) connection, allows you to add an additional asymmetric encryption protocol to the common HTTP. The SSL protocol can be useful to strengthen either the authentication system of a website or the data exchange between an app and the server. In this guide you will see how to configure an SSL connection and enable HTTPS on Apache with Ubuntu 18.04.

First, connect to your server via an SSH connection. If you haven’t done so yet, following our guide is recommended to securely connect with the SSH protocol. In case of a local server, go to the next step and open the terminal of your server.

Getting an SSL Certificate

To establish a secure connection, Apache will need an SSL certificate that can be obtained from a Certification Authority (CA). For convenience, in this example we will use a self-signed or self-signed certificate, used only in test and development environments. To obtain a self-signed certificate, refer to our guide to Create a Self-Signed SSL Certificate.
If you are interested in obtaining a free SSL certificate issued by a Certification Authority, follow our guide on How to secure Apache with Let’s Encrypt and Ubuntu 18.04 .

Important note:
During the creation of the certificate, enter your server’s IP address and or domain name when asked for the Common Name:

Common Name (e.g. server FQDN or YOUR name) []: domain.com

After obtaining the certificate, create the /etc/certificate folder:

$ sudo mkdir /etc/certificate

Then save both the certificate and the private key in it.

Configuring the Apache SSL parameters

Proceed by setting the directives for the secure connection that Apache will create. To do so, create the ssl-params.conf file in the Apache conf-available directory:

$ sudo nano /etc/apache2/conf-available/ssl-params.conf

Paste the following basic configuration into the newly created file:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

Then save and close the file.

How to change the Virtual Host

Then, modify the SSL configuration of the Virtual Host of the domain you want to protect with SSL connection. In this tutorial the SSL configuration of the default Apache Virtual Host will be used, as an example.
Open the Virtual Host SSL configuration:

l$ sudo nano /etc/apache2/sites-available/default-ssl.conf

You’ll find a file structured as follows :

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars

Set up the ServerAdmin directive correctly by entering your email and add the ServerName directive followed by your domain or your server’s IP address.

Finally, change the path indicated by the SSLCertificateFile and SSLCertificateKeyFile directives, entering respectively the path of your certificate and private key .
You will get a result similar to the following :

ServerAdmin john@mydomain.com
ServerName mydomain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile      /etc/certificate/certificate.crt
SSLCertificateKeyFile /etc/certificate/private.key
SSLOptions +StdEnvVars

Then save and close the file.

How to configure the Firewall

In case of a firewall on your system, set it up to enable HTTP traffic and HTTPS traffic to your machine.
When using the UFW firewall, some pre-installed profiles for Apache are available. So let’s see how to enable them.
To check the available profiles installed in the UFW firewall, run this command:

$ sudo ufw app list

A list similar to the following will be displayed on the screen:

$ sudo ufw app list

A list similar to the following will be displayed on the screen:

Available applications:
Apache
Apache Full
Apache Secure
OpenSSH

To allow HTTP (Port 80) and HTTPS (Port 443) traffic, use the “Apache Full” profile.
Check the profile information as follows:

$ sudo ufw app info "Apache Full"

The screen profile description will be displayed :

Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web server.
Ports:80,443/tcp

After verifying the profile, enable it:

$ sudo ufw allow in "Apache Full"

How to configure Apache

At this point changes to the Apache configuration can be made.
Enable the mod_ssl and mod_headers modules:

$ sudo a2enmod ssl
$ sudo a2enmod headers

Enable reading of the SSL configuration created earlier:

$ sudo a2enconf ssl-params

Enable the default SSL Virtual Host:

$ sudo a2ensite default-ssl

Check that you have not made syntax errors in the Apache configuration files:

$ sudo apache2ctl configtest

If the message “Syntax OK” appears on the screen, proceed by restarting Apache:

$ sudo systemctl restart apache2

How to check the secure connection

Open your browser by connecting to the domain or IP address of the Virtual Host you configured, making sure to use the https protocol
https://mydomain.com

Your FREE Trial Starts Here!
Contact our team for application of dedicated server service!
Register as a member to enjoy exclusive benefits now!
Your FREE Trial Starts here!
Contact our team for application of dedicated server service!
Register as a member to enjoy exclusive benefits now!
Telegram Skype