Outils pour utilisateurs
Ceci est une ancienne révision du document !
Table des matières
agi openssl ssl-cert
Puis on suit ce tuto : https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-debian-9
Synthèses des commandes
Step 1 — Creating the SSL Certificate
We can create a self-signed key and certificate pair with OpenSSL in a single command :
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
You will be asked a series of questions. Before we go over that, let’s take a look at what is happening in the command we are issuing:
Both of the files you created will be placed in the appropriate subdirectories under /etc/ssl.
Step 2 — Configuring Apache to Use SSL
We have created our key and certificate files under the /etc/ssl directory. Now we just need to modify our Apache configuration to take advantage of these.
We will make a few adjustments to our configuration :
- We will create a configuration snippet to specify strong default SSL settings.
- We will modify the included SSL Apache Virtual Host file to point to our generated SSL certificates.(Recommended)
- We will modify the unencrypted Virtual Host file to automatically redirect requests to the encrypted Virtual Host.
When we are finished, we should have a secure SSL configuration.
Creating an Apache Configuration Snippet with Strong Encryption Settings
First, we will create an Apache configuration snippet to define some SSL settings. This will set Apache up with a strong SSL cipher suite and enable some advanced features that will help keep our server secure. The parameters we will set can be used by any Virtual Hosts enabling SSL.
Create a new snippet in the /etc/apache2/conf-available directory. We will name the file ssl-params.conf to make its purpose clear:
sudo nano /etc/apache2/conf-available/ssl-params.conf
Paste the following configuration into the ssl-params.conf file we opened:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder On # Disable preloading HSTS for now. You can use the commented out header line that includes # the "preload" directive if you understand the implications. # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff # Requires Apache >= 2.4 SSLCompression off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires Apache >= 2.4.11 SSLSessionTickets Off
Save and close the file when you are finished.
Modifying the Default Apache SSL Virtual Host File
Next, let’s modify /etc/apache2/sites-available/default-ssl.conf, the default Apache SSL Virtual Host file. If you are using a different server block file, substitute its name in the commands below.
Before we go any further, let’s back up the original SSL Virtual Host file :
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
Now, open the SSL Virtual Host file to make adjustments :
sudo nano /etc/apache2/sites-available/default-ssl.conf
Inside, with most of the comments removed, the Virtual Host block should look something like this by default:
/etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c> <VirtualHost _default_:443> SServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> </VirtualHost> </IfModule>
Outils de la page
