Apache2 for alpine linux professional SSL setup - McKAY brothers, multimedia emulation and support

2022/08/26

Apache2 for alpine linux professional SSL setup

SSL support comes from a separate package, and how it is configured depends on which SSL/TLS versions the target client browsers can decode. Please check the previous articles about installing and configuring Apache2 on Alpine Linux.

If you see the command php$phpverx-apache2 in many tutorials, that is proof they are incomplete; here you will learn why that command is illogical.

The recommendation is to use apache2 behind a reverse proxy setup, such as the lighttpd or hiawatha servers. Currently it is the laziest and slowest server.. just for windosers that want to learn..

 PREVIOUS: Apache2 for alpine linux professional installation


Apache2 SSL setup for alpine linux

Apache2 SSL support

As we said, the package is made in a limited way and only ships a single config file, /etc/apache2/conf.d/ssl.conf.

The best way to do this would be independent include files; the Debian counterpart has a good mechanism for enabling configuration files, but that is not the case here, so we must deal with the unordered loading of the module configs.

We need to create a self-signed certificate, so openssl is needed in any case, even if a remotely issued certificate is used:

  1. install openssl and apache2-ssl
  2. create the self-signed certificate
  3. set proper permissions
  4. set up the certificate file as a combined PEM (key and certificate in one file)
  5. set up the port for the mod_ssl module
  6. set up the allowed negotiations (cipher suites)
  7. set up the allowed protocols, for example also allowing older ones like TLS 1.0 (the default denies SSLv3 and TLSv1)
  8. activate mod_redirect in case of a global http to https redirection
  9. restart the service to see the changes

# 1. install openssl and the Apache SSL module package
apk add openssl apache2-ssl

# 2. create the self-signed certificate; -keyout and -out name the same file,
#    so openssl appends the certificate after the key (the combined PEM of step 4)
mkdir -p /etc/ssl/certs/

openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
   -subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=$(hostname -d)" \
   -keyout /etc/ssl/certs/localhost.pem -out /etc/ssl/certs/localhost.pem

# 3. the file holds the private key: no access for "other"
chmod 640 /etc/ssl/certs/localhost.pem
chown apache:www-data /etc/ssl/certs/localhost.pem

# 4. point mod_ssl at the combined PEM: comment out SSLCertificateKeyFile (the key is
#    then read from SSLCertificateFile) and set the certificate and chain directives.
#    The whole directive line is replaced; matching only up to "/etc/" would leave
#    the tail of the old path glued onto the new one.
sed -i -r 's#^SSLCertificateKeyFile#\#SSLCertificateKeyFile#' /etc/apache2/conf.d/ssl.conf
sed -i -r 's#^SSLCertificateFile.*#SSLCertificateFile /etc/ssl/certs/localhost.pem#' /etc/apache2/conf.d/ssl.conf
sed -i -r 's#^SSLCertificateChainFile.*#SSLCertificateChainFile /etc/ssl/certs/localhost.pem#' /etc/apache2/conf.d/ssl.conf
sed -i -r 's#^\#.*SSLCertificateChainFile.*#SSLCertificateChainFile /etc/ssl/certs/localhost.pem#' /etc/apache2/conf.d/ssl.conf

# 5. the port and the default SSL virtual host
sed -i -r 's#^Listen.*#Listen 443#g' /etc/apache2/conf.d/ssl.conf
sed -i -r 's#^<VirtualHost.*#<VirtualHost _default_:443>#g' /etc/apache2/conf.d/ssl.conf

# 6./7. allowed protocols and cipher negotiations (permissive values, see the warning notes)
sed -i -r 's#^SSLProtocol.*#SSLProtocol all#g' /etc/apache2/conf.d/ssl.conf

sed -i -r 's#^SSLCipherSuite.*#SSLCipherSuite HIGH:MEDIUM:ALL:!MD5:!RC4:!3DES#g' /etc/apache2/conf.d/ssl.conf
sed -i -r 's#^SSLProxyCipherSuite.*#SSLProxyCipherSuite HIGH:MEDIUM:ALL:!MD5:!RC4:!3DES#g' /etc/apache2/conf.d/ssl.conf

# 9. restart to apply the changes
rc-service apache2 restart
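
Before restarting Apache it is worth checking that the combined file really holds a private key that matches the certificate, that it is not world-readable, and that it has not expired. The script below is an added example and not part of the article; the temp-directory file names are constructed for the demo, and the three check functions take any PEM path (such as /etc/ssl/certs/localhost.pem). It relies on the same openssl behaviour the article's step 4 uses: when -keyout and -out name the same file, openssl appends the certificate after the key instead of overwriting it.

```shell
#!/bin/sh
# Added example (not from the article): sanity checks for a combined
# key+certificate PEM, run before pointing SSLCertificateFile at it.
# Needs only POSIX sh and the openssl CLI.

# 0 = the file holds one private key whose public half matches the certificate,
# 1 = missing part or mismatch, 2 = file unreadable.
pem_key_matches_cert() {
    f=$1
    [ -r "$f" ] || return 2
    # Count PEM blocks; mod_ssl expects exactly one key in the combined file.
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] || return 1
    # Each tool skips the PEM blocks it was not asked for, which is exactly
    # how Apache reads a combined file. Compare the SubjectPublicKeyInfo
    # derived from the key with the one embedded in the certificate.
    pub_from_key=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    pub_from_cert=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

# 0 if the file mode grants "other" no access at all (e.g. 640 or 600).
pem_not_world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU/busybox, then BSD
    case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# 0 if the certificate stays valid for at least $2 more seconds (default 30 days).
pem_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Constructed demo: a throwaway combined PEM made the same way as the article's
# (same -keyout and -out path), plus a cert-only copy and a world-readable copy
# as negative cases. Hypothetical names; nothing here touches /etc.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_PEM=$DEMO_DIR/localhost.pem
DEMO_CERT_ONLY=$DEMO_DIR/cert-only.pem
DEMO_WORLD=$DEMO_DIR/world-readable.pem
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 -subj "/CN=demo.example" \
        -keyout "$DEMO_PEM" -out "$DEMO_PEM" 2>/dev/null
    chmod 640 "$DEMO_PEM"
    openssl x509 -in "$DEMO_PEM" -out "$DEMO_CERT_ONLY" 2>/dev/null   # certificate without its key
    cp "$DEMO_PEM" "$DEMO_WORLD" && chmod 644 "$DEMO_WORLD"          # key readable by everyone
    for f in "$DEMO_PEM" "$DEMO_CERT_ONLY"; do
        if pem_key_matches_cert "$f"; then echo "$f: key matches certificate"
        else echo "$f: no matching private key"; fi
    done
    for f in "$DEMO_PEM" "$DEMO_WORLD"; do
        if pem_not_world_readable "$f"; then echo "$f: not world-readable"
        else echo "$f: WORLD-READABLE private key"; fi
    done
    pem_not_expiring "$DEMO_PEM" && echo "$DEMO_PEM: valid for 30+ days"
else
    echo "openssl not found; demo skipped" >&2
fi
```

Run the three functions against the real file after step 3 and before step 9. Apache opens the key while it is still running as root during startup, so root ownership with mode 600 passes the permission check as well; the check only insists that "other" gets nothing.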

WARNING NOTES

  1. This is a permissive configuration, fully compatible with both older and newer browsers.
  2. To allow only the most secure protocols with a bit of compatibility, set SSLProtocol all -TLSv1 -SSLv3
  3. To allow only the most secure negotiations with a bit of compatibility, set SSLCipherSuite HIGH:MEDIUM:ECDHE:!MD5:!RC4:!3DES:!ADH
  4. To allow only the most secure negotiations with a bit of compatibility, set the proxy to SSLProxyCipherSuite HIGH:MEDIUM:ECDHE:!MD5:!RC4:!3DES:!ADH
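
The permissive values from the walkthrough and the stricter values from these notes differ only in what a client is still allowed to negotiate, and the difference is easy to lose sight of after a series of sed edits. The script below is an added example, not from the article: it reads SSLProtocol, SSLCipherSuite and SSLProxyCipherSuite out of an ssl.conf and reports which set is in effect. The two sample configs it writes to a temp directory are constructed for the demo and mirror the two sets of values above; the audit functions take any config path. One point it encodes: OpenSSL's ALL keyword includes the anonymous (aNULL) Diffie-Hellman suites, which is what the !ADH exclusion in the stricter list removes.

```shell
#!/bin/sh
# Added example (not from the article): report whether an Apache mod_ssl config
# still carries the permissive SSLProtocol / SSLCipherSuite settings from the
# walkthrough or the stricter ones from the notes. POSIX sh + awk only.

# Effective value of a directive: last uncommented occurrence wins, leading
# indentation is ignored, commented-out lines ("#SSLProtocol ...") are skipped.
conf_value() {
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$2"
}

# 0 if SSLProtocol rules out SSLv3 and TLSv1, 1 if either legacy protocol is
# still negotiable or the directive is missing.
protocol_is_strict() {
    proto=$(conf_value SSLProtocol "$1")
    [ -n "$proto" ] || return 1
    has_all=0; no_sslv3=0; no_tlsv1=0; legacy=0
    for tok in $proto; do
        case "$tok" in
            all|+all)                  has_all=1 ;;
            -SSLv3)                    no_sslv3=1 ;;
            -TLSv1)                    no_tlsv1=1 ;;
            SSLv3|+SSLv3|TLSv1|+TLSv1) legacy=1 ;;
        esac
    done
    [ "$legacy" -eq 0 ] || return 1
    if [ "$has_all" -eq 1 ]; then
        # "all" enables every protocol, so both legacy ones must be subtracted
        [ "$no_sslv3" -eq 1 ] && [ "$no_tlsv1" -eq 1 ]
    else
        return 0   # explicit list (e.g. "TLSv1.2 TLSv1.3") without legacy entries
    fi
}

# 0 if the cipher directive ($2, default SSLCipherSuite) explicitly excludes
# every family in WEAK_CIPHERS. ALL admits aNULL, hence the !ADH requirement.
WEAK_CIPHERS="MD5 RC4 3DES ADH"
cipher_excludes_weak() {
    ciphers=$(conf_value "${2:-SSLCipherSuite}" "$1")
    [ -n "$ciphers" ] || return 1
    for bad in $WEAK_CIPHERS; do
        case ":$ciphers:" in
            *":!$bad:"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Human-readable report; 0 only when every check passes.
audit_ssl_conf() {
    rc=0
    if protocol_is_strict "$1"; then echo "SSLProtocol: strict ($(conf_value SSLProtocol "$1"))"
    else echo "SSLProtocol: PERMISSIVE ($(conf_value SSLProtocol "$1"))"; rc=1; fi
    for d in SSLCipherSuite SSLProxyCipherSuite; do
        if cipher_excludes_weak "$1" "$d"; then echo "$d: excludes $WEAK_CIPHERS"
        else echo "$d: PERMISSIVE ($(conf_value "$d" "$1"))"; rc=1; fi
    done
    return $rc
}

# Constructed samples (hypothetical paths, not a real ssl.conf): the first mirrors
# the walkthrough's sed results, the second the stricter values from the notes.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
PERMISSIVE_CONF=$DEMO_DIR/ssl-permissive.conf
HARDENED_CONF=$DEMO_DIR/ssl-hardened.conf
cat > "$PERMISSIVE_CONF" <<'EOF'
Listen 443
<VirtualHost _default_:443>
#SSLProtocol all -SSLv3
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:ALL:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:ALL:!MD5:!RC4:!3DES
</VirtualHost>
EOF
cat > "$HARDENED_CONF" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    SSLProtocol all -TLSv1 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:ECDHE:!MD5:!RC4:!3DES:!ADH
    SSLProxyCipherSuite HIGH:MEDIUM:ECDHE:!MD5:!RC4:!3DES:!ADH
</VirtualHost>
EOF

for c in "$PERMISSIVE_CONF" "$HARDENED_CONF"; do
    echo "== $c"; audit_ssl_conf "$c" || echo "   -> weak settings present"
done
```

Running audit_ssl_conf /etc/apache2/conf.d/ssl.conf after the sed edits gives a non-zero exit while any of the permissive values is still in place, which makes it usable as a post-install check in a provisioning script.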

Best is to put the redirection inside the document root definition of port 80, and also to wrap the ssl config file in an <IfModule mod_ssl.c> conditional at its beginning.

Let's Encrypt

To obtain a real certificate, we will write a new article with complete setups!

LICENSE

CC BY-NC-SA

  • BY – Credit must be given to the creator of each content respectively, starting at the first contributor.
  • NC – Only noncommercial uses of the work are permitted, with exceptions if you file an issue here!
  • SA – Adaptations must be shared under the same terms; you must obey these terms and not change them.

For more information check the alpine/copyright.md
