We recommend always using HTTPS for web traffic, and redirecting all http requests to https.
We also suggest using HSTS (HTTP Strict Transport Security), which tells browsers that have visited the site once to go straight to https on future visits, without making the initial http request at all.
If Apache is not already running SSL for other sites, you will need to enable mod_ssl. The virtual host configuration below also uses the Header directive (mod_headers) and RewriteEngine (mod_rewrite), neither of which is enabled by default on Ubuntu, so enable all three:
sudo a2enmod ssl headers rewrite
and then:
sudo systemctl restart apache2.service
You will need an SSL certificate. You may already have one for your domain, you may purchase one commercially, or you can obtain one free of charge from Let's Encrypt using the Certbot client, as shown below.
To install Certbot on Ubuntu:
sudo apt update
sudo apt install certbot
The first time you run Certbot it will ask for a contact email address, ask you to agree to the Let's Encrypt terms of service, and offer to subscribe you to EFF updates (these prompts only appear on the first run, so they are not shown in the transcript below).
Request a certificate for your domain name; in this example let's imagine it's called zenariosite.com:
$ sudo systemctl stop apache2.service
$ sudo certbot certonly -d zenariosite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zenariosite.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/zenariosite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/zenariosite.com/privkey.pem
Your cert will expire on 2021-12-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
$ sudo systemctl start apache2.service
The example above stops Apache before running Certbot and starts it again afterwards, because the standalone authenticator (option 1) needs to bind port 80 itself and otherwise fails with "Problem binding to port 80: Could not bind to IPv4 or IPv6."; you may find this is not necessary on your server. The same applies to renewals: certbot renew with the standalone authenticator will fail while Apache is running, so either give it --pre-hook and --post-hook commands that stop and start Apache, or choose the webroot authenticator (option 2), which writes the challenge files into the site's document root and works with Apache running. The Ubuntu certbot package installs a systemd timer that runs certbot renew automatically, so a renewal that fails this way will go unnoticed until the certificate expires.
Note that before you start the process above there must be a DNS "A" record for the domain pointing to your server, and the server must be reachable from the internet on port 80, since that is where Let's Encrypt fetches the http-01 challenge.
Create an Apache virtual host file, for example called /etc/apache2/sites-available/zenariosite.conf, with these contents:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName zenariosite.com
        # HSTS is only meaningful over https; see the note on includeSubDomains below
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        ErrorLog ${APACHE_LOG_DIR}/zenariosite-error.log
        CustomLog ${APACHE_LOG_DIR}/zenariosite-access.log combined
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/zenariosite.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/zenariosite.com/privkey.pem
        DocumentRoot /var/www/clients/zenariosite/public_html
        <Directory /var/www/clients/zenariosite/public_html/>
            Options +FollowSymLinks +MultiViews -Indexes
            AllowOverride All
            # Apache 2.4 access control (replaces the 2.2-style "Order allow,deny" / "allow from all")
            Require all granted
        </Directory>
    </VirtualHost>
</IfModule>
<VirtualHost *:80>
    ServerName zenariosite.com
    ServerAlias www.zenariosite.com
    ServerAlias another-zenario-domain.com
    ServerAlias www.another-zenario-domain.com
    # Send every http request to the https site, keeping the requested path
    RewriteEngine On
    RewriteRule ^ https://zenariosite.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
The first VirtualHost section above defines how https requests are handled. Make sure the paths to the certificate and key files are correct, and note that the whole section is wrapped in <IfModule mod_ssl.c>: if mod_ssl is not enabled, Apache silently ignores it, and every http request is then redirected to an https site that does not exist. Apache reads the private key as root at startup, so the key file should be owned by root and readable by root only (mode 0600 or 0400); Certbot creates its key files this way, but if you obtained the key elsewhere, set the ownership and permissions yourself.
The line beginning Header tells browsers to use HSTS: for max-age seconds (two years here) they will rewrite any http URL for the site to https before sending the request. This also makes mistakes hard to undo, so only add includeSubDomains once every subdomain of the site serves https, and consider starting with a short max-age (a few minutes) and raising it once the https site is known to work. The Header directive requires mod_headers.
Check also that the DocumentRoot and Directory point accurately to the home directory of your Zenario installation, public_html in this example.
The second VirtualHost section redirects all http traffic for the main domain, the www subdomain and any other domain listed as a ServerAlias to the https site, appending the original request path (mod_rewrite passes the query string through as well, and the NE flag stops the path from being re-escaped). It requires mod_rewrite. The redirect target is the bare zenariosite.com because that is the only name the certificate above was issued for; if you also want https://www.zenariosite.com to work, request the certificate with an extra -d www.zenariosite.com and add a matching ServerAlias to the *:443 VirtualHost.
Further options are possible, such as restricting the SSL/TLS protocol versions and cipher suites that Apache offers, but they are not covered here.
Now disable the old virtual host, enable the new one, check the configuration syntax with apachectl configtest, and reload Apache:
$ sudo a2dissite zenariosite-http.conf
Site zenariosite-http disabled.
To activate the new configuration, you need to run:
systemctl reload apache2
$ sudo a2ensite zenariosite.conf
Enabling site zenariosite.
To activate the new configuration, you need to run:
systemctl reload apache2
$ sudo systemctl reload apache2.service
You should now be able to point your browser at your https URL, and be redirected there automatically from any of the http names listed in the configuration.
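The following script is an added example, not part of the Zenario documentation, for checking that the configuration above actually took effect: that a plain-http request gets a 301 to the same path on the https site, that the https response carries an HSTS header with a sufficiently large max-age, and that the private key is not readable by group or other. The checks parse header text, so they can be exercised offline on captured or constructed header blocks; the live_checks function issues real requests with curl and assumes the hostname zenariosite.com, the probe path /admin/?x=1 and the Certbot key location used above.

```shell
#!/bin/sh
# Post-deployment checks for the http->https redirect, HSTS and key permissions.
# Added example (not Zenario project code). The hostname, probe path and key
# path in live_checks are assumptions matching the tutorial above.

# Print a header block with CRs stripped, so CRLF output from curl parses cleanly.
_lf() { printf '%s\n' "$1" | tr -d '\r'; }

# check_redirect HEADERS EXPECTED_LOCATION
# HEADERS is the response-header block of a plain-http request, e.g. the output
# of "curl -sI http://zenariosite.com/admin/?x=1". Succeeds only if the status
# is 301 and the Location header is exactly EXPECTED_LOCATION, i.e. the
# RewriteRule preserved the request path and query string.
check_redirect() {
    status=$(_lf "$1" | head -n 1 | awk '{print $2}')
    location=$(_lf "$1" | awk 'tolower($1) == "location:" {print $2; exit}')
    [ "$status" = "301" ] && [ "$location" = "$2" ]
}

# check_hsts HEADERS MIN_MAX_AGE
# HEADERS is the response-header block of an https request. Succeeds if a
# Strict-Transport-Security header is present with max-age >= MIN_MAX_AGE seconds.
check_hsts() {
    hsts=$(_lf "$1" | awk 'tolower($1) == "strict-transport-security:" {sub(/^[^:]*:[ \t]*/, ""); print; exit}')
    [ -n "$hsts" ] || return 1
    age=$(printf '%s\n' "$hsts" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge "$2" ]
}

# check_key_mode KEYFILE
# Succeeds if the private key (following Certbot's live/ symlink) has no
# group or other permission bits. Apache reads the key as root at startup,
# so nothing else needs access to it.
check_key_mode() {
    [ -e "$1" ] || return 1
    bits=$(ls -ldL -- "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# live_checks HOST: run the three checks against a deployed site (needs curl).
live_checks() {
    host=$1
    http_hdrs=$(curl -sI --max-time 10 "http://$host/admin/?x=1")
    if check_redirect "$http_hdrs" "https://$host/admin/?x=1"; then
        echo "redirect: ok"
    else
        echo "redirect: FAILED (expected 301 to https://$host/admin/?x=1)"
    fi
    https_hdrs=$(curl -sI --max-time 10 "https://$host/")
    if check_hsts "$https_hdrs" 31536000; then
        echo "hsts: ok"
    else
        echo "hsts: FAILED (no Strict-Transport-Security with max-age >= 1 year)"
    fi
    if check_key_mode "/etc/letsencrypt/live/$host/privkey.pem"; then
        echo "key permissions: ok"
    else
        echo "key permissions: FAILED (key missing, or readable by group/other)"
    fi
}

# Usage: sh check_https.sh zenariosite.com
if [ -n "${1:-}" ]; then
    live_checks "$1"
fi
```

Run it on the server (so the key check can see /etc/letsencrypt) after the reload; a redirect that answers 200, or an HSTS check that fails, usually means mod_rewrite or mod_headers is not enabled, or that the https VirtualHost was skipped by the <IfModule mod_ssl.c> wrapper.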