LAMP-Securing Your Web Server With SSL

Hello and welcome! In my previous post on the LAMP web server, I discussed its installation and configuration in a CentOS environment. Today I'm writing about how to set up an SSL certificate for our website, along with a few other security-related configurations.

Installing SSL Certificate

First of all, let’s install mod_ssl package from MOD Security. It’s done in CentOS as follows:

[code][root@web ~]# yum -y install mod_ssl[/code]

Then, let’s create a directory where we’ll keep our SSL certificates.

[code][root@web ~]# mkdir /etc/httpd/ssl[/code]

Now, let's generate a self-signed certificate for our web server.

[code][root@web ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/my-certificate.key -out /etc/httpd/ssl/my-certificate.crt[/code]

Here, openssl is the tool that generates the SSL certificate. x509 is an important standard for Public Key Infrastructure (PKI). Similarly, 365 is the number of days this certificate is valid for. rsa:2048 is the length of the private key used by this certificate; you can choose 1024, 2048 or 4096 depending on your preference for security versus performance. Lastly, my-certificate.key is the file containing the private key and my-certificate.crt is the file containing the self-signed certificate. You can name these files as you like.

Now that our self-signed SSL certificate is ready, let's put it to use. To do so, modify the corresponding conf file so that it contains the correct DocumentRoot and ServerName statements within <VirtualHost _default_:443>, and make sure the key and certificate files generated above are referenced in this conf file.

[code language="bash"][root@web ~]# vi /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html/test"
    ServerName test.sajjan.com.np:443
    # Enable TLS for this virtual host and point it at the self-signed pair generated above
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/my-certificate.crt
    SSLCertificateKeyFile /etc/httpd/ssl/my-certificate.key
</VirtualHost>[/code]

Now the apache daemon needs to be restarted in order to start serving over SSL. But before I do that, I need to allow the new HTTPS service (port 443) through my firewall. Since I'm using firewalld on CentOS 7, I do the following; you may need to configure your own firewall accordingly.

[code][root@web ~]# firewall-cmd --permanent --zone=public --add-service=https
[root@web ~]# firewall-cmd --reload
[root@web ~]# systemctl restart httpd[/code]

After the restart completes, we can verify that SSL encryption is in use by browsing to our website over https. Since this is a self-signed certificate, most web browsers will display a warning; we can skip the warning and keep using HTTPS. This is acceptable if our web applications are used only internally or inside a private network. But there may be cases where we need to host websites publicly, and in that case we should use commercial or third-party signed certificates. There is now also the option of an open-source Certificate Authority, Let's Encrypt, which can be used freely and openly. It comes with an automation tool called Certbot that lets us easily obtain and deploy SSL certificates on our web servers.
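As an added check that is not part of the original post, the script below generates a self-signed pair with the same openssl command as above (into a temporary directory rather than /etc/httpd/ssl, with a placeholder hostname) and then verifies what is worth confirming before restarting httpd: that the private key actually belongs to the certificate, that the key is at least 2048 bits, and that the certificate is not close to expiry.

```shell
#!/bin/sh
# Added example: generate a self-signed pair the way the post does (into a
# temp dir instead of /etc/httpd/ssl) and verify it before pointing ssl.conf
# at the files. The hostname in -subj is a placeholder.
set -eu

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"      # stand-in for /etc/httpd/ssl
KEY="$SSL_DIR/my-certificate.key"
CRT="$SSL_DIR/my-certificate.crt"

# Same openssl command as the post; -subj makes it non-interactive.
make_self_signed() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$KEY" -out "$CRT" -subj "/CN=test.example.com" 2>/dev/null
}

# check_cert_pair KEY CRT: returns 0 only if the key belongs to the cert,
# the RSA key is at least 2048 bits and the cert stays valid for 30+ days.
check_cert_pair() {
    key="$1"; crt="$2"
    # A key/cert mismatch makes httpd refuse to start: compare the public keys.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl md5)
    [ "$key_pub" = "$crt_pub" ] || { echo "key does not match certificate"; return 1; }
    # Key length from the cert text ("Public-Key: (2048 bit)"); reject 1024-bit keys.
    bits=$(openssl x509 -in "$crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key too short: ${bits:-?} bits"; return 1; }
    # Browsers reject expired certs; -checkend takes seconds, so warn 30 days ahead.
    openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
        || { echo "certificate expires within 30 days"; return 1; }
    echo "ok: $crt valid, key matches, ${bits}-bit RSA"
}

make_self_signed
check_cert_pair "$KEY" "$CRT"
```

Run it against the real files with `SSL_DIR=/etc/httpd/ssl` and call only check_cert_pair if the pair already exists.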

Redirect HTTP to HTTPS

After deploying the SSL certificate on the server, we want all of our web traffic to be encrypted and secured. However, some users may not be aware of security and may continue to use a plain HTTP connection. In that case we enforce SSL encryption for all users by redirecting any HTTP traffic to HTTPS. This can be done by adding the following lines to the httpd.conf file.

[code language="bash"][root@web ~]# vi /etc/httpd/conf/httpd.conf
RewriteEngine On
# Any request that did not arrive over HTTPS is sent to the same URL over HTTPS
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent; L stops further rewrite processing
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L][/code]

Turn Off Displaying the Server Signature

Since attackers can tailor their attacks to the server version and signature, it's best practice to stop displaying the server's signature to users. In Apache, this is done by appending the following lines to the httpd.conf file.

[code language="bash"][root@web ~]# vi /etc/httpd/conf/httpd.conf
ServerSignature Off
ServerTokens Prod[/code]

Suppress PHP Errors

Although it is essential to display the error and warning messages generated by a web application during development, it can be very dangerous to display them in production. These outputs can leak sensitive information about the application and database, which can ultimately help attackers compromise your application and, in the worst case, your business as well. Therefore it is crucial to suppress these error and warning messages from being displayed to users in production. This can be done at the application level by writing code to handle errors, and it can be suppressed globally by setting the error_reporting statement to Off in the php.ini file.
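To confirm that the redirect, server-signature and PHP error settings from the three sections above are really in effect, the added script below (not part of the original post) reads the effective value of each directive the way Apache and PHP do, ignoring commented-out lines and taking the last occurrence. It audits constructed sample files in a temporary directory; the real paths on CentOS would be /etc/httpd/conf/httpd.conf and /etc/php.ini, and for PHP it checks display_errors, which is the php.ini directive that controls what is shown in the browser.

```shell
#!/bin/sh
# Added example: audit copies of httpd.conf and php.ini for the settings this
# post recommends. Sample files are constructed below in a temp dir.
set -eu
WORK=$(mktemp -d)
# Constructed sample: ServerTokens is present but commented out, which a
# naive grep would wrongly count as configured; display_errors is still On.
cat > "$WORK/httpd.conf" <<'EOF'
ServerSignature Off
#ServerTokens Prod
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
cat > "$WORK/php.ini" <<'EOF'
display_errors = On
log_errors = On
EOF
# effective_value FILE DIRECTIVE: last uncommented occurrence wins; empty if absent.
effective_value() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }                     # comment lines do not count
        {
            sub(/^[ \t]+/, "")
            k = $0; sub(/[ \t=].*$/, "", k)        # directive name
            if (tolower(k) == tolower(d)) {
                v = $0; sub(/^[^ \t=]+[ \t=]+/, "", v); sub(/[ \t]+$/, "", v)
            }
        }
        END { print v }' "$1"
}
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
# check FILE DIRECTIVE EXPECTED: case-insensitive compare of the effective value.
check() {
    got=$(effective_value "$1" "$2")
    [ "$(lc "$got")" = "$(lc "$3")" ] && { echo "PASS $2 = $got"; return 0; }
    echo "FAIL $2 = '${got:-<unset>}' (want $3)"; return 1
}
# audit HTTPD_CONF PHP_INI: exit status is the number of failed checks.
audit() {
    fails=0
    check "$1" ServerSignature Off          || fails=$((fails + 1))
    check "$1" ServerTokens Prod            || fails=$((fails + 1))
    check "$1" RewriteCond '%{HTTPS} off'   || fails=$((fails + 1))
    check "$2" display_errors Off           || fails=$((fails + 1))
    check "$2" log_errors On                || fails=$((fails + 1))
    return "$fails"
}
audit "$WORK/httpd.conf" "$WORK/php.ini" || echo "$? setting(s) need attention"
```

With the constructed files the audit reports two failures: the commented-out ServerTokens and display_errors still set to On.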

There is a huge array of security threats to web applications and servers, not all of which could be covered in this post. However, I've attempted to shed some light on a few of them here and hope to cover more in future posts. I hope this has been useful. Please let me know of any suggestions or queries in the Comments section below. Thank you!

