As Ubuntu 16.04 LTS has been superseded by the new LTS version 18.04, we need to update some of our older guides written for the now less-used release. In a previous guide, we showed the steps to install Percona MySQL server on Ubuntu 18.04 LTS. Here is a detailed guide on how to install Apache2 on Ubuntu 18.04 with Let’s Encrypt, HTTP/2 and HSTS, with the commands and configurations for the most secure setup. Of course, we have an Apache2 installation guide for Ubuntu 16.04 with Let’s Encrypt, HTTP/2 and HSTS as well. If you search our site with the keyword “Apache2”, you’ll find many optimization guides. We tried to keep this guide as easy yet detailed as possible.
We are assuming a 2GB RAM cloud server running LAMP (Apache, MySQL, PHP) and giving the settings for it. You should adjust the settings based on your RAM and performance needs.
Steps To Install Apache2 on Ubuntu 18.04 With Let’s Encrypt, HTTP/2, HSTS
To install a free Let’s Encrypt SSL/TLS certificate, you need to point the domain in question, for example jima.in, to the server IP from the DNS service you are using, such as Hurricane Electric DNS or a paid DNS like Rage4 DNS or Dyn DNS. Make sure DNS has propagated. In an earlier article, we discussed the DNS CAA record and an example of implementing a DNS CAA record on Dyn DNS. If you do not explicitly allow Let’s Encrypt in DNS, nothing happens. But if you block Let’s Encrypt by having a CAA record that does not mention it, the Let’s Encrypt tool will fail. There are various formats of TLS certificate for advanced users, like an ECC (ECDSA) SSL certificate. We are not showing those, but a basic method which is robust enough. You should definitely try different tweaks later.
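As an added example (not part of the original guide), here is a small POSIX shell script that reads CAA records and decides whether Let’s Encrypt may issue for a name, which is the check to run before calling the Let’s Encrypt tool. The `caa_allows_ca` function, the `dig`-based `caa_check_live` wrapper and the sample record lines are my own constructions; the only assumption about your system is that `dig` (from dnsutils) is installed for the live lookup.

```shell
#!/bin/sh
# Added example, not code from the original guide.
# Decide from CAA records whether a given CA (here letsencrypt.org) is
# permitted to issue for a name. Rules: no CAA records at all means any
# CA may issue; if records exist, an "issue" (or "issuewild") tag naming
# the CA is required, otherwise issuance is blocked.

# caa_allows_ca CA_DOMAIN  < record-lines
# Reads dig-style CAA record lines on stdin, e.g.
#   jima.in.  300  IN  CAA  0 issue "letsencrypt.org"     (constructed sample)
# and prints "allowed" or "blocked".
caa_allows_ca() {
    ca_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    records=$(grep -Ei '[[:space:]]CAA[[:space:]]' || true)
    if [ -z "$records" ]; then
        echo allowed          # no CAA record: not restricted
        return 0
    fi
    # issuewild only governs wildcard names; treating it like issue is a
    # deliberate simplification for this check.
    if printf '%s\n' "$records" |
       grep -Eiq "CAA[[:space:]]+[0-9]+[[:space:]]+issue(wild)?[[:space:]]+\"${ca_re}[\";]"; then
        echo allowed
    else
        echo blocked          # CAA present but this CA is not listed (or issue ";")
    fi
}

# caa_check_live DOMAIN
# CAA is inherited from the closest ancestor that has records, so query the
# name and then each parent label until something answers.
caa_check_live() {
    name="$1"
    while [ -n "$name" ]; do
        short=$(dig +short CAA "$name" 2>/dev/null || true)
        if [ -n "$short" ]; then
            # dig +short prints '0 issue "ca"'; prefix it so caa_allows_ca's grep matches
            printf '%s\n' "$short" | sed "s/^/$name. IN CAA /" | caa_allows_ca letsencrypt.org
            return 0
        fi
        case "$name" in
            *.*) name=${name#*.} ;;
            *)   name= ;;
        esac
    done
    echo allowed   # no CAA anywhere up the tree
}

# Usage on a live domain:  caa_check_live jima.in
```

If the result is "blocked", add an `issue "letsencrypt.org"` CAA record (or remove the restrictive one) and wait for propagation before running certbot; if it is "allowed", a certbot failure has a different cause.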
---
We will install Apache2 from Ondřej Surý’s PPA, which provides a tweaked, newer build:

```sh
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:ondrej/apache2   # hit enter/return key to accept
```
Run:

```sh
apt update -y
apt upgrade -y
```
Your OpenSSL will also get upgraded from Ondřej Surý’s PPA. Now proceed to install Apache2:

```sh
sudo apt-get install apache2
```
Enable some needed modules:

```sh
a2enmod http2
systemctl restart apache2
a2enmod ssl
systemctl restart apache2
a2ensite default-ssl
systemctl restart apache2
```
Now, we need to add the PPA of Certbot (historically, Certbot was the Let’s Encrypt client):

```sh
sudo add-apt-repository ppa:certbot/certbot
apt update -y
apt upgrade -y
sudo apt install python-certbot-apache
```
Open:

```sh
nano /etc/apache2/apache2.conf
```

Find the line KeepAlive (CTRL+W gives the search option in Nano). The settings will be:

```apache
KeepAlive On
MaxKeepAliveRequests 50
KeepAliveTimeout 5
```
Here is the reference:

https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
Now open:

```sh
nano /etc/apache2/mods-available/mpm_prefork.conf
```

Apache has two main multi-processing modules (MPMs): the prefork module and the event module. We are tweaking and activating prefork. Keep the settings like below:

```apache
<IfModule mpm_prefork_module>
    StartServers            4
    MinSpareServers         3
    MaxSpareServers         40
    MaxRequestWorkers       200
    MaxConnectionsPerChild  10000
</IfModule>
```
Disable the event module, enable prefork and restart Apache2:

```sh
sudo a2dismod mpm_event
sudo a2enmod mpm_prefork
sudo systemctl restart apache2
```
Now, go to /etc/apache2/sites-available/ and run ls -al:

```sh
cd /etc/apache2/sites-available/
ls -al
```
There will be two files: 000-default.conf and default-ssl.conf. Run the cat command on each file and you’ll see the well-documented examples. It is practical to copy the default files to meaningfully named ones:

```sh
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-jima.in.conf
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/jima.in-ssl.conf
```
You have to configure handling for these four URLs:

```text
http://jima.in
http://www.jima.in
https://www.jima.in
https://jima.in
```
It is practical to have four files with an understandable name for each. You can activate any configuration with this command:

```sh
sudo a2ensite jima.in-ssl.conf
```

You can deactivate any configuration with this command:

```sh
sudo a2dissite 000-default.conf
```

You have to reload following that action:

```sh
sudo systemctl reload apache2
```

You can always test the configuration with:

```sh
sudo apache2ctl configtest
```
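To show how the plain-HTTP side of those four URLs can be handled in one of the site files, here is an added example (my own, not a file from the guide): a POSIX shell function that renders a port-80 VirtualHost for the domain and its www alias and redirects every request to the canonical HTTPS name, plus a `write_vhost` helper that drops it into a sites-available directory. The `redirect_vhost` and `write_vhost` names, the per-domain log file names and the output path `000-<domain>.conf` are my choices; the DocumentRoot follows the directory created earlier in the guide.

```shell
#!/bin/sh
# Added example, not code from the original guide.
# redirect_vhost DOMAIN: print an Apache 2.4 port-80 VirtualHost that answers
# for http://DOMAIN and http://www.DOMAIN and redirects to https://DOMAIN/.
# The TLS VirtualHost (port 443) is the separate jima.in-ssl.conf file.
redirect_vhost() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot /var/www/html/${domain}

    # Permanent (301) redirect of every path to the canonical HTTPS host.
    # Browsers that already saw the HSTS header never reach this vhost.
    Redirect permanent / https://${domain}/

    ErrorLog \${APACHE_LOG_DIR}/${domain}-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-access.log combined
</VirtualHost>
EOF
}

# write_vhost DOMAIN [DIR]: write the rendered vhost to DIR/000-DOMAIN.conf
# (DIR defaults to Apache's sites-available) and print the path written.
write_vhost() {
    domain="$1"
    dir="${2:-/etc/apache2/sites-available}"
    out="$dir/000-$domain.conf"
    redirect_vhost "$domain" > "$out"
    printf '%s\n' "$out"
}

# Usage:
#   sudo sh -c '. ./vhost.sh; write_vhost jima.in'
#   sudo a2ensite 000-jima.in.conf && sudo apache2ctl configtest && sudo systemctl reload apache2
```

Review the rendered text before enabling it (`redirect_vhost jima.in` prints it to the terminal). Note that `certbot --apache` also offers to add an equivalent HTTP-to-HTTPS redirect when it installs the certificate; use one mechanism or the other, not both.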
For one site, the default /var/www/html directory is enough. For multiple sites, you need to create separate directories:

```sh
sudo mkdir -p /var/www/html/jima.in
sudo chown -R www-data:www-data /var/www/html/jima.in
sudo chmod -R 755 /var/www/html/jima.in
```
You can put a sample index.html page inside that directory using nano. Your directory path should be reflected in configuration files like jima.in-ssl.conf.

This is a basic HTML page:

```html
<html>
  <head>
    <title>Well Done!</title>
  </head>
  <body>
    <h1>Success! You created server block!</h1>
  </body>
</html>
```
After that basic setup, you need to run this command to generate the TLS certificate:

```sh
sudo certbot --apache -d jima.in -d www.jima.in
```
Now, let us edit that jima.in-ssl.conf file:

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    Protocols http/1.1 h2
    ServerName jima.in
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/jima.in
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/jima.in/fullchain.pem
    ...
```
Now, if you test for HTTP/2 somewhere, you’ll get it. For adding different headers, you need to activate a module:

```sh
a2enmod headers
```

Restart Apache2 for it to take effect:

```sh
systemctl restart apache2
# sudo systemctl restart apache2.service
```
Open the /etc/letsencrypt/options-ssl-apache.conf file:

```sh
nano /etc/letsencrypt/options-ssl-apache.conf
```

That file should look like this (fill in the SSLCipherSuite line with a current cipher list):

```apache
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite (find latest cipher suitable for you and add here)
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
```
We will generate a Diffie-Hellman parameter file (the command will take some time to finish):

```sh
# mkdir -p /etc/ssl/private/   # only if the directory does not exist yet
cd /etc/ssl/private/
sudo openssl dhparam -out dhparam.pem 2048
```
We can wget this certificate for OCSP stapling:

```sh
cd /etc/ssl/private/
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
```
You should read our previous guides on HTTP Public Key Pinning (HPKP), the previous Apache2 guide, OCSP stapling, OCSP stapling error prevention and related articles.
Run:

```sh
apachectl -t
```

after each change you make to a configuration file like our jima.in-ssl.conf file.
That jima.in-ssl.conf file will look like this:

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    Protocols http/1.1 h2
    ServerName jima.in
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/jima.in
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/jima.in/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jima.in/privkey.pem
    ### For paid SSL follow their guide for cert installation
    # SSLCertificateFile /etc/ssl/private/public.crt
    # SSLCertificateKeyFile /etc/ssl/private/private.key
    # SSLCertificateChainFile /etc/ssl/private/intermediate.crt
    ### End third party SSL cert block

    # Must point at the file generated with "openssl dhparam" above
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparam.pem"
    SSLOpenSSLConfCmd ECDHParameters secp384r1
    SSLOpenSSLConfCmd Curves secp521r1:secp384r1

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

    Include /etc/letsencrypt/options-ssl-apache.conf

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/html>
        # Indexes enables directory listings; drop it unless you want them
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        # Apache 2.4 syntax (the 2.2 "Order allow,deny / allow from all" needs mod_access_compat)
        Require all granted
    </Directory>
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
```
If you want the Expect-CT header, then the block will look like this:

```apache
...
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    # HPKP: a wrong or stale pin locks visitors out of your site for max-age, so always keep a backup pin
    Header always set Public-Key-Pins 'pin-sha256="add-your-pin"; pin-sha256="add-your-another-pin"; max-age=5184000; includeSubDomains'
    Header set X-XSS-Protection "1; mode=block"
    Header set Expect-CT "enforce; max-age=3600"
    Header set Referrer-Policy "origin"
    FileETag None

    Include /etc/letsencrypt/options-ssl-apache.conf

    <Directory />
```
Work slowly and get everything working. Afterwards, test on:

```text
https://www.ssllabs.com/ssltest/analyze.html
https://securityheaders.io
```
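Before (or between) those online scans, you can check the header block locally. The following is an added example (my own script, not part of the guide or of any tool it mentions): a POSIX shell checker that reads response headers from stdin, verifies HSTS directive by directive, and confirms the X-Content-Type-Options, X-Frame-Options and cookie flags set in the jima.in-ssl.conf above. Checking HSTS token by token matters because a misspelled directive such as `includeSubDomainsi` is silently ignored by browsers, leaving subdomains unprotected while the header "looks" present. The function names, the one-year max-age threshold (the preload list minimum, and the guide’s own value) and the sample header lines are my constructions.

```shell
#!/bin/sh
# Added example, not code from the original guide.
# Live use:  curl -sI https://jima.in | check_headers
# (curl -sI sends HEAD; a site that only sets cookies on GET needs curl -s -D - -o /dev/null instead.)

# header_value NAME: value of the first header called NAME (case-insensitive),
# with leading whitespace and any trailing CR removed.
header_value() {
    grep -i "^$1:" | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//; s/\r$//'
}

lower() { tr 'A-Z' 'a-z'; }

# check_headers: reads a response header block on stdin, prints one FAIL line
# per problem and returns the number of problems (0 = everything passed).
check_headers() {
    headers=$(cat)
    fails=0

    # 1. Strict-Transport-Security: only known directives, max-age >= 1 year,
    #    and includeSubDomains actually present (not just a look-alike token).
    hsts=$(printf '%s\n' "$headers" | header_value Strict-Transport-Security)
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header"; fails=$((fails+1))
    else
        subdomains=0; have_age=0
        for d in $(printf '%s' "$hsts" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'); do
            dl=$(printf '%s' "$d" | lower)
            case "$dl" in
                max-age=*)
                    have_age=1; age=${dl#max-age=}
                    [ "$age" -ge 31536000 ] 2>/dev/null || { echo "FAIL: HSTS max-age '$age' is below one year"; fails=$((fails+1)); }
                    ;;
                includesubdomains) subdomains=1 ;;
                preload) ;;
                *) echo "FAIL: unknown HSTS directive '$d' (typo?)"; fails=$((fails+1)) ;;
            esac
        done
        [ "$have_age" -eq 1 ] || { echo "FAIL: HSTS has no max-age"; fails=$((fails+1)); }
        [ "$subdomains" -eq 1 ] || { echo "FAIL: HSTS lacks includeSubDomains"; fails=$((fails+1)); }
    fi

    # 2. X-Content-Type-Options must be exactly nosniff
    xcto=$(printf '%s\n' "$headers" | header_value X-Content-Type-Options | lower)
    [ "$xcto" = nosniff ] || { echo "FAIL: X-Content-Type-Options is '$xcto', expected nosniff"; fails=$((fails+1)); }

    # 3. X-Frame-Options must be SAMEORIGIN or DENY
    xfo=$(printf '%s\n' "$headers" | header_value X-Frame-Options | lower)
    case "$xfo" in
        sameorigin|deny) ;;
        *) echo "FAIL: X-Frame-Options missing or weak ('$xfo')"; fails=$((fails+1)) ;;
    esac

    # 4. every Set-Cookie must carry both HttpOnly and Secure (what the Header edit rule adds)
    bad_cookies=$(( $(printf '%s\n' "$headers" | grep -i '^Set-Cookie:' | grep -Eiv 'httponly.*secure|secure.*httponly' | wc -l) ))
    [ "$bad_cookies" -eq 0 ] || { echo "FAIL: $bad_cookies Set-Cookie header(s) without HttpOnly+Secure"; fails=$((fails+1)); }

    if [ "$fails" -eq 0 ]; then
        echo "OK: all header checks passed"
    fi
    return "$fails"
}
```

A non-zero exit status makes the function usable as a gate in a deployment script (`curl -sI https://jima.in | check_headers || exit 1`), so a regression in the header configuration is caught before the next online scan.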
Of course, you can also use the HTTP/2 server push feature with Apache2.
Always keep your settings files somewhere like a GitHub repo. Unless you have a whole-server backup, their loss is a terrible loss. If you face trouble in the setup, ask on Q&A sites like StackExchange or ServerFault, pointing out which step you have messed up. Apache2 is a heavily used webserver and the whole world knows about its common errors.