Sharing a Port For HTTPS using SSLH
I had the need to share port 433 for two applications. After trying lots of haproxy and sslh, I ended up choosing sslh due to its simplicity.
Without rewriting anything, the article below was very helpful:
After installing the SSL certificate (cPanel and Let's Encrypt provide free SSL certificates), the next step is redirecting http:// traffic to https://.
Using the hosting control panel's redirect facility results in a redirect loop, so instead add the following lines at the end of the .htaccess file in the document root of the domain:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
H/T to http://www.webhostinghub.com/help/learn/website/ssl/force-website-to-use-ssl
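As an added illustration (not from the original post), the Python below models the two behaviours the paragraph contrasts: a redirect applied to every request regardless of port, which sends an https:// request back to itself and loops, and the .htaccess rule above, which only fires when the request arrived on port 80. follow() detects a loop by remembering the URLs already visited. live_fetch is a hypothetical helper that plugs a real HEAD request (with urllib's automatic redirect-following disabled) into the same loop detector; the host name www.yourdomain.com comes from the rewrite rule above and the sample paths are constructed.

```python
"""Redirect-chain follower with loop detection (added example, not from the original post)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 307, 308}
HOST = "www.yourdomain.com"  # placeholder host taken from the rewrite rule above


def redirect_unconditionally(url):
    """Models a redirect rule applied to every request regardless of port:
    an https:// request is sent to its own https:// URL again, which loops."""
    p = urlsplit(url)
    return 301, urlunsplit(("https", HOST, p.path, p.query, ""))


def redirect_port_80_only(url):
    """Models the .htaccess rule: RewriteCond %{SERVER_PORT} 80 limits the
    redirect to plain-http requests, so the https:// request is served (200)."""
    p = urlsplit(url)
    if p.scheme == "http":
        return 301, urlunsplit(("https", HOST, p.path, p.query, ""))
    return 200, None


def follow(fetch, url, max_hops=10):
    """Follow redirects reported by fetch(url) -> (status, location).

    Returns (final_status, chain) where chain lists every URL requested.
    A revisited URL, or more than max_hops redirects, yields status "loop".
    """
    chain = [url]
    seen = {url}
    while True:
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return status, chain
        nxt = urljoin(url, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen or len(chain) > max_hops + 1:
            return "loop", chain
        seen.add(nxt)
        url = nxt


class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url):
    """Hypothetical fetch() for follow(): HEAD a real URL, report status and Location."""
    opener = urllib.request.build_opener(_NoAutoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:  # 3xx (and 4xx/5xx) arrive here
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    start = "http://%s/page?x=1" % HOST
    print(follow(redirect_port_80_only, start))    # (200, [http..., https...])
    print(follow(redirect_unconditionally, start))  # ('loop', [http..., https..., https...])
```

To check a real domain after editing .htaccess, call follow(live_fetch, "http://www.yourdomain.com/") and confirm the chain is one hop from http:// to https:// ending in 200; a "loop" result means the control panel redirect is still active alongside the rewrite rule.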
Let’s Encrypt is a new certificate authority (CA) offering free and automated SSL/TLS certificates. Certificates issued by Let’s Encrypt are trusted by most browsers in production today, including Internet Explorer on Windows Vista. Simply download and run the Let’s Encrypt client to generate a certificate.
(there are a few more steps than that, of course, though not many)
Step 1: Download LetsEncrypt
Install git if you haven’t done so yet:
# apt-get install git
Use git to get the application and store it somewhere (e.g. /opt):
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Step 2: Webroot Plugin
The Webroot plugin works by placing a special file in the /.well-known directory within your document root, which is then fetched (through your web server) by the Let's Encrypt service for validation.
Depending on your configuration, you may need to explicitly allow access to the /.well-known directory.
location /.well-known {
    alias /home/user/webapps/appname/.well-known;
}
Restart Nginx:
$ sudo service nginx restart
Step 3: Generate your certificate and Strong Diffie-Hellman Group
The first time you run the command below, you will be asked to provide an e-mail address to be associated with the domain or subdomain, in case you should ever need to recover the key or something.
The next time you run the same command (to renew the certificate) it won’t be asked.
So run the following command to generate the certificate:
$ sudo /opt/letsencrypt/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default \
    --webroot-path=/home/user/webapps/appname \
    -d website.com [-d sub.website.com] \
    --email=email@website.com
Then generate a strong Diffie-Hellman group.
This may take a few minutes but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Step 4: Configuring Nginx
After running the command that generates the certificates, you should have several files in /etc/letsencrypt/live/website.com/ (replace website.com by your own domain).
We are going to need just two of them for Nginx: fullchain.pem and privkey.pem.
Comment out or delete the lines that configure this server block to listen on port 80.
The beginning of your server block should look like this:
server {
    server_name website.com www.website.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
    # For Safari and iOS devices
    ssl_session_cache shared:SSL:20m;
    # Diffie-Hellman group
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
Lastly, outside the original server block (the one listening on HTTPS, port 443), add this server block to redirect HTTP (port 80) to HTTPS:
server {
    listen 80;
    server_name website.com www.website.com;
    return 301 https://$host$request_uri;
}
Put the changes into effect by restarting Nginx:
$ sudo service nginx restart
The Let’s Encrypt TLS/SSL certificate is now in place.
At this point, you should test that the TLS/SSL certificate works by visiting your domain over HTTPS in a web browser.
You can use the Qualys SSL Labs Report to see how your server configuration scores:
https://www.ssllabs.com/ssltest/analyze.html?d=website.com
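Before handing a host to an external scanner, the settings from Step 4 can be linted offline. The Python below is an added example (not from the original article or the nginx project): it reads a flat server block, pulls out the TLS directives, and reports the points a scanner would mark down: legacy protocol versions in ssl_protocols, 3DES/RC4/MD5 suites left enabled in ssl_ciphers, ssl_prefer_server_ciphers or ssl_dhparam absent, OCSP stapling off, and an HSTS max-age shorter than the six months (15768000 seconds) used above. PAGE_LIKE_CONF is a constructed copy of the block above with the cipher list abbreviated; HARDENED_CONF is the same block with TLSv1/TLSv1.1 and the 3DES suite removed and includeSubDomains added to HSTS, so the two results can be compared side by side.

```python
"""Offline lint of an nginx TLS server block (added example, not from the original article)."""
import re

# Constructed sample mirroring the server block above (cipher list abbreviated).
PAGE_LIKE_CONF = """
server {
    server_name website.com www.website.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
    ssl_session_cache shared:SSL:20m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5';
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
}
"""

# Constructed hardened variant: modern protocols only, no 3DES, HSTS with includeSubDomains.
HARDENED_CONF = """
server {
    server_name website.com www.website.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
    ssl_session_cache shared:SSL:20m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5';
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")
MIN_HSTS_MAX_AGE = 15768000  # six months, the value used on this page


def parse_directives(conf):
    """Return {directive: [args, ...]} for a flat server block; nested blocks are skipped.
    Assumes no '#' inside argument values (a '#' starts a comment)."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, args = line.rstrip(";").partition(" ")
        directives.setdefault(name, []).append(args.strip().strip("'\""))
    return directives


def lint_tls(conf):
    """Return a list of findings (empty list means nothing to report)."""
    d = parse_directives(conf)
    findings = []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no modern protocol (TLSv1.2/TLSv1.3) enabled")
    if d.get("ssl_prefer_server_ciphers", ["off"])[-1] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing (no custom DH group configured)")
    for spec in d.get("ssl_ciphers", []):
        for token in spec.split(":"):
            if token.startswith("!"):  # '!' tokens are exclusions, not enabled suites
                continue
            if any(marker in token for marker in WEAK_CIPHER_MARKERS):
                findings.append("weak cipher enabled: " + token)
    if d.get("ssl_stapling", ["off"])[-1] != "on":
        findings.append("OCSP stapling is off")
    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1])
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below %d" % MIN_HSTS_MAX_AGE)
    return findings


if __name__ == "__main__":
    print("page-like:", lint_tls(PAGE_LIKE_CONF))  # legacy protocols + DES-CBC3-SHA
    print("hardened: ", lint_tls(HARDENED_CONF))   # []
```

Pointing lint_tls at the contents of your real server file (open(path).read()) before the restart catches the two findings the block above produces, TLSv1/TLSv1.1 and the DES-CBC3-SHA suite, without any network access; the SSL Labs scan then confirms what the live server negotiates.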
Step 5: Automate the Certificate Renewal
Edit the crontab to create a new job that will run the renewal command every week.
$ sudo crontab -e
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload
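The renew command only replaces the certificate when it is close to expiry, and the reload five minutes later is what makes nginx serve the new file, so the useful check is on what the server actually presents, not on the files on disk. The Python below is an added example (not from the original article or the Let's Encrypt project): served_not_after() opens a verified TLS connection and reads the notAfter date of the certificate nginx is serving, days_until_expiry() turns that string into whole days, and renewal_due() applies the 30-day threshold, which is assumed here to be the client's renewal default. The host name website.com is the placeholder used on this page; the dates in the test are constructed.

```python
"""Check the served certificate's expiry after the renewal cron job (added example)."""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: the client renews once 30 days or fewer remain on the certificate.
RENEW_WITHIN_DAYS = 30


def utc(*ymd_hms):
    """Build a timezone-aware UTC datetime from (year, month, day[, h, m, s])."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate (negative once it has expired).

    not_after is the 'notAfter' string as returned by ssl.getpeercert(),
    e.g. 'Jan 31 12:00:00 2024 GMT'; now defaults to the current UTC time.
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expiry_ts - now_ts) // 86400)


def renewal_due(not_after, now=None):
    """True when the client would (or should already have) renewed."""
    return days_until_expiry(not_after, now) <= RENEW_WITHIN_DAYS


def served_not_after(host, port=443):
    """notAfter of the certificate the server actually presents, with the chain
    and hostname verified, so a renewed file that nginx never reloaded shows up."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "website.com"  # placeholder from the page
    not_after = served_not_after(host)
    left = days_until_expiry(not_after)
    print("%s expires %s (%d days left); renewal due: %s" % (host, not_after, left, renewal_due(not_after)))
```

Run it on Monday after 02:35: the number of days left should jump back up to about 90 once the certificate had 30 or fewer remaining. If renewal_due stays True week after week, either the renew command is failing (see /var/log/le-renew.log) or nginx was not reloaded and is still serving the old certificate.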