
Feature : apache example ? #79

Closed
jordila opened this issue Jan 29, 2016 · 10 comments

Comments

@jordila

commented Jan 29, 2016

Ummhh.. Maybe am I overlooking something. Doesn't matter, just let me ask ... could Apache servers willing to use acme-tiny have their little place in the acme-tiny documentation, in "an example" kind of way? I'm willing to participate!

thanks beforehand

@csware


commented Jan 31, 2016

With apache one could use the following definition:

<IfModule mod_headers.c>
 <LocationMatch "/.well-known/acme-challenge/*">
  Header set Content-Type "text/plain"
 </LocationMatch>
</IfModule>
<Directory "/var/www/letsencrypt/">
 SetHandler none
 AllowOverride None
 Order allow,deny
 Allow from all
</Directory>
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

If one puts this outside a virtual host (e.g., in /etc/apache2/conf-enabled/le.conf on Debian), it can be used as a single location for ALL virtual hosts.

@PhrozenByte


commented Jan 31, 2016

@csware: SetHandler none has no effect (specifically, it tells Apache to ignore a previously forced handler; you're probably searching for SetHandler default-handler). Instead of mod_headers, one should use the ForceType core directive, which incidentally also bypasses all handlers (i.e. SetHandler isn't necessary at all).

Additionally, directory listing should be disabled explicitly and no other contents should be served. A RedirectMatch 404 with a negative lookahead regex handles this job quite well and also prevents information disclosure (i.e. requesting .well-known/acme-challenge returns 404 Not Found instead of 403 Forbidden).

Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
<Directory "/var/www/html/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    ForceType text/plain
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

@rahra


commented Feb 3, 2016

This is my config which worked fine (Apache 2.4). I also included the SSL config:

<VirtualHost *:80>
   ServerName www.yoursite.com
   ServerAlias yoursite.com

   Alias /.well-known/acme-challenge/ /usr/local/www/apache24/letsencrypt-challenges/
   <Directory /usr/local/www/apache24/letsencrypt-challenges>
      AllowOverride None
      Require all granted
      Satisfy Any
   </Directory>

   # rest of your config for this server
   # DocumentRoot, ErrorLog, CustomLog...
</VirtualHost>

<VirtualHost _default_:443>
   ServerName www.yoursite.com
   ServerAlias yoursite.com

   SSLEngine On
   SSLCertificateFile "/usr/local/etc/apache24/keys/domain.crt"
   SSLCertificateKeyFile "/usr/local/etc/apache24/keys/domain.key"
   # CA certificate from https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
   SSLCertificateChainFile "/usr/local/etc/apache24/keys/lets-encrypt-x1-cross-signed.pem"

   # SSL config according to https://bettercrypto.org/static/applied-crypto-hardening.pdf
   SSLProtocol All -SSLv2 -SSLv3
   SSLHonorCipherOrder On
   SSLCompression Off
   Header always add Strict-Transport-Security "max-age=15768000"
   SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
   BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
   BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

   # rest of your SSL/TLS config
   # DocumentRoot, ErrorLog, CustomLog...
</VirtualHost>

@csware


commented Feb 3, 2016

@PhrozenByte Thanks, the SetHandler is a leftover of an older config and I forgot to delete it before posting it here.

@diafygi

Owner

commented Feb 22, 2016

I'd rather keep things simple and leave it up to people who write tutorials or blog posts to explain things like Apache configs.

@diafygi diafygi closed this Feb 22, 2016
@rahra


commented Feb 27, 2016

In respect to my Apache example, I'd like to point out that SSLCertificateChainFile will be deprecated soon. According to https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile, SSLCertificateFile supports multiple certificates as well since Apache 2.4.8.
This means that you copy your certificate and the Letsencrypt CA intermediate certificate both into one file, in that order.

@StephenBrown2


commented Feb 29, 2016

Ah, so it will become just like nginx!

This makes things much simpler indeed.

@egikyan


commented Mar 8, 2017

Hey, just to add something: I'm using the Alias example from @PhrozenByte and it works without issues on Apache 2.4.7, thanks :)

Still, if you are redirecting all http traffic to https, you need to add an exception for the Let's Encrypt dir, as it needs to be served on http (here is why they don't plan https challenges):

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

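As an added illustration (not code from this thread or from acme-tiny), the following Python mirrors both @PhrozenByte's RedirectMatch 404 filter and @egikyan's RewriteCond exception, so the two regexes can be exercised against constructed request paths offline; ACME_PREFIX, acme_status and redirect_to_https are names chosen here, not Apache directives.

```python
import re

# Allow-list regex from the RedirectMatch above: everything under the alias
# that is NOT exactly "/.well-known/acme-challenge/<43 token chars>" gets 404.
# ACME HTTP-01 tokens are base64url ([A-Za-z0-9_-]); 43 chars encode 32 random
# bytes. Apache's PCRE \w is ASCII-only, hence re.ASCII here.
ACME_PREFIX = "/.well-known/acme-challenge/"
DENY_RE = re.compile(r"^(?!/\.well-known/acme-challenge/[\w-]{43}$)", re.ASCII)

# Exception from the RewriteCond above: challenge requests are never bounced
# from http to https.
NO_REDIRECT_RE = re.compile(r"^/\.well\-known/acme\-challenge/")


def acme_status(path: str):
    """Status the <Directory> block would produce for a URL path, or None
    when the path is outside the alias and the rest of the config applies."""
    if not path.startswith(ACME_PREFIX):
        return None
    # RedirectMatch 404 fires when the negative lookahead succeeds, i.e. for
    # the bare directory, nested paths, traversal attempts or malformed tokens.
    if DENY_RE.match(path):
        return 404
    return 200  # served as text/plain via ForceType


def redirect_to_https(path: str, https: bool) -> bool:
    """Mirror the two RewriteConds: redirect plain-http requests except
    those for the challenge directory."""
    if https or NO_REDIRECT_RE.match(path):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, not real validator traffic.
    token = "A" * 43
    samples = (ACME_PREFIX + token, ACME_PREFIX, ACME_PREFIX + "../../etc/passwd",
               ACME_PREFIX + token + "/", "/index.html")
    for p in samples:
        print(f"{p!r:58} -> {acme_status(p)}  redirect={redirect_to_https(p, False)}")
```

Only a well-formed token is answered 200; the bare directory, an over- or under-length token, a trailing slash and a traversal attempt all fall into the 404 branch, which is the information-disclosure point made above.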
@csware


commented Mar 8, 2017

@egikyan The Let's Encrypt validator also works over https (and does not validate any certs), so your addition is not necessary.

@rugk

Contributor

commented Mar 8, 2017

Really? It does not validate certs in this case?
