Si crea il certificato:<\/p>\n
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \/etc\/ssl\/private\/apache-selfsigned.key -out \/etc\/ssl\/certs\/apache-selfsigned.crt<\/pre>\n
Verranno ora richiesti i dati del certificato ( la parte pi\u00f9 importante \u00e8 la\u00a0Common Name<\/em> dove si deve mettere il nome host o l’ip con cui si raggiunge il webserver ):<\/p>\n Si generano i parametri Diffie-Hellman:<\/p>\n Ora si deve configurare Apache ad usare le chiavi SSL appena create.<\/p>\n Si abilita l’utilizzo dei parametri Diffie-Hellman:<\/p>\n Inserire le seguenti righe:<\/p>\n Si modifica il Virtualhost o la configurazione base SSL di Apache ( \/etc\/apache2\/sites-available\/default-ssl.conf ) impostando i parametri creati:<\/p>\n Eventualmente forzare tutto il traffico sulla porta sicura:<\/p>\n E impostare:<\/p>\n Abilitare le modifiche in Apache:<\/p>\n Controlliamo che non ci siano errori nella configurazione:<\/p>\n Nel caso sia tutto a posto dovrebbe restituire un messaggio tipo:<\/p>\n Applichiamo le modifiche:<\/p>\n Testiamo che funzioni tutto andando su https:\/\/nome-host-o-inddirizzo-ip\/ ( ci sar\u00e0 ovviamente un avviso che il certificato non \u00e8 sicuro, basta autorizzarlo ).<\/p>\n","protected":false},"excerpt":{"rendered":" Si crea il certificato: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \/etc\/ssl\/private\/apache-selfsigned.key -out \/etc\/ssl\/certs\/apache-selfsigned.crt req -x509: indica quale certificato (CSR) utilizzare, in questo caso si usa lo standard X.509; nodes: dice a OpenSSL di non usare una password per il certificato; days 365: imposta la scadenza in giorni del certificato; newkey rsa:2048: indica […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[62,166,15,3],"tags":[64,282,167,16,8,63],"_links":{"self":[{"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/posts\/2207"}],"collection":[{"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/comments?post=2207"}],"version-history":[{"count":3,"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/posts\/2207\/revisions"}],"predecessor-version":[{"id":2232,"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/posts\/2207\/revisions\/2232"}],"wp:attachment":[{"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/media?parent=2207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/categories?post=2207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sfsoft.it\/blog\/wp-json\/wp\/v2\/tags?post=2207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
openssl dhparam -out \/etc\/ssl\/certs\/dhparam.pem 2048<\/pre>\n
nano \/etc\/apache2\/conf-available\/ssl-params.conf<\/pre>\n
# from https:\/\/cipherli.st\/\r\n# and https:\/\/raymii.org\/s\/tutorials\/Strong_SSL_Security_On_Apache2.html\r\n\r\nSSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\r\nSSLProtocol All -SSLv2 -SSLv3\r\nSSLHonorCipherOrder On\r\n# Disable preloading HSTS for now. You can use the commented out header line that includes\r\n# the \"preload\" directive if you understand the implications.\r\n#Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains; preload\"\r\nHeader always set Strict-Transport-Security \"max-age=63072000; includeSubdomains\"\r\nHeader always set X-Frame-Options DENY\r\nHeader always set X-Content-Type-Options nosniff\r\n# Requires Apache >= 2.4\r\nSSLCompression off \r\nSSLSessionTickets Off\r\nSSLUseStapling on \r\nSSLStaplingCache \"shmcb:logs\/stapling-cache(150000)\"\r\n\r\nSSLOpenSSLConfCmd DHParameters \"\/etc\/ssl\/certs\/dhparam.pem\"<\/pre>\n
<IfModule mod_ssl.c>\r\n <VirtualHost _default_:443>\r\n ServerAdmin blabla@blablabla.bla\r\n ServerName nome-host-o-indirizzo-ip\r\n ServerAlias alias-1 alias-2\r\n\r\n DocumentRoot \/var\/www\/html\r\n\r\n ErrorLog ${APACHE_LOG_DIR}\/error.log\r\n CustomLog ${APACHE_LOG_DIR}\/access.log combined\r\n\r\n SSLEngine on\r\n\r\n SSLCertificateFile \/etc\/ssl\/certs\/apache-selfsigned.crt\r\n SSLCertificateKeyFile \/etc\/ssl\/private\/apache-selfsigned.key\r\n\r\n <FilesMatch \".(cgi|shtml|phtml|php)$\">\r\n SSLOptions +StdEnvVars\r\n <\/FilesMatch>\r\n <Directory \/usr\/lib\/cgi-bin>\r\n SSLOptions +StdEnvVars\r\n <\/Directory>\r\n\r\n BrowserMatch \"MSIE [2-6]\" \r\n nokeepalive ssl-unclean-shutdown \r\n downgrade-1.0 force-response-1.0\r\n\r\n <\/VirtualHost>\r\n<\/IfModule><\/pre>\nnano \/etc\/apache2\/sites-available\/000-default.conf<\/pre>\n
<VirtualHost *:80>\r\n . . .\r\n\r\n Redirect \"\/\" \"https:\/\/nome-host-o-indirizzo-ip\/\"\r\n\r\n . . .\r\n<\/VirtualHost>\r\n<\/pre>\n
a2enmod ssl\r\na2enmod headers\r\na2ensite default-ssl\r\na2enconf ssl-params<\/pre>\n
sudo apache2ctl configtest<\/pre>\n
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message\r\nSyntax OK<\/pre>\n
systemctl restart apache2<\/pre>\n