
Enabling HTTPS

  • I assume that you already have certificates from Let's Encrypt
  • Updating a virtual host config
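# mod_ssl and mod_rewrite must be loaded for the SSL* and Rewrite* directives
# used in the vhost that follows; otherwise configtest fails on them.
# Enabling an already-enabled module changes nothing. If a2enmod does enable
# something it asks for a restart, so restart rather than reload afterwards.
a2enmod ssl rewrite
cd /etc/apache2/sites-available/
# Keep a copy of the working HTTP-only vhost for rollback. -p preserves mode
# and ownership. The trailing underscore keeps the copy from matching the
# *.conf pattern Debian's Apache uses when including site files.
cp -p bookstack.conf bookstack.conf_
# Empty the live file before pasting in the new vhost definitions.
echo > bookstack.conf
nano -w bookstack.conf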
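<VirtualHost *:80>

        # Name the site explicitly so this vhost is matched for the BookStack host.
        ServerName null.somedomain.name

        # Redirect every plain-HTTP request to the fixed HTTPS origin.
        # The target is hard-coded instead of built from %{HTTP_HOST}: that value
        # is the client-supplied Host header, so echoing it into the Location
        # header lets any client choose where the redirect points.
        # In vhost context $1 is the URL path including its leading slash.
        RewriteEngine On
        RewriteRule ^(.*)$ https://null.somedomain.name$1 [R=301,L]

</VirtualHost>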

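<VirtualHost *:443>

        ServerName null.somedomain.name
        DocumentRoot /var/www/bookstack/public/

        SSLEngine on

        # Leaf certificate, issuer chain and private key.
        # The .key file should be readable by root only; Apache's parent process
        # reads it before the workers drop privileges.
        # NOTE(review): SSLCertificateChainFile is deprecated since Apache 2.4.8.
        # On newer versions the intermediates can follow the leaf inside the
        # SSLCertificateFile instead. The directive is kept here unchanged.
        SSLCertificateFile      /etc/letsencrypt/somedomain.name/certificates/_.somedomain.name.crt
        SSLCertificateChainFile /etc/letsencrypt/somedomain.name/certificates/_.somedomain.name.issuer.crt
        SSLCertificateKeyFile   /etc/letsencrypt/somedomain.name/certificates/_.somedomain.name.key

        # Export the standard SSL_* environment variables to script handlers only.
        <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        <Directory /var/www/bookstack/public/>
                # Indexes is deliberately not enabled. The original line turned
                # directory listings on and only switched them off again inside the
                # nested mod_rewrite/mod_negotiation guard below. A host without
                # mod_negotiation would therefore list the contents of any real
                # directory under public/.
                Options FollowSymLinks
                # .htaccess files are ignored; all rules live in this file.
                AllowOverride None
                Require all granted
                <IfModule mod_rewrite.c>
                        <IfModule mod_negotiation.c>
                                Options -MultiViews -Indexes
                        </IfModule>

                        RewriteEngine On

                        # Handle Authorization Header
                        RewriteCond %{HTTP:Authorization} .
                        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

                        # Redirect Trailing Slashes If Not A Folder...
                        RewriteCond %{REQUEST_FILENAME} !-d
                        RewriteCond %{REQUEST_URI} (.+)/$
                        RewriteRule ^ %1 [L,R=301]

                        # Handle Front Controller...
                        RewriteCond %{REQUEST_FILENAME} !-d
                        RewriteCond %{REQUEST_FILENAME} !-f
                        RewriteRule ^ index.php [L]
                </IfModule>
        </Directory>

        # NOTE(review): no Strict-Transport-Security header is set in this vhost.
        # Consider adding one via mod_headers once HTTPS is confirmed working,
        # since browsers cache the policy for its full max-age.

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>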
  • Checking the config
# Parses the configuration without applying it. Continue to the reload only
# when this prints "Syntax OK".
apache2ctl configtest
  • Reloading Apache
# Makes Apache re-read the edited vhost file. Run only after configtest passes.
systemctl reload apache2
  • Checking (the plain-HTTP URL below should now answer with a 301 redirect to https://)

http://null.somedomain.name

  • Turning off weak algorithms and vulnerable protocols
# sites-enabled/bookstack.conf is normally a symlink created by a2ensite, so
# this edits the same file as sites-available/bookstack.conf — verify with ls -l.
nano -w /etc/apache2/sites-enabled/bookstack.conf
        # "Modern" configuration, defined by the Mozilla Foundation's SSL Configuration
        # Generator as of August 2016. This tool is available at
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
        # NOTE(review): the generator referenced above is now served from
        # https://ssl-config.mozilla.org/ — compare this 2016 snapshot with its
        # current output before reusing it.
        # These directives are valid in server or virtual-host context; the
        # indentation suggests they belong inside the <VirtualHost *:443> block.
        # Disables SSLv3, TLS 1.0 and TLS 1.1, leaving TLS 1.2 (and TLS 1.3 where
        # the Apache/OpenSSL build provides it).
        SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
        # Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
        # require OpenSSL 1.1.0, which as of this writing was in pre-release.
        # The list is ECDHE key exchange with AEAD ciphers only (AES-GCM, ChaCha20-Poly1305).
        # It governs TLS 1.2 and below; TLS 1.3 suites are configured separately.
        SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
        # Server preference decides the suite, not the client's ordering.
        SSLHonorCipherOrder on
        # TLS-level compression enables CRIME-style plaintext recovery; keep it off.
        SSLCompression      off
        # Without tickets, resumption does not depend on a long-lived ticket key
        # that would weaken forward secrecy if it leaked.
        SSLSessionTickets   off
  • Turning off server's signature
# On Debian/Ubuntu, ServerSignature and ServerTokens are normally already set in
# /etc/apache2/conf-available/security.conf; changing them there avoids ending
# up with two conflicting definitions.
nano -w /etc/apache2/apache2.conf
# Disable Server Signature
# ServerSignature Off removes the version footer from server-generated pages
# (error pages, listings). ServerTokens Prod reduces the Server response header
# to the product name only.
# If either directive is defined more than once, the definition read last
# applies — check where these lines sit relative to the Include lines.
# This hides version details from casual scanning; it does not replace patching.
ServerSignature Off
ServerTokens Prod
  • Turning off PHP version info
# "version" is a placeholder for the installed PHP version directory.
# This apache2/ path applies when PHP runs as the Apache module; a PHP-FPM
# setup reads /etc/php/<version>/fpm/php.ini instead.
nano -w /etc/php/version/apache2/php.ini
;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; https://php.net/expose-php
; With Off, PHP stops sending the X-Powered-By: PHP/<version> response header.
expose_php = Off
  • Restarting Apache
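# Validate first: a full restart with a broken configuration leaves the site
# down, so only restart when configtest succeeds.
apache2ctl configtest && systemctl restart apache2
# Confirm the service came back up (look for "active (running)").
systemctl status apache2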