Saturday, October 5th 2019

Back to basic

It's been such a long time, not much done, but at least now these webpages will be served through secure channels. For a while, I still believed that you could only serve one secured host per IP, as it was the case.

To put in perspective, one has to understand that virtual hosts, the mechanism that allows to serve content for a domain name is an afterthought. A header is of the HTTP datagramm is to be set to tell the web server which host is requested. But when we arrive there, it's to late to change the certificate, the secured channel is already set, and it's not possible to reset it.

To the cost of some privacy hindering, the requested host is provided through the TLS handshake. The protocol extension SNI describe this idea, and is implemented in most servers and clients.

Let's encrypt!

Therefore, there is no more excuse not to encrypt our personnal web resources. There is some technical steps to follow, mind your web server configuration, and it should be fine!

For example, on Debian GNU/Linux Buster (10), you can just issue the next lines, as root obviously:

You need the second package only if you're using Apache Web server.

apt install certbot python3-certbot-apache

# Require a specific certificate for the blog:
certbot certonly --apache -d blog.example.com

# Require a common certificate for different domains:
certbot certonly --apache -d www.example.com -d example.com

I had issues with the modification of my Apache configuration files, so I'd recommand to just require the certificates, and migrate the configuration manually. On each virtual host, change the host port to 443, as follow:

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  # Replace 'example.com' with the domain name
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com.org/privkey.pem
</VirtualHost>

And redirect your old plain HTTP trafic:

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Options -Indexes

  RewriteEngine On
  RewriteCond %{SERVER_NAME} =example.com [OR]
  RewriteCond %{SERVER_NAME} =www.example.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Then, all you need to do is to test your server's properly configured, and restart it to test:

apachectl configtest
service apache2 restart

Wednesday March 29th 2017

Reset

Nothing interesting have been layed out there for a long time. So let's have a fresh start.

I'm remaking the main website, as the various articles and code are quite out dated.