Implementing SSL#
Secure Sockets Layer (SSL) enables the server to establish an encrypted link with its clients. This is more secure than using unencrypted communication. To implement SSL you will need a digital certificate which can be signed either by you or by a certificate authority. For more information about the SSL certificates please see this article .
Implementing SSL on your server can be divided to two stages:
Obtaining a SSL certificate#
SSL certificate can be signed either by you using your own private key or by a certificate authority. Each choices has its own prerequisites and consequences.
Self signed#
A good guide about how to implement this using OpenSSL on Ubuntu 20.04 can be found here.
Note
This option allows you to implement SSL using your server’s IP address without a domain name. However, when accessing the website using any modern browser the connection will be marked as not private.
Signed by Let’s encrypt#
Let’s Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. You can obtain a certificate from other certificate authorities too. Please keep in mind that some authorities require a fee for their services.
Note
For this option you will need a domain name to use for your website.
Install certbot#
certbot is a tool that helps you obtain a certificate from Let’s encrypt. The official installation instructions for apache running on Ubuntu 20.04 can be found here.
Configuring the webserver#
To use the digital certificate in serving your website you need to modify the webserver configuration. You can modify the current configuration file to add the new configuration or create a new configuration file. In this guide we will use one file.
Start by adding the domain as a variable at the top of the file as such
ServerName yourDomainName
Then modify the current configuration to redirect the requests from port 80 to port 443. You will need to add this code
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
You can transfer all the configuration related to arches to the new virtual host 443 and change </path/to/your/certificate/> to reflect the location of your certificate. Your file should look like this
ServerName yourDomainName
LoadModule wsgi_module "/home/ubuntu/Projects/ENV/lib/python3.8/site-packages/mod_wsgi/server/mod_wsgi-py37.cpython-37m-x86_64-linux-gnu.so"
WSGIPythonHome "/home/ubuntu/Projects/ENV"
<VirtualHost *:80>
ServerName yourDomainName
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# This is optional, in case you want to redirect people
# from http to https automatically.
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
WSGIPassAuthorization on
WSGIDaemonProcess arches python-path=/home/ubuntu/Projects/my_project
WSGIScriptAlias / /home/ubuntu/Projects/my_project/my_project/wsgi.py process-group=arches
<Directory /home/ubuntu/Projects/my_project/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Alias /media/ /home/ubuntu/Projects/my_project/my_project/static/
<Directory /home/ubuntu/Projects/my_project/my_project/static>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Alias /files/uploadedfiles /home/ubuntu/Projects/my_project/my_project/uploadedfiles
<Directory /home/ubuntu/Projects/my_project/my_project/files/uploadedfiles>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
ServerName yourDomainName
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile </path/to/your/certificate/>cert.pem
SSLCertificateKeyFile </path/to/your/certificate/>privkey.pem
SSLCACertificateFile </path/to/your/certificate/>chain.pem
</VirtualHost>
Then you will need to enable the SSL and redirecting modules before you reload apache configuration
sudo a2enmod ssl
sudo a2enmod rewrite
Now you can reload apache to access the new configuration
sudo service apache2 reload