Enabling HTTPS on Apache

From OnnoWiki

To communicate securely, we need to encrypt the traffic using TLS/SSL. The steps below are for Ubuntu 16.04. The procedure on newer Ubuntu and Debian releases is most likely almost the same.

Install Apache using the commands

sudo apt update
sudo apt -y install apache2

To enable the SSL module, use the command,

sudo a2enmod ssl

Next, we need to restart Apache,

sudo service apache2 restart

The main issue with SSL is that we have to request an SSL certificate. We can instead create our own self-signed SSL certificate. First, create a directory for it,

sudo mkdir /etc/apache2/ssl

Create the SSL certificate using the command,

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Fill in the parameters with, for example,

Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ORGANISASI-ANDA
Organizational Unit Name (eg, section) []:RND
Common Name (e.g. server FQDN or YOUR name) []:organisasi-anda.id
Email Address []:onno@organisasi-anda.id


Further explanation of the openssl command:

openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.

req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate management. Since we want to create a new X.509 certificate, this is what we want.

-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.

-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password-protected key file would get in the way of Apache starting automatically, as we would have to enter the password every time the service restarts.

-days 365: This specifies that the certificate we are creating will be valid for one year.

-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.

-keyout: This parameter names the output file for the private key file that is being created.

-out: This option names the output file for the certificate that we are generating.

Once the SSL certificate has been created, we can configure Apache to use it. Back up the default SSL site configuration and open it for editing with the following commands,

cd /etc/apache2/sites-available
sudo cp default-ssl.conf default-ssl.conf.asli
sudo vi /etc/apache2/sites-available/default-ssl.conf

With the comments (#) removed, the file looks like this,

<IfModule mod_ssl.c>

   <VirtualHost _default_:443>
       ServerAdmin webmaster@localhost
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
       SSLEngine on
       SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
       SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
       <FilesMatch "\.(cgi|shtml|phtml|php)$">
                       SSLOptions +StdEnvVars
       </FilesMatch>
       <Directory /usr/lib/cgi-bin>
                       SSLOptions +StdEnvVars
       </Directory>
       BrowserMatch "MSIE [2-6]" \
                       nokeepalive ssl-unclean-shutdown \
                       downgrade-1.0 force-response-1.0
       BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
   </VirtualHost>

</IfModule>

We need to configure

ServerAdmin
ServerName
ServerAlias
DocumentRoot

IMPORTANT: remember that the location of the Apache SSL certificate and key is,

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

The final configuration file, after all parameters have been entered, looks like this,

<IfModule mod_ssl.c>

   <VirtualHost _default_:443>
       ServerAdmin admin@example.com
       ServerName your_domain.com
       ServerAlias www.your_domain.com
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
       SSLEngine on
       SSLCertificateFile /etc/apache2/ssl/apache.crt
       SSLCertificateKeyFile /etc/apache2/ssl/apache.key
       <FilesMatch "\.(cgi|shtml|phtml|php)$">
                       SSLOptions +StdEnvVars
       </FilesMatch>
       <Directory /usr/lib/cgi-bin>
                       SSLOptions +StdEnvVars
       </Directory>
       BrowserMatch "MSIE [2-6]" \
                       nokeepalive ssl-unclean-shutdown \
                       downgrade-1.0 force-response-1.0
       BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
   </VirtualHost>

</IfModule>

Next, we need to enable the SSL virtual host with the command

sudo a2ensite default-ssl.conf

Apache needs to be restarted using the commands

sudo service apache2 restart
sudo systemctl reload apache2

To test the setup, we can browse to

https://server_domain_name_or_IP
https://192.168.0.100

You will most likely get an SSL certificate warning, because the certificate is self-signed :) ...
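
Before restarting Apache it is worth confirming that apache.crt and apache.key belong together, that the passphrase-less key is not readable by other users, and that the certificate is not about to expire. The script below is an added example, not part of the original page; the function names and the -subj value are illustrative, and it assumes the openssl command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): checks for the self-signed
# certificate and key created in the steps above. Function names are illustrative.

# Non-interactive form of the page's openssl command. umask 077 keeps the
# unencrypted (-nodes) key unreadable for group and others.
make_selfsigned() {      # usage: make_selfsigned DIR COMMON_NAME
    ( umask 077
      mkdir -p "$1" &&
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/C=ID/O=ORGANISASI-ANDA/CN=$2" \
          -keyout "$1/apache.key" -out "$1/apache.crt" 2>/dev/null )
}

# Succeeds only if the public key in the certificate equals the public key
# derived from the private key. Returns 2 if either file cannot be parsed.
cert_matches_key() {     # usage: cert_matches_key CERT KEY
    _c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# Succeeds only if group and others have no permission bits on the key file.
key_is_private() {       # usage: key_is_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the certificate is still valid DAYS days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Stand-alone use (as root, so the key can be read):
#   ./check-cert.sh /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1" "$2"  || { echo "certificate and key do not match"; exit 1; }
    key_is_private "$2"         || { echo "key is readable by group/others"; exit 1; }
    cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; exit 1; }
    echo "certificate, key and permissions look consistent"
fi
```

If the key turns out to be group- or world-readable, `sudo chmod 600 /etc/apache2/ssl/apache.key` corrects it; Apache reads the key as root at startup, so no other account needs access.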