Keeping a server's configuration up to date takes regular effort. In this post we will walk through how to set up and enable some of the most recent web technologies on Apache: HTTP/2 and TLS 1.3.
Before we get Apache configured, a note: if you are running PHP on Apache through mod_php, you almost certainly have mpm_prefork enabled. HTTP2 doesn't work well (in my case, not at all) with mpm_prefork; mod_http2 needs a threaded MPM, and since Apache 2.4.27 it simply disables itself when it finds prefork loaded.
Also, this is written for Ubuntu. Getting an updated version of Apache will be different for your variant of Linux.
Step 0 – Switch from mod_php to php-fpm and from mpm_prefork to mpm_event
Switching from mod_php to php-fpm was also a good chance for me to upgrade from PHP 7.2 to PHP 7.3.
```sh
apt-get install -y php7.3 php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-fpm php7.3-gd php7.3-gmp php7.3-json php7.3-mbstring php7.3-mysql php7.3-pgsql php7.3-readline php7.3-soap php7.3-sqlite3 php7.3-xml php7.3-xsl php7.3-zip
a2enmod proxy_fcgi setenvif      # Apache hands PHP requests to php-fpm over FastCGI
a2enconf php7.3-fpm              # handler config shipped with the php7.3-fpm package
a2dismod php7.2 mpm_prefork      # drop mod_php and the non-threaded MPM first
a2enmod mpm_event                # threaded MPM that mod_http2 requires
service apache2 restart
```
That install line gives me what I consider a standard setup, usable from CGI, FPM and the CLI, with support for MySQL, PostgreSQL and SQLite. Alter the package list to fit what you need. At a minimum I would suggest the following.
```sh
apt-get install -y php7.3 php7.3-common php7.3-fpm
```
Step 1 – Enable the Updated Apache Repo
Adding the up-to-date Apache repository is fairly easy and straightforward.
```sh
add-apt-repository -y ppa:ondrej/apache2
apt-get update && apt-get upgrade -y
```
Step 2 – Enable http2
Here’s a 1-liner for you.
```sh
a2enmod http2
```
Of course you'll need to restart Apache:

```sh
service apache2 restart
```
Step 3 – Double Check SSL Configuration
There are many places you can configure your SSL configuration for Apache. Let’s walk through them, or at least the defaults. If you have your SSL config in a different conf file, that’s your beast to deal with.
We are looking for a setting called SSLProtocol. Check this file first: /etc/apache2/mods-available/ssl.conf. Normally the setting lives there. A good value is `all -SSLv3 -TLSv1`. A better value is `all -SSLv3 -TLSv1 -TLSv1.1`, which leaves only TLS 1.2 and TLS 1.3 enabled.
Here is what mine looks like.
```apache
<IfModule mod_ssl.c>
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout 300

    # modern configuration, tweak to your needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off

    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache "shmcb:/logs/ssl_stapling(32768)"
</IfModule>
```
If you are using LetsEncrypt, look in: /etc/letsencrypt/options-ssl-apache.conf
LetsEncrypt does like to whine if you modify its config file; just take a look at the beginning of that file:
```apache
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
```
Instead, I decided it would be better to stop including the LetsEncrypt config file from my vhost files, so that the settings in ssl.conf above are the ones that apply.
```sh
cd /etc/apache2/sites-available/
# Comment out the "Include /etc/letsencrypt/options-ssl-apache.conf" line in every
# vhost file; "|" is used as the sed delimiter so the path needs no escaping.
sed -i 's|Include /etc/letsencrypt/options-ssl-apache.conf|#NoLetsEncryptConf|' *
```
The last place to look is in your vhost files themselves. One caveat if you drop the Include as above: options-ssl-apache.conf also carries `SSLEngine on`, so each TLS vhost must still have `SSLEngine on` alongside its SSLCertificateFile and SSLCertificateKeyFile lines, or that vhost will stop serving TLS at all.
Step 4 – Restart Apache
```sh
service apache2 restart
```
Step 5 – Test
There are many HTTP2 testers out there. You can Google for one. Here’s a few that worked for me:
https://tools.keycdn.com/http2-test
https://tools.geekflare.com/tools/http2-test
There are also many SSL testers out there. Again, Google or use what I use:
https://www.immuniweb.com/ssl (formerly https://htbridge.com/ssl/)
https://www.ssllabs.com/ssltest
I am not affiliated with any of these.
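As an added example that is not part of the original post, here is a small POSIX shell script that audits the SSLProtocol directives in the files Step 3 walks through and checks HTTP/2 and TLS 1.3 with curl and openssl instead of a web tester. The paths are the Ubuntu defaults named above; the sample config the script writes is constructed for the offline demo.

```sh
# Print each active SSLProtocol directive in FILE that still permits TLS 1.0
# or 1.1. Empty output means the file is fine. Commented-out lines are ignored.
weak_ssl_protocol_lines() {
    grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" 2>/dev/null |
    while read -r line; do
        set -- $line; shift                 # word-split: $@ = protocol tokens
        allow_all=0 no_tls10=0 no_tls11=0 explicit_old=0
        for tok in "$@"; do
            case "$tok" in
                all|+all)   allow_all=1 ;;
                -TLSv1)     no_tls10=1 ;;
                -TLSv1.1)   no_tls11=1 ;;
                SSLv3|+SSLv3|TLSv1|+TLSv1|TLSv1.1|+TLSv1.1) explicit_old=1 ;;
            esac
        done
        # "all" is weak unless both -TLSv1 and -TLSv1.1 follow it; naming an
        # old protocol explicitly is always weak.
        if [ "$explicit_old" = 1 ] ||
           { [ "$allow_all" = 1 ] && [ "$no_tls10$no_tls11" != 11 ]; }; then
            printf '%s\n' "$line"
        fi
    done
}

# Walk the places the post checks: the ssl module config, every enabled vhost,
# and Certbot's options file (only matters while it is still Included). Returns 1 on any weak line.
audit_apache_tls() {
    rc=0
    for f in /etc/apache2/mods-enabled/ssl.conf /etc/apache2/sites-enabled/*.conf \
             /etc/letsencrypt/options-ssl-apache.conf; do
        [ -f "$f" ] || continue
        weak=$(weak_ssl_protocol_lines "$f")
        [ -z "$weak" ] || { printf '%s:\n%s\n' "$f" "$weak"; rc=1; }
    done
    return "$rc"
}

# Live checks against HOST (need network; the offline demo does not call them).
# check_http2 prints "2" when curl received the response over HTTP/2;
# check_tls13 succeeds only if the server completes a TLS 1.3 handshake.
check_http2() { curl -sS -o /dev/null -w '%{http_version}' --http2 "https://$1/"; }
check_tls13() { openssl s_client -connect "$1:443" -servername "$1" -tls1_3 </dev/null >/dev/null 2>&1; }

# Constructed sample (not a real server's file) so the audit can run offline.
write_sample_config() {
    f=$(mktemp)
    printf '%s\n' '# SSLProtocol all' '    SSLProtocol all -SSLv3' \
        'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' 'SSLProtocol -all +TLSv1.2 +TLSv1.3' > "$f"
    printf '%s\n' "$f"
}
```

Run `audit_apache_tls` as root on the server after Step 3, and `check_http2 example.com` / `check_tls13 example.com` from another machine after Step 4.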
Results
Your server is now serving HTTP2 and TLS 1.3. Note that TLS 1.3 needs an Apache built against OpenSSL 1.1.1 or later; the SSL testers in Step 5 will show which protocol versions actually negotiate. It is ready for ALPN and Push too!