Last week, I wrote a post (article here) on how to set up an Apache web server on Google Cloud Platform. This week, I'm going to go more in depth on how to add the SSL protocol to the server. In short, SSL provides an extra layer of security over a website that uses plain HTTP. In fact, this protocol is called HTTPS, where the "S" stands for secure. First, we'll take a look at what SSL is and why it is important.
What is SSL?
SSL (or HTTPS) is an internet protocol that provides security in two ways. First, it encrypts data transferred during typical website use. Simply put, encryption scrambles the transferred data into something that can only be read by someone possessing the encryption key. Without encryption, information transferred across the internet can be read as plain text; with encryption, this data can only be read by using the encryption key. For instance, someone on the same WiFi network as you could read the web requests you are making with your computer. This is fairly harmless for simple Google searches but can get very scary when a bank account or credit card enters the mix. Encryption makes it so that the "bad guy" who steals your web request information only sees a bunch of jumbled information that makes no sense. And since he/she does not have the encryption key, this information is totally useless.
SSL also validates the website or company by using SSL certificates. Certificates are only distributed by Certificate Authorities (CAs), which validate the websites. These CAs are institutions that are responsible for making sure websites do what they say they do and verifying that they are completely legitimate. Upon visiting a website, the browser requests a certificate for that domain. If a valid certificate exists, the CA sends this certificate back to the browser and the user goes on without any interruption. If no certificate exists, the browser alerts the user that the website is not secure so that the user knows to stay away.
Where can we get a certificate?
Certificates can be expensive, as CAs work very hard to maintain their authority. As you might suspect, we won't be using these expensive CAs. SSL For Free and Let's Encrypt offer free options for SSL certificates. In this blog, I'm going to work with Let's Encrypt, as I found it the easiest to use.
Getting a Certificate
To get a certificate, head on over to Let's Encrypt. Reading through this is helpful in understanding how Let's Encrypt works; however, it ultimately directs you over to a service called Certbot. Following this link to Certbot, input your software and system. Here, we are going to use Apache and Debian 9 (stretch).
After entering this information, you should be guided to a page with installation instructions on setting up your server with Certbot. Below are the instructions specifically for Apache on Debian 9 (stretch).
Follow the instructions using your shell terminal on your Google Cloud Platform virtual machine. The easiest method is to follow the instructions that install Certbot and configure Apache in a single step, rather than the certificate-only approach.
After you finish, make sure to restart your server by running:

```
sudo systemctl restart apache2
```
You should now have SSL enabled on your Apache server with a valid certificate. Navigate to your website and check.
Troubleshooting
If your website does not show SSL enabled (https:// in the address bar), validate the Apache configuration.
First, let's make sure SSL is enabled for Apache. In the "/etc/apache2/sites-enabled" directory, you should find a file called "default-ssl.conf". In this file, verify that the line "SSLEngine on" exists. If you find "SSLEngine off", change it to "SSLEngine on".
Towards the end of the "default-ssl.conf" file, verify that there is a line similar to "SSLCertificateFile /etc/letsencrypt/live/...". If this line does not exist, try running the Certbot instructions again.
Redirecting regular HTTP requests to SSL
The last thing we should do is redirect any requests from port 80 (HTTP) to port 443 (SSL). To do this, head into the "000-default.conf" file inside the "/etc/apache2/sites-enabled" directory. Here, comment out everything with number signs (#) and enter the following code:
```
<VirtualHost *:80>
ServerName [website address without http]
Redirect permanent / https://[website address without http]
</VirtualHost>
```
Here "website address without http" simply means disregard the http before the website address. For example, http://google.com would be written as google.com. For my particular website, the configuration is as follows:
```
<VirtualHost *:80>
ServerName brandonmichaelbrown.com
Redirect permanent / https://brandonmichaelbrown.com
</VirtualHost>
```
What is happening here? Well, I'm glad you asked.
Here, we are configuring Apache to redirect any requests from http://[website] (port 80) to https://[website] (port 443). This sends any non-SSL traffic to our new SSL host. The "permanent" keyword is simply a type of redirect: Apache answers with an HTTP 301 status, which tells the browser the move is permanent. Since we do not care to ever use the http:// address, we are configuring this as a permanent redirect. You can read more about the permanent and temporary redirects here.
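As an added example (not code from the original post or from Certbot), here is a small POSIX shell script that performs the troubleshooting checks from the previous section and verifies the port-80 redirect vhost just shown. It inspects two config files: default-ssl.conf must contain "SSLEngine on" (and no "SSLEngine off") plus an SSLCertificateFile under /etc/letsencrypt/live/, and 000-default.conf must contain an uncommented port-80 vhost with a bare ServerName and a "Redirect permanent / https://..." line. The example.com sample files it writes to a temporary directory are constructed so the script can be run anywhere; on a real server you would point the functions at the files in /etc/apache2/sites-enabled instead.

```shell
#!/bin/sh
# Added example, not from the original post: static checks for the two
# Apache files discussed above. check_ssl_vhost inspects default-ssl.conf
# for the troubleshooting steps (SSLEngine on, a Let's Encrypt cert path);
# check_redirect_vhost inspects 000-default.conf for the port-80 redirect.
# Each returns 0 on success or prints the first problem and returns 1.
# The example.com samples below are constructed, not real server config.

check_ssl_vhost() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    # "SSLEngine off" is the exact mistake the troubleshooting section warns about
    if grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+off' "$conf"; then
        echo "SSLEngine is off in $conf"; return 1
    fi
    if ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf"; then
        echo "no 'SSLEngine on' in $conf"; return 1
    fi
    # Certbot places the live certificate under /etc/letsencrypt/live/<domain>/
    if ! grep -Eq '^[[:space:]]*SSLCertificateFile[[:space:]]+/etc/letsencrypt/live/' "$conf"; then
        echo "no Let's Encrypt SSLCertificateFile in $conf (re-run Certbot)"; return 1
    fi
    return 0
}

check_redirect_vhost() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    # Drop comment lines so the commented-out old vhost does not count
    live=$(grep -Ev '^[[:space:]]*#' "$conf" || true)
    printf '%s\n' "$live" | grep -Eq '^[[:space:]]*<VirtualHost[[:space:]]+\*:80>' \
        || { echo "no <VirtualHost *:80> block in $conf"; return 1; }
    # ServerName must be a bare host name: no http://, no trailing path
    printf '%s\n' "$live" | grep -Eiq '^[[:space:]]*ServerName[[:space:]]+[a-z0-9.-]+[[:space:]]*$' \
        || { echo "ServerName missing or not a bare host name in $conf"; return 1; }
    printf '%s\n' "$live" | grep -Eq '^[[:space:]]*Redirect[[:space:]]+permanent[[:space:]]+/[[:space:]]+https://' \
        || { echo "no 'Redirect permanent / https://...' in $conf"; return 1; }
    return 0
}

# Constructed sample files so the checks can be exercised without a server
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/default-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF

cat > "$tmp/000-default.conf" <<'EOF'
# <VirtualHost *:80>
#     DocumentRoot /var/www/html
# </VirtualHost>
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com
</VirtualHost>
EOF

cat > "$tmp/broken-ssl.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine off
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
EOF

check_ssl_vhost "$tmp/default-ssl.conf" && echo "default-ssl.conf: OK"
check_redirect_vhost "$tmp/000-default.conf" && echo "000-default.conf: OK"
check_ssl_vhost "$tmp/broken-ssl.conf" || echo "broken-ssl.conf: failed as expected"
```

These checks only read files, so they are safe to run on the live server before and after editing. Once both files pass, the two end-to-end confirmations worth doing on the VM are `sudo apache2ctl configtest` (which reports syntax errors before a restart takes the site down) and `curl -sI http://yourdomain`, which should answer with a 301 status and a Location header pointing at the https:// address.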
Conclusion
I hope you were able to transform your website into a new and refined SSL certified site. Good luck and happy programming!