HSTS, which stands for “HTTP Strict Transport Security,” is a web security policy mechanism that protects HTTPS websites against protocol downgrade attacks. Once a browser has received the policy, it refuses to access the website over anything other than HTTPS.
Some websites still contain pages that are served over plain HTTP. The HSTS header was introduced to stop browsers from using HTTP in such cases: it instructs the browser to rewrite HTTP URLs for your site to HTTPS before the request is sent, rather than relying only on a server-side redirect.
In this post, we will explain how to enable HTTP Strict Transport Security (HSTS) for Apache on Oracle Linux 8.
Prerequisites
- A fresh Oracle Linux 8 server
- A valid domain name pointed at your server's IP address
- A root password configured on your server
Step 1 – Install and Configure Apache
Before starting, you will need to install the Apache web server and create a virtual host configuration file to host a website.
First, install the Apache web server with the following command:
dnf install httpd -y
Once the installation is completed, start and enable the Apache service:
systemctl start httpd
systemctl enable httpd
Next, create a new Apache virtual host configuration file for the domain test.linuxbuz.com:
nano /etc/httpd/conf.d/test.conf
Add the following configurations:
<VirtualHost *:80>
    ServerName test.linuxbuz.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/
    DirectoryIndex index.html
</VirtualHost>
Save and close the file, then restart Apache to apply the changes:
systemctl restart httpd
Step 2 – Secure Apache with Let’s Encrypt SSL
Next, you will need to install the Certbot client to secure your website with SSL. You can install the Certbot client for Apache with the following command:
dnf install epel-release -y
dnf install certbot python3-certbot-apache -y
Once the installation is completed, run the following command to generate the self-signed certificate and key that mod_ssl's default ssl.conf refers to, so that Apache can start with the SSL module loaded before Certbot installs the real certificate:
/usr/libexec/httpd-ssl-gencerts
Next, run the following command to obtain and install a Let’s Encrypt SSL certificate for your website test.linuxbuz.com:
certbot --apache -d test.linuxbuz.com
You will be asked to provide your email and accept the terms of service:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf.
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for test.linuxbuz.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.linuxbuz.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test.linuxbuz.com/privkey.pem
This certificate expires on 2022-11-21.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for test.linuxbuz.com to /etc/httpd/conf.d/test-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://test.linuxbuz.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your website test.linuxbuz.com is now secured with a Let’s Encrypt SSL certificate.
Step 3 – Enable HSTS Header
Next, you will need to activate the HSTS header within your website virtual host configuration file.
To do so, open your website virtual host configuration file:
nano /etc/httpd/conf.d/test-le-ssl.conf
Add the following line inside the <VirtualHost *:443> block that Certbot created, for example directly below its opening line. The Header directive requires mod_headers, which the Oracle Linux 8 httpd package loads by default:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Save and close the file, then restart the Apache service to apply the changes. Keep in mind that max-age=31536000 commits browsers to HTTPS for a full year and includeSubDomains extends that commitment to every subdomain, so every subdomain must already serve valid HTTPS; if you are unsure, start with a shorter max-age and raise it once everything works. Browsers only honour the policy after they have seen the header over HTTPS, so keep your HTTP-to-HTTPS redirect in place for first-time visitors.
systemctl restart httpd
Step 4 – Verify HSTS Header
Your website is now configured to send the HSTS header. Next, you need to verify that the header is actually delivered.
You can verify it with the following command:
curl -s -D- https://test.linuxbuz.com/ | grep -i Strict
If everything is fine, you should get the following output:
Strict-Transport-Security: max-age=31536000; includeSubDomains
You can also verify it with the Qualys SSL Labs test at https://www.ssllabs.com/ssltest/index.html, which reports whether HSTS is present and how long its max-age is.
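As an added example that is not part of the original tutorial, the following POSIX shell script turns the curl check above into a reusable test. It reads raw HTTP response headers on standard input, extracts the Strict-Transport-Security policy (header names and directive names are matched case-insensitively, and only the first STS header counts, as RFC 6797 requires), and fails if the header is missing or its max-age is shorter than the one-year value set in Step 3. The host name is the tutorial's test.linuxbuz.com; the sample headers embedded at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a checker for the
# Strict-Transport-Security header that Step 4 fetches with curl.
# Usage against a live server:
#   curl -s -D- -o /dev/null https://test.linuxbuz.com/ | check_hsts
# The sample headers at the bottom are constructed for illustration.

MIN_AGE=${MIN_AGE:-31536000}   # one year, the value set in Step 3

# hsts_directives: print the STS header value as one directive per line,
# lower-cased and trimmed (no output when the header is absent).
# Header names are case-insensitive and HTTP lines end in CRLF.
hsts_directives() {
    tr -d '\r' | awk '
        {
            i = index($0, ":")
            if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) != "strict-transport-security") next
            n = split(substr($0, i + 1), parts, ";")
            for (j = 1; j <= n; j++) {
                d = tolower(parts[j])
                gsub(/^[ \t]+|[ \t]+$/, "", d)
                if (d != "") print d
            }
            exit   # only the first STS header counts (RFC 6797, section 8.1)
        }'
}

# hsts_max_age: print the max-age value, or nothing if it is not present.
hsts_max_age() {
    hsts_directives | sed -n 's/^max-age=//p' | head -n 1
}

# hsts_has_directive NAME: succeed if the valueless directive NAME is present.
hsts_has_directive() {
    hsts_directives | grep -qx "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# check_hsts: read response headers on stdin and report. Exit status:
#   0  policy present with max-age >= MIN_AGE
#   1  header missing or max-age not numeric
#   2  max-age shorter than MIN_AGE
check_hsts() {
    headers=$(cat)
    age=$(printf '%s\n' "$headers" | hsts_max_age)
    case "$age" in
        ''|*[!0-9]*)
            echo "FAIL: no Strict-Transport-Security header with a numeric max-age"
            return 1 ;;
    esac
    if printf '%s\n' "$headers" | hsts_has_directive includeSubDomains; then
        subs="includeSubDomains set (every subdomain must serve valid HTTPS)"
    else
        subs="includeSubDomains not set"
    fi
    if [ "$age" -lt "$MIN_AGE" ]; then
        echo "WARN: max-age=$age is below $MIN_AGE seconds; $subs"
        return 2
    fi
    echo "OK: max-age=$age; $subs"
    return 0
}

# Constructed sample: the headers Apache sends once Step 3 is applied.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Mon, 22 Aug 2022 10:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$SAMPLE_HEADERS" | check_hsts
```

Run with MIN_AGE set to a smaller value if you deliberately start with a shorter max-age while testing; the script's exit status makes it usable from a deployment check or a monitoring job.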
Conclusion
In the above tutorial, we explained how to enable the HSTS header for Apache on Oracle Linux 8. Your website is now secured with HSTS, and browsers that have received the policy will access it only over HTTPS. Give HSTS a try on VPS hosting from Atlantic.Net!