Creating a Home Server Part 7: How to Add SSL to an Ubuntu 14.04 LAMP Web Server

With increased concerns regarding internet security, adding additional preventative measures to publicly accessible computers like the one in this Home Server Series is an almost automatic inclusion. Find out how to create a self-signed SSL certificate and force all traffic to be redirected to secure HTTPS from unsecured HTTP. A self-signed certificate uses the same encryption as a certificate generated by a signing authority like StartSSL. The main difference is that certificates from signing authorities are verified by that third party and will not throw a warning when used. Since self-signed certificates do not have third party verification, each time the secured site is visited, a warning will appear in the browser.

Video Tutorial

Prerequisites

Create a Self-Signed SSL Certificate

  1. Ensure all software packages are up to date. In ‘Terminal,’ type the following:
    sudo apt-get update && sudo apt-get upgrade -fy && sudo apt-get dist-upgrade -fy

    NOTE: If you are using a desktop version, simply run the software updater.
    01-softupdate

  2. Create a new folder directory to store the SSL certificate and create the SSL certificate,
    sudo mkdir /etc/apache2/ssl
    sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

    NOTE: The SSL certificate will be valid for two years (hence the 730 days). After which a new certificate will need to be made.
    NOTE: If the above code outputs an error, ensure that openssl is installed:

    sudo apt-get install openssl

Configure Apache Web Server

  1. Open default SSL configuration file:
    sudo nano /etc/apache2/sites-available/default-ssl.conf

    NOTE: code is found in previous image (#3)

  2. Scroll down with the arrow keyboard keys until the lines containing SSLCertificateFile and SSLCertificateKeyFile. Modify the file locations with the new SSL certificate locations.
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    04-ChangeApache

  3. Save the configuration file using the keyboard command “Ctr”+”O” and exit the editor with “Ctr”+”X”.
  4. Enable the Apache SSL mod:
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    02-enableSSL

  5. Enable the default SSL site:
    sudo a2ensite default-ssl
    sudo service apache2 restart

    05-enableSSLsite

Enable HTTP to HTTPS redirect in Apache

  1. Open the Apache configuration file:
    sudo nano /etc/apache2/apache2.conf

    10-Redirect

  2. Scroll to the bottom of the file and add the following lines:
    # HTTP to HTTPS Redirect
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    11-AddCode

  3. Save the configuration file using the keyboard command “Ctr”+”O” and exit the editor with “Ctr”+”X”.
  4. Enable the Apache rewrite mod:
    sudo a2enmod rewrite
    sudo service apache2 restart

    12-EnableRewrite

Add the Self-Signed Certificate to Firefox

  1. Open FireFox and navigate to your website using the https protocol.
    06-TestSite
  2. Click on the “Add Exception” button at the bottom of the “This Connection is Untrusted” page.
    07-Untrusted
  3. Click on the “Confirm Security Exception” button.
    08-confirmException

If Firefox redirects to the correct page, the SSL certificate installation is successful.
09-ItWorks!

Setup Port Forward the Router

The final step is to forward the appropriate port on your router for SSL, port 443. In Terminal, use the command “ifconfig” to find the IP address of the computer and  create a port forward rule for port 443 to the appropriate IP address on your router.
13-IPaddress

Closing Words

While there will never be a perfect solution for internet security, simple precautions such as adding SSL encryption can reduce the likelihood of online attacks. Other considerations for managing online risk includes separating the online computer from the rest of the network. Routers often have DMZ features which will perform this function. Join us next time as we conclude the Home Server Series.


Support Us!

Thank you for reading this article. If you found it useful, please consider buying us a coffee, subscribing to the YouTube Channel, and/or changing your Amazon bookmark to our affiliate link (CAN, USA, UK). We do this out of general interests and to help others. Thanks!