George Mason University Antonin Scalia Law School

Installing an SSL Certificate on Apache

DigiCert:

Godaddy:

Guide:

Once a certificate and key have been purchased and generated, you will need to upload the files to your server.

If FTP is enabled on the server I would recommend Filezilla or CyberDuck FTP Clients to upload your files.

Once the files are uploaded, SSH into the server and sudo mv the files into the /etc/ssl/ directory.

Next, setup your virtual host for port 443. Before you get started, make sure your server has an SSL Engine. If not, you may need to install mod_ssl. To run the mod_ssl install command use the following code:

yum install mod_ssl

Now you will be able to setup the virtual host by configuring the Apache mod_ssl module. On a standard install, the file may be located at /etc/httpd/conf.d/ssl.conf.

The default file will have a number of instructions interspersed between lines of code. The most important lines of code will need to be edited with your server and sites information. See below: (be sure to remove quote marks when entering your information)



...
SSLEngine on
SSLCertificateFile "/etc/ssl/signed certificate"
SSLCertificateChainFile "/etc/ssl/intermediate_certificate"
SSLCertificateKeyFile "/etc/ssl/private/key"

# Uncomment the following directive when using client certificate authentication
#SSLCACertificateFile /path/to/ca_certs_for_client_authentication

...

Test your Apache configuration using the following command:

apachectl configtest

If no errors have occurred, restart Apache to complete the SSL configuration. Use the following command:


apachectl stop
apachectl start

Your website will now have a green padlock when using the HTTPS protocol. To redirect all non secure traffic automatically to HTTPS, edit your site’s non-secure port 80 Virtual Host.

On a standard install, this file would be found in /etc/httpd/. Edit the virtual host using the following (be sure to remove quote marks):


ServerName "Site's url (don't include protocol) ex: mysite.example.com"
DocumentRoot "Site files directory ex: /var/www/html/site"
Redirect permanent /secure "Site's url with new secure protocol https://mysite.example.com/"

Restart Apache and you’re all set.

Simple Steps to Secure WordPress Site

  1. Keep WordPress updated
  2. Keep plugins updated
  3. Only use trusted plugins
  4. Only use trusted themes
  5. Choose a secure password
  6. No “admin” username
  7. Decent hosting
  8. Keep regular backups
  9. Restrict login attempts (use iThemes Security)
  10. Switch on SSL encryption
  11. Change database prefix
  12. Two-factor authentication (use Google Authenticator)
  13. Monitor what’s happening
  14. Block access to system files

    # protect files
    <files wp-config.php>
    Order deny,allow
    Deny from all
    </files>
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files license.txt>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    <files error_log>
    Order allow,deny
    Deny from all
    </files>

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

  15. Build your own firewall
  16. Hide .htaccess file
    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow, deny
    deny from all
    satisfy all
    </Files>
  17. Protect WP-Admin area
  18. Block PHP in uploads folder
    <Files *.php> Deny from All </Files>
  19. Tighten PHP configuration
    ; Disable allow_url_fopen in php.ini for security reasons
    allow_url_fopen = Off
    ; Disable allow_url_include in php.ini for security reasons
    allow_url_include = Off
    ; Disable display_errors in php.ini for security reasons
    display_errors = Off
    log_errors = On
  20. Create your own encryption keys
  21. Folder permissions

Source: Primary Image

OpenSSL Update

Instructions on how to secure your server against the Heartbleed vulnerability:

  1. Edit CentOS-Base.repo (vi /etc/yum.repos.d/CentOS-Base.repo)
    • Add the # sign to this URL: mirrorlist=http://... (#mirrorlist=http://...)
    • Delete # sign to this URL: #baseurl=http://... (baseurl=http://...)
  2. yum clean all
  3. yum update openssl
  4. openssl version -a (Confirm the update: exemple: 'built on: Tue Apr 8 02:39:29 UTC 2014')
  5. rpm -q --changelog openssl | head (fix can be confirmed)
  6. Restart Apache
  7. Re-edit CentOS-Base.repo (vi /etc/yum.repos.d/CentOS-Base.repo)
    • Delete the # sign to this URL: #mirrorlist=http://... (mirrorlist=http://...)
    • Add # sign to this URL: baseurl=http://... (#baseurl=http://...)

Source: GoDaddy.

Re-Keying an SSL Certificate in GoDaddy.

Turning off SSL engine in Apache for CentOS

  1. vi /etc/httpd/conf.d/ssl.conf (Edit ssl.conf)
  2. SSLEngine off (Find a line SSLEngine and turn it to off)
  3. service httpd restart (Restart the Httpd Services)

Source: Linux Toolkits