Wednesday, Debtember 07, 2022
Notes on an overheard conversation about locking the keys in the car
“Finally! I'm home!”
“Yes you are!”
“And you didn't answer your phone.”
“You didn't call!”
“Yes I did.”
“Oh! I see I did receive a call, but it was from a number not on my contact list. You know I don't answer those.”
“I was hoping you'd make an exception.”
“It's hard to make an exception when I don't know who is calling.”
“Sigh. I locked my keys in my car, and I had to walk home from Panera Bread.”
“Oh dear … ”
“Now I have to locate my spare key.”
“Oh, you mean this key.”
“Yes. Could you please drive me to my car now?”
Notes on configuring Apache mod_md
I've been tweaking my Apache configuration for the past two days,
trying to figure out what I need and don't need,
and these are just some notes I've collected on the process.
I'm using mod_md for managing the secure certificates,
and there isn't much out on the Intarwebs about what a configuration for a website should look like.
I can find plenty of pages that basically regurgitate the Apache documentation for mod_md,
but nothing on how it all goes together.
So here's an annotated version of a configuration for one of my less important sites:
<MDomainSet www.flummux.org>
MDCertificateAgreement accepted
MDContactEmail sean@conman.org
MDMember flummux.org
MDRequireHttps temporary
</MDomainSet>
The required stuff.
I've found that using MDomainSet is much cleaner than MDomain as I have multiple sites that I want to keep separated,
certificate wise.
I'm old-school when it comes to naming,
so I like using the “www” prefix and prefer that to be part of the canonical name for my domains.
I also support the plain domain name,
but only to redirect to the “www” version of the site.
If you are more hipster than I,
then just reverse the domain names.
I won't judge.
Given the push that “Encrypt All The Things!” has had,
especially from Google,
I'm expecting any month now for Google Chrome
(that has,
what?
An 85% usage rate on the Internet?)
to enable the Big Scary Error Messages on non-encrypted web requests,
so I might as well go ahead and start pushing the secure versions of my sites
(sigh—I really hate this bit,
but I think I'm in the minority on this),
thus the MDRequireHttps setting.
I tried using permanent on one of my test domains and I screwed myself over when I flubbed the mod_md configuration—I can't even reach the site from my primary browser as it is now stuck for the next six months trying to reach the secure version which isn't running.
Yes,
I could fix this by cleaning out my cache,
but that's pretty much an “all-or-nothing” option,
and for a domain I almost never use,
I can live with that for now.
I also flubbed the configuration for that domain so bad,
that I have to wait for a month before I try obtaining a certificate again.
Sigh.
<VirtualHost 71.19.142.20:80>
ServerName flummux.org
Redirect permanent / http://www.flummux.org/
Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
<VirtualHost 71.19.142.20:80>
ServerName www.flummux.org
Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
Because I'm doing the MDRequireHttps directive,
I've found that this is all I need for the non-secure settings,
which also means I don't need to duplicate the actual server settings twice,
once for the non-secure version,
and again for the secure version.
The first block is there to redirect http://domain requests to http://www.domain requests.
I'm not redirecting directly to https: here,
as the Apache documentation warns that the certificate renewal might not work.
And because I want the certificate renewal to work,
I added acme-tls/1 to the list of protocols supported.
<VirtualHost 71.19.142.20:443>
SSLEngine On
ServerName flummux.org
Redirect permanent / https://www.flummux.org/
Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
This is just to redirect https://domain requests to https://www.domain requests.
I'm not sure if I really need the acme-tls/1 setting here,
but I'm not taking a chance with the certificate renewal.
It's not clear in the Apache documentation what would happen,
and given how long I have to wait if it messes up,
I'm not willing to test it.
<VirtualHost 71.19.142.20:443>
SSLEngine on
ServerName www.flummux.org
ServerAdmin sean@conman.org
DocumentRoot /home/spc/web/sites/www.flummux.org/htdocs
AddHandler server-parsed .shtml
AddOutputFilter INCLUDES .shtml
AddOutputFilterByType DEFLATE text/html text/plain text/xml
Protocols h2 h2c http/1.1 acme-tls/1
CustomLog /home/spc/web/logs/www.flummux.org combined-deflate
FileETag MTime Size
AddDefaultCharset UTF-8
DirectoryIndex index.cgi
SetEnv LUA_PATH "/home/spc/web/sites/www.flummux.org/lua/?.lua"
SetEnv LUA_CPATH "/home/spc/web/sites/www.flummux.org/lib/?.so"
Header set Content-Security-Policy "style-src 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; default-src 'self';"
ExpiresActive On
ExpiresDefault "access plus 1 month"
ExpiresByType text/html "modification plus 1 week"
<Directory /home/spc/web/sites/www.flummux.org/htdocs>
Options All
AllowOverride None
Require all granted
</Directory>
<Directory /home/spc/web/sites/www.flummux.org/htdocs/errors>
Options -Indexes
</Directory>
ErrorDocument 404 /errors/404.shtml
</VirtualHost>
And we finally get to the configuration for the site itself. Not much to say about this, except that the “Content-Security-Policy” header is annoying to get right, and I'm not sure how much benefit it brings, but hey, this is a test site so I'll have to see how it goes.
So that's pretty much how I'm setting up each site I host. It's pretty straightforward, except for the sheer terror that I've made a typo and will have to wait a month before trying to obtain a secure certificate again. You have been warned.
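Since the expensive mistakes described above (a redirect that breaks renewal, a missing acme-tls/1, MDRequireHttps permanent locking browsers onto a broken TLS side, a Content-Security-Policy that leans on 'unsafe-inline') only show up after the rate limit has bitten, here is an added example of a small pre-restart linter for exactly those pitfalls. It is example code written for this page, not the post's own configuration and not part of Apache or mod_md; it parses a simplified subset of Apache config syntax (one directive per line, one level of block nesting), and the config it checks is a constructed sample using example.test and 192.0.2.10 with the pitfalls left in on purpose.

```python
# Added example (not from the original post, not part of Apache or mod_md):
# a small linter for the mod_md pitfalls the post describes. It understands a
# simplified subset of Apache config syntax: one directive per line and one
# level of <Block ...> nesting (nested <Directory> blocks are skipped).
import re
from dataclasses import dataclass, field

BLOCK_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
BLOCK_CLOSE = re.compile(r"^</\w+>$")


@dataclass
class Block:
    kind: str                                        # "MDomainSet", "VirtualHost", ...
    arg: str                                         # "www.example.test", "192.0.2.10:443", ...
    directives: list = field(default_factory=list)   # (name, value) pairs, in order


def parse(text: str) -> list:
    """Return the top-level blocks of a config fragment."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            depth += 1
            if depth == 1:
                current = Block(m.group(1), m.group(2).strip())
        elif BLOCK_CLOSE.match(line):
            if depth == 1 and current is not None:
                blocks.append(current)
                current = None
            depth -= 1
        elif depth == 1 and current is not None:
            name, _, value = line.partition(" ")
            current.directives.append((name, value.strip()))
    return blocks


def get(block: Block, name: str) -> list:
    """Values of every directive called `name` (Apache directive names are case-insensitive)."""
    return [v for n, v in block.directives if n.lower() == name.lower()]


def lint(text: str) -> list:
    """Return one human-readable finding per pitfall found."""
    findings = []
    for b in parse(text):
        if b.kind == "MDomainSet":
            if get(b, "MDCertificateAgreement") != ["accepted"]:
                findings.append(f"{b.arg}: MDCertificateAgreement accepted is required")
            if not get(b, "MDContactEmail"):
                findings.append(f"{b.arg}: MDContactEmail is required")
            if "permanent" in get(b, "MDRequireHttps"):
                findings.append(f"{b.arg}: MDRequireHttps permanent sends HSTS; browsers "
                                "will refuse plain http for six months if TLS breaks")
        elif b.kind == "VirtualHost":
            name = (get(b, "ServerName") or ["?"])[0]
            port = b.arg.rsplit(":", 1)[-1]
            where = f"{name}:{port}"
            # tls-alpn-01 renewal needs the ALPN protocol id advertised on the host
            if "acme-tls/1" not in " ".join(get(b, "Protocols")).split():
                findings.append(f"{where}: Protocols lacks acme-tls/1, so tls-alpn-01 renewal cannot use this host")
            # the post keeps http:// -> http://www redirects on port 80 for this reason
            if port == "80" and any("https://" in r for r in get(b, "Redirect")):
                findings.append(f"{where}: redirects http to https; the Apache docs warn renewal may not work")
            if port == "443" and "on" not in [v.lower() for v in get(b, "SSLEngine")]:
                findings.append(f"{where}: SSLEngine on is missing")
            for h in get(b, "Header"):
                if "content-security-policy" in h.lower():
                    weak = [t for t in ("'unsafe-inline'", "'unsafe-eval'") if t in h]
                    if weak:
                        findings.append(f"{where}: CSP allows {' '.join(weak)}, which weakens its XSS protection")
    return findings


# Constructed sample in the shape of the post's config, with the pitfalls left in.
SAMPLE_CONFIG = """
<MDomainSet www.example.test>
MDCertificateAgreement accepted
MDContactEmail admin@example.test
MDMember example.test
MDRequireHttps permanent
</MDomainSet>
<VirtualHost 192.0.2.10:80>
ServerName example.test
Redirect permanent / https://www.example.test/
Protocols h2 h2c http/1.1
</VirtualHost>
<VirtualHost 192.0.2.10:443>
SSLEngine on
ServerName www.example.test
Protocols h2 h2c http/1.1 acme-tls/1
Header set Content-Security-Policy "script-src 'unsafe-inline' 'self'; default-src 'self';"
<Directory /srv/www/htdocs>
Require all granted
</Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real vhost file before `apachectl graceful` and it reports four findings for the sample: the permanent HSTS lock-in, the port-80 host that both lacks acme-tls/1 and redirects straight to https://, and the CSP that still permits inline scripts. The checks are deliberately narrow and only cover what the post discusses; `apachectl -t` still has to pass for the syntax itself.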