Wednesday, Debtember 07, 2022
Notes on configuring Apache mod_md
I've been tweaking my Apache configuration for the past two days,
trying to figure out what I need and don't need,
and these are just some notes I've collected on the process.
mod_md for managing the secure certificates,
and there isn't much out on the Intarwebs about what a configuration for a website should look like.
I can find plenty of pages that basically regurgitate the Apache documentation for
but nothing on how it all goes together.
So here's an annotated version of a configuration for one of my less important sites:
<MDomainSet www.flummux.org>
  MDCertificateAgreement accepted
  MDContactEmail firstname.lastname@example.org
  MDMember flummux.org
  MDRequireHttps temporary
</MDomainSet>
The required stuff.
I've found that using
MDomainSet is much cleaner than
MDomain as I have multiple sites that I want to keep separated,
I'm old-school when it comes to naming,
so I like using the “www” prefix and prefer that to be part of the canonical name for my domains.
I also support the plain domain name,
but only to redirect to the “www” version of the site.
If you are more hipster than I,
then just reverse the domain names.
I won't judge.
Given the push that “Encrypt All The Things!” has had,
especially from Google,
I'm expecting any month now for Google Chrome
An 85% usage rate on the Internet?)
to enable the Big Scary Error Messages on non-encrypted web requests,
so I might as well go ahead and start pushing the secure versions of my sites
(sigh—I really hate this bit,
but I think I'm in the minority on this),
I tried using
permanent on one of my test domains and I screwed myself over when I flubbed the
mod_md configuration—I can't even reach the site from my primary browser as it is now stuck for the next six months trying to reach the secure version which isn't running.
I could fix this by cleaning out my cache,
but that's pretty much an “all-or-nothing” option,
and for a domain I almost never use,
I can live with that for now.
I also flubbed the configuration for that domain so bad,
that I have to wait for a month before I try obtaining a certificate again.
<VirtualHost 126.96.36.199:80>
  ServerName flummux.org
  Redirect permanent / http://www.flummux.org/
  Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>

<VirtualHost 188.8.131.52:80>
  ServerName www.flummux.org
  Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
Because I'm doing the
I've found that this is all I need for the non-secure settings,
which also means I don't need to duplicate the actual server settings twice,
once for the non-secure version,
and again for the secure version.
The first block is there to redirect
http://domain requests to
I'm not redirecting directly to
as the Apache documentation warns that the certificate renewal might not work.
And because I want the certificate renewal to work,
acme-tls/1 to the list of protocols supported.
<VirtualHost 184.108.40.206:443>
  SSLEngine On
  ServerName flummux.org
  Redirect permanent / https://www.flummux.org/
  Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
This is just to redirect
https://domain requests to
I'm not sure if I really need the
acme-tls/1 setting here,
but I'm not taking a chance with the certificate renewal.
It's not clear in the Apache documentation what would happen,
and given how long I have to wait if it messes up,
I'm not willing to test it.
<VirtualHost 220.127.116.11:443>
  SSLEngine on
  ServerName www.flummux.org
  ServerAdmin email@example.com
  DocumentRoot /home/spc/web/sites/www.flummux.org/htdocs
  AddHandler server-parsed .shtml
  AddOutputFilter INCLUDES .shtml
  AddOutputFilterByType DEFLATE text/html text/plain text/xml
  Protocols h2 h2c http/1.1 acme-tls/1
  CustomLog /home/spc/web/logs/www.flummux.org combined-deflate
  FileETag MTime Size
  AddDefaultCharset UTF-8
  DirectoryIndex index.cgi
  SetEnv LUA_PATH "/home/spc/web/sites/www.flummux.org/lua/?.lua"
  SetEnv LUA_CPATH "/home/spc/web/sites/www.flummux.org/lib/?.so"
  Header set Content-Security-Policy "style-src 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; default-src 'self';"
  ExpiresActive On
  ExpiresDefault "access plus 1 month"
  ExpiresByType text/html "modification plus 1 week"

  <Directory /home/spc/web/sites/www.flummux.org/htdocs>
    Options All
    AllowOverride None
    Require all granted
  </Directory>

  <Directory /home/spc/web/sites/www.flummux.org/htdocs/errors>
    Options -Indexes
  </Directory>

  ErrorDocument 404 /errors/404.shtml
</VirtualHost>
And we finally get to the configuration for the site itself. Not much to say about this, except that the “Content-Security-Policy” header is annoying to get right, and I'm not sure how much benefit it brings, but hey, this is a test site so I'll have to see how it goes.
So that's pretty much how I'm setting up each site I host. It's pretty straightforward, except for the sheer terror that I've made a typo and will have to wait a month before trying to obtain a secure certificate again. You have been warned.
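
One way to catch a mismatch between the managed names and the virtual hosts before reloading Apache, as an added example that is not part of the original post: a small Python check of the layout described above. The function name, the sample config and its addresses are constructed for illustration, it assumes one directive per line, and its rules encode this post's conventions rather than anything mod_md itself enforces.

```python
# Constructed sample in this post's layout (names and addresses are placeholders).
SAMPLE = """\
<MDomainSet www.example.org>
  MDMember example.org
  MDRequireHttps permanent
</MDomainSet>
<VirtualHost 192.0.2.1:443>
  SSLEngine on
  ServerName www.example.org
  Protocols h2 http/1.1
</VirtualHost>
"""

def check_md_config(text):
    """Return findings for a one-directive-per-line Apache config (hypothetical helper)."""
    managed, vhosts, findings, block = set(), [], [], None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if not words:
            continue
        key, args = words[0].lower(), [w.rstrip(">").lower() for w in words[1:]]
        if key in ("<mdomainset", "<mdomain"):
            block = "md"
            managed.update(a for a in args if a)
        elif key == "<virtualhost":
            block = {"port": args[0].rsplit(":", 1)[-1], "name": None, "ssl": False, "protocols": []}
            vhosts.append(block)
        elif key in ("</mdomainset>", "</mdomain>", "</virtualhost>"):
            block = None
        elif block == "md" and args:
            if key == "mdmember":
                managed.update(args)
            elif key == "mdrequirehttps" and args[0] == "permanent":
                findings.append("MDRequireHttps permanent: browsers pin HTTPS for this host (HSTS)")
        elif isinstance(block, dict) and args:        # inside a <VirtualHost>
            if key == "servername":
                block["name"] = args[0]
            elif key == "sslengine":
                block["ssl"] = args[0] == "on"
            elif key == "protocols":
                block["protocols"] = args
    for name in sorted(managed):                      # every managed name needs a TLS vhost
        tls = [v for v in vhosts if v["name"] == name and v["port"] == "443" and v["ssl"]]
        if not tls:
            findings.append(f"{name}: no :443 VirtualHost with SSLEngine on")
        elif any("acme-tls/1" not in v["protocols"] for v in tls):
            findings.append(f"{name}: :443 VirtualHost lacks acme-tls/1 in Protocols")
    return findings
```

Run it over the real configuration file's text alongside `apachectl configtest`, which checks syntax but not whether the managed names and virtual hosts line up.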