From the course: Ubuntu Linux: Providing Services

Enable HTTPS

- [Instructor] It's important to secure information traveling between clients and the server, and this is accomplished using HTTPS. HTTPS or HTTP Secure uses TLS, Transport Layer Security, to encrypt traffic between the server and the client. This used to be called SSL, and that name has stuck around in many places. In order to enable HTTPS, a web server needs a certificate. The certificate and the key associated with it are what allow the server and client to encrypt and decrypt their communications. Certificates also carry information about the name of the server and information about what organization has signed the certificate. Signing indicates whether a certificate has been vouched for by a certificate authority, in which case we say that the certificate is valid and trusted. With a valid, trusted certificate, web browsers will indicate that a site is trusted, usually with a lock icon or a green colored name. We can get a certificate in a few different ways. We can purchase a certificate from a certificate authority, which we might want to do if we host a website on the internet, or we can use a service like Let's Encrypt to generate trusted certificates for us for free. We can also create our own certificate, which browsers won't automatically trust but which will secure the information between the browser and our server. Or we can use a placeholder certificate that comes with the web server software. This is called the snakeoil certificate, and it should not be used in production, but it's a useful stand-in for a real certificate when we're getting things set up. It'll also allow communication between a browser and the server to be encrypted, but it isn't something we should rely on if we truly need to secure data. Regardless of which process we use, the changes we make to the web server are the same. So let's set our web server up with HTTPS using the snakeoil certificate to see how the process works. 
We've seen how to configure a virtual host, so let's dig into the template SSL virtual host that comes with the Apache installation. We can find that in /etc/apache2/sites-available/default-ssl.conf. This virtual host serves up content on port 443, the default for HTTPS, and there are a few different directives here, configuring various aspects of the encryption that we need for HTTPS. The SSLEngine directive here is what tells the server to use that module for this virtual host. And further down, we can see the path where the server can find both the certificate and the private key for the certificate. As I mentioned, Apache comes with what's called a snakeoil certificate. It's called snake oil because it looks like a genuine certificate, but it's really not. It'll provide encryption, but it's not signed or trusted, so it should never be used in production. If you get your own certificate, whether it's self-signed or from a certificate authority, you'll need to copy the files somewhere the server can find them and put the paths into the virtual host file. Or you might use a tool like Certbot from Let's Encrypt, which handles generating and rotating certificates for us. To learn more about setting up certificates, whether they're self-signed or generated by your own certificate authority or generated by a third party, take a look at our LinkedIn Learning courses about TLS and about web services. I'll stick with these basic settings here, though. This is the minimum setup for enabling an HTTPS site. There are other options we can set as well to further configure the service, like adding intermediate certificates or other certificate authorities. It can be useful to add intermediate certs and certificate authorities if your organization is set up as a certificate authority for itself. Or if you want to use a trust chain that browsers and operating systems don't ship with, you may need to tweak these settings to suit your requirements, but I'll leave them alone here. 
As with other virtual hosts, you can duplicate this file and use the copies to host different secure sites by adding a ServerName directive to have a particular virtual host respond to that name on port 443. I haven't made any changes here, so I'll exit nano. The next thing we need to do is to enable the SSL module. To do that, I'll write a2enmod ssl. I'll also need to enable my site. To do that, I'll write a2ensite default-ssl.conf. Then I'll need to reload the Apache service for these changes to take effect. I'll type systemctl reload apache2. To allow clients to connect to our system on port 443 and view our HTTPS site, we'll need to update the firewall. I'll type ufw allow from 10.0.2.0/24 to any app "Apache Secure". Then I'll switch to my browser and I'll navigate to my site. I'll type https://server-vm.example.com. Here, I see a security warning. Firefox recognizes that the certificate that I'm using isn't trusted. I'll click on Advanced to see some more details. And here I can see the reason that Firefox is showing me an error. I'll choose to accept the risk and continue. And here's my website. The communication between my browser and the server is encrypted now, but remember, we're using a certificate that shouldn't be used in production. To find out how to use your own certificate, check out our courses about that here on LinkedIn Learning.
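
The transcript stresses that the snakeoil certificate must not reach production. The script below is an added example, not part of the course material: it audits a virtual host file for SSLEngine, the certificate and key paths, and any leftover snakeoil reference. The function names are hypothetical, the sample file is constructed (its snakeoil paths are the ones Ubuntu's ssl-cert package installs), and the replacement certificate paths are placeholders.

```shell
#!/bin/sh
# Added example: pre-production audit of an Apache SSL virtual host file.

# Print the value of the last uncommented occurrence of a directive.
# $1 = directive name (case-insensitive, as in Apache), $2 = vhost file
vhost_directive() {
    awk -v d="$1" '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == tolower(d) { gsub(/"/, "", $2); v = $2 }
        END { print v }' "$2"
}

# Print findings for one vhost file; return 0 only if nothing was flagged.
audit_ssl_vhost() {
    f=$1; rc=0
    engine=$(vhost_directive SSLEngine "$f" | tr 'A-Z' 'a-z')
    cert=$(vhost_directive SSLCertificateFile "$f")
    key=$(vhost_directive SSLCertificateKeyFile "$f")
    [ "$engine" = on ] || { echo "FAIL: SSLEngine is not on"; rc=1; }
    [ -n "$cert" ]     || { echo "FAIL: SSLCertificateFile is not set"; rc=1; }
    [ -n "$key" ]      || { echo "FAIL: SSLCertificateKeyFile is not set"; rc=1; }
    case "$cert $key" in
        *snakeoil*) echo "FAIL: snakeoil placeholder still configured"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $f serves $cert"
    return "$rc"
}

# Constructed sample modelled on the template virtual host described above.
write_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName server-vm.example.com
    SSLEngine on
    # SSLCertificateFile /etc/ssl/certs/commented-out.pem
    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
EOF
}

demo_dir=$(mktemp -d)
write_sample_vhost "$demo_dir/default-ssl.conf"
# Second file: same vhost pointed at placeholder paths for a real certificate.
sed 's/ssl-cert-snakeoil/server-vm.example.com/' \
    "$demo_dir/default-ssl.conf" > "$demo_dir/site-ssl.conf"
audit_ssl_vhost "$demo_dir/default-ssl.conf" || true   # flagged
audit_ssl_vhost "$demo_dir/site-ssl.conf" || true      # passes
```

On a real server, point audit_ssl_vhost at each file under /etc/apache2/sites-enabled/ before exposing port 443 beyond the test network.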
