HTTPS Support Notes
+++++++++++++++++++

.. warning::

   This is obsolete, as we're currently using caddy for HTTPS support, which
   manages certificates automatically.

Prepare for SSL Certificate
---------------------------

Follow the instructions at https://certbot.eff.org/instructions?ws=apache&os=snap

Get certificates from letsencrypt.com
-------------------------------------

::

    certbot --apache -d {server}scoretility.com certonly

Update /etc/httpd/sites-available/{server}scoretility.com.conf

::

    <VirtualHost *:80>
        ServerName members.loutilities.com
        ServerAlias www.members.loutilities.com
        # plain http only redirects to https
        Redirect permanent / https://members.loutilities.com/
        DocumentRoot /var/www/www.members.loutilities.com
        LogLevel warn
        ErrorLog /var/www/www.members.loutilities.com/logs/error.log
        CustomLog /var/www/www.members.loutilities.com/logs/requests.log combined
        # access directives for the document root (their <Directory> wrapper is not recorded in these notes)
        allow from all
        Options +Indexes
    </VirtualHost>

    <VirtualHost *:443>
        ServerName members.loutilities.com
        ServerAlias www.members.loutilities.com
        ServerAdmin lking@pobox.com
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/www.members.loutilities.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.members.loutilities.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/www.members.loutilities.com/chain.pem
        DocumentRoot /var/www/www.members.loutilities.com/members
        # wsgi stuff - needs to be unique among vhosts
        WSGIScriptReloading On
        ProxyPass / http://proxysvr.loutilities.com:8005/
        ProxyPassReverse / http://proxysvr.loutilities.com:8005/
        # "set" overwrites any X-Forwarded-* value the client supplied, so the
        # backend only ever sees the proxy's own values
        RequestHeader set X-Forwarded-Port 443
        RequestHeader set X-Forwarded-Scheme https
        # access directives for the document root (their <Directory> wrapper is not recorded in these notes)
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order deny,allow
        allow from all
        LogLevel warn
        ErrorLog /var/www/www.members.loutilities.com/logs/error.log
        CustomLog /var/www/www.members.loutilities.com/logs/requests.log combined
    </VirtualHost>

Then restart apache

::

    sudo apachectl restart

Notes
-----

- http://www.wpbeginner.com/wp-tutorials/how-to-add-ssl-and-https-in-wordpress/
- https://managewp.com/wordpress-ssl-settings-and-how-to-resolve-mixed-content-warnings
- mixed content - see https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
- browser cache - https://codex.wordpress.org/I_Make_Changes_and_Nothing_Happens
- android trust - https://community.letsencrypt.org/t/android-doesnt-trust-the-certificate/16498/2

admin vs. apache user
~~~~~~~~~~~~~~~~~~~~~

Jason Scaroni suggested I have a non-privileged apache user for
scoretility.com and sandbox.steeplechasers.org, and a privileged
(non-root) admin user.

One possibility is to remove scoretility and sandboxsteeps from the wheel
group (i.e., no sudo for these users) and create a user such as lking for
both sites. lking is the administrative user and would be put into wheel.

Not sure, but it might be a good idea to have separate ssh keys for
scoretility, sandboxsteeps and loutilityadmin.

For sandboxsteeps, apache needs to be able to write into the document
tree. Not so sure about scoretility, but I think not.

sandboxsteeps should be added to the apache group, and files it creates
should default to owner sandboxsteeps, group apache (sandboxsteeps:apache).

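The account layout just described can be verified rather than assumed. The script below is an added example and not part of these notes: it checks group membership against /etc/group- and /etc/passwd-style files passed in as arguments, so the constructed sample files it writes (uid and gid values are made up) stand in for the live host. It checks both membership routes, because a primary group set with ``usermod -g apache`` never appears in the apache line of /etc/group.

```sh
#!/bin/sh
# Added example, not part of the original notes: check the admin vs. apache
# account layout against /etc/group- and /etc/passwd-style files. The files
# are passed in as arguments so the check can run on the constructed samples
# written by write_samples (uid/gid values are made up) as well as on a host.

# Print 1 if user $2 belongs to group $1, else 0. Both membership routes are
# checked: the supplementary list in the group file (usermod -a -G) and the
# primary gid in the passwd file (usermod -g), which never appears in /etc/group.
in_group() {
    grp=$1; user=$2; groupfile=$3; passwdfile=$4
    supp=$(awk -F: -v g="$grp" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
        END { print hit + 0 }' "$groupfile")
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3 }' "$groupfile")
    prim=$(awk -F: -v u="$user" -v gid="$gid" '
        $1 == u && gid != "" && $4 == gid { hit = 1 }
        END { print hit + 0 }' "$passwdfile")
    if [ "$supp" = 1 ] || [ "$prim" = 1 ]; then echo 1; else echo 0; fi
}

# Apply the layout rules from the notes; print each failure, return 0 when all hold.
check_layout() {
    groupfile=$1; passwdfile=$2; problems=0
    # site accounts must not hold sudo via wheel
    for u in sandboxsteeps scoretility; do
        if [ "$(in_group wheel "$u" "$groupfile" "$passwdfile")" = 1 ]; then
            echo "FAIL: $u is in wheel (has sudo)"; problems=$((problems + 1))
        fi
    done
    # the admin account is the one that keeps sudo
    if [ "$(in_group wheel lking "$groupfile" "$passwdfile")" != 1 ]; then
        echo "FAIL: admin user lking is not in wheel"; problems=$((problems + 1))
    fi
    # sandboxsteeps must share the apache group to write the document tree
    if [ "$(in_group apache sandboxsteeps "$groupfile" "$passwdfile")" != 1 ]; then
        echo "FAIL: sandboxsteeps is not in the apache group"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample files reflecting the layout after the steps have been run.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
lking:x:1000:1000::/home/lking:/bin/bash
scoretility:x:1001:1001::/home/scoretility:/bin/bash
sandboxsteeps:x:1002:48::/home/sandboxsteeps:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:lking
apache:x:48:sandboxsteeps
lking:x:1000:
scoretility:x:1001:
sandboxsteeps:x:1002:sandboxsteeps
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_layout "$dir/group" "$dir/passwd" && echo "account layout OK"
rm -rf "$dir"
```

On a real host, call ``check_layout /etc/group /etc/passwd``; the user names are the ones from these notes and are hard-coded in check_layout.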
Notes
^^^^^

- add user - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Step_by_Step_Guide/s1-starting-create-account.html

  - useradd

- add user to group - https://www.howtogeek.com/50787/add-a-user-to-a-group-or-second-group-on-linux/

  - usermod -a -G

- change primary group for user

  - usermod -g

- remove user from group - https://unix.stackexchange.com/questions/29570/how-do-i-remove-a-user-from-a-group

  - gpasswd -d

- add acl - http://unix.stackexchange.com/questions/115631/getting-new-files-to-inherit-group-permissions-on-linux

  - sudo setfacl -Rdm g::

- remove acl - sudo setfacl -R --remove-all
- set group for directory - http://stackoverflow.com/questions/1321168/bash-scripting-how-to-set-the-group-that-new-files-will-be-created-with

  - chmod g+s

steps
^^^^^

- sudo gpasswd -d sandboxsteeps wheel # no sudo for you, one year
- sudo usermod -a -G apache sandboxsteeps # play nice with apache
- sudo usermod -g apache sandboxsteeps # now apache is primary group
- sudo usermod -a -G sandboxsteeps sandboxsteeps # add sandboxsteeps group
- sudo chown -R apache:apache /var/www/sandbox.steeplechasers.org/wordpress/ # apache group for wordpress files
- sudo chown -R sandboxsteeps:apache /var/www/sandbox.steeplechasers.org/wordpress/wp-content/themes/steeps # sandboxsteeps owner for steeps theme
- sudo chmod -R 700 /var/www/sandbox.steeplechasers.org/wordpress/
- sudo chmod -R g+r-x+X /var/www/sandbox.steeplechasers.org/wordpress/
- sudo chmod -R g+w /var/www/sandbox.steeplechasers.org/wordpress/wp-content/plugins # apache needs write access for some directories
- sudo chmod -R g+w /var/www/sandbox.steeplechasers.org/wordpress/wp-content/themes
- sudo chmod -R g+w /var/www/sandbox.steeplechasers.org/wordpress/wp-content/upgrade
- sudo chmod -R g+w /var/www/sandbox.steeplechasers.org/wordpress/wp-content/uploads
- sudo chmod -R g+w /var/www/sandbox.steeplechasers.org/wordpress/wp-content/wflogs # wordfence plugin
- sudo chown -R sandboxsteeps:sandboxsteeps /home/sandboxsteeps
- sudo chmod -R g+s /home/sandboxsteeps

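The permission model the steps above set up can be audited afterwards. The script below is an added example, not part of these notes: it flags anything world-writable and any group-writable path outside the wp-content directories the steps grant apache write access to, and demonstrates itself on a constructed wordpress/ tree built in a temp directory (the directory and file names in the demo are made up, and the chown to apache is skipped so it runs unprivileged where no apache group exists).

```sh
#!/bin/sh
# Added example (not part of the original notes): audit a WordPress document
# tree against the permission model the steps above set up. Two rules:
#   1. nothing in the tree is world-writable;
#   2. group (apache) write access exists only under the wp-content
#      directories the steps grant it: plugins, themes, upgrade, uploads, wflogs.
# Ownership (sandboxsteeps:apache) is not checked, so this runs unprivileged
# against a constructed tree; on a real host pass the wordpress/ path instead.

# Report violations for the tree at $1; return 0 when clean, 1 otherwise.
audit_wp_perms() {
    tree=$1
    violations=0

    # Rule 1: any entry with the others-write bit (octal 002) set.
    hits=$(find "$tree" -perm -002 -print)
    if [ -n "$hits" ]; then
        printf 'world-writable:\n%s\n' "$hits"
        violations=$((violations + 1))
    fi

    # Rule 2: group-write bit (020) set outside the apache-writable directories.
    hits=$(find "$tree" -perm -020 \
        ! -path "$tree/wp-content/plugins*" \
        ! -path "$tree/wp-content/themes*" \
        ! -path "$tree/wp-content/upgrade*" \
        ! -path "$tree/wp-content/uploads*" \
        ! -path "$tree/wp-content/wflogs*" -print)
    if [ -n "$hits" ]; then
        printf 'group-writable outside apache directories:\n%s\n' "$hits"
        violations=$((violations + 1))
    fi

    [ "$violations" -eq 0 ]
}

# Build a constructed wordpress/ tree in a temp dir and apply the chmod recipe
# from the steps list (the chown to apache is skipped: no apache group here).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/plugins/wordfence" \
        "$root/wp-content/themes/steeps" "$root/wp-content/upgrade" \
        "$root/wp-content/uploads" "$root/wp-content/wflogs"
    touch "$root/wp-config.php" "$root/wp-admin/index.php" \
        "$root/wp-content/plugins/wordfence/wordfence.php" \
        "$root/wp-content/themes/steeps/style.css"
    chmod -R 700 "$root"
    chmod -R g+r-x+X "$root"
    for d in plugins themes upgrade uploads wflogs; do
        chmod -R g+w "$root/wp-content/$d"
    done
    echo "$root"
}

root=$(make_demo_tree)
audit_wp_perms "$root" && echo "clean: $root"
rm -rf "$root"
```

Pass the real wordpress/ directory to audit_wp_perms to check a host; because ownership is not checked, pair it with ``find <tree> ! -group apache`` on a system where the apache group exists.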
Security Tips
-------------

- apache security hardening - http://www.anchor.com.au/hosting/dedicated/Security_Hardening_of_an_Apache_Virtual_Host
- 13 security tips - http://www.tecmint.com/apache-security-tips/
- wordpress -

  - https://codex.wordpress.org/Hardening_WordPress
  - https://codex.wordpress.org/Changing_File_Permissions
  - http://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress

- backups - https://codex.wordpress.org/WordPress_Backups