HTTPS Support Notes

Prepare for SSL Certificate

  • sudo yum install python-certbot-apache

Get certificates from

  • certbot --apache -d {server} certonly

  • update /etc/httpd/sites-available/{server}

    # Plain HTTP: send every request to the HTTPS site
    <VirtualHost *:80>
        ServerName {server}
        Redirect permanent / https://{server}
    </VirtualHost>

    <VirtualHost *:443>
        ServerName {server}

[for production

        # TLS with the Let's Encrypt files obtained by certbot
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/{server}
        SSLCertificateKeyFile /etc/letsencrypt/live/{server}
        SSLCertificateChainFile /etc/letsencrypt/live/{server}

        DocumentRoot /var/www/{server}

        # Restrictive default for the filesystem root
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>

        # Site document tree (.htaccess overrides allowed)
        <Directory /var/www/{server}>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        LogLevel warn
        ErrorLog /var/www/{server}
        CustomLog /var/www/{server} combined
    </VirtualHost>

  • sudo apachectl restart


mixed content - see

browser cache -

android trust -

admin vs. apache user

Jason Scaroni suggested I have a non-privileged apache user for and, and a privileged (non-root) admin

One possibility is to remove scoretility and sandboxsteeps from the wheel group (i.e., no sudo for these users) and create an lking user (e.g.) for both. lking is the administrative user and would be put into wheel.

Not sure but it might be a good idea to have separate ssh keys for scoretility, sandboxsteeps and loutilityadmin

For sandboxsteeps, need apache to be able to write into the document tree. Not so sure about scoretility, but I think not.

sandboxsteeps should be added to apache group, and default file create should be sandboxsteeps:apache



  • sudo gpasswd -d sandboxsteeps wheel # no sudo for you, one year

  • sudo usermod -a -G apache sandboxsteeps # play nice with apache

  • sudo usermod -g apache sandboxsteeps # now apache is primary group

  • sudo usermod -a -G sandboxsteeps sandboxsteeps # add sandboxsteeps


  • sudo chown -R apache:apache /var/www/ # apache group for wordpress files

  • sudo chown -R sandboxsteeps:apache /var/www/ # sandboxsteeps owner for steeps theme

  • sudo chmod -R 700 /var/www/

  • sudo chmod -R g+r-x+X /var/www/

  • sudo chmod -R g+w /var/www/ # apache needs write access for some directories

  • sudo chmod -R g+w


  • sudo chmod -R g+w


  • sudo chmod -R g+w


  • sudo chmod -R g+w /var/www/ # wordfence plugin

  • sudo chown -R sandboxsteeps:sandboxsteeps /home/sandboxsteeps

  • sudo chmod -R g+s /home/sandboxsteeps
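
An added example, not part of the original notes: a shell audit for the mode scheme the commands above set up (no access for "other", group write only where apache needs it). It also shows that after `chmod -R 700` the `g+r-x+X` step leaves regular files group-executable, because `X` honours the owner's execute bit that 700 just set. The demo directory names and the 750/640 split are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes). Directory names are constructed.

# Build a small stand-in for a WordPress document root and print its path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/themes"
    : > "$t/index.php"
    : > "$t/wp-content/themes/style.css"
    : > "$t/wp-content/uploads/a.png"
    printf '%s\n' "$t"
}

# The two recursive chmod steps exactly as written in the notes.
apply_notes_modes() {
    chmod -R 700 "$1"
    chmod -R g+r-x+X "$1"
}

# Assumed intent: directories 750, regular files 640, set separately.
apply_split_modes() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Report policy violations under $1; remaining arguments are the
# directories where group write (for apache) is expected.
audit_webroot() {
    root=$1; shift
    find "$root" \( -perm -004 -o -perm -002 -o -perm -001 \) |
        sed 's/^/other-access: /'
    find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
        sed 's/^/exec-file: /'
    find "$root" -perm -020 | while IFS= read -r p; do
        ok=no
        for d in "$@"; do
            case $p in "$d"|"$d"/*) ok=yes ;; esac
        done
        [ "$ok" = yes ] || printf 'group-write: %s\n' "$p"
    done
}

# Demo: the notes' sequence leaves every file group-executable (750).
if [ "${1:-}" = demo ]; then
    t=$(make_demo_tree)
    apply_notes_modes "$t"; audit_webroot "$t"
    apply_split_modes "$t"; audit_webroot "$t"
    rm -rf "$t"
fi
```

Run it with the argument `demo` to see the report before and after the split modes; on a real server, pass the document root and the directories that received `g+w` to `audit_webroot`.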

Security Tips