* * * * *
Notes on configuring Apache mod_md
I've been tweaking my Apache configuration [1] for the past two days [2],
trying to figure out what I need and don't need, and these are just some
notes I've collected on the process. I'm using mod_md [3] for managing the
secure certificates, and there isn't much out on the Intarwebs about what a
configuration for a website should look like. I can find plenty of pages that
basically regurgitate the Apache documentation for mod_md, but nothing on
how it all goes together. So here's an annotated version of a configuration
for one of my less important sites:
-----[ ApacheConf ]-----
<MDomainSet www.flummux.org>
MDCertificateAgreement accepted
MDContactEmail [email protected]
MDMember flummux.org
MDRequireHttps temporary
</MDomainSet>
-----[ END OF LINE ]-----
The required stuff. I've found that using MDomainSet is much cleaner than
MDomain as I have multiple sites that I want to keep separated,
certificate-wise. I'm old-school when it comes to naming, so I like using the
“www” prefix and prefer that to be part of the canonical name for my domains.
I also support the plain domain name, but only to redirect to the “www”
version of the site. If you are more hipster than I, then just reverse the
domain names. I won't judge.
Given the push that “Encrypt All The Things!” has had, especially from
Google, I'm expecting any month now for Google Chrome (that has, what? An 85%
usage rate on the Internet?) to enable the Big Scary Error Messages on non-
encrypted web requests, so I might as well go ahead and start pushing the
secure versions of my sites (sigh—I really hate this bit, but I think I'm in
the minority on this), thus the MDRequireHttps setting. I tried using
permanent on one of my test domains and I screwed myself over when I flubbed
the mod_md configuration—I can't even reach the site from my primary browser
as it is now stuck for the next six months trying to reach the secure version
which isn't running. Yes, I could fix this by cleaning out my cache, but
that's pretty much an “all-or-nothing” option, and for a domain I almost
never use, I can live with that for now. I also flubbed the configuration for
that domain so badly that I have to wait for a month before I try obtaining a
certificate again.
Sigh.
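The six-month lockout described above is the browser's HSTS cache doing what it was told. The following model is an added example, not code from this post or from mod_md: it encodes what mod_md documents for the two MDRequireHttps modes (temporary sends a 302, permanent sends a 301 and adds a Strict-Transport-Security header to https: responses with a max-age of roughly six months; the exact second count below is an assumption) and a minimal RFC 6797 browser that honours that header only over https: and rewrites later http: requests to https: until it expires. The host name is constructed.

```python
"""Model of what MDRequireHttps temporary vs. permanent does to a browser."""
from dataclasses import dataclass, field

SIX_MONTHS = 6 * 30 * 24 * 3600   # assumed approximation of mod_md's max-age
HOST = "www.example.test"          # constructed host name


def http_response(mode, host, path="/"):
    """Status and headers Apache sends for a plain-http request (as documented)."""
    target = f"https://{host}{path}"
    if mode == "temporary":
        return 302, {"Location": target}
    if mode == "permanent":
        return 301, {"Location": target}
    raise ValueError(f"unknown MDRequireHttps mode {mode!r}")


def https_response(mode):
    """Headers on the https: answer; only 'permanent' adds HSTS."""
    headers = {"Content-Type": "text/html"}
    if mode == "permanent":
        headers["Strict-Transport-Security"] = f"max-age={SIX_MONTHS}"
    return headers


@dataclass
class Browser:
    """Minimal HSTS store: host -> time at which the pin expires."""
    hsts: dict = field(default_factory=dict)

    def observe(self, host, scheme, headers, now):
        sts = headers.get("Strict-Transport-Security")
        if scheme != "https" or sts is None:   # RFC 6797 s8.1: ignored over http
            return
        for directive in sts.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.strip().lower() == "max-age":
                max_age = int(value.strip().strip('"'))
                if max_age == 0:
                    self.hsts.pop(host, None)      # max-age=0 clears the pin
                else:
                    self.hsts[host] = now + max_age

    def effective_url(self, scheme, host, path, now):
        """URL the browser will actually request; http: is rewritten while pinned."""
        expiry = self.hsts.get(host)
        if scheme == "http" and expiry is not None and now < expiry:
            return f"https://{host}{path}"
        return f"{scheme}://{host}{path}"


def later_request_url(mode, days_later=1, host=HOST):
    """Visit the site once while https: works, come back days_later days after
    the https: side has broken, and report the URL the browser will try."""
    browser = Browser()
    _, headers = http_response(mode, host)
    browser.observe(host, "http", headers, now=0)             # has no effect
    browser.observe(host, "https", https_response(mode), now=0)
    return browser.effective_url("http", host, "/", now=days_later * 86400)


if __name__ == "__main__":
    for mode in ("temporary", "permanent"):
        print(mode, "->", later_request_url(mode))
```

With `temporary` the browser simply follows the redirect it is given each time, so when the https: site breaks, the plain http: site is still reachable; with `permanent` the rewrite happens inside the browser before any request leaves it, and nothing the server does over http: can undo the pin before max-age runs out.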
-----[ ApacheConf ]-----
<VirtualHost 71.19.142.20:80>
ServerName flummux.org
Redirect permanent / http://www.flummux.org/
Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
<VirtualHost 71.19.142.20:80>
ServerName www.flummux.org
Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
-----[ END OF LINE ]-----
Because I'm doing the MDRequireHttps directive, I've found that this is all I
need for the non-secure settings, which also means I don't need to duplicate
the actual server settings, once for the non-secure version and again for the
secure version. The first block is there to redirect http://domain requests
to http://www.domain requests. I'm not redirecting directly to https: here,
as the Apache documentation warns that the certificate renewal might not
work [4]. And because I want the certificate renewal to work, I added
acme-tls/1 to the list of protocols supported.
-----[ ApacheConf ]-----
<VirtualHost 71.19.142.20:443>
SSLEngine On
ServerName flummux.org
Redirect permanent / https://www.flummux.org/
Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
-----[ END OF LINE ]-----
This is just to redirect https://domain requests to https://www.domain
requests. I'm not sure if I really need the acme-tls/1 setting here, but I'm
not taking a chance with the certificate renewal. It's not clear in the
Apache documentation what would happen, and given how long I have to wait if
it messes up, I'm not willing to test it.
-----[ ApacheConf ]-----
<VirtualHost 71.19.142.20:443>
SSLEngine on
ServerName www.flummux.org
ServerAdmin [email protected]
DocumentRoot /home/spc/web/sites/www.flummux.org/htdocs
AddHandler server-parsed .shtml
AddOutputFilter INCLUDES .shtml
AddOutputFilterByType DEFLATE text/html text/plain text/xml
Protocols h2 h2c http/1.1 acme-tls/1
CustomLog /home/spc/web/logs/www.flummux.org combined-deflate
FileETag MTime Size
AddDefaultCharset UTF-8
DirectoryIndex index.cgi
SetEnv LUA_PATH "/home/spc/web/sites/www.flummux.org/lua/?.lua"
SetEnv LUA_CPATH "/home/spc/web/sites/www.flummux.org/lib/?.so"
Header set Content-Security-Policy "style-src 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; default-src 'self';"
ExpiresActive On
ExpiresDefault "access plus 1 month"
ExpiresByType text/html "modification plus 1 week"
<Directory /home/spc/web/sites/www.flummux.org/htdocs>
Options All
AllowOverride None
Require all granted
</Directory>
<Directory /home/spc/web/sites/www.flummux.org/htdocs/errors>
Options -Indexes
</Directory>
ErrorDocument 404 /errors/404.shtml
</VirtualHost>
-----[ END OF LINE ]-----
And we finally get to the configuration for the site itself. Not much to say
about this, except that the “Content-Security-Policy” [5] header is annoying
to get right, and I'm not sure how much benefit it brings, but hey, this is a
test site so I'll have to see how it goes.
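One way to see what a Content-Security-Policy value actually buys you is to parse it the way browsers do and list what it leaves open. The reviewer below is an added example, not code from this post: it splits the header into directives (`;`-separated, whitespace-separated sources, first occurrence of a directive wins), resolves which fetch directives inherit from `default-src`, and reports the findings a reviewer would raise against the header set in the configuration above. `PAGE_POLICY` is that header's value copied from the configuration.

```python
"""Reviewer for a Content-Security-Policy header value."""

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}
# Directives that never inherit from default-src: absent means unrestricted.
NO_FALLBACK = {"base-uri", "frame-ancestors", "form-action"}
# A nonce or hash source makes browsers ignore 'unsafe-inline' in script-src.
STRICT_SCRIPT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

PAGE_POLICY = ("style-src 'unsafe-inline'; script-src 'unsafe-inline' "
               "'unsafe-eval' 'self'; default-src 'self';")


def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources that actually apply; None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def review_csp(header):
    """List of human-readable weaknesses; empty means nothing was flagged."""
    policy = parse_csp(header)
    findings = []
    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("script-src: unrestricted (neither script-src nor default-src set)")
        scripts = []
    has_nonce_or_hash = any(s.startswith(STRICT_SCRIPT_PREFIXES) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' without a nonce or hash, "
                        "so injected inline scripts still run")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src: 'unsafe-eval' permits eval() and new Function()")
    if "*" in scripts:
        findings.append("script-src: wildcard host source allows scripts from any origin")
    if effective_sources(policy, "object-src") is None:
        findings.append("object-src: unrestricted (no object-src and no default-src)")
    for directive in sorted(NO_FALLBACK):
        if directive not in policy:
            findings.append(f"{directive}: not set, and it does not inherit from default-src")
    return findings


if __name__ == "__main__":
    for finding in review_csp(PAGE_POLICY):
        print("-", finding)
```

Run against the policy from the configuration above, it reports the two script-src allowances plus the three directives that do not inherit from `default-src`; `object-src` is not flagged because `default-src 'self'` covers it.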
So that's pretty much how I'm setting up each site I host. It's pretty
straightforward, except for the sheer terror that I've made a typo and will
have to wait a month before trying to obtain a secure certificate again. You
have been warned.
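Since the cost of a mistake is a month-long wait rather than an error message, it is worth checking the pieces the renewal depends on before restarting Apache. The lint below is an added example, not code from this post or from Apache: it parses the container blocks of a configuration and verifies that every domain named in an MDomainSet has both a :80 and a :443 VirtualHost, that each of them advertises acme-tls/1 in Protocols, that the :443 hosts have SSLEngine on, and that no :80 host of a managed domain redirects straight to https: (the documented renewal concern mentioned above). `SAMPLE_CONF` is the post's configuration trimmed to the relevant directives, with the contact address and document root replaced by placeholders.

```python
"""Pre-restart lint for a mod_md site configuration."""
import re

SAMPLE_CONF = """
<MDomainSet www.flummux.org>
    MDCertificateAgreement accepted
    MDContactEmail admin@example.invalid
    MDMember flummux.org
    MDRequireHttps temporary
</MDomainSet>
<VirtualHost 71.19.142.20:80>
    ServerName flummux.org
    Redirect permanent / http://www.flummux.org/
    Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
<VirtualHost 71.19.142.20:80>
    ServerName www.flummux.org
    Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
<VirtualHost 71.19.142.20:443>
    SSLEngine On
    ServerName flummux.org
    Redirect permanent / https://www.flummux.org/
    Protocols h2 h2c http/1.1 acme-tls/1
</VirtualHost>
<VirtualHost 71.19.142.20:443>
    SSLEngine on
    ServerName www.flummux.org
    DocumentRoot /srv/www/htdocs
    Protocols h2 h2c http/1.1 acme-tls/1
    <Directory /srv/www/htdocs>
        Options All
        Require all granted
    </Directory>
</VirtualHost>
"""

OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</(\w+)>$")


def parse_containers(text):
    """Return [(kind, argument, [(directive, value), ...])] for top-level blocks.
    Directives inside nested blocks such as <Directory> are not collected."""
    blocks, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened, closed = OPEN.match(line), CLOSE.match(line)
        if opened:
            stack.append((opened.group(1), opened.group(2).strip(), []))
        elif closed:
            kind, arg, directives = stack.pop()
            if kind != closed.group(1):
                raise ValueError(f"</{closed.group(1)}> closes <{kind}>")
            if not stack:
                blocks.append((kind, arg, directives))
        elif len(stack) == 1:
            name, _, value = line.partition(" ")
            stack[0][2].append((name, value.strip()))
    if stack:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return blocks


def lint(text):
    """Sorted list of findings; an empty list means every check passed."""
    managed, vhosts, findings, seen = set(), [], [], set()
    for kind, arg, directives in parse_containers(text):
        if kind == "MDomainSet":
            managed.add(arg)
            for name, value in directives:
                if name == "MDMember":
                    managed.update(value.split())
        elif kind == "VirtualHost":
            vhosts.append((arg, dict(directives)))
    for arg, d in vhosts:
        name, port = d.get("ServerName"), arg.rsplit(":", 1)[-1]
        if name is None:
            findings.append(f"{arg}: VirtualHost without ServerName")
            continue
        if name not in managed:
            continue
        seen.add((name, port))
        if "acme-tls/1" not in d.get("Protocols", "").split():
            findings.append(f"{name}:{port}: Protocols lacks acme-tls/1")
        if port == "80" and "https://" in d.get("Redirect", ""):
            findings.append(f"{name}:80: redirects to https:, renewal may fail")
        if port == "443" and d.get("SSLEngine", "").lower() != "on":
            findings.append(f"{name}:443: SSLEngine is not on")
    for name in managed:
        for port in ("80", "443"):
            if (name, port) not in seen:
                findings.append(f"{name}:{port}: no VirtualHost for managed domain")
    return sorted(findings)


if __name__ == "__main__":
    print(lint(SAMPLE_CONF) or "no findings")
```

This is a structural check only; it does not replace `apachectl configtest`, which catches syntax errors, but it does catch the class of mistake (a missing protocol, a redirect in the wrong place, a domain without one of its hosts) that a syntactically valid configuration can still carry into a failed renewal.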
[1] https://httpd.apache.org/docs/2.4/
[2] gopher://gopher.conman.org/0Phlog:2022/12/04.1
[3] https://httpd.apache.org/docs/2.4/mod/mod_md.html
[4] https://httpd.apache.org/docs/2.4/mod/mod_md.html#mdrequirehttps
[5] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Email author at [email protected]