====== Configure TLS Security ======

**General Information**

Configuring TLS security (certificates) for an Apache virtual host: create a key pair and a self-signed certificate, bind them to a port 443 virtual host, and redirect plain HTTP to HTTPS.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
  * server2.example.com (192.168.1.151) -> Install Apache Web Server here

**Previous Sections Completed**
  * [[linux_wiki:network_services_overview_apache_web_server|Install/Configure]]
    * Except leave listening on port 80/tcp
  * [[linux_wiki:configure_a_virtual_host|Virtual Host Config]]

----

====== Create a Cert ======

Install the required packages (''mod_ssl'' also installs ''/etc/httpd/conf.d/ssl.conf'', which carries the ''Listen 443'' directive, so the vhost below does not need its own)
<code bash>
yum install mod_ssl openssl
</code>

Look up the syntax for creating a key and certificate with openssl: the ''make-dummy-cert'' script shipped in the certs directory contains a working invocation
<code bash>
cat /etc/pki/tls/certs/make-dummy-cert | grep answer
</code>
  * This line contains the syntax you are looking for:
<code bash>
answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
</code>

Create a 2048-bit RSA key and a self-signed certificate valid for 365 days with openssl. ''-nodes'' leaves the private key unencrypted so httpd can start without a passphrase prompt, so keep the key file readable by root only.
<code bash>
openssl req -newkey rsa:2048 -keyout /etc/pki/tls/bluesite.key -nodes -x509 -days 365 -out /etc/pki/tls/bluesite.crt
</code>

Prompts from the openssl cert create
<code>
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Here
Locality Name (eg, city) [Default City]:Right
Organization Name (eg, company) [Default Company Ltd]:Ur Co
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:bluesite.example.com
Email Address []:
</code>
  * For the purposes of the lab, the 'Common Name' (website name) is really the only important part: it must be the hostname clients will type (''bluesite.example.com''), otherwise the browser reports a name mismatch.
  * Caveat: current browsers match the hostname against the subjectAltName extension rather than the CN, and this certificate is self-signed, so expect a certificate warning in the lab. A production certificate needs a SAN and must be issued by a CA the clients trust.
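The same key and certificate creation as an added, non-interactive example (this is not the wiki's own script; it is included here to show the checks that follow the ''openssl req'' step). It assumes OpenSSL 1.1.1 or newer for ''-addext'', and writes to a temp directory by default so it can run anywhere; in the lab set ''OUTDIR=/etc/pki/tls'' to produce the paths the virtual host expects. Besides the certificate it adds a subjectAltName, locks down the private key, and verifies that key and certificate match and when the certificate expires.

```shell
#!/bin/sh
# Added example, not from the original wiki page: create the lab key and
# self-signed certificate non-interactively, include a subjectAltName (what
# current browsers actually match the hostname against), lock down the
# private key, and verify that key and certificate belong together.
# Assumptions (mine, not the page's): OpenSSL 1.1.1+ (for -addext); OUTDIR
# defaults to a temp dir; in the lab use OUTDIR=/etc/pki/tls.
set -eu

SITE="${SITE:-bluesite.example.com}"
OUTDIR="${OUTDIR:-$(mktemp -d)}"
KEY="$OUTDIR/$SITE.key"
CRT="$OUTDIR/$SITE.crt"

# Key + self-signed cert in one step: same options as the wiki's openssl req
# command, plus -subj to skip the prompts and -addext for the SAN.
make_self_signed() {
    openssl req -newkey rsa:2048 -keyout "$KEY" -nodes -x509 -days 365 -out "$CRT" \
        -subj "/C=US/ST=Here/L=Right/O=Ur Co/CN=$SITE" \
        -addext "subjectAltName=DNS:$SITE" 2>/dev/null
    chmod 600 "$KEY"      # -nodes leaves the key unencrypted: root-only read
}

# Print "match" if the public key inside the certificate equals the one
# derived from the private key (a mismatch makes httpd refuse to start).
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Subject CN, the value entered at the "Common Name" prompt.
cert_subject_cn() {
    openssl x509 -in "$CRT" -noout -subject | sed -n 's/.*CN *= *//p'
}

# SAN entries (e.g. DNS:bluesite.example.com); browsers check these, not the CN.
cert_sans() {
    openssl x509 -in "$CRT" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# "yes" if the certificate is still valid DAYS from now (openssl -checkend),
# handy as a cron check so a 365-day lab certificate does not expire unnoticed.
cert_valid_for_days() {
    if openssl x509 -in "$CRT" -noout -checkend $(( $1 * 86400 )) >/dev/null; then
        echo yes
    else
        echo no
    fi
}
```

Usage in the lab: ''OUTDIR=/etc/pki/tls . ./mkcert.sh && make_self_signed && key_matches_cert && cert_sans'' (hypothetical file name), then point ''SSLCertificateFile'' and ''SSLCertificateKeyFile'' at the resulting files.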
----

====== Configuring a Site with a TLS Certificate ======

Edit the virtual host file and add a tcp/443 virtual host entry for bluesite (the ''Listen 443'' directive itself comes from ''/etc/httpd/conf.d/ssl.conf'')
<code bash>
vim /etc/httpd/conf.d/vhosts.conf
</code>
<code apache>
<VirtualHost *:443>
    ServerAdmin admin@bluesite.example.com
    DocumentRoot /var/www/html/bluesite
    ServerName bluesite.example.com
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/bluesite.crt
    SSLCertificateKeyFile /etc/pki/tls/bluesite.key
    ErrorLog logs/bluesite-ssl-error_log
    CustomLog logs/bluesite-ssl-access_log combined
</VirtualHost>
</code>

Allow https through the firewall
<code bash>
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
</code>

Restart httpd (check the configuration first with ''apachectl configtest'' so a typo does not take the site down)
<code bash>
systemctl restart httpd
</code>

Visit the secure site from server1; with a self-signed certificate the browser will show a trust warning that must be accepted for the lab
<code>
https://bluesite.example.com
</code>

----

====== Redirect to TLS ======

Redirect http to https so clients that arrive on port 80 are sent to the TLS virtual host. Both options belong in the port 80 virtual host for the site.

Option 1: Using Redirect (**Apache documentation recommends this method**). ''permanent'' makes it a 301, matching Option 2; the trailing ''/'' on both sides preserves the requested path.
<code apache>
<VirtualHost *:80>
    ServerName bluesite.example.com
    Redirect permanent / https://bluesite.example.com/
</VirtualHost>
</code>

Option 2: Using mod_rewrite
<code apache>
<VirtualHost *:80>
    ServerName bluesite.example.com
    RewriteEngine on
    RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
</code>
  * The variable is ''%{HTTP_HOST}''. A mistyped name such as ''%{HTTP_POST}'' is not an error: mod_rewrite expands an unknown variable to an empty string, so clients receive a broken ''Location: https:///...'' header.

----
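An added check for the redirect step (not part of the original wiki page): ''check_redirect'' reads raw HTTP response headers on stdin and prints ''ok'' only for a permanent redirect to ''https://'' on the expected host with the request path preserved; anything else prints the reason. In the lab you would feed it ''curl -sI http://bluesite.example.com/docs/index.html'' from server1. The two header samples in the block are constructed, not captured from the lab servers; the second shows what the ''%{HTTP_POST}'' typo in Option 2 produces.

```shell
#!/bin/sh
# Added example, not from the original wiki page: verify that the port-80
# vhost really sends clients to the TLS site. Reads response headers on
# stdin (lab usage: curl -sI http://bluesite.example.com/docs/ | check_redirect ...).
set -eu

# usage: check_redirect EXPECTED_HOST REQUEST_PATH  < headers
check_redirect() {
    host="$1"; path="$2"
    hdrs=$(tr -d '\r')                                   # strip CRLF line endings
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    loc=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" {print $2; exit}')
    case "$status" in
        301|308) ;;
        302|307) echo "temporary redirect ($status): use a permanent one so clients cache it"; return 1 ;;
        *)       echo "no redirect (status ${status:-none})"; return 1 ;;
    esac
    case "$loc" in
        "https://$host$path"*) echo ok ;;
        https://*) echo "redirects to the wrong host or path: $loc"; return 1 ;;
        *)         echo "redirect target is not https: '$loc'"; return 1 ;;
    esac
}

# Constructed sample: what "Redirect permanent / https://bluesite.example.com/"
# (Option 1) answers for GET /docs/index.html.
GOOD_HEADERS='HTTP/1.1 301 Moved Permanently
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Location: https://bluesite.example.com/docs/index.html
Content-Length: 0'

# Constructed sample: Option 2 with the variable mistyped as %{HTTP_POST}.
# mod_rewrite expands an unknown variable to "", so the host is missing.
BAD_HEADERS='HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https:///docs/index.html
Content-Length: 0'

check_good() { printf '%s\n' "$GOOD_HEADERS" | check_redirect bluesite.example.com /docs/index.html; }
check_bad()  { printf '%s\n' "$BAD_HEADERS"  | check_redirect bluesite.example.com /docs/index.html || true; }
```

The status check deliberately rejects 302/307: a temporary redirect is not cached, so every visit starts with a cleartext request to port 80.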