blog.natfan.io

Rants and ravings from a techy brit.

HTTPS Everywhere

Posted 1 year ago.

So, you've heard about this HTTPS thingy for a while now, and your colleagues keep telling you that it's super important to the fabric of the web, but you never really listened. Now, you've decided that you want to ensure that all of the traffic that comes into your web server is encrypted. Just how the heck do you go about doing that?

Well, you'd read this article, alternatively titled "Professionals Hate How Companies Are Getting HTTPS Everywhere With These (x) Weird Steps!"

  1. As a forenote, this post relies on PowerShell. Anyone who knows anything about me knows that I love PowerShell, so I'm afraid that while this post was written against a box running Ubuntu 18.0.4.5 LTS, it does require that the pwsh binary be installed. You can learn more about that here.
     Also, this post, while factually accurate, may not be tonally appropriate. This post wasn't written to target anyone in particular, I just think there's a fair amount of people that wouldn't know how to get started with something like this. 💜



  2. Firstly, I'm going to assume that your web servers are running apache2 or httpd. Because of course they are, it's the easiest thing to set up and it ties for first place with nginx as the most used web server software. Don't worry, we'll get to nginx later. If you're not using apache2 or httpd as your web server software, then I'm afraid this article can help you no more. You could have a look at another post and see if you like it, though. For reference, when I mention apache2 in this article, it's assumed that the httpd binary will be a perfect substitute.
    Anyways, you're going to run the following PowerShell command. It will list every VirtualHost listening on port 80, which is what HTTP traffic uses, along with the config file each one lives in. To start a new shell in PowerShell, simply use the pwsh command. Also, if your default sites-enabled location isn't in /etc/apache2, please amend the command accordingly.
    # Search every enabled site for a VirtualHost bound to port 80. Entries in
    # sites-enabled are symlinks, so Target shows the file in sites-available to edit.
    Get-ChildItem -Path "/etc/apache2/sites-enabled/*.conf"
    | Select-String -Pattern "<VirtualHost .*:80>"
    | Select-Object Pattern, Path, @{ Name = 'Target'; Expression = { (Get-Item $_.Path).Target } }
    



  3. Now that you've got a list of files that support that horrendously insecure protocol, HTTP, we're going to want to edit them and remove any VirtualHost blocks that listen on port 80. If a domain has no other VirtualHost, then it's likely that domain was only ever served over HTTP: in that case, rather than deleting the block, update its port, changing it from :80 to :443. Bear in mind that a VirtualHost on :443 only speaks TLS if it also has SSLEngine on and certificate directives (SSLCertificateFile and friends); without those, apache2 will quite happily serve plain HTTP on port 443.



  4. For our next step, we simply want to restart the web server. We should restart instead of reload as we are changing the ports that the daemon listens on, so a reload may not fully commit our changes. In my case, a simple systemctl restart apache2 did the trick, however you may need to use the service apache2 restart command if your system does not support systemctl.



  5. Let's just make sure that nothing is running on port 80, shall we? Use lsof -i:80 to check for services that are running on that port. You may need to run this command with sudo as port 80 is a privileged port. If you want to know more about privileged ports (which I'm sure you don't, because that's way too advanced for this tutorial), you can check out this StackOverflow post.



  6. If anything crops up with the command you just ran, it'll likely be apache2. I'd recommend going through your web server configuration and just making sure that nothing is running on port 80. While it is standard practice to use the sites-available area as a staging area, and using the a2ensite command to expose new sites to the web, there may still be configuration lingering somewhere, potentially in /etc/apache2/apache2.conf. In particular, apache2 keeps binding port 80 for as long as a Listen 80 directive exists (on Debian and Ubuntu that lives in /etc/apache2/ports.conf, which apache2.conf includes), even when no VirtualHost uses it.



  7. Now that we've ensured that port 80 is unused, we can install nginx with a simple sudo apt install nginx. Ensure that it's enabled and started with systemctl enable nginx and systemctl start nginx, then confirm that it's purring away nicely with systemctl status nginx. Finally, you can confirm that nginx is bound to port 80 by running that lsof -i:80 command once more. If you visit your web server on port 80, you should now see a welcome message from nginx. How nice.



  8. Here's the final step: we need to modify the default nginx site config. It's usually located in /etc/nginx/sites-available/default, but have a poke around if it isn't. Copy that file to /etc/nginx/sites-available/default.bak, so that we can roll back our changes if needed. Then, open /etc/nginx/sites-available/default in your favourite editor, clear it out completely, and add in the following:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name _;

        return 301 https://$host$request_uri;
    }

    The block above binds to port 80 on both the IPv4 and IPv6 interfaces, catches every hostname that is requested of it (server_name _ plus default_server makes it the catch-all), and answers each request with a 301 to its HTTPS equivalent; $host and $request_uri carry the requested hostname, path and query string across. Yes, the redirect doesn't pass over any cookies or session data, but you didn't really care about any of that stuff, did you?



  9. Now we just need to restart nginx with systemctl restart nginx, and you should be good to go. Try going to your website over HTTP and watch it miraculously turn to HTTPS!
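Steps 3 and 6 boil down to "make sure no VirtualHost still listens on :80, and that the ones you moved to :443 really do TLS". Here is that audit as a small shell script; it is an added example, not code from the original post, and it assumes the Debian/Ubuntu layout of /etc/apache2/sites-enabled/*.conf (the paths in the comments are placeholders).

```shell
#!/bin/sh
# Added example, not part of the original post. Audits Apache vhost files the
# way steps 3 and 6 describe: lists every VirtualHost with its port, and flags
# :443 blocks that never set "SSLEngine on" (Apache would serve cleartext on
# 443 after a bare :80 -> :443 edit). Assumes the Debian/Ubuntu layout, i.e.
# /etc/apache2/sites-enabled/*.conf; the file paths below are placeholders.

# Print one line per VirtualHost block: "<file> <port> <ssl|plain>".
audit_vhosts() {
  awk '
    /<VirtualHost[ \t]/ {
      # first "<addr>:<port>" on the line; "*" when no port is given
      port = "*"
      if (match($0, /:[0-9]+[ \t>]/))
        port = substr($0, RSTART + 1, RLENGTH - 2)
      ssl = "plain"; invhost = 1
    }
    invhost && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl = "ssl" }
    invhost && /<\/VirtualHost>/ {
      print FILENAME, port, ssl
      invhost = 0
    }
  ' "$@"
}

# Succeed (exit 0) only when nothing listens on :80 and every :443 block
# actually has TLS turned on.
audit_ok() {
  audit_vhosts "$@" |
    awk '$2 == "80" || ($2 == "443" && $3 == "plain") { bad = 1 }
         END { exit bad }'
}

# Typical invocation on a real box (see step 6 for what to do about hits):
#   audit_vhosts /etc/apache2/sites-enabled/*.conf
#   audit_ok /etc/apache2/sites-enabled/*.conf || echo "port 80 still configured"
```

Remember that audit_ok only inspects VirtualHost blocks; a stray Listen 80 in ports.conf still needs the lsof check from step 5.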
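Rather than just eyeballing the browser after step 9, you can check that port 80 hands back exactly the redirect the step 8 config promises: a 301 whose Location is the https:// URL for the same host, path and query string. This is an added example, not code from the original post; the header parser reads stdin so it can be exercised offline, and the hostnames in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks that a server answers
# plain HTTP the way the nginx block in step 8 intends: a 301 whose Location
# is the https:// URL for the same host, path and query string. The header
# parser reads stdin so it can be exercised offline; the hostnames used in
# the comments are placeholders.

# Usage: check_redirect_headers HOST PATH < raw-response-headers
# Returns 0 when the response is the expected redirect, 1 otherwise.
check_redirect_headers() {
  awk -v want="https://$1$2" '
    NR == 1 { status = $2 }        # status line, e.g. "HTTP/1.1 301 Moved Permanently"
    tolower($1) == "location:" { loc = $2; sub(/\r$/, "", loc) }
    END {
      if (status != "301") { print "expected 301, got " status; exit 1 }
      if (loc != want)     { print "expected Location " want ", got " loc; exit 1 }
      print "ok: " want
    }'
}

# Live check against a real host: fetch only the headers over HTTP and do not
# follow the redirect, so we see exactly what port 80 hands back.
verify_redirect() {
  host=$1
  path=${2:-/}
  curl -sS -I "http://$host$path" | check_redirect_headers "$host" "$path"
}

# e.g.  verify_redirect example.test /login
```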



My my, that was a journey. We learnt so much, and now your websites are fully encrypted. Well, all of the websites hosted on that one box, anyways. ;)

Thanks for reading!

-nat