1. sudo apt update && sudo apt install apache2
2. iptables 설정 수정
sudo vi /etc/iptables/rules.v4
-A INPUT -i ens3 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ens3 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
(옵션은 `--dport`, `--state`처럼 하이픈 두 개. 인터페이스명 ens3는 `ip link`로 확인하고, 이 두 줄은 기본 DROP/REJECT 규칙보다 앞에 넣어야 적용됨)
sudo netfilter-persistent reload (iptables-persistent 패키지 기준. Ubuntu에는 iptables 서비스가 따로 없으므로 `service iptables restart`는 동작하지 않음; 또는 sudo iptables-restore < /etc/iptables/rules.v4)
3. apache 설정 수정
sudo vi /etc/apache2/apache2.conf
ServerName localhost (뭐 도메인명 같은거 해도됨)
4. VirtualHost 설정 먼저 해주면 뒤에 인증서 생성 때 자동으로 도메인들 불러옴
sudo vi /etc/apache2/sites-available/000-default.conf
5. ssl설정 (letsencrypt)
sudo service apache2 stop (--apache 플러그인은 Apache 설정을 직접 고치고 필요 시 리로드하므로 보통 중지하지 않아도 됨; 80 포트를 비워야 하는 것은 --standalone 플러그인을 쓸 때)
sudo apt-get install software-properties-common (생략)
sudo apt-get install certbot python3-certbot-apache
sudo certbot --apache (이후 프롬프트 내용은 검색 참고; HTTP→HTTPS 리다이렉트를 묻는 경우 켜두는 것을 권장)
(여기서 도메인 명을 아파치 설정파일에서 자동으로 긁어오는듯. 없는 호스트네임이 있으면 오류)
여기까지 하면
/etc/apache2/sites-available/000-default-le-ssl.conf 파일 자동으로 생성됨
인증서 파일은 /etc/letsencrypt/live/ 폴더 참고 (privkey.pem은 root 전용 권한 그대로 두고 웹 루트 아래로 복사하지 말 것)
6. certbot을 통한 ssl 자동갱신
sudo certbot renew --dry-run (갱신 절차 테스트만 수행. 실제 자동 갱신은 apt 패키지가 설치한 certbot.timer가 담당하므로 `systemctl list-timers certbot.timer`로 활성화 여부를 확인)
참고.
아래 설정은 추가적인 참고 (apache2.conf 또는 사이트 설정 파일에 넣고, 적용 전 `sudo apache2ctl configtest`로 문법 검사 후 리로드).
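<Directory />
    Options FollowSymLinks
    AllowOverride None
    # Deny the filesystem root by default so only paths explicitly opened below
    # (e.g. /var/www/html) are reachable; an Alias to a directory without its own
    # <Directory> block would otherwise be served. This is the Debian baseline
    # and had been commented out here.
    Require all denied
</Directory>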
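<Directory /var/www/html>
    # 'Indexes' is deliberately left out: directory listings expose backup
    # files, dumps and dotfiles to anyone who guesses a directory URL. Re-add it
    # only for a directory that is meant to be browsable.
    # IncludesNoEXEC keeps server-side includes on but without <!--#exec -->.
    Options FollowSymLinks IncludesNoEXEC
    # 'All' is what WordPress/Laravel-style .htaccess files need, but it also
    # lets a .htaccess written through any upload or write flaw loosen every
    # rule in this file (Options, handlers, Require). Narrow it (e.g.
    # "FileInfo AuthConfig Limit") if the deployed app permits.
    AllowOverride All
    # Apache 2.4 (mod_authz_core) form of the old "Allow from all /
    # Deny from env=NoAccess" pair; mixing Order/Allow/Deny with Require is
    # discouraged and depends on mod_access_compat. NoAccess is expected to be
    # set elsewhere (SetEnvIf) — not shown in this snippet, confirm it exists.
    <RequireAll>
        Require all granted
        Require not env NoAccess
    </RequireAll>
    DirectoryIndex index.html index.php
</Directory>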
# Server-wide fallback index order; the /var/www/html block above sets the same value.
DirectoryIndex index.html index.php
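<FilesMatch "^\.ht">
    # .htaccess / .htpasswd must never be served. The dot is escaped — an
    # unescaped '.' also matches names such as "xhtml" — and ASCII quotes are
    # required: curly quotes become part of the pattern and it matches nothing.
    Require all denied
</FilesMatch>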
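# Deny every directory whose name starts with a dot (.git, .svn, .well-known ...).
# Escaping matters: the unescaped form "^.|/." matches any path and would deny
# the whole site. Only directories are covered here; dotfiles themselves rely on
# the FilesMatch rules (^\.ht, \.gitignore ...). DirectoryMatch sections apply in
# config order, so the acme-challenge exception has to come after this one.
<DirectoryMatch "^\.|/\.">
    Require all denied
</DirectoryMatch>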
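# Deny direct download of logs, binaries, keys/certs, config, dumps, scripts,
# editor/backup copies and dependency metadata. The leading dot is escaped so
# only the extension is matched; (?i:) makes the extension check case-insensitive.
<FilesMatch "\.(?i:log|binary|pem|enc|crt|conf|cnf|sql|sqlite|sqlite3|sh|key|yml|yaml|env|ini|lock|gitignore|bak|old|orig|swp)$">
    Require all denied
</FilesMatch>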
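# Deny project metadata and tooling files that reveal framework, versions and
# dependency lists. Dots are escaped so "composer.json" does not also match
# "composerXjson"; the pattern is suffix-anchored only, so e.g. "mylicense" is
# denied as well.
<FilesMatch "(?i:composer\.json|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|package-lock\.json|phpunit\.xml|access_log|error_log|gruntfile\.js|bower\.json|changelog\.md|console|legalnotice|license|security\.md|privacy\.md)$">
    Require all denied
</FilesMatch>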
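# Let's Encrypt HTTP-01 validation: re-open the one dot directory certbot writes
# challenge files into. Must stay after the dot-directory deny above — later
# DirectoryMatch sections override earlier ones. Dot escaped, ASCII quotes.
<DirectoryMatch "\.well-known/acme-challenge/">
    Require all granted
</DirectoryMatch>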
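# Block direct requests for PHP inside user-writable upload trees — uploads
# (WordPress), default/files (Drupal), data (gnuboard) — plus wp-content/themes,
# where PHP is only meant to be include()d, never requested directly.
# Matching only ".php" leaves the other names commonly mapped to the PHP handler
# (.php5, .phtml, .phar, .phps) executable; check the php*.conf on the host for
# the exact handler list and keep this pattern in sync with it.
<DirectoryMatch "/(uploads|default/files|data|wp-content/themes)/">
    <FilesMatch "\.ph(p[0-9]*|tml|ar|ps)$">
        Require all denied
    </FilesMatch>
</DirectoryMatch>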
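# Legacy (Apache 2.2 / mod_access_compat) duplicate of the "^\.ht" FilesMatch
# rule above, rewritten with Require so the file no longer mixes Order/Deny with
# mod_authz_core directives; the dot is escaped and ASCII quotes are used.
# Redundant on 2.4 and can be dropped.
<Files ~ "^\.ht">
    Require all denied
</Files>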