adagios
Enable TLS support for adagios.org
I suggest
- Let's Encrypt EFF's Certbot
- Strong TLS security (Apache or Nginx)
- Permanent redirect from HTTP to HTTPS:
    <VirtualHost *:80>
        # Enable the rewrite engine
        RewriteEngine On
        # Only act if the connection is not already HTTPS
        RewriteCond %{HTTPS} !=on
        # Redirect users from their original location to the same location over HTTPS,
        # i.e. http://www.example.com/foo/ to https://www.example.com/foo/
        # The leading slash is made optional so that this will work either in httpd.conf
        # or .htaccess context
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [L,R=301]
    </VirtualHost>
- Make sure the Let's Encrypt certs renew automatically
  - Service and Timer Units for example, if certbot doesn't set up automatic renewal

certbot-renew.service:

    [Unit]
    Description=Certbot renew
    [Service]
    # httpd on rhel
    ExecStart=/bin/certbot renew --pre-hook "/bin/systemctl stop httpd" --post-hook "/bin/systemctl start httpd"
    # apache on deb
    #ExecStart=/bin/certbot renew --pre-hook "/bin/systemctl stop apache2" --post-hook "/bin/systemctl start apache2"
    # nginx
    #ExecStart=/bin/certbot renew --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"
    [Install]
    WantedBy=multi-user.target

certbot-renew.timer:

    [Unit]
    Description=Certbot renew daily
    [Timer]
    OnCalendar=daily
    [Install]
    WantedBy=timers.target

To enable and start:

    systemctl enable certbot-renew.timer
    systemctl start certbot-renew.timer
- Monitor certificate expiry and HTTPS functionality of website
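
One way to do the monitoring in the last item is a Nagios-style check, shown here as an added example that is not part of the original issue or the adagios code base. The function names, the 21/7-day thresholds, and the rule that the redirect must stay on the same host are assumptions of this sketch.

```python
"""Nagios-style check: certificate expiry plus HTTP->HTTPS permanent redirect."""
import http.client
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes

def days_left(not_after, now):
    """Whole days until a notAfter string as returned by getpeercert()."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def expiry_state(days, warn=21, crit=7):
    """Assumed thresholds, set below certbot's default 30-day renewal window."""
    if days < crit:
        return CRITICAL
    return WARNING if days < warn else OK

def redirect_state(status, location, host):
    """OK only for a permanent redirect to https:// on the same host (assumed policy)."""
    target = urlsplit(location or "")
    if status in (301, 308) and target.scheme == "https" and target.hostname == host:
        return OK
    return CRITICAL

def check(host, timeout=10):
    """Network part: fetch the validated leaf certificate, then probe port 80."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            days = days_left(tls.getpeercert()["notAfter"], time.time())
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    redir = redirect_state(resp.status, resp.getheader("Location"), host)
    conn.close()
    state = max(expiry_state(days), redir)
    print(f"{('OK', 'WARNING', 'CRITICAL')[state]} - cert expires in {days} days, "
          f"HTTP redirect {'ok' if redir == OK else 'missing or wrong'}")
    return state

if __name__ == "__main__":
    try:
        sys.exit(check(sys.argv[1] if len(sys.argv) > 1 else "adagios.org"))
    except (OSError, http.client.HTTPException) as exc:  # bad cert, refused, timeout
        print(f"CRITICAL - {exc}")
        sys.exit(CRITICAL)
```

An already expired or untrusted certificate fails the TLS handshake, so it is reported through the exception path as CRITICAL.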