🔐 SSL/TLS Configuration – Apache HTTPS Guide

Secure your site with SSL/TLS to encrypt traffic, build trust, and boost SEO! 🚀

💭 What is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols that encrypt web traffic.
Modern servers always use TLS (even when we say "SSL"). 🔒
Apache uses mod_ssl (backed by OpenSSL) to manage TLS encryption.

✅ Why Enable SSL/TLS?

🔐 Encrypts all user data (forms, passwords, cookies)
🛡️ Prevents eavesdropping & man-in-the-middle attacks
🔎 Displays the HTTPS padlock in browsers (trust signal)
🌍 Improves SEO and meets modern web standards

⚙️ Enable SSL Module in Apache

sudo a2enmod ssl
sudo systemctl restart apache2

This loads mod_ssl, allowing Apache to listen on port 443.

🌐 HTTPS Virtual Host Example (`*:443`)

<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /var/www/example

  SSLEngine on
  SSLCertificateFile    /etc/ssl/certs/example.crt
  SSLCertificateKeyFile /etc/ssl/private/example.key

  ErrorLog   ${APACHE_LOG_DIR}/ssl-error.log
  CustomLog  ${APACHE_LOG_DIR}/ssl-access.log combined
</VirtualHost>

🔄 Redirect HTTP ➜ HTTPS (Recommended)

<VirtualHost *:80>
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>

Ensures all traffic is encrypted—no HTTP version leaks.

🌍 Get a Free SSL Certificate (Let’s Encrypt + Certbot)

sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d example.com -d www.example.com

Certbot automatically configures HTTPS and renews certificates every 60 days! 🎉

🧪 Strong TLS Settings (Hardening)

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          HIGH:!aNULL:!MD5
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

Disables old protocols (SSLv2/3, TLS1.0/1.1)
Enables secure ciphers only (no null or MD5)
Prioritizes server’s cipher choice
Turns off compression & session tickets (CRIME prevention)

🔐 Add HSTS Header — Enforce HTTPS Forever

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Enables HSTS, forcing browsers to always use HTTPS for 1 year
Supports subdomains and preload lists

Remember: Only add this in SSL vhost, not HTTP vhost!

🛠️ Disabling TLSv1.0/1.1 Only (if needed)

SSLProtocol +TLSv1.2 +TLSv1.3

Use nmap --script ssl-enum-ciphers -p 443 example.com to test supported protocols.

📝 Summary Table

Directive	Purpose
`SSLEngine on`	Enables HTTPS for the vhost
`SSLCertificateFile`, `Key`	Certificate and private key file paths
`SSLProtocol`	Specifies which TLS protocols to allow
`SSLCipherSuite`	Defines the allowed cipher algorithms
`SSLHonorCipherOrder`	Enforces server-side cipher preference
`SSLCompression off`	Disables compression (prevents CRIME)
`SSLSessionTickets off`	Disables session tickets (PFS protection)
`Strict-Transport-Security`	Enables HSTS for long-term HTTPS enforcement

🧠 Best Practices Tips

🔁 Always redirect HTTP to HTTPS
🤖 Use automated Certbot for renewals
🧹 Remove weak protocols (TLS < 1.2)
📆 Set HSTS headers only in secure contexts
🔍 Validate with SSL Labs (aim for A+ grade)

You're now equipped with a secure, modern Apache TLS setup! 🎯 Ready to tackle security.md or performance-tuning.md next?

💭 What is SSL/TLS?​

✅ Why Enable SSL/TLS?​

⚙️ Enable SSL Module in Apache​

🌐 HTTPS Virtual Host Example (*:443)​

🔄 Redirect HTTP ➜ HTTPS (Recommended)​

🌍 Get a Free SSL Certificate (Let’s Encrypt + Certbot)​

🧪 Strong TLS Settings (Hardening)​

🔐 Add HSTS Header — Enforce HTTPS Forever​

🛠️ Disabling TLSv1.0/1.1 Only (if needed)​

📝 Summary Table​

🧠 Best Practices Tips​