Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.
When we want HTTPS support for our websites we need to install mod_ssl.
# dnf install mod_ssl
The stock ssl.conf is not laid out the way we need it for virtual hosts, so we change it. First keep a copy to work from:
# cd /etc/httpd/conf.d/
# cp ssl.conf ../conf/vhssl.conf
The <VirtualHost _default_:443> section must be removed.
We set the SSL options in vhssl.conf and the vhosts.conf file.
# vi ssl.conf
The "SSLUseStapling" and "SSLStaplingCache" directives enable OCSP (Online Certificate Status Protocol) stapling, which is a method of checking the revocation status of SSL certificates without the need for a separate request to the certificate authority. This helps to improve performance by reducing the number of requests that need to be made.
Then add at the end:
# OCSP stapling
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Now, in the copy, we remove everything above the <VirtualHost _default_:443> line (and that line itself, as noted above).
# cd ../conf/
# vi vhssl.conf
Locate the SSLProtocol key and change it to:
SSLProtocol -all +TLSv1.3 +TLSv1.2
Locate the SSLCipherSuite key and change it to:
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
The "SSLHonorCipherOrder" directive tells the server to use its own list of preferred ciphers, rather than accepting the client's preference order.
# Perfect Forward Secrecy (PFS) is frequently compromised without this
SSLHonorCipherOrder on
The "SSLSessionTickets" directive is used to disable the use of SSL session tickets, which are used to resume SSL sessions and improve performance.
SSLSessionTickets off
The "SSLSessionCacheTimeout" and "SSLSessionCache" directives enable SSL session caching, which helps to improve performance by allowing the server to reuse previously established SSL sessions. The Header line sets HTTP Strict Transport Security (HSTS), so browsers that have seen it keep using HTTPS for this host and its subdomains. Note that mod_ssl only accepts SSLSessionCache in the global server context, so if httpd reports it as "not allowed here" when this file is included inside a VirtualHost, keep that one line in ssl.conf next to SSLStaplingCache and run `apachectl configtest` before restarting.
# Enable SSL session caching for improved performance
SSLSessionCacheTimeout 300
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
We have to add some directives in the <VirtualHost *:443> section.
# vi /etc/httpd/conf/vhosts.d/www.example.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/example.com_ca-bundle.pem
Include /etc/httpd/conf/vhssl.conf
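As an added check that is not part of the original page: a small Python linter that reads a vhssl.conf-style fragment and reports any directive that undoes the settings above (a weak protocol re-enabled, a cipher without ECDHE or AEAD, cipher order or session tickets left at the mod_ssl defaults, or no HSTS header). The HARDENED sample is constructed from the page's own values; the "all" expansion and the defaults are simplified from mod_ssl 2.4 behaviour.

```python
import re
import shlex

KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # what "all" expands to (simplified)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(text):
    """Yield (name, args) per directive line, skipping comments and <...> section tags."""
    for line in (ln.strip() for ln in text.splitlines()):
        if line and line[0] not in "#<":
            parts = shlex.split(line)  # keeps the quoted Header value as one argument
            yield parts[0], parts[1:]

def enabled_protocols(args):
    """Apply SSLProtocol's +/- tokens left to right, as mod_ssl does."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(KNOWN) if name == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def lint(text):
    """Return findings that contradict the hardening on this page; [] means it is intact."""
    directives = list(parse_directives(text))
    d = dict(directives)  # a later directive overrides an earlier one, as in Apache
    protos = enabled_protocols(d.get("SSLProtocol", ["all", "-SSLv3"]))  # Apache 2.4 default
    findings = [f"SSLProtocol enables {p}" for p in sorted(protos & WEAK_PROTOCOLS)]
    for c in filter(None, ":".join(d.get("SSLCipherSuite", [])).split(":")):
        if not c.startswith("ECDHE-"):
            findings.append(f"non-ECDHE cipher, no forward secrecy: {c}")
        elif "GCM" not in c and "CHACHA20" not in c:
            findings.append(f"non-AEAD cipher: {c}")
    for name, want, default in (("SSLHonorCipherOrder", "on", "off"), ("SSLSessionTickets", "off", "on")):
        if d.get(name, [default])[0].lower() != want:  # mod_ssl defaults when the directive is absent
            findings.append(f"{name} is not {want}")
    hsts = " ".join(a[-1] for n, a in directives if n == "Header" and "Strict-Transport-Security" in a)
    if not re.search(r"max-age=\d+", hsts):
        findings.append("no Strict-Transport-Security header with max-age")
    return findings

# Constructed sample: the directives exactly as this page sets them.
HARDENED = """SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
"""
```

Running `lint(open("/etc/httpd/conf/vhssl.conf").read())` on the finished file should return an empty list; anything it lists is a setting that drifted from the values above.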
CGI stands for Common Gateway Interface and is the pathway that your requests, scripts in this case, communicate with your hosting server. CGI programs interact with the Hypertext Transfer Protocol (HTTP) and with Hypertext Markup Language (HTML) in general. CGI acts as a pathway for information sharing between the server and the application. When you think about how the internet came to be, it's fitting that the process should mirror the scientist's desire to share information more conveniently.
CGI is an industry standard because it can be written in any language if it is in compliance with environmental restrictions, or the constraints and limitations imposed by the server environment in which the CGI script is executed. The "Bin" acts as it does in the physical world. Bins are used for storage and organization, so the CGI-Bin is a storage location on your server where executable programs are housed until needed. The programs in the CGI-Bin directory are called CGI scripts; these scripts generate dynamic webpages and provide added function and purpose to your webpages.
Using these scripts, you can process requests from visitors to your website, send data, manipulate images, generate forms, and more.
Add the block below to your vhosts.conf file if you want cgi-bin support for the website. This must also go in the <VirtualHost *:443> section.
<Directory "/srv/www/vhosts/www.example.com/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
The SELinux context for ...../cgi-bin is: unconfined_u:object_r:httpd_sys_script_exec_t:s0