====== Onboarding einer neuen Website mit eigenem DNS-Eintrag ======
Platzhalter (werden unten durch die echten Werte ersetzt):
* sub.domain.tld = DNS-Eintrag
* IPv4 = IPv4-Adresse des Servers der Webseite
* IPv6 = IPv6-Adresse des Servers der Webseite
===== DNS-Eintrag erstellen =====
CNAME generieren, der auf die Maschine zeigt, auf der die Webseite liegen soll.
===== Verzeichnisse anlegen =====
# Webroot and per-site log directory; the paths must match DocumentRoot,
# ErrorLog and CustomLog in the vhost files that follow. Ownership and mode
# are left at the defaults — NOTE(review): acmefetch's LocalFile handler
# presumably writes the challenge files into the webroot, so the user running
# acmefetch needs write access there; confirm.
mkdir /srv/www/sub.domain.tld
mkdir /var/log/httpd/sub.domain.tld
===== Vorbereitung Let's Encrypt =====
# Create the plain-HTTP vhost for sub.domain.tld; the file content follows.
vim /etc/httpd/conf.d/sub.domain.tld.conf
# Plain-HTTP vhost for sub.domain.tld, used while the certificate is requested:
# acmefetch (challengeHandler LocalFile, www_root = this DocumentRoot, see the
# ACMEfetch step) presumably writes the challenge files into the webroot, so
# it has to be reachable over HTTP at that point.
# NOTE(review): the VirtualHost/Directory container lines seem to have been
# stripped by the wiki export — ServerName/DocumentRoot/logs belong in the
# VirtualHost, Order/Allow/Require/Options/AllowOverride in a Directory
# section for the DocumentRoot; confirm against the file on the server.
ServerName sub.domain.tld
DocumentRoot /srv/www/sub.domain.tld
# Per-site logs; the directory is created in the "Verzeichnisse anlegen" step.
ErrorLog /var/log/httpd/sub.domain.tld/error.log
CustomLog /var/log/httpd/sub.domain.tld/access.log combined
# Apache 2.2-style access control (Order/Allow) next to the 2.4 Require
# directive; on 2.4 the Order/Allow lines only work with mod_access_compat
# loaded. Both grant unrestricted access here.
Order allow,deny
Allow from all
Require all granted
# Indexes: directories without an index file get an auto-generated listing —
# drop it unless listings are actually wanted.
Options Indexes
# AllowOverride all: .htaccess files in the webroot may override any directive.
AllowOverride all
# The redirect to HTTPS stays disabled until the certificate exists; it is
# switched on in the "Redirect von http auf https" step.
# RewriteEngine on
# RewriteCond %{HTTP_HOST} !^$
# RewriteRule ^/(.*) https://sub.domain.tld/$1 [L,R]
# configtest first, so a syntax error is caught before the reload;
# graceful reloads the configuration without dropping in-flight requests.
apachectl configtest
apachectl graceful
===== Konfiguration ACMEfetch =====
# Per-site acmefetch configuration (JSON); the content follows.
vim /opt/acmefetch/etc/sub.domain.tld.cfg
{
"GENERAL": {
"ACMEstaging": "acme-staging.api.letsencrypt.org",
"ACMEservice": "acme-v01.api.letsencrypt.org",
"accountKeyPath": "/etc/letsencrypt/ddeimeke.key"
},
"CERTS": [
{
"certOutput": "/etc/letsencrypt/sub.domain.tld.crt",
"certFormat": "PEM",
"keyOutput": "/etc/letsencrypt/sub.domain.tld.key",
"keyFormat": "PEM",
"chainOutput": "/etc/letsencrypt/chain.crt",
"chainFormat": "PEM",
"commonName": "sub.domain.tld",
"SITES": {
"sub.domain.tld": {
"challengeHandler": "LocalFile",
"challengeConfig": {
"www_root": "/srv/www/sub.domain.tld/",
}
}
}
}
]
}
# Request the certificate; certOutput/keyOutput/chainOutput in the cfg are the
# files the HTTPS vhost references later.
# NOTE(review): the cfg above points at the ACME v1 endpoints (acme-v01 /
# acme-staging); Let's Encrypt has since retired ACME v1, so check the
# acmefetch documentation for the current directory URL before relying on
# this. The trailing comma after "www_root" is not valid strict JSON — remove
# it if acmefetch rejects the file. The challengeHandler is LocalFile with
# www_root = the DocumentRoot, so the plain-HTTP vhost from the
# "Vorbereitung" step must be live when this runs.
/opt/acmefetch/bin/acmefetch --cfg=/opt/acmefetch/etc/sub.domain.tld.cfg
===== Redirect von HTTP auf HTTPS =====
# Same file as in the "Vorbereitung" step: only ServerName and the redirect
# stay active from now on (content follows).
vim /etc/httpd/conf.d/sub.domain.tld.conf
# After the certificate is issued the HTTP vhost is reduced to a redirect;
# the former DocumentRoot/log/access lines are kept commented for reference.
# NOTE(review): the VirtualHost container line seems to have been stripped by
# the wiki export — confirm against the file on the server.
ServerName sub.domain.tld
# DocumentRoot /srv/www/sub.domain.tld
# ErrorLog /var/log/httpd/sub.domain.tld/error.log
# CustomLog /var/log/httpd/sub.domain.tld/access.log combined
#
# Order allow,deny
# Allow from all
# Require all granted
# Options Indexes
# AllowOverride all
#
RewriteEngine on
# Only redirect requests that carry a Host header (condition: HTTP_HOST is
# not empty).
RewriteCond %{HTTP_HOST} !^$
# [R] without a status code is a temporary (302) redirect; use [L,R=301]
# once the HTTPS setup is final. Later HTTP-01 renewals follow this redirect,
# so the challenge path must be served by the HTTPS vhost from the same
# DocumentRoot (which the "SSL-Konfiguration Apache" step does).
RewriteRule ^/(.*) https://sub.domain.tld/$1 [L,R]
===== SSL-Konfiguration Apache =====
# New file for the HTTPS vhost; the 00- prefix presumably makes it sort before
# the other conf.d files — confirm that this ordering is intended.
vim /etc/httpd/conf.d/00-sub.domain.tld.conf
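# HTTPS vhost for sub.domain.tld.
# NOTE(review): the VirtualHost/Directory container lines seem to have been
# stripped by the wiki export — the Deny block below reads like a default
# "Directory /" section and the Allow block like the DocumentRoot section;
# confirm against the file on the server.
ServerName sub.domain.tld
ServerAdmin dirk.deimeke@myown-it.com
DocumentRoot /srv/www/sub.domain.tld
# Default deny (2.2 Order/Deny next to the 2.4 Require directive; the
# Order/Deny lines need mod_access_compat on 2.4).
Order deny,allow
Deny from all
Require all denied
ErrorLog /var/log/httpd/sub.domain.tld/error.log
CustomLog /var/log/httpd/sub.domain.tld/access.log combined
RewriteEngine On
SSLEngine On
# TLS 1.0 and TLS 1.1 are both deprecated (RFC 8996); the original line only
# disabled TLS 1.0, so -TLSv1.1 is added.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Cipher list kept as on the page. The AES128-SHA/AES256-SHA/AES/CAMELLIA
# entries near the end have no forward secrecy — trim them if no legacy
# clients depend on them.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
# TLS compression off (CRIME mitigation).
SSLCompression off
# HSTS for 15768000 s (~6 months). "always set" instead of "add": the header
# is sent on every response (including redirects and errors, not only 2xx)
# and an existing value is replaced rather than duplicated.
Header always set Strict-Transport-Security "max-age=15768000"
# Files written by acmefetch (certOutput/keyOutput/chainOutput in the cfg).
SSLCertificateFile /etc/letsencrypt/sub.domain.tld.crt
SSLCertificateKeyFile /etc/letsencrypt/sub.domain.tld.key
SSLCertificateChainFile /etc/letsencrypt/chain.crt
# Two separate directives — on the page they were joined on one line, which
# configtest rejects (ExpiresActive takes exactly one argument).
ExpiresActive on
ExpiresDefault "access plus 1 week"
# DocumentRoot section: unrestricted access.
Order allow,deny
Allow from all
Require all granted
# Indexes gives auto-generated listings for directories without an index
# file; FollowSymLinks lets symlinks lead outside the webroot. Drop Indexes
# unless listings are actually wanted.
Options Indexes FollowSymLinks
# .htaccess files in the webroot may override any directive.
AllowOverride all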
# configtest first, so a syntax error is caught before the reload;
# graceful reloads the configuration without dropping in-flight requests.
apachectl configtest
apachectl graceful