Onboarding einer neuen Website mit eigenem DNS-Eintrag
Abkürzungen:
- sub.domain.tld = DNS-Eintrag
- IPv4 = IPv4-Adresse des Servers der Webseite
- IPv6 = IPv6-Adresse des Servers der Webseite
DNS-Eintrag erstellen
CNAME generieren, der auf die Maschine zeigt, auf der die Webseite liegen soll.
Verzeichnisse anlegen
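# Web root for the new site and its per-site httpd log directory.
# -p makes the step repeatable: no error if the directory already exists,
# and parent directories are created if missing.
mkdir -p /srv/www/sub.domain.tld
mkdir -p /var/log/httpd/sub.domain.tld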
Vorbereitung Let's Encrypt
vim /etc/httpd/conf.d/sub.domain.tld.conf
# Bootstrap vhost, plain HTTP only. It serves the DocumentRoot so that the challenge
# file acmefetch's LocalFile handler writes under www_root (the same directory) can be
# fetched over port 80 before any certificate exists.
<VirtualHost IPv4:80 [IPv6]:80>
    ServerName sub.domain.tld
    DocumentRoot /srv/www/sub.domain.tld
    ErrorLog /var/log/httpd/sub.domain.tld/error.log
    CustomLog /var/log/httpd/sub.domain.tld/access.log combined
    <Directory /srv/www/sub.domain.tld>
        # NOTE(review): Order/Allow are 2.2-era access directives (mod_access_compat) mixed
        # with the 2.4 "Require all granted"; one of the two forms is sufficient and mixing
        # them is discouraged by the mod_access_compat documentation.
        Order allow,deny
        Allow from all
        Require all granted
        # NOTE(review): "Indexes" enables directory listings for the whole DocumentRoot,
        # including the ACME challenge directory; use "-Indexes" unless listings are wanted.
        Options Indexes
        # .htaccess files under the DocumentRoot may override the settings above.
        AllowOverride all
    </Directory>
    # Left commented out until the certificate has been issued; the redirect is
    # enabled in the "Redirect von http auf https" step.
    # RewriteEngine on
    # RewriteCond %{HTTP_HOST} !^$
    # RewriteRule ^/(.*) https://sub.domain.tld/$1 [L,R]
</VirtualHost>
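# Reload only if the syntax check passes; without "&&" a broken config is still
# reloaded and the running server keeps serving with the last good config
# while the failure goes unnoticed.
apachectl configtest && apachectl graceful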
Konfiguration ACMEfetch
vim /opt/acmefetch/etc/sub.domain.tld.cfg
{ "GENERAL": { "ACMEstaging": "acme-staging.api.letsencrypt.org", "ACMEservice": "acme-v01.api.letsencrypt.org", "accountKeyPath": "/etc/letsencrypt/ddeimeke.key" }, "CERTS": [ { "certOutput": "/etc/letsencrypt/sub.domain.tld.crt", "certFormat": "PEM", "keyOutput": "/etc/letsencrypt/sub.domain.tld.key", "keyFormat": "PEM", "chainOutput": "/etc/letsencrypt/chain.crt", "chainFormat": "PEM", "commonName": "sub.domain.tld", "SITES": { "sub.domain.tld": { "challengeHandler": "LocalFile", "challengeConfig": { "www_root": "/srv/www/sub.domain.tld/", } } } } ] }
# Request the certificate described in the cfg: the LocalFile handler places the
# challenge under www_root (/srv/www/sub.domain.tld/), which the :80 vhost above must
# already serve, and the cert, key and chain are written to the paths given in the cfg.
/opt/acmefetch/bin/acmefetch --cfg=/opt/acmefetch/etc/sub.domain.tld.cfg
Redirect von HTTP auf HTTPS
vim /etc/httpd/conf.d/sub.domain.tld.conf
# Once the certificate exists, the :80 vhost only redirects to HTTPS.
<VirtualHost IPv4:80 [IPv6]:80>
    ServerName sub.domain.tld
    # Bootstrap settings kept for reference. With ErrorLog/CustomLog commented out,
    # port-80 requests for this site are logged to the server-wide default logs.
    # DocumentRoot /srv/www/sub.domain.tld
    # ErrorLog /var/log/httpd/sub.domain.tld/error.log
    # CustomLog /var/log/httpd/sub.domain.tld/access.log combined
    # <Directory /srv/www/sub.domain.tld>
    #     Order allow,deny
    #     Allow from all
    #     Require all granted
    #     Options Indexes
    #     AllowOverride all
    # </Directory>
    RewriteEngine on
    # Only requests that carry a Host header are redirected (HTTP/1.0 requests without one fall through).
    RewriteCond %{HTTP_HOST} !^$
    # [R] without a code is a temporary (302) redirect; switch to [L,R=301] once HTTPS is known to
    # work. mod_rewrite appends the original query string automatically. This also redirects
    # /.well-known/acme-challenge/ requests, so certificate renewal relies on the :443 vhost
    # serving the same DocumentRoot (Let's Encrypt's HTTP-01 validation follows redirects).
    RewriteRule ^/(.*) https://sub.domain.tld/$1 [L,R]
</VirtualHost>
SSL-Konfiguration Apache
vim /etc/httpd/conf.d/00-sub.domain.tld.conf
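# HTTPS vhost for the site. Certificate, key and chain are the files acmefetch
# writes according to /opt/acmefetch/etc/sub.domain.tld.cfg.
<VirtualHost IPv4:443 [IPv6]:443>
    ServerName sub.domain.tld
    ServerAdmin dirk.deimeke@myown-it.com
    DocumentRoot /srv/www/sub.domain.tld
    # Block web access to a checked-out repository at the top of the DocumentRoot.
    # Only this exact path is covered; .git directories deeper in the tree would need
    # a <DirectoryMatch> rule instead.
    <Directory /srv/www/sub.domain.tld/.git>
        Order deny,allow
        Deny from all
        Require all denied
    </Directory>
    ErrorLog /var/log/httpd/sub.domain.tld/error.log
    CustomLog /var/log/httpd/sub.domain.tld/access.log combined
    RewriteEngine On
    SSLEngine On
    # NOTE(review): TLS 1.1 is still enabled here; it is deprecated (RFC 8996) and can be
    # dropped with "-TLSv1.1" if no TLS-1.1-only clients have to be supported.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    # NOTE(review): the list ends with non-forward-secret CBC suites (AES128-SHA, AES256-SHA,
    # AES, CAMELLIA); they are there for old clients and can be removed when those are gone.
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder on
    SSLCompression off
    # "always set" instead of "add": without "always" mod_headers only applies the header
    # to 2xx responses, so redirects and error pages went out without HSTS; "set" avoids
    # duplicate headers. max-age=15768000 is about six months.
    Header always set Strict-Transport-Security "max-age=15768000"
    SSLCertificateFile /etc/letsencrypt/sub.domain.tld.crt
    SSLCertificateKeyFile /etc/letsencrypt/sub.domain.tld.key
    # Still accepted, but deprecated since httpd 2.4.8: the chain may instead be appended
    # to the file given in SSLCertificateFile.
    SSLCertificateChainFile /etc/letsencrypt/chain.crt
    # Client-side caching of one week for every response that has no more specific Expires rule.
    ExpiresActive on
    ExpiresDefault "access plus 1 week"
    <Directory /srv/www/sub.domain.tld>
        # NOTE(review): 2.2-era Order/Allow mixed with the 2.4 "Require"; one form is enough.
        Order allow,deny
        Allow from all
        Require all granted
        # NOTE(review): "Indexes" exposes directory listings for the whole site and
        # "FollowSymLinks" lets links point outside the DocumentRoot; both are deliberate
        # choices to confirm, "-Indexes" is the safer default for a public site.
        Options Indexes FollowSymLinks
        # .htaccess files may override everything above, including Options.
        AllowOverride all
    </Directory>
</VirtualHost>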
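# Reload only if the syntax check passes; "&&" stops a broken config from being
# reloaded silently while the server keeps running on the previous one.
apachectl configtest && apachectl graceful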