HTTPS Support Notes

Prepare for SSL Certificate

  • sudo yum install python-certbot-apache

Get certificates from letsencrypt.com

  • certbot –apache -d {server}scoretility.com certonly

  • update /etc/httpd/sites-available/{server}scoretility.com.conf

<VirtualHost *:80>

ServerName {server}scoretility.com

Redirect permanent / https://{server}scoretility.com/

</VirtualHost>

<VirtualHost *:443>

ServerAdmin lking@pobox.com

ServerName {server}scoretility.com

[for production

ServerName www.scoretility.com

ServerAlias scoretility.com]

SSLEngine on

SSLCertificateFile /etc/letsencrypt/live/{server}scoretility.com/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/{server}scoretility.com/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/{server}scoretility.com/chain.pem

DocumentRoot /var/www/{server}scoretility.com/wordpress

<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>

<Directory /var/www/{server}scoretility.com/wordpress>

Options Indexes FollowSymLinks MultiViews

AllowOverride All

Order allow,deny

allow from all

</Directory>

LogLevel warn

ErrorLog /var/www/{server}scoretility.com/logs/error.log

CustomLog /var/www/{server}scoretility.com/logs/requests.log combined

</VirtualHost>

  • sudo apachectl restart

Notes

http://www.wpbeginner.com/wp-tutorials/how-to-add-ssl-and-https-in-wordpress/

https://managewp.com/wordpress-ssl-settings-and-how-to-resolve-mixed-content-warnings

mixed content - see https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content

browser cache - https://codex.wordpress.org/I_Make_Changes_and_Nothing_Happens

android trust - https://community.letsencrypt.org/t/android-doesnt-trust-the-certificate/16498/2

admin vs. apache user

Jason Scaroni suggested I have a non-privileged apache user for scoretility.com and sandbox.steeplechasers.org, and a privileged (non-root) admin

One possibility is to remove scoretility and sandboxsteeps from wheel group (i.e., no sudo for these users) and create lking user (e.g.) for both. lking is administrative user and would be put into wheel

Not sure but it might be a good idea to have separate ssh keys for scoretility, sandboxsteeps and loutilityadmin

For sandboxsteeps, need apache to be able to write into the document tree. Not so sure about scoretility, but I think not.

sandboxsteeps should be added to apache group, and default file create should be sandboxsteeps:apache

Notes

steps

  • sudo gpasswd -d sandboxsteeps wheel # no sudo for you, one year

  • sudo usermod -a -G apache sandboxsteeps # play nice with apache

  • sudo usermod -g apache sandboxsteeps # now apache is primary group

  • sudo usermod -a -G sandboxsteeps sandboxsteeps # add sandboxsteeps

    group

  • sudo chown -R apache:apache

    /var/www/sandbox.steeplechasers.org/wordpress/ # apache group for wordpress files

  • sudo chown -R sandboxsteeps:apache

    /var/www/sandbox.steeplechasers.org/wordpress/wp-content/themes/steeps # sandboxsteeps owner for steeps theme

  • sudo chmod -R 700 /var/www/sandbox.steeplechasers.org/wordpress/

  • sudo chmod -R g+r-x+X /var/www/sandbox.steeplechasers.org/wordpress/

  • sudo chmod -R g+w

    /var/www/sandbox.steeplechasers.org/wordpress/wp-content/plugins # apache needs write access for some directories

  • sudo chmod -R g+w

    /var/www/sandbox.steeplechasers.org/wordpress/wp-content/themes

  • sudo chmod -R g+w

    /var/www/sandbox.steeplechasers.org/wordpress/wp-content/upgrade

  • sudo chmod -R g+w

    /var/www/sandbox.steeplechasers.org/wordpress/wp-content/uploads

  • sudo chmod -R g+w

    /var/www/sandbox.steeplechasers.org/wordpress/wp-content/wflogs # wordfence plugin

  • sudo chown -R sandboxsteeps:sandboxsteeps /home/sandboxsteeps

  • sudo chmod -R g+s /home/sandboxsteeps

Security Tips