How to setup HTTP Strict Transport Security (HSTS) for Apache on Oracle Linux 8

HSTS, which stands for “HTTP Strict Transport Security,” is a web security policy mechanism that can be used to secure HTTPS websites against downgrade attacks. HSTS prevents your web browser from accessing the website over non-HTTPS connections.

Some websites contain pages that serve requests over HTTP. To avoid the usage of HTTP protocol in such cases, the HSTS header was introduced. It forces your website to redirect URLs from HTTP to HTTPS.

In this post, we will explain how to enable HTTP Strict Transport Security (HSTS) for Apache on Oracle Linux 8.

Prerequisites

• A fresh Oracle Linux 8 server
• A valid domain name pointed with your server
• A root password configured on your server

Step 1 – Install and Configure Apache

Before starting, you will need to install the Apache web server and create a virtual host configuration file to host a website.

First, install the Apache web server with the following command:

dnf install httpd -y

Once the installation is completed, start and enable the Apache service:

systemctl start httpd
systemctl enable httpd

Next, create a new apache virtual host configuration file for domain test.linuxbuz.com.

nano /etc/httpd/conf.d/test.conf

Add the following configurations:

<VirtualHost *:80>
   ServerName test.linuxbuz.com
   ServerAdmin [email protected]
   DocumentRoot /var/www/html/
   DirectoryIndex index.html
</VirtualHost>

Save and close the file, then restart Apache to apply the changes:

systemctl restart httpd

Step 2 – Secure Apache with Let’s Encrypt SSL

Next, you will need to install the Certbot client to secure your website with SSL. You can install the Certbot client for Apache with the following command:

dnf install epel-release -y
dnf install certbot python3-certbot-apache -y

Once the installation is completed, run the following command to generate self-signed certificates:

/usr/libexec/httpd-ssl-gencerts

Next, run the following command to install Let’s Encrypt SSL for your website test.linuxbuz.com.

certbot --apache -d test.linuxbuz.com

You will be asked to provide your email and accept the terms of service:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf.
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for test.linuxbuz.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.linuxbuz.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test.linuxbuz.com/privkey.pem
This certificate expires on 2022-11-21.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for test.linuxbuz.com to /etc/httpd/conf.d/test-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://test.linuxbuz.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your website test.linuxbuz.com is now secured with Let’s Encrypt SSL.

Step 3 – Enable HSTS Header

Next, you will need to activate the HSTS header within your website virtual host configuration file.

To do so, open your website virtual host configuration file:

nano /etc/httpd/conf.d/test-le-ssl.conf

Add the following line below the first line:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Save and close the file, then restart the Apache service to apply the changes.

systemctl restart httpd

Step 4 – Verify HSTS Header

Your website is now configured with HSTS header. Next, you will need to verify whether the HSTS header is activated or not.

You can verify it with the following command:

curl -s -D- https://test.linuxbuz.com/ | grep -i Strict

If everything is fine, you should get the following output:

Strict-Transport-Security: max-age=31536000; includeSubDomains

You can also verify it using the URL https://www.ssllabs.com/ssltest/index.html.

Conclusion

In the above tutorial, we explained how to enable the HSTS header for Apache on Oracle Linux 8. Your website is now secured with HSTS, and it can be accessed only through HTTPS protocol. Give HSTS a try on VPS hosting from Atlantic.Net!