Atlantic.Net Blog

How to Set Up HTTP Strict Transport Security (HSTS) for Apache on Ubuntu 20.04

Hitesh Jethva
by Atlantic.Net (345 posts) under Dedicated Server Hosting, Tutorials
0 Comments

HTTP Strict Transport Security (HSTS) is a web security policy mechanism used for securing HTTPS websites against downgrade attacks. HSTS prevents your web browser from accessing the website over non-HTTPS connections.

After installing SSL, some websites contain pages that serve requests over HTTP. In that case, to avoid the usage of HTTP protocol HSTS header was introduced, it forces your website to redirect URL from HTTP to HTTPS.

In this post, we will show you how to enable HTTP Strict Transport Security (HSTS) for Apache on Ubuntu 20.04.

Prerequisites

  • A fresh Ubuntu 20.04 server on the Atlantic.Net Cloud Platform
  • A valid domain name pointed to your server
  • A root password configured on your server

Step 1 – Create Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Ubuntu 20.04 as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged in to your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.

apt-get update -y

Step 2 – Install and Configure Apache

For the purpose of this tutorial, you will need to install the Apache webserver and create a virtual host configuration file to host a website.

First, install the Apache webserver with the following command:

apt-get install apache2 -y

Once the installation is completed, create a new apache virtual host configuration file for domain test.example.com.

nano /etc/apache2/sites-available/test.conf

Add the following lines:

<VirtualHost *:80>
   ServerName test.example.com
   ServerAdmin [email protected]
   DocumentRoot /var/www/html/
   DirectoryIndex index.html
</VirtualHost>

Save and close the file, then enable the virtual host with the following command:

a2ensite test.conf

Next, restart the Apache to apply the changes:

systemctl restart apache2

Step 3 – Secure Apache with Let’s Encrypt SSL

Next, you will need to install the Certbot client to secure your website with SSL. You can install the Certbot client for Apache with the following command:

apt-get install python3-certbot-apache -y

Once the installation is completed, run the following command to install Let’s Encrypt SSL for your website test.example.com.

certbot --apache -d test.example.com

You will be asked to provide your email and accept the term of service:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test.example.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/test-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/test-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/test-le-ssl.conf

Next, you will need to select whether or not to redirect HTTP traffic to HTTPS:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Type 2 and hit Enter to finish the installation:

Redirecting vhost in /etc/apache2/sites-enabled/test.conf to ssl vhost in /etc/apache2/sites-available/test-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://test.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=test.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/test.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/test.example.com/privkey.pem
   Your cert will expire on 2021-06-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

Your website test.example.com is now secured with Let’s Encrypt SSL.

Step 4 – Enable HSTS Header

Next, you will need to activate the HSTS header within your website virtual host configuration file.

Edit your website virtual host configuration file:

nano /etc/apache2/sites-enabled/test-le-ssl.conf

Add the following line below the first line:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Save and close the file then restart the Apache service to apply the changes.

systemctl restart apache2

Step 5 – Verify HSTS Header

At this point, your website is configured with HSTS header. Now you should verify whether the HSTS header is activated or not.

You can verify it with the following command:

curl -s -D- https://test.example.com/ | grep -i Strict

If everything is fine, you should get the following output:

Strict-Transport-Security: max-age=31536000; includeSubDomains

You can also verify it using the URL https://www.ssllabs.com/ssltest/index.html.

Conclusion

In the above guide, you learned how to enable HSTS header for Apache on Ubuntu 20.04. Your website is now secured with HSTS and it can be accessed only through HTTPS protocol. Try it on your dedicated server hosting account from Atlantic.Net.

Get A Free To Use Cloud VPS

Free Tier Includes:
G3.2GB Cloud VPS Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year


Looking for a Hosting Solution?

We Provide Cloud, Dedicated, & Colocation.

  • Seven Global Data Center Locations.
  • Flexible Private, Public, & Hybrid Hosting.
  • 24x7x365 Security, Support, & Monitoring.
Contact Us Now! Med Tech Award FTC
SOC Audit HIPAA Audit HITECH Audit

Recent Posts

How to Install Python 3.10 on Rocky Linux 8
How to Install TaskBoard on Rocky Linux 8
How to Set Up Pritunl VPN Server on Rocky Linux 8
How to Install Teampass Password Manager on Rocky Linux 8
How to Install and Configure RabbitMQ Server on Rocky Linux 8

Get started with 12 months of free cloud VPS hosting

Free Tier includes:
G3.2GB Cloud VPS Server Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year


New York, NY

100 Delawanna Ave, Suite 1

Clifton, NJ 07014

United States

San Francisco, CA

2820 Northwestern Pkwy,

Santa Clara, CA 95051

United States

Dallas, TX

2323 Bryan Street,

Dallas, Texas 75201

United States

Ashburn, VA

1807 Michael Faraday Ct,

Reston, VA 20190

United States

Orlando, FL

440 W Kennedy Blvd, Suite 3

Orlando, FL 32810

United States

Toronto, Canada

20 Pullman Ct, Scarborough,

Ontario M1X 1E4

Canada

London, UK

14 Liverpool Road, Slough,

Berkshire SL1 4QZ

United Kingdom

Resources