Redirect all traffic to secure https 

We recommend always using secure https for web traffic, and that you redirect all http traffic to https.

We also suggest using HSTS (HTTP Strict Transport Security) to train visiting web browsers to use https immediately on future visits.

Ensure Apache has SSL enabled

If Apache is not already running SSL for other sites, you will need to enable the SSL module:

sudo a2enmod ssl

and then:

sudo systemctl restart apache2.service

 

Prepare an SSL certificate

You will need an SSL certificate. You may already have one for your domain, you may purchase one commercially, or you can obtain a free one from Let's Encrypt using Certbot.

To install Certbot on Ubuntu:

sudo apt update
sudo apt install certbot

You will be prompted to agree to the terms, and to subscribe for updates.

Create an SSL certificate for your domain name. In this example, let's imagine it's called zenariosite.com:

$ sudo systemctl stop apache2.service 
$ sudo certbot certonly -d zenariosite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zenariosite.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zenariosite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zenariosite.com/privkey.pem
   Your cert will expire on 2021-12-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
- If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
$ sudo systemctl start apache2.service

The above example stops Apache before running Certbot and starts it again afterwards, because Certbot's standalone authenticator needs port 80 and otherwise fails with "Problem binding to port 80: Could not bind to IPv4 or IPv6."; you may find this is not necessary on your server.

Note that there must be a DNS "A" record pointing to your server before you start the process above.

Make an https Apache virtual host

Create an Apache virtual host file, for example called /etc/apache2/sites-available/zenariosite.conf, with these contents:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName zenariosite.com

        # HSTS header; needs Apache's headers module (mod_headers) to be enabled
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

        ErrorLog ${APACHE_LOG_DIR}/zenariosite-error.log
        CustomLog ${APACHE_LOG_DIR}/zenariosite-access.log combined

        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/zenariosite.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/zenariosite.com/privkey.pem

        DocumentRoot /var/www/clients/zenariosite/public_html
        <Directory /var/www/clients/zenariosite/public_html/>
                Options +FollowSymLinks +MultiViews -Indexes
                AllowOverride All
                # Apache 2.4 access control (replaces "Order allow,deny" / "allow from all")
                Require all granted
        </Directory>
</VirtualHost>
</IfModule>

<VirtualHost *:80>
        ServerName zenariosite.com
        ServerAlias www.zenariosite.com
        ServerAlias another-zenario-domain.com
        ServerAlias www.another-zenario-domain.com

        # Permanent redirect to https; needs Apache's rewrite module (mod_rewrite) to be enabled
        RewriteEngine On
        RewriteRule ^ https://zenariosite.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

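The first VirtualHost section above defines how https requests are handled; make sure that the paths to the SSL key and certificate files are correct. If you don't use Certbot, make sure the private key file is owned by root and readable only by root (e.g. chmod 400).

The line beginning Header sends the HSTS header, which tells browsers to remember to use https for this site. With the values shown, browsers remember this for 63072000 seconds (two years), and includeSubdomains extends the policy to every subdomain of zenariosite.com, so only use it if all of those subdomains are served over https.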

Check also that the DocumentRoot and Directory point accurately to the home directory of your Zenario installation, public_html in this example.

The second VirtualHost section above redirects all http traffic for the main domain, the www subdomain, and the other listed domains to the https site, and appends the original request (e.g. page name) to the redirect.

Note that further options are possible, such as restricting SSL protocols and SSL cipher suites, but are not covered here.

Switch the vhost

Now disable the old virtual host, enable the new one, and reload Apache:

$ sudo a2dissite zenariosite-http.conf 
Site zenariosite-http disabled.
To activate the new configuration, you need to run:
  systemctl reload apache2
$ sudo a2ensite zenariosite.conf
Enabling site zenariosite.
To activate the new configuration, you need to run:
  systemctl reload apache2
$ sudo systemctl reload apache2.service

You should now be able to point your browser at your https URL, and be directed there automatically from any http domains listed in the configuration.
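
To check the result from the command line rather than a browser, the following added example (not part of the original instructions) validates response headers for the permanent redirect and the HSTS policy configured above. The function names and the sample responses are constructed for illustration; the commented curl commands show live use and assume curl is installed.

```shell
#!/bin/sh
# Added example: check captured response headers for the redirect and HSTS policy.
# Live use (assumes curl is installed):
#   curl -sI http://www.zenariosite.com/some/page | check_redirect zenariosite.com /some/page
#   curl -sI https://zenariosite.com/ | check_hsts 31536000

# Print the value of header $1 (name matched case-insensitively) from stdin.
header_value() {
    tr -d '\r' | awk -v name="$1" 'BEGIN { name = tolower(name) }
        { i = index($0, ":")
          if (i > 0 && tolower(substr($0, 1, i - 1)) == name) {
              v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }'
}

# Succeed only if the response is a permanent redirect to https://$1$2.
check_redirect() {
    hdrs=$(tr -d '\r')
    code=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
    loc=$(printf '%s\n' "$hdrs" | header_value Location)
    case "$code" in
        301|308) ;;
        *) echo "FAIL: status '$code' is not a permanent redirect"; return 1 ;;
    esac
    [ "$loc" = "https://$1$2" ] || { echo "FAIL: Location is '$loc'"; return 1; }
    echo "OK: $code -> $loc"
}

# Succeed only if HSTS is present with max-age >= $1 seconds and includeSubDomains.
check_hsts() {
    hsts=$(header_value Strict-Transport-Security)
    [ -n "$hsts" ] || { echo "FAIL: no Strict-Transport-Security header"; return 1; }
    # Directive names are case-insensitive; split on ';' into one directive per line.
    parts=$(printf '%s\n' "$hsts" | tr '[:upper:]' '[:lower:]' | tr -d ' "' | tr ';' '\n')
    age=$(printf '%s\n' "$parts" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    { [ -n "$age" ] && [ "$age" -ge "$1" ]; } || { echo "FAIL: max-age '$age' < $1"; return 1; }
    printf '%s\n' "$parts" | grep -qx 'includesubdomains' ||
        { echo "FAIL: includeSubDomains missing"; return 1; }
    echo "OK: HSTS max-age=$age with includeSubDomains"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://zenariosite.com/some/page\r\n\r\n')
SAMPLE_HTTPS=$(printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=63072000; includeSubdomains;\r\n\r\n')

printf '%s\n' "$SAMPLE_HTTP" | check_redirect zenariosite.com /some/page
printf '%s\n' "$SAMPLE_HTTPS" | check_hsts 31536000
```

Run the redirect check against each http hostname listed in the port 80 virtual host; every one should report a permanent redirect to https://zenariosite.com with the original path preserved.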