Update the Default Security List for the VCN
Follow this procedure to update the default security list for the VCN to allow necessary traffic.
Earlier you set up the subnet to use the VCN’s default security list. Now you add security list rules that allow the types of connections that the instances in the VCN will need.
Note – Some customers may wish to explicitly allow only the protocols/ports listed in Oracle Advanced Support Gateway Security Guide.
To update the default security list for the VCN, perform the following steps in the your new compartment:
- While viewing the VCN, under Resources, click Security Lists.Note – For more information, refer to the relevant OCI documentation here.
- Click the default security list to view its details. By default, you land on the Ingress Rules page.
- Click Add Ingress Rule.
- To enable inbound connections for HTTPS (TCP port 443), enter the following:Stateless: Unselected (this is a stateful rule.)Source Type: CIDR.Source CIDR: 0.0.0.0/0IP Protocol: TCPSource Port Range: AllDestination Port Range: 443
- Click Add Ingress Rule.
- Use the above steps to add a stateful ingress rule for any subnets with customer assets for the protocols/ports listed in Oracle Advanced Support Gateway Security Guide.
- Add a stateful ingress rule for Oracle’s Jumpgate Host for TCP Ports 22 and 443.
Update firewall settings.
https://docs.oracle.com/en-us/iaas/developer-tutorials/tutorials/wp-on-ubuntu/01-summary.htm
Next, update your iptables configuration to allow HTTP traffic. To update iptables, run the following commands.
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -j ACCEPT
sudo netfilter-persistent save
The commands add a rule to allow HTTP traffic and saves the changes to the iptables configuration files.
Secure WordPress with Let’s Encrypt SSL
https://snapshooter.com/learn/guides/install-wordpress#secure-wordpress-with-lets-encrypt-ssl
It is always a good idea to secure your website with Let’s Encrypt SSL. First, you will need to install the Certbot client to install and manage the SSL. You can install it with the following command:
apt-get install python3-certbot-apache -y
Once the Certbot is installed, run the following command to secure your website with Let’s Encrypt SSL:
certbot --apache -d wordpress.example.com
You will be asked to provide your email and accept the term of service as shown below:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wordpress.example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/wordpress-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/wordpress-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/wordpress-le-ssl.conf
Next, select whether or not to redirect HTTP traffic to HTTPS as shown below:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Type 2 and hit Enter to install the Let’s Encrypt SSL for your website:
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/wordpress.conf to ssl vhost in /etc/apache2/sites-available/wordpress-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://wordpress.example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=wordpress.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/wordpress.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/wordpress.example.com/privkey.pem
Your cert will expire on 2021-02-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now, you can access your WordPress website securely using the URL https://wordpress.example.com.
RENEWING SSL CERTIFICATES FOR APACHE
https://absolutecommerce.co.uk/blog/auto-renew-letsencrypt-apache-certbot
To renew certificates at any time, you may run the following command:
sudo certbot renew --apache
This will take you through the manual steps of renewal. LetsEncrypt will only allow renewal when the certificate is within 30 days of expiry. Once renewed the new certificate will be valid for 90 days from the date of renewal.
Renewing the certificate in this manner will not require you to stop and start Apache so that the config is reloaded on a successful renewal allowing visitors to the site to automatically be served the new certificate.
AUTOMATING THE SSL CERTIFICATE RENEWAL FOR APACHE
Finally, the most important step of this process, is to allow the certificate to auto renew, so that you as a server admin or not don’t have to log in to the server to renew all your certs.
The renewal is run by cron. You should find a cronfile that was automatically added on installation to /etc/cron.d/certbot. If the file is not there you can create it.
Update the content of the cron file as follows:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root certbot -q renew --apache
This will run the renew process twice daily, exactly as above when you ran it manually. The -q flag is provided to prevent any output being logged.
So there you have it, auto renewing LetsEncrypt certificates running on Apache.