How to Add Port 80 and 443 for Apache on CentOS

Ensuring that port 80 (HTTP) and port 443 (HTTPS) are open and properly configured is essential for serving web traffic securely and efficiently. On CentOS, this involves configuring both the Apache web server and the system’s firewall to allow incoming connections on these ports. This guide will walk you through the necessary steps to add and secure ports 80 and 443 for Apache on a CentOS system.


Prerequisites

Before proceeding, ensure you have the following:

  • CentOS System: This guide is applicable to CentOS 7 and CentOS 8. Adapt commands accordingly if using a different version.
  • Root or Sudo Access: Administrative privileges are required to install packages and modify firewall settings.
  • Basic Terminal Knowledge: Familiarity with command-line operations.
  • Domain Name (Optional): If you plan to configure HTTPS with a valid SSL certificate.

Step 1: Install Apache

First, install the Apache web server (httpd) if it’s not already installed.

  1. Update the Package Repository:
    sudo yum update -y
    
  2. Install Apache:
    sudo yum install httpd -y
    
  3. Install Mod_SSL (for HTTPS): Mod_SSL is an Apache module that provides support for SSL/TLS.
    sudo yum install mod_ssl -y
    

Step 2: Configure Apache to Listen on Ports 80 and 443

By default, Apache is configured to listen on port 80 for HTTP and port 443 for HTTPS. However, it’s good practice to verify these settings.

  1. Open the Apache Configuration File:
    sudo nano /etc/httpd/conf/httpd.conf
    
  2. Ensure Apache Listens on Port 80: Look for the Listen directive and confirm it includes port 80.
    Listen 80
    
  3. Verify SSL Virtual Host Configuration: The SSL configurations are typically found in a separate file.
    sudo nano /etc/httpd/conf.d/ssl.conf
    

    Ensure it contains the following line to listen on port 443:

    Listen 443 https
    

    Additionally, check the <VirtualHost> block to confirm it’s set to listen on _default_:443.

  4. Save and Exit:
    • Press CTRL + O to save.
    • Press Enter to confirm.
    • Press CTRL + X to exit the editor.

Step 3: Adjust Firewall Settings

To allow incoming traffic on ports 80 and 443, configure the system’s firewall accordingly. CentOS uses Firewalld by default (on CentOS 7 and later). If you’re using an older version or have replaced Firewalld with Iptables, follow the relevant section below.

Using Firewalld

  1. Check Firewalld Status:
    sudo systemctl status firewalld
    

    Ensure that Firewalld is active and running. If it’s not active, start and enable it:

    sudo systemctl start firewalld
    sudo systemctl enable firewalld
    
  2. Allow HTTP (Port 80) and HTTPS (Port 443) Services: Firewalld categorizes services, allowing you to manage them easily.
    sudo firewall-cmd --permanent --add-service=http
    sudo firewall-cmd --permanent --add-service=https
    
  3. Reload Firewalld to Apply Changes:
    sudo firewall-cmd --reload
    
  4. Verify the Open Ports:
    sudo firewall-cmd --list-services
    

    Expected Output:

    dhcpv6-client ssh http https
    

    This indicates that services http and https are allowed through the firewall.

Using Iptables (If Applicable)

Note: CentOS 7 and later versions primarily use Firewalld. If you’ve disabled Firewalld and are using Iptables instead, follow these steps.

  1. Allow Traffic on Port 80 (HTTP):
    sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    
  2. Allow Traffic on Port 443 (HTTPS):
    sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
    
  3. Save the Iptables Rules:
    sudo service iptables save
    
  4. Restart Iptables Service:
    sudo systemctl restart iptables
    
  5. Verify the Open Ports:
    sudo iptables -L -n
    

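    Look for rules that accept traffic on ports 80 and 443, and confirm they are listed above any catch-all REJECT or DROP rule. Iptables evaluates rules in order, so an ACCEPT placed after such a rule never matches.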
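
Rule order decides whether the port 80 and 443 rules are ever reached. The script below is an added example, not part of the original guide: it reads `iptables -S INPUT` output and reports whether the ACCEPT rule for a port comes before a catch-all REJECT/DROP. The function name and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the ACCEPT rule for a TCP port reached before an
# unconditional REJECT/DROP in the INPUT chain?
# Simplification: only single-port --dport matches and catch-all
# "-A INPUT -j REJECT|DROP" rules are considered.

# Usage on a live host: sudo iptables -S INPUT | rule_status 80
# Prints: allowed | shadowed | blocked
rule_status() {
    awk -v port="$1" '
        $1 == "-P" { policy = $3; next }
        $1 != "-A" { next }
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") {
            if (!cut) cut = NR              # first catch-all deny rule
            next
        }
        {
            tcp = 0; dport = 0; accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport" && $(i + 1) == port) dport = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (tcp && dport && accept && !hit) hit = NR
        }
        END {
            if (hit && (!cut || hit < cut)) print "allowed"
            else if (hit) print "shadowed"
            else if (!cut && policy == "ACCEPT") print "allowed"
            else print "blocked"
        }'
}

# Constructed sample: port 80 rule appended after a catch-all REJECT.
APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
# Constructed sample: the same rule inserted at the top of the chain.
INSERTED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

printf '%s\n' "$APPENDED" | rule_status 80   # prints: shadowed
printf '%s\n' "$INSERTED" | rule_status 80   # prints: allowed
```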


Step 4: Enable and Start Apache Service

After installing and configuring Apache, enable and start the service to ensure it runs correctly.

  1. Enable Apache to Start on Boot:
    sudo systemctl enable httpd
    
  2. Start Apache Service:
    sudo systemctl start httpd
    
  3. Check Apache Status:
    sudo systemctl status httpd
    

    Expected Output:

    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: active (running) since [Date & Time]
       ...
    

    Ensure that the service is active (running) without any errors.


Step 5: Verify Apache is Listening on Ports 80 and 443

Ensure that Apache is correctly listening for incoming connections on the designated ports.

  1. Use ss or netstat to Check Listening Ports:
    • Using ss:
      sudo ss -tuln | grep -E ':(80|443)[[:space:]]'
      
    • Using netstat:
      sudo yum install net-tools -y  # Install net-tools if not present
      sudo netstat -tuln | grep -E ':(80|443)[[:space:]]'
      

    Expected Output:

    LISTEN 0      128    0.0.0.0:80       0.0.0.0:*     
    LISTEN 0      128    0.0.0.0:443      0.0.0.0:*     
    

    This indicates that Apache is listening on both ports 80 and 443 for all IPv4 interfaces. If you also need IPv6 support, check for :::80 and :::443.


Step 6: Secure Your Site with an SSL Certificate (Optional)

Securing your website with SSL is crucial for encrypting data and enhancing user trust. Let’s Encrypt provides free SSL certificates, which can be easily integrated with Apache.

Installing Certbot and Obtaining an SSL Certificate

  1. Install EPEL Repository (if not already installed):
    sudo yum install epel-release -y
    
  2. Install Certbot for Apache:
    sudo yum install certbot python2-certbot-apache -y
    

    Note: For newer CentOS versions or if Python3 is preferred, use python3-certbot-apache instead.

  3. Obtain and Install the SSL Certificate:
    sudo certbot --apache
    
  4. Follow the On-Screen Prompts:
    • Enter Your Email Address: For urgent notices and lost key recovery.
    • Agree to Terms of Service: Type A to agree.
    • Share Email: Optionally, share your email with the Electronic Frontier Foundation.
    • Select Domains: Choose the domains you want to secure (e.g., example.com and www.example.com).
    • Redirect HTTP to HTTPS: Choose to redirect all traffic to HTTPS for improved security.
  5. Verify SSL Installation: After completion, visit your website using https://yourdomain.com to ensure the SSL certificate is active and the site is secure.

Automating Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, but Certbot sets up automatic renewals.

  1. Test Automatic Renewal:
    sudo certbot renew --dry-run
    

    Ensure there are no errors in the output.

  2. Ensure Certbot’s Timer is Active (CentOS 7 and Later):
    sudo systemctl list-timers | grep certbot
    

    Expected Output:

    Wed 2023-04-05 03:47:00 UTC  certbot.timer              certbot.service             Mon 1970-01-01 00:00:00 UTC 
    

    If the timer isn’t active, enable it:

    sudo systemctl enable certbot.timer
    sudo systemctl start certbot.timer
    

Step 7: Test Your Configuration

Ensure that both HTTP and HTTPS are working correctly.

  1. Access Your Website via HTTP: Open a web browser and navigate to http://yourdomain.com. If you didn’t set up a redirect, the site should load over HTTP.
  2. Access Your Website via HTTPS: Navigate to https://yourdomain.com. You should see the secure lock icon indicating a valid SSL certificate.
  3. Check Redirect (If Configured): If you set up HTTP to HTTPS redirection, accessing http://yourdomain.com should automatically redirect to https://yourdomain.com.
  4. Use SSL Testing Tools: Utilize online tools to verify your SSL setup.

    Enter your domain to receive a detailed report on your SSL configuration.


Troubleshooting

Issue 1: Firewall Not Allowing Traffic on Ports 80 and 443

Symptoms:

  • Unable to access the website via HTTP or HTTPS.
  • Connection timeout or refused errors.

Solutions:

  1. Verify Firewall Rules:
    sudo firewall-cmd --list-all
    

    Ensure that http and https services are listed under services.

  2. Reapply Firewall Rules: If necessary, re-add the services:
    sudo firewall-cmd --permanent --add-service=http
    sudo firewall-cmd --permanent --add-service=https
    sudo firewall-cmd --reload
    
  3. Check Port Listening: Verify that Apache is listening on the required ports (refer to Step 5).
  4. Restart Firewall and Apache:
    sudo systemctl restart firewalld
    sudo systemctl restart httpd
    

Issue 2: Apache Not Serving HTTPS

Symptoms:

  • Accessing https://yourdomain.com returns an error.
  • SSL certificate not found or invalid.

Solutions:

  1. Ensure SSL Module is Enabled: Verify that mod_ssl is installed and enabled (refer to Step 1).
  2. Check SSL Configuration:
    sudo apachectl configtest
    

    Ensure there are no syntax errors in your Apache configuration.

  3. Verify Certificate Paths: Check that the paths to your SSL certificates in /etc/httpd/conf.d/ssl.conf or your site-specific configuration files are correct.
  4. Renew SSL Certificate: If using Let’s Encrypt, ensure the certificate is valid. Renew if necessary:
    sudo certbot renew
    
  5. Restart Apache:
    sudo systemctl restart httpd
    

Issue 3: Unable to Obtain SSL Certificate with Certbot

Possible Causes:

  • DNS records not pointing correctly to your server.
  • Firewall blocking Let’s Encrypt’s validation requests.
  • Apache misconfiguration.

Solutions:

  1. Verify DNS Settings: Ensure that your domain’s A record points to your server’s correct public IP address.
  2. Check Firewall for HTTP Access: Ensure that port 80 is open and accessible.
  3. Ensure Apache is Properly Configured: Make sure Apache is running and serving the correct site configuration.
  4. Review Certbot Logs: Check /var/log/letsencrypt/ for detailed error messages.
  5. Run Certbot Again with Verbose Output:
    sudo certbot --apache -v
    

    Inspect the output for specific errors and address them accordingly.


Best Practices

  1. Use Strong Passwords: Ensure that all user accounts, especially those with administrative privileges, use strong, unique passwords.
  2. Keep Software Updated: Regularly update Apache, CentOS, and all related packages to benefit from security patches and improvements.
    sudo yum update -y
    
  3. Implement Security Modules: Use Apache security modules like mod_security and mod_evasive to protect against common web threats.
  4. Limit User Privileges: Run Apache under a dedicated user with minimal privileges to reduce security risks.
  5. Regularly Backup Configurations: Back up Apache configuration files and SSL certificates to recover quickly in case of system failures.
  6. Monitor Server Logs: Regularly review Apache and firewall logs to detect and respond to suspicious activities promptly.

Frequently Asked Questions (FAQ)

1. Why Should I Use Ports 80 and 443 for Apache?

Answer: Ports 80 and 443 are the standard ports for HTTP and HTTPS traffic, respectively. Using these ports ensures compatibility with browsers and enables encrypted communication, which is essential for securing data transmission.

2. Can I Change the Default Ports for Apache?

Answer: Yes. While ports 80 and 443 are standard, you can configure Apache to listen on different ports. However, this requires updating firewall rules accordingly and specifying the port in your URLs when accessing the site (e.g., http://example.com:8080).

3. How Do I Redirect HTTP Traffic to HTTPS in Apache?

Answer:

  1. Open the Apache Configuration File for Your Site:
    sudo nano /etc/httpd/conf.d/your-site.conf
    
  2. Add Redirect Rules:
    <VirtualHost *:80>
        ServerName yourdomain.com
        ServerAlias www.yourdomain.com
        Redirect permanent / https://yourdomain.com/
    </VirtualHost>
    
  3. Save and Exit:
    • Press CTRL + O to save.
    • Press Enter to confirm.
    • Press CTRL + X to exit.
  4. Restart Apache:
    sudo systemctl restart httpd
    

    This configuration permanently redirects all HTTP traffic to HTTPS, enhancing security.
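
To confirm the redirect described here and in Step 7 without a browser, the script below checks the response headers for a 301 status and an https:// Location on the expected host. It is an added example, not part of the original guide; the function name and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: validate the HTTP-to-HTTPS redirect from response headers.
# On a live host: curl -sI http://yourdomain.com/ | check_redirect yourdomain.com

# $1 = expected host. Prints "ok <location>" and returns 0 when the response
# is a 301 whose Location is https://<host>/...; otherwise prints "fail: ..."
# and returns 1.
check_redirect() {
    awk -v host="$1" '
        { sub(/\r$/, "") }                        # header lines end in CRLF
        NR == 1 { status = $2; next }             # status line, e.g. HTTP/1.1 301
        tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
        END {
            if (status != "301") {
                print "fail: status " status " is not a permanent redirect"
                exit 1
            }
            prefix = "https://" host
            rest = substr(loc, length(prefix) + 1)
            # The host must end right after the prefix, so that
            # https://<host>.other.example/ is not accepted.
            if (index(loc, prefix) != 1 || (rest != "" && substr(rest, 1, 1) != "/")) {
                print "fail: Location " loc " is not under " prefix
                exit 1
            }
            print "ok " loc
        }'
}

# Constructed sample responses (not captured from a real server).
good_response()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://yourdomain.com/\r\n\r\n'; }
temp_response()  { printf 'HTTP/1.1 302 Found\r\nlocation: https://yourdomain.com/\r\n\r\n'; }
wrong_response() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://yourdomain.com.example.net/\r\n\r\n'; }

good_response | check_redirect yourdomain.com
```

A 302 is reported as a failure because `Redirect permanent` should produce a 301; a temporary redirect usually means a different rule is answering the request.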

4. How Can I Check If Ports 80 and 443 Are Open?

Answer:

  • Using ss:
    sudo ss -tuln | grep -E ':(80|443)[[:space:]]'
    
  • Using netstat:
    sudo yum install net-tools -y  # Install net-tools if not present
    sudo netstat -tuln | grep -E ':(80|443)[[:space:]]'
    
  • Using nmap (from another machine):
    nmap -p 80,443 yourdomain.com
    

    Ensure that the output indicates the ports are open.

5. Do I Need an SSL Certificate for HTTPS?

Answer: Yes. An SSL certificate is required to enable HTTPS, encrypt data transmission, and establish trust with users. Let’s Encrypt offers free SSL certificates that are easy to obtain and renew.

6. What If I Receive an SSL Error in the Browser?

Answer:

  1. Ensure SSL Certificate is Properly Installed:
    • Verify the certificate paths in Apache configuration.
    • Check for any missing intermediate certificates.
  2. Check Certificate Expiry:
    sudo certbot certificates
    

    Renew if expired:

    sudo certbot renew
    
  3. Clear Browser Cache:
    • Sometimes, browsers cache SSL certificate information. Clearing cache may resolve display issues.
  4. Use SSL Testing Tools:

7. Can I Host Multiple Websites on the Same Server with Apache?

Answer: Yes. Apache supports Virtual Hosts, allowing you to host multiple websites on the same server, each with its own domain and configuration.

8. How Do I Secure Apache Beyond SSL?

Answer:

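  • Disable Unnecessary Modules: Reduce potential attack surfaces by disabling unused Apache modules. List the modules Apache has loaded, then comment out the LoadModule lines you do not need in /etc/httpd/conf.modules.d/ and restart Apache.
    sudo httpd -M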
    
  • Implement Security Headers: Add headers like Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options to enhance security.
  • Enable Firewalld Services: Use Firewalld’s predefined profiles for Apache to manage access.

9. Is It Necessary to Restart Apache After Every Configuration Change?

Answer: Yes. After making changes to Apache’s configuration files, restarting or reloading the Apache service is essential to apply the changes.

  • Restart Apache:
    sudo systemctl restart httpd
    
  • Reload Apache (for less disruptive updates):
    sudo systemctl reload httpd
    

10. What Should I Do If I Forget My SSL Certificate’s Private Key?

Answer:

  1. Revoke the Certificate:
    sudo certbot revoke --cert-path /etc/letsencrypt/live/yourdomain.com/cert.pem
    
  2. Delete the Existing Certificate:
    sudo certbot delete
    
  3. Obtain a New Certificate:
    sudo certbot --apache
    

Conclusion

Securing your Apache server by properly configuring ports 80 and 443 is fundamental for serving web traffic and safeguarding data through HTTPS. By following this guide, you’ve successfully installed Apache, configured it to listen on the standard HTTP and HTTPS ports, adjusted firewall settings to allow necessary traffic, and optionally secured your site with an SSL certificate from Let’s Encrypt.

Key Takeaways:

  • Standard Ports: Ports 80 and 443 are essential for HTTP and HTTPS traffic, respectively.
  • Firewall Configuration: Properly configure Firewalld or Iptables to allow traffic on these ports.
  • SSL Encryption: Implementing SSL ensures secure data transmission and enhances user trust.
  • Regular Maintenance: Keep your server and Apache configurations updated to maintain security and performance.

By adhering to best practices and regularly monitoring your server’s security, you can provide a safe and reliable experience for your website visitors.

Next Steps:

  • Explore advanced Apache configurations such as Virtual Hosts for hosting multiple websites.
  • Implement additional security measures like SSH hardening and Intrusion Detection Systems.
  • Optimize Apache performance with modules like mod_deflate and mod_expires for better load times and user experience.