Installing HTTPS and running python as a service on Ubuntu
- Install Apache/WSGI Library
sudo apt-get update
sudo apt-get install apache2 libapache2-mod-wsgi-py3
sudo a2enmod wsgi
- Change Apache's listening ports
Add a line in /etc/apache2/ports.conf under Listen 80 that states the port you'd like to listen on. For example, to run a service on port 3000, add the line Listen 3000.
- If there isn't an empty static and templates folder in the Src folder, make them here.
- Create Apache Site
Use your favorite text editor to create the file /etc/apache2/sites-available/app.conf. The following should be entered into the file.
<VirtualHost *:{Port}>
ErrorLog /home/4F00/DevChloroplasts/error.log
LogLevel info
CustomLog /home/4F00/DevChloroplasts/access.log combined
Alias /static /home/4F00/DevChloroplasts/Src/static
<Directory /home/4F00/DevChloroplasts/Src/static>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
<Directory /home/4F00/DevChloroplasts>
<Files app.wsgi>
<RequireAll>
Require all granted
</RequireAll>
</Files>
</Directory>
WSGIDaemonProcess myproject python-path=/home/4F00/DevChloroplasts python-home=/home/4F00/DevChloroplasts/Src/env
WSGIProcessGroup myproject
WSGIScriptAlias / /home/4F00/DevChloroplasts/app.wsgi
</VirtualHost>
Replace /home/4F00/DevChloroplasts with wherever you are putting the processing code.
Then run sudo a2ensite app to have Apache enable the site.
- Cleanup
Make sure you give the user www-data read/write/execute permission on the locations where you want to store the Results and Queue, or else things will break.
Lastly, restart Apache to start your service:
sudo service apache2 restart
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
This creates the self-signed certificate (which carries the public key) and the private key.
Create the file /etc/apache2/conf-available/ssl-params.conf with this text:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLOptions +StrictRequire
Modify your app.conf file to this:
<IfModule mod_ssl.c>
<VirtualHost *:3000>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
#ServerAdmin admin@server.com
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog /home/4F00/DevChloroplasts/error.log
LogLevel info
CustomLog /home/4F00/DevChloroplasts/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# Turn TLS on for this vhost; mod_ssl leaves SSLEngine off unless it is set.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
#Include /etc/apache2/conf-available/ssl-params.conf
#Include /etc/apache2/conf-available/options-ssl-apache.conf
ServerName 38.117.92.164
#ServerAlias Hook
Alias /static /home/4F00/DevChloroplasts/Src/static
<Directory /home/4F00/DevChloroplasts/Src/static>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
<Directory /home/4F00/DevChloroplasts>
<Files app.wsgi>
<RequireAll>
Require all granted
</RequireAll>
</Files>
</Directory>
WSGIDaemonProcess myproject python-path=/home/4F00/DevChloroplasts python-home=/home/4F00/DevChloroplasts/Src/env
WSGIProcessGroup myproject
WSGIScriptAlias / /home/4F00/DevChloroplasts/app.wsgi
</VirtualHost>
</IfModule>
Then run the following commands
sudo a2enmod ssl
sudo a2enmod headers
sudo a2enconf ssl-params
sudo systemctl restart apache2
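mod_ssl leaves SSLEngine off by default, so a vhost that only names a certificate still answers in plain HTTP on its port. The check below is an added example (not part of the original wiki) that flags such vhosts in a config file; the function name audit_vhosts and the sample config are constructed for illustration.

```sh
#!/bin/sh
# audit_vhosts FILE: print "<addr:port> <state>" for each <VirtualHost> block.
#   tls-ok   certificate configured and SSLEngine on
#   tls-off  certificate configured but SSLEngine missing or off
#   plain    no certificate directive in the block
audit_vhosts() {
    awk '
        /^[ \t]*#/ { next }                       # ignore commented-out directives
        tolower($1) == "<virtualhost" {
            addr = $2; sub(/>$/, "", addr)        # "*:3000>" -> "*:3000"
            invh = 1; cert = 0; engine = 0
            next
        }
        invh && tolower($1) == "sslcertificatefile" { cert = 1 }
        invh && tolower($1) == "sslengine" { engine = (tolower($2) == "on") }
        invh && tolower($1) == "</virtualhost>" {
            if (!cert)       state = "plain"
            else if (engine) state = "tls-ok"
            else             state = "tls-off"
            print addr, state
            invh = 0
        }
    ' "$1"
}

# Constructed sample config (certificate paths reuse the ones from this page).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<VirtualHost *:3000>
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
<VirtualHost *:3001>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
<VirtualHost *:80>
    #SSLEngine on
</VirtualHost>
EOF

audit_vhosts "$sample"
```

The function reads a single file and does not follow Include lines, so run it on each file under /etc/apache2/sites-enabled/.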
Congrats on stopping them peeping toms from eavesdropping on your packets 👍 Just watch out for that MITM.
Oh and one last thing, the Certs expire 1 year from the day they're generated. So mark your calendars.
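Instead of relying on a calendar entry, the expiry can be checked by a script. The following is an added example, not part of the original wiki: the function name cert_expires_within is an assumption, and the certificate it tests is a throwaway one generated in a temporary directory with the same options as the command above.

```sh
#!/bin/sh
# cert_expires_within CERT DAYS
# Exit status: 0 = CERT expires within DAYS days (act now),
#              1 = CERT is still valid after DAYS days,
#              2 = CERT cannot be read as an X.509 certificate.
cert_expires_within() {
    cert=$1
    days=$2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample: a 365-day self-signed certificate in a temp directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=constructed.example" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null

if cert_expires_within "$tmp/cert.pem" 30; then
    echo "certificate expires within 30 days: regenerate it"
else
    echo "certificate is valid for more than 30 days"
fi
```

On the server, point the function at /etc/ssl/certs/apache-selfsigned.crt from a cron job. `certbot renew` only handles certificates issued through certbot and will not regenerate a self-signed one.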
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache -d fqdn.com
This will crash saying there's a duplicate name issue. Forget about it and continue.
Next up is to change the 000-default.conf in /etc/apache2/sites-available/.
If anything about Django is in there, delete it and add the following.
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
Then we have to add the lines for Django into 000-default-le-ssl.conf in /etc/apache2/sites-available/.
MAKE SURE THESE LINES AREN'T IN ANY OTHER CONF FILES.
Alias /static /home/alireza/Website/static
<Directory /home/alireza/Website/static>
Require all granted
</Directory>
<Directory /home/alireza/Website/myproject>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIDaemonProcess myproject python-path=/home/alireza/Website python-home=/home/alireza/Website/env
WSGIProcessGroup myproject
WSGIScriptAlias / /home/alireza/Website/myproject/wsgi.py
Save and exit that file. Then run the commands
sudo certbot --apache -d fqdn.com
It'll ask if you want to reinstall it or renew the certs; enter 1 to reinstall the certs. It'll then ask for an email address; enter an admin email address. Then enter 2 to force Apache to redirect to a secure connection. This should finish without throwing any errors.
sudo service apache2 restart
This restarts the Apache server to apply all the changes. It should be error free and the server should be running now.
The following is optional but recommended, as certs expire every 90 days.
In a terminal, type sudo crontab -e and add the following line at the end of the file:
15 3 * * * /usr/bin/certbot renew --quiet
This renews the cert and restarts Apache if the cert is set to expire in the next month.