Apache

From Linux User Group at WUR
Jump to: navigation, search

Apache Hardening

Here are some general settings for hardening an Apache server, and their rationales.

Directive and setting Description/rationale
Uncomment LoadModule info_module modules/mod_info.so gives out too much information about your web server to potential attackers.
Uncomment LoadModule status_module modules/mod_status.so gives out server stats via web pages
Uncomment LoadModule userdir_module modules/mod_userdir.so translates URLs to user-specific directories
Uncomment LoadModule autoindex_module modules/mod_autoindex.so provides directory listings when no index.html file is present
AddIcon (remove)
AddIconByEncoding (remove)
AddIconByType (remove)
DefaultIcon (remove)
IndexOptions (remove)
AddDescription (remove)
ReadmeName (remove)
HeaderName (remove)
IndexIgnore (remove)
Remove all references to these directives, since we disabled the fancy indexing module.
/manual Remove manual pages
/icons Remove icons
ServerSignature Off Prevents server from giving version info on error pages.
ServerTokens Prod Prevents server from giving version info in HTTP headers
TraceEnable Off TraceEnable off causes the core server and mod_proxy to return a 405 FORBIDDEN error to the client.
UserDir disabled root the UserDir line, since we disabled this module. If you do enable user directories, you’ll need this line to protect root’s files.
FileETag MTime Size Disable inode-based ETag generation in the Apache config.
You can remove inode information from the ETag header by adding this directive to your Apache config.

SSL

In order to configure SSL to be the most safe and secure, you need to make some asdustments to the Apache defaults.

The quickest way to do this is to go here: https://mozilla.github.io/server-side-tls/ssl-config-generator/ and generate some defaults for the current environment - this document may get out of date related to cipher suites designated as insecure.

For WUR managed servers, we do this centrally through Puppet, which enables our users to not have to worry about this step. But here are some example secure configs:

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2  and SSLv3 access by default:
SSLProtocol all -SSLv2 -SSLv3
 
#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 
# HSTS
# Do not allow unsecure connections to this site for the next 180 days (browser instruction)
Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;"

The following example is more secure, but less compatible, as it only allows TLS 1.2. This breaks compatiblity with old browsers such as Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, and Android 2.3. Java 7 also fails with this config:

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2  and SSLv3 access by default:
SSLProtocol all -SSLv2 -SSLv3
 
#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 
# HSTS
# Do not allow unsecure connections to this site for the next 180 days (browser instruction)
Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;"

Server Name Indication

Example configuration:

<VirtualHost *:80>
    ServerName omnis.wur.nl
    # Port 80 redirected to port 443
    Redirect permanent / https://omnis.wur.nl/
</VirtualHost>
 
<VirtualHost *:443>
    ServerName omnis.wur.nl
    ServerAlias omnis
 
    SSLCertificateFile "/etc/httpd/conf.d/keys/omnis.crt"
    SSLCertificateKeyFile "/etc/httpd/conf.d/keys/omnis.key"
    SSLCertificateChainFile "/etc/httpd/conf.d/keys/CACert.crt"
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 
    DocumentRoot /var/www/
 
    ErrorLog     /var/log/httpd/omnis-error.log
    CustomLog    /var/log/httpd/omnis-access.log combined
 
    ServerSignature Off
</VirtualHost>