Difference between revisions of "Apache"
Jump to navigation
Jump to search
(Created page with "Dit document beschrijft hoe we na een standaard install van apache op een RHEL server. Apache verder af configureren zodat het wat gehardend is. {| class="wikitable" !Dire...") |
|||
| Line 1: | Line 1: | ||
| − | + | = Apache Hardening = | |
| − | + | Here are some general settings for hardening an Apache server, and their rationales. | |
| − | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 43: | Line 42: | ||
|Disable inode-based ETag generation in the Apache config.<br>You can remove inode information from the ETag header by adding this directive to your Apache config. | |Disable inode-based ETag generation in the Apache config.<br>You can remove inode information from the ETag header by adding this directive to your Apache config. | ||
|} | |} | ||
| + | |||
| + | = SSL = | ||
| + | |||
| + | In order to configure SSL to be the most safe and secure, you need to make some asdustments to the Apache defaults. | ||
| + | |||
| + | The quickest way to do this is to go here: https://mozilla.github.io/server-side-tls/ssl-config-generator/ and generate some defaults for the current environment - this document may get out of date related to cipher suites designated as insecure. | ||
| + | |||
| + | For WUR managed servers, we do this centrally through Puppet, which enables our users to not have to worry about this step. But here are some example secure configs: | ||
| + | |||
| + | <nowiki># SSL Protocol support: | ||
| + | # List the enable protocol levels with which clients will be able to | ||
| + | # connect. Disable SSLv2 and SSLv3 access by default: | ||
| + | SSLProtocol all -SSLv2 -SSLv3 | ||
| + | |||
| + | # SSL Cipher Suite: | ||
| + | # List the ciphers that the client is permitted to negotiate. | ||
| + | # See the mod_ssl documentation for a complete list. | ||
| + | SSLHonorCipherOrder On | ||
| + | SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS | ||
| + | |||
| + | # HSTS | ||
| + | # Do not allow unsecure connections to this site for the next 180 days (browser instruction) | ||
| + | Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;"</nowiki> | ||
| + | |||
| + | The following example is more secure, but less compatible, as it only allows TLS 1.2. This breaks compatiblity with old browsers such as Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, and Android 2.3. Java 7 also fails with this config: | ||
| + | |||
| + | <nowiki># SSL Protocol support: | ||
| + | # List the enable protocol levels with which clients will be able to | ||
| + | # connect. Disable SSLv2 and SSLv3 access by default: | ||
| + | SSLProtocol all -SSLv2 -SSLv3 | ||
| + | |||
| + | # SSL Cipher Suite: | ||
| + | # List the ciphers that the client is permitted to negotiate. | ||
| + | # See the mod_ssl documentation for a complete list. | ||
| + | SSLHonorCipherOrder On | ||
| + | SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 | ||
| + | |||
| + | # HSTS | ||
| + | # Do not allow unsecure connections to this site for the next 180 days (browser instruction) | ||
| + | Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;"</nowiki> | ||
| + | |||
| + | = Server Name Indication = | ||
| + | |||
| + | Example configuration: | ||
| + | |||
| + | <nowiki><VirtualHost *:80> | ||
| + | ServerName omnis.wur.nl | ||
| + | # Port 80 redirected to port 443 | ||
| + | Redirect permanent / https://omnis.wur.nl/ | ||
| + | </VirtualHost> | ||
| + | |||
| + | <VirtualHost *:443> | ||
| + | ServerName omnis.wur.nl | ||
| + | ServerAlias omnis | ||
| + | |||
| + | SSLCertificateFile "/etc/httpd/conf.d/keys/omnis.crt" | ||
| + | SSLCertificateKeyFile "/etc/httpd/conf.d/keys/omnis.key" | ||
| + | SSLCertificateChainFile "/etc/httpd/conf.d/keys/CACert.crt" | ||
| + | SSLEngine On | ||
| + | SSLProtocol all -SSLv2 -SSLv3 | ||
| + | SSLHonorCipherOrder On | ||
| + | SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS | ||
| + | |||
| + | DocumentRoot /var/www/ | ||
| + | |||
| + | ErrorLog /var/log/httpd/omnis-error.log | ||
| + | CustomLog /var/log/httpd/omnis-access.log combined | ||
| + | |||
| + | ServerSignature Off | ||
| + | </VirtualHost></nowiki> | ||
Latest revision as of 11:13, 5 January 2018
Apache Hardening
Here are some general settings for hardening an Apache server, and their rationales.
| Directive and setting | Description/rationale |
|---|---|
| Uncomment LoadModule info_module modules/mod_info.so | gives out too much information about your web server to potential attackers. |
| Uncomment LoadModule status_module modules/mod_status.so | gives out server stats via web pages |
| Uncomment LoadModule userdir_module modules/mod_userdir.so | translates URLs to user-specific directories |
| Uncomment LoadModule autoindex_module modules/mod_autoindex.so | provides directory listings when no index.html file is present |
| AddIcon (remove) AddIconByEncoding (remove) AddIconByType (remove) DefaultIcon (remove) IndexOptions (remove) AddDescription (remove) ReadmeName (remove) HeaderName (remove) IndexIgnore (remove) |
Remove all references to these directives, since we disabled the fancy indexing module. |
| /manual | Remove manual pages |
| /icons | Remove icons |
| ServerSignature Off | Prevents server from giving version info on error pages. |
| ServerTokens Prod | Prevents server from giving version info in HTTP headers |
| TraceEnable Off | TraceEnable off causes the core server and mod_proxy to return a 405 FORBIDDEN error to the client. |
| UserDir disabled root | the UserDir line, since we disabled this module. If you do enable user directories, you’ll need this line to protect root’s files. |
| FileETag MTime Size | Disable inode-based ETag generation in the Apache config. You can remove inode information from the ETag header by adding this directive to your Apache config. |
SSL
In order to configure SSL to be the most safe and secure, you need to make some asdustments to the Apache defaults.
The quickest way to do this is to go here: https://mozilla.github.io/server-side-tls/ssl-config-generator/ and generate some defaults for the current environment - this document may get out of date related to cipher suites designated as insecure.
For WUR managed servers, we do this centrally through Puppet, which enables our users to not have to worry about this step. But here are some example secure configs:
# SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 and SSLv3 access by default: SSLProtocol all -SSLv2 -SSLv3 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. SSLHonorCipherOrder On SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS # HSTS # Do not allow unsecure connections to this site for the next 180 days (browser instruction) Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;"
The following example is more secure, but less compatible, as it only allows TLS 1.2. This breaks compatiblity with old browsers such as Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, and Android 2.3. Java 7 also fails with this config:
# SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 and SSLv3 access by default: SSLProtocol all -SSLv2 -SSLv3 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. SSLHonorCipherOrder On SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 # HSTS # Do not allow unsecure connections to this site for the next 180 days (browser instruction) Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;"
Server Name Indication
Example configuration:
<VirtualHost *:80>
ServerName omnis.wur.nl
# Port 80 redirected to port 443
Redirect permanent / https://omnis.wur.nl/
</VirtualHost>
<VirtualHost *:443>
ServerName omnis.wur.nl
ServerAlias omnis
SSLCertificateFile "/etc/httpd/conf.d/keys/omnis.crt"
SSLCertificateKeyFile "/etc/httpd/conf.d/keys/omnis.key"
SSLCertificateChainFile "/etc/httpd/conf.d/keys/CACert.crt"
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
DocumentRoot /var/www/
ErrorLog /var/log/httpd/omnis-error.log
CustomLog /var/log/httpd/omnis-access.log combined
ServerSignature Off
</VirtualHost>
