Differences

This shows you the differences between two versions of the page.

--- linux_wiki:apache_http_server [2016/02/05 12:10]
billdozor [Stop Now]
+++ linux_wiki:apache_http_server [2018/03/23 16:10]
billdozor [SSL Verification]
@@ Line 6: / Line 6: @@
 **Checklist**
-  * Distro: Enterprise Linux 6 or 7
+  * Distro(s): Enterprise Linux 6/7
 ----
@@ Line 16: / Line 16: @@
 ----
-===== Repo Install =====
+===== Repo: EPEL =====
   * CentOS 6.7: Apache 2.2
@@ Line 42: / Line 42: @@
 yum -y install mod_ssl
 </code>
+----
+===== Repo: Software Collections =====
+Versions as of 04/13/2016:
+  * httpd 2.4
+  - Add the [[linux_wiki:repos#software_collections|software collections repo]].
+  - Install<code bash>yum install httpd24</code>
+  - Enable the software collection<code bash>scl enable httpd24 bash</code>
+    - Control operation as below.
 ----
@@ Line 100: / Line 112: @@
   * Default: NameVirtualHost *:80 (and commented out)
-Disable Trace/Track (a XSS Vulnerability)
+Security Configs
 <code bash>
+##-- Security --##
+#- Information Disclosure -#
+ServerTokens Prod
+ServerSignature Off
+# FileETag: File attributes used to create the ETag HTTP response header for static files
+FileETag -INode +MTime +Size
+#- Web Application Security -#
+# Trace/Track - disabled for security purposes
 TraceEnable Off
+# Cross-Frame Scripting prevention (click jacking)
+# DENY = Deny all attempts to frame the page
+Header always append X-Frame-Options DENY
+# Cross Site Scripting protection
+Header set X-XSS-Protection "1; mode=block"
+Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+##-- End of Security Settings --##
 </code>
@@ Line 121: / Line 152: @@
 Protocol and Ciphers
 <code bash>
-SSLProtocol TLS1.2 +TLSv1.1 +TLSv1
+SSLProtocol TLSv1.2
-SSLCipherSuite HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM
+SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4
 </code>
   * Default SSLProtocol: all -SSLv2
@@ Line 132: / Line 163: @@
 </code>
-==== SSL Verification ====
-Check what ciphers will be used given an Apache config
+----
-<code bash>
-openssl ciphers -v 'HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM'
-</code>
-Verify server offered ciphers
+===== Other Security Settings =====
-<code bash>
-sslscan --no-failed 10.1.2.3:443
+Other important security settings.
-</code>
-  * Look for "Supported Server Cipher(s)" and "Preferred Server Cipher(s)"
+==== Redirect HTTP to HTTPS ====
+Redirect all HTTP to HTTPS<code bash><VirtualHost *:80>
+  ServerName example.com
+  <IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+  </IfModule>
+</VirtualHost></code>
+----
+==== HSTS ====
+Enabling HTTPS Strict Transport Security (HSTS).
+Add the strict transport security header to the listening HTTPS host section
+<code bash># Optionally load the headers module:
+LoadModule headers_module modules/mod_headers.so
+<VirtualHost *:443>
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
+</VirtualHost></code>
+  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
 ----
@@ Line 256: / Line 307: @@
 Controlling the Apache httpd service: Apache recommends using the "apachectl" signals instead of the OS service control interface (service/systemctl).
-  * After sending a signal to httpd, watch its progress in the error_log file: $APACHE-ROOT/logs/error_log
+  * After sending a signal to httpd, watch its progress in the error_log file: logs/error_log
 ----
-==== Start Now ====
+==== Start ====
   * Check syntax, if errors are found, refuse to start.
@@ Line 271: / Line 322: @@
 ----
-==== Stop Now ====
+==== Stop ====
   * Immediately stop the httpd process and kill workers.
@@ Line 295: / Line 346: @@
 ----
-==== Restart Now ====
+==== Restart ====
   * Check syntax, if errors are found, refuse to restart.