Differences
This shows you the differences between two versions of the page.
linux_wiki:apache_http_server [2016/02/05 12:11] billdozor [Operation]
linux_wiki:apache_http_server [2018/03/23 16:10] billdozor [SSL Verification]
Line 6: | Line 6: | ||
**Checklist** | **Checklist** | ||
- | * Distro: Enterprise Linux 6 or 7 | + | * Distro(s): Enterprise Linux 6/7 |
---- | ---- | ||
Line 16: | Line 16: | ||
---- | ---- | ||
- | ===== Repo Install | + | ===== Repo: EPEL ===== |
* CentOS 6.7: Apache 2.2 | * CentOS 6.7: Apache 2.2 | ||
Line 42: | Line 42: | ||
yum -y install mod_ssl | yum -y install mod_ssl | ||
</ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Repo: Software Collections ===== | ||
+ | |||
+ | Versions as of 04/13/2016: | ||
+ | * httpd 2.4 | ||
+ | |||
+ | - Add the [[linux_wiki: | ||
+ | - Install< | ||
+ | - Enable the software collection< | ||
+ | - Control operation as below. | ||
---- | ---- | ||
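Review bot: the "Install" and "Enable the software collection" steps of the new Software Collections section carry no visible command, and the closing step "Control operation as below" points at the page's start/stop/restart instructions, which target the stock httpd service; the SCL build installs under its own prefix with its own config root and service name, so that step should say which service name and config path apply, and the two empty steps should quote the exact yum and scl commands. The "Versions as of 04/13/2016" line will also be stale by the time anyone reads it; either drop the date or state where to check the current collection version.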
Line 100: | Line 112: | ||
* Default: NameVirtualHost *:80 (and commented out) | * Default: NameVirtualHost *:80 (and commented out) | ||
- | Disable Trace/Track (a XSS Vulnerability) | + | Security Configs |
<code bash> | <code bash> | ||
+ | ##-- Security --## | ||
+ | #- Information Disclosure -# | ||
+ | ServerTokens Prod | ||
+ | ServerSignature Off | ||
+ | |||
+ | # FileETag: File attributes used to create the ETag HTTP response header for static files | ||
+ | FileETag -INode +MTime +Size | ||
+ | |||
+ | #- Web Application Security -# | ||
+ | # Trace/Track - disabled for security purposes | ||
TraceEnable Off | TraceEnable Off | ||
+ | |||
+ | # Cross-Frame Scripting prevention (click jacking) | ||
+ | # DENY = Deny all attempts to frame the page | ||
+ | Header always append X-Frame-Options DENY | ||
+ | |||
+ | # Cross Site Scripting protection | ||
+ | Header set X-XSS-Protection "1; mode=block" | ||
+ | Header edit Set-Cookie ^(.*)$ $1; | ||
+ | ##-- End of Security Settings --## | ||
</ | </ | ||
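Review bot: the line `Header edit Set-Cookie ^(.*)$ $1;` ends in a bare semicolon, so as written it appends nothing but ";" to every Set-Cookie header; spell out the attributes it is meant to add (HttpOnly, Secure) and say that an unconditional edit re-adds those flags on cookies the application already marks, and that adding Secure in the plain-HTTP vhost stops the cookie being sent at all. Two smaller points in the same block: `Header always append X-Frame-Options DENY` will produce a comma-joined value ("SAMEORIGIN, DENY") when the application sets the header too, which browsers reject, so `set` is the safer verb; and the comment "Cross Site Scripting protection" above `X-XSS-Protection "1; mode=block"` overstates a legacy browser filter, which is not a substitute for output encoding or a Content-Security-Policy. The block should also mention that every `Header` directive needs mod_headers loaded, since the headers module is only introduced further down the page.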
Line 121: | Line 152: | ||
Protocol and Ciphers | Protocol and Ciphers | ||
<code bash> | <code bash> | ||
- | SSLProtocol | + | SSLProtocol TLSv1.2 |
- | SSLCipherSuite HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM | + | SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE: |
</ | </ | ||
* Default SSLProtocol: | * Default SSLProtocol: | ||
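Review bot: the new `SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:` value is cut off after `!DHE:` in the visible lines, and the old string's explicit `!RC4` was dropped in the rewrite; the replacement should be shown in full, keep `!RC4` and `!aNULL` so the intent survives changes to what OpenSSL classifies as HIGH, and be paired with `SSLHonorCipherOrder On`, otherwise the client's preference, not the server's, decides which cipher is used. `SSLProtocol TLSv1.2` is a single-protocol list, which is fine for a 2018 server but silently refuses TLS 1.0/1.1-only clients; one sentence saying so belongs next to it, and the bullet `* Default SSLProtocol:` is empty in the new revision and should state the default being overridden.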
Line 132: | Line 163: | ||
</ | </ | ||
- | ==== SSL Verification ==== | ||
- | Check what ciphers will be used given an Apache config | + | ---- |
- | <code bash> | + | |
- | openssl ciphers | + | |
- | </ | + | |
- | Verify server offered ciphers | + | ===== Other Security Settings ===== |
- | <code bash> | + | |
- | sslscan | + | Other important security settings. |
- | </ | + | |
- | * Look for " | + | ==== Redirect HTTP to HTTPS ==== |
+ | |||
+ | Redirect all HTTP to HTTPS<code bash>< | ||
+ | ServerName example.com | ||
+ | < | ||
+ | RewriteEngine On | ||
+ | RewriteCond %{HTTPS} off | ||
+ | RewriteRule (.*) https:// | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ==== HSTS ==== | ||
+ | |||
+ | Enabling HTTPS Strict Transport Security (HSTS). | ||
+ | |||
+ | Add the strict transport security header to the listening HTTPS host section | ||
+ | <code bash># Optionally load the headers module: | ||
+ | LoadModule headers_module modules/ | ||
+ | |||
+ | < | ||
+ | Header always set Strict-Transport-Security " | ||
+ | </ | ||
+ | * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited. | ||
---- | ---- | ||
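Review bot: the removed "SSL Verification" section (`openssl ciphers` and `sslscan`) was the only check on the page that the cipher and protocol settings actually take effect, and this revision tightens both, so keep that section, or move it under the new "Other Security Settings" heading, rather than delete it. In the additions, the redirect target on `RewriteRule (.*) https://` is cut off and should be shown in full with its flags (the usual form is `https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]`; a plain `Redirect permanent` is simpler when no rewriting is needed), and the HSTS line `Header always set Strict-Transport-Security "` stops at the opening quote even though the bullet below explains `max-age=63072000`. The comment "Optionally load the headers module" is wrong: mod_headers is required for any `Header` directive, so say "load the headers module if it is not already loaded". Also, the heading text should read "HTTP Strict Transport Security", and the section should warn that once the header is sent with a two-year max-age, any later HTTPS breakage locks browsers out for that long, so test with a short max-age first.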
Line 260: | Line 311: | ||
---- | ---- | ||
- | ==== Start Now ==== | + | ==== Start ==== |
* Check syntax, if errors are found, refuse to start. | * Check syntax, if errors are found, refuse to start. | ||
Line 271: | Line 322: | ||
---- | ---- | ||
- | ==== Stop Now ==== | + | ==== Stop ==== |
* Immediately stop the httpd process and kill workers. | * Immediately stop the httpd process and kill workers. | ||
Line 295: | Line 346: | ||
---- | ---- | ||
- | ==== Restart | + | ==== Restart ==== |
* Check syntax, if errors are found, refuse to restart. | * Check syntax, if errors are found, refuse to restart. |