Difference between revisions of "Apache"
(→SSL Providers: clarify) |
|||
(12 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
− | + | == Docs == | |
− | |||
− | ==Docs== | ||
In addition to the extensive [http://httpd.apache.org online documentation of the Apache project], you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar | In addition to the extensive [http://httpd.apache.org online documentation of the Apache project], you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar | ||
− | + | == Secure Server == | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | ==Secure Server== | ||
These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache | These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache | ||
Line 159: | Line 91: | ||
</source> | </source> | ||
− | ==SSL Providers== | + | == SSL Providers == |
− | Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. | + | Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. You can still get a free SSL certificate from StartSSL.com. If you want expert help in getting your site secured, contact http://eQuality-Tech.com |
− | ==Security== | + | == Security == |
Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs. | Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs. | ||
Line 171: | Line 103: | ||
Thank the US tax payers =) | Thank the US tax payers =) | ||
− | ==Support / Customization== | + | == Support / Customization == |
There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that. OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache. | There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that. OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
[[Category:Howto]] | [[Category:Howto]] | ||
[[Category:Apache]] | [[Category:Apache]] | ||
[[Category:System Administration]] | [[Category:System Administration]] | ||
− | |||
− | |||
− |
Revision as of 12:09, 15 July 2014
Docs[edit | edit source]
In addition to the extensive online documentation of the Apache project, you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar
Secure Server[edit | edit source]
These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache
For Debian-based distros, the apache binary is apache2 rather than httpd, so for finding out what modules are built-in or enabled you would type
sudo apache2 -l
If mod_ssl.so is not listed in the output, it can be easily enabled by using the a2enmod command
sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
A script for generating randomness (to help in creating a more cryptographically secure SSL key)
#! /usr/bin/env python
import string
from random import Random
import sys
for x in range(1, 10000): sys.stdout.write(
Random().sample(string.letters +
string.digits, 1)[0])
And then use that to create and store some randomness.
./randomness.py > file1
./randomness.py > file2
./randomness.py > file3
# which is then fed into openssl
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)
sudo openssl rsa -in server.key -out server.pem
Generate the signed certificate
sudo openssl req -new -key server.pem -out server.csr
sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
Copy certificate over to the configuration directory
sudo cp server.pem server.crt /etc/apache2/
sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
Modify the (default) configuration file (only if you want to change the available ciphers used)
sudo vi /etc/apache2/mods-available/ssl.conf
My ubuntu system comes pre-configured to allow medium to highly secure ciphers
SSLCipherSuite HIGH:MEDIUM:!ADH
Now configure our directory paths, and permissions in an Apache configuration file
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
sudo vi /etc/apache2/sites-available/mysite-ssl
In addition to setting Document Root, I modified these two directives:
SSLCertificateFile /etc/apache2/server.crt SSLCertificateKeyFile /etc/apache2/server.pem
# enable the site
sudo a2ensite mysite-ssl
# test the configuration syntax
sudo apache2ctl configtest
# restart the server
sudo apache2ctl graceful
SSL Providers[edit | edit source]
Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. You can still get a free SSL certificate from StartSSL.com. If you want expert help in getting your site secured, contact http://eQuality-Tech.com
Security[edit | edit source]
Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs.
http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip
http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip
Thank the US tax payers =)
Support / Customization[edit | edit source]
There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that. OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache.