Difference between revisions of "Apache"
Line 93: | Line 93: | ||
== SSL Providers == | == SSL Providers == | ||
Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. You can still get a free SSL certificate from StartSSL.com. If you want expert help in getting your site secured, contact http://eQuality-Tech.com | Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. You can still get a free SSL certificate from StartSSL.com. If you want expert help in getting your site secured, contact http://eQuality-Tech.com | ||
+ | |||
+ | == Security == | ||
+ | Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs. | ||
+ | |||
+ | http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip | ||
+ | |||
+ | http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip | ||
+ | |||
+ | Thank the US tax payers =) | ||
[[Category:Howto]] | [[Category:Howto]] | ||
[[Category:Apache]] | [[Category:Apache]] | ||
[[Category:System Administration]] | [[Category:System Administration]] |
Revision as of 11:52, 30 May 2014
Contents
Docs[edit | edit source]
In addition to the extensive online documentation of the Apache project, you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar
Secure Server[edit | edit source]
These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache
For Debian-based distros, the apache binary is apache2 rather than httpd, so for finding out what modules are built-in or enabled you would type
sudo apache2 -l
If mod_ssl.so is not listed in the output, it can be easily enabled by using the a2enmod command
sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
A script for generating randomness (to help in creating a more cryptographically secure SSL key)
#! /usr/bin/env python
import string
from random import Random
import sys
for x in range(1, 10000): sys.stdout.write(
Random().sample(string.letters +
string.digits, 1)[0])
And then use that to create and store some randomness.
./randomness.py > file1
./randomness.py > file2
./randomness.py > file3
# which is then fed into openssl
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)
sudo openssl rsa -in server.key -out server.pem
Generate the signed certificate
sudo openssl req -new -key server.pem -out server.csr
sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
Copy certificate over to the configuration directory
sudo cp server.pem server.crt /etc/apache2/
sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
Modify the (default) configuration file (only if you want to change the available ciphers used)
sudo vi /etc/apache2/mods-available/ssl.conf
My ubuntu system comes pre-configured to allow medium to highly secure ciphers
SSLCipherSuite HIGH:MEDIUM:!ADH
Now configure our directory paths, and permissions in an Apache configuration file
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
sudo vi /etc/apache2/sites-available/mysite-ssl
In addition to setting Document Root, I modified these two directives:
SSLCertificateFile /etc/apache2/server.crt SSLCertificateKeyFile /etc/apache2/server.pem
# enable the site
sudo a2ensite mysite-ssl
# test the configuration syntax
sudo apache2ctl configtest
# restart the server
sudo apache2ctl graceful
SSL Providers[edit | edit source]
Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. You can still get a free SSL certificate from StartSSL.com. If you want expert help in getting your site secured, contact http://eQuality-Tech.com
Security[edit | edit source]
Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs.
http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip
http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip
Thank the US tax payers =)