http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html
# secure apache2 source https://www.argure.nl/index.php/forward-secrecy-in-apache-on-debian-wheezy-or-how-to-ace-the-ssltest-with-a-perfect-100/
#-------------------------------------------------------------------------------------
Once you’ve got your certificate installed (or while waiting for one), lets get to configuring apache2, starting with the default ssl configuration:
# cd /etc/apache2
# nano mods-available/ssl.conf
Find this line on line 60:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Replace it with:
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL
Find this line on line 73:
#SSLHonorCipherOrder On
Uncomment it:
SSLHonorCipherOrder On
Find this line on line 78:
SSLProtocol all
Replace it with:
SSLProtocol all -SSLv3
If you plan to run multiple virtual hosts on the same IP address (for instance, hosting both example.tld and anotherexample.tld on the same ivp4), find this line on line 86:
#SSLStrictSNIVHostCheck On
And uncomment it:
SSLStrictSNIVHostCheck On
Next up, if you place files in /srv like I do, we need to allow access:
# nano apache2.conf
Find this block on line 170:
#
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#
And uncomment it:
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
By default apache2 sends inode info in the etag headers. This is a potential security flaw, so lets remove them:
# nano conf-available/etag.conf
And add:
FileETag MTime Size
Next up, if your Certificate Authority uses intermediate certs, apache2 needs to know about them so they can be sent to the client. Some CA’s have a chain of intermediate certs, in which case you need to concatenate them in a single .pem file. You should not include the root CA, as this causes additional overhead and is useless, since those certificates should sit on the client machine.
Some CA’s (like StartSSL), have also started offering certificates using the SHA-2 algorithm rather than SHA-1 which should be avoided. SHA-512 is ideal in my opinion, but SHA-256 is also good and is much more common. The alternatives like SHA-384 and SHA-224 are very rare.
I personally use StartSSL with Class 2 validation and that is what will be assumed. Your certificate authority likely has a guide on where to find the intermediate certificates.
#Get the intermediate certificate:
cd /etc/ssl/localcerts
wget https://startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem
#Now lets include the intermediate certificate, along with some other configuration directives for mod_ssl.
cd /etc/apache2
nano conf-available/ssl-custom.conf
#Add the following line:
SSLCertificateChainFile /etc/ssl/localcerts/sub.class2.server.sha2.ca.pem
#apache2 now also supports OCSP stapling, which is a good thing since it reduces tcp overhead, and also protects the #client’s privacy as it doesn’t send requests to your CA, so lets add these lines as well:
SSLUseStapling On
SSLStaplingCache "shmcb:/cache/stapling_cache(128000)"
(Note, OCSP stapling won’t actually work if your CA uses an intermediate certificate like with StartSSL, but it is a good idea to enable regardless as increased deployment will lead to further development of this method.)
Earlier we patched apache2 and generated a custom DH pool, so let’s include that as well by adding:
SSLDHParametersFile /etc/ssl/dh4096.pem
Some browsers (*cough IE*) have not followed standards for a long time and keeps an SSL session open longer than is needed, which increases server load, so lets stop that behaviour by adding these lines:
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Finally, if you rewrite plain HTTP to HTTPS (and I recommend this, and is assumed later), you will want to send a HSTS header to clients. This tells a client to always use HTTPS for requests to your server, and not even try HTTP. This is faster for the client, and reduces load on your server somewhat. Do this by adding:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Close and save ssl-custom.conf. There are also some small security tweaks which are in apache2 but are disabled by default. Luckily, they are easily enabled:
nano conf-available/security.conf
First, take a look at this block, starting at line 55:
#
# Require all denied
#
If you use subversion to manage your websites, uncomment that block. I personally use git, so I uncommented it and changed ‘svn’ to ‘git’, resulting in:
Require all denied
Next, find this line on line 64:
#Header set X-Content-Type-Options: "nosniff"
Uncomment it:
Header set X-Content-Type-Options: "nosniff"
And this line on line 71:
#Header set X-Frame-Options: "sameorigin"
Uncomment that one as well:
Header set X-Frame-Options: "sameorigin"
Lastly, this header was present in apache2.2 but was removed in 2.4 for a reason I don’t know about. It tells the XSS filter in modern browsers to completely block access to a page if it detects a cross site scripting attack. I personally like to add it:
Header set X-XSS-Protection: "1; mode=block"
#Close and save. Next, we will need to enable the modules
a2enmod ssl headers
#And enable the configurations we just made:
a2enconf etag.conf ssl-custom.conf
# proxy modules
a2enmod proxy_connect proxy_http proxy_html mod_auth_digest proxy_wstunnel.load rewrite.load xml2enc.load
#Disable the ‘default’ site:
a2dissite 000-default
Create dir for virtualhost
mkdir -p /var/log/apache2/sadar /srv/sadar
touch /var/log/apache2/sadar/access.log /var/log/apache2/sadar/error.log
chown -R root:adm /var/log/apache2/sadar
touch /srv/sadar/index.html
chown -R www-data:www-data /srv/sadar
Next up, lets make a configuration
nano /etc/apache2/sites-available/sadar.conf
#----------------------------------------------------------------------------- sadar.conf -------------------------------------
ServerName sadar
ServerAdmin sadar@sadar-ssi.org
Redirect permanent / https://sadar/
HostnameLookups On
ServerName sadar
ServerAdmin sadar@sadar-ssi.org
ServerSignature off
DocumentRoot /srv/sadar
LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/sadar/error.log
CustomLog ${APACHE_LOG_DIR}/sadar/access.log combined
SSLEngine on
SSLproxyengine on
SSLCertificateFile /etc/ssl/localcerts/sadar-certificate.crt
SSLCertificateKeyFile /etc/ssl/localcerts/sadar-certificate.key
SSLVerifyClient none
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
HostnameLookups On
Proxyrequests On
ProxyVia full
AllowCONNECT 22
Order deny,allow
Deny from all
Order deny,allow
Allow from all
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
#---------------------------------------------------------------------------- sadar.conf -------------------------------------
# activate site
a2ensite sadar
#restart apache
service apache2 restart
# into ./ssh/config
Host my-remote-ssh
Hostname my-host-ssh
Port 22
DynamicForward *:11999
IdentityFile ./private-keys/remote-ssh.ppk
ProxyCommand proxytunnel -v -p my-local-proxy:80 --passfile=proxy/auth -r my-remote-proxy:443 -d %h:%p -H "User-Agent: Yaaaaaaaaa" -X
