Friday, 21 March 2014

Apache secure SSL

# see also (more recent post):
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html

# secure apache2 source https://www.argure.nl/index.php/forward-secrecy-in-apache-on-debian-wheezy-or-how-to-ace-the-ssltest-with-a-perfect-100/
#-------------------------------------------------------------------------------------
Once you’ve got your certificate installed (or while waiting for one), let’s get to configuring apache2, starting with the default SSL configuration:
# cd /etc/apache2
# nano mods-available/ssl.conf

Find this line on line 60:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Replace it with:
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL

Find this line on line 73:
#SSLHonorCipherOrder On
Uncomment it:
SSLHonorCipherOrder On

Find this line on line 78:
SSLProtocol all
Replace it with:
SSLProtocol all -SSLv3

If you plan to run multiple virtual hosts on the same IP address (for instance, hosting both example.tld and anotherexample.tld on the same IPv4 address), find this line on line 86:
#SSLStrictSNIVHostCheck On
And uncomment it:
SSLStrictSNIVHostCheck On

Next up, if you place files in /srv like I do, we need to allow access:
# nano apache2.conf

Find this block (a commented-out <Directory /srv/> container) on line 170:
#<Directory /srv/>
#    Options Indexes FollowSymLinks
#    AllowOverride None
#    Require all granted
#</Directory>

And uncomment it:

<Directory /srv/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>


By default apache2 sends inode information in the ETag header. This is a potential security flaw, so let’s remove it:
# nano conf-available/etag.conf

And add:
FileETag MTime Size

Next up, if your Certificate Authority uses intermediate certificates, apache2 needs to know about them so they can be sent to the client. Some CAs have a chain of intermediate certificates, in which case you need to concatenate them into a single .pem file. Do not include the root CA: it adds overhead and is useless, since the root certificates should already sit on the client machine.

Some CAs (like StartSSL) have also started offering certificates signed with the SHA-2 family rather than SHA-1, which should be avoided. SHA-512 is ideal in my opinion, but SHA-256 is also good and is much more common. The alternatives, SHA-384 and SHA-224, are very rare.

I personally use StartSSL with Class 2 validation and that is what will be assumed. Your certificate authority likely has a guide on where to find the intermediate certificates.

#Get the intermediate certificate:
cd /etc/ssl/localcerts
wget https://startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem


#Now let’s include the intermediate certificate, along with some other configuration directives for mod_ssl.
cd /etc/apache2
nano conf-available/ssl-custom.conf

#Add the following line:
SSLCertificateChainFile /etc/ssl/localcerts/sub.class2.server.sha2.ca.pem

#apache2 now also supports OCSP stapling, which is a good thing since it reduces TCP overhead and also protects the client’s privacy, as the client no longer sends requests to your CA, so let’s add these lines as well:

SSLUseStapling On
SSLStaplingCache "shmcb:/cache/stapling_cache(128000)"

(Note: OCSP stapling won’t actually work if your CA uses an intermediate certificate, as StartSSL does, but it is a good idea to enable it regardless, as increased deployment will lead to further development of this method.)

Earlier we patched apache2 and generated a custom DH pool, so let’s include that as well by adding:
SSLDHParametersFile /etc/ssl/dh4096.pem

Some browsers (*cough IE*) have not followed standards for a long time and keep an SSL session open longer than needed, which increases server load, so let’s stop that behaviour by adding these lines:

BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Finally, if you redirect plain HTTP to HTTPS (I recommend this, and it is assumed later), you will want to send an HSTS header to clients. This tells a client to always use HTTPS for requests to your server and not even try HTTP. This is faster for the client and reduces load on your server somewhat. Do this by adding:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"


Close and save ssl-custom.conf. There are also some small security tweaks which are in apache2 but are disabled by default. Luckily, they are easily enabled:
nano conf-available/security.conf

First, take a look at this block (a commented-out <DirectoryMatch> container), starting at line 55:
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>


If you use Subversion to manage your websites, uncomment that block. I personally use git, so I uncommented it and changed ‘svn’ to ‘git’, resulting in:

<DirectoryMatch "/\.git">
   Require all denied
</DirectoryMatch>


Next, find this line on line 64:
#Header set X-Content-Type-Options: "nosniff"
Uncomment it:
Header set X-Content-Type-Options: "nosniff"

And this line on line 71:
#Header set X-Frame-Options: "sameorigin"
Uncomment that one as well:
Header set X-Frame-Options: "sameorigin"

Lastly, this header was present in apache2.2 but was removed in 2.4 for a reason I don’t know about. It tells the XSS filter in modern browsers to completely block access to a page if it detects a cross-site scripting attack. I personally like to add it:
Header set X-XSS-Protection: "1; mode=block"

#Close and save. Next, we will need to enable the modules
a2enmod ssl headers

#And enable the configurations we just made:
a2enconf etag.conf ssl-custom.conf

# proxy modules (a2enmod takes module names without the .load suffix and without a mod_ prefix; the base proxy module is listed explicitly)
a2enmod proxy proxy_connect proxy_http proxy_html auth_digest proxy_wstunnel rewrite xml2enc

#Disable the ‘default’ site:
a2dissite 000-default

Create the log and content directories for the virtual host:

mkdir -p /var/log/apache2/sadar /srv/sadar
touch /var/log/apache2/sadar/access.log /var/log/apache2/sadar/error.log
chown -R root:adm /var/log/apache2/sadar

touch /srv/sadar/index.html
chown -R www-data:www-data /srv/sadar

Next up, let’s make a configuration:

nano /etc/apache2/sites-available/sadar.conf

#----------------------------------------------------------------------------- sadar.conf -------------------------------------
# The container directives (<VirtualHost>, <Directory>, <Proxy>) were stripped from the post by its HTML;
# they are restored here following the Debian default-ssl layout. Hosts, paths and ports are the post's own.

<VirtualHost *:80>
    ServerName sadar
    ServerAdmin sadar@sadar-ssi.org
    Redirect permanent / https://sadar/
    HostnameLookups On
</VirtualHost>

<VirtualHost *:443>
    ServerName sadar
    ServerAdmin sadar@sadar-ssi.org
    ServerSignature off

    DocumentRoot /srv/sadar

    LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/sadar/error.log
    CustomLog ${APACHE_LOG_DIR}/sadar/access.log combined

    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/ssl/localcerts/sadar-certificate.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/sadar-certificate.key
    SSLVerifyClient none

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /srv/sadar>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    HostnameLookups On
    ProxyRequests On
    ProxyVia full

    AllowCONNECT 22

    <Proxy *>
        Order deny,allow
        Deny from all
    </Proxy>

    # The opening tag of the second <Proxy ...> stanza, which names what this
    # vhost is allowed to proxy for, did not survive in the post, so the stanza
    # is left commented out rather than guessed at:
    #<Proxy ...>
    #    Order deny,allow
    #    Allow from all
    #</Proxy>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

#---------------------------------------------------------------------------- sadar.conf -------------------------------------

# activate site
a2ensite sadar

#restart apache
service apache2 restart
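
As an added example (not part of the original post), a small Python audit that re-checks the directives this guide changes against a config text, and flags an ETag that still carries the inode field; the two config excerpts are constructed samples, not a real server's files.

```python
import re
# Constructed sample excerpts (not a real server's config): the hardened settings from this guide and the Debian defaults they replace.
HARDENED_CONF = """
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL
SSLHonorCipherOrder On
SSLProtocol all -SSLv3
FileETag MTime Size
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"
"""
DEFAULT_CONF = """
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder On
SSLProtocol all
"""
def directives(conf):
    """Map directive name -> list of values, skipping blank and '#' lines."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            out.setdefault(name, []).append(value.strip())
    return out

def audit(conf):
    """Return the checks from this guide that the config text fails (last value wins)."""
    d, bad = directives(conf), []
    proto = d.get("SSLProtocol", ["all"])[-1].split()
    if "-SSLv3" not in proto and any(p in proto for p in ("all", "SSLv3", "+SSLv3")):
        bad.append("SSLProtocol: SSLv3 still enabled")
    cs = d.get("SSLCipherSuite", [""])[-1]
    if "!aNULL" not in cs or "MEDIUM" in cs:
        bad.append("SSLCipherSuite: MEDIUM or anonymous ciphers allowed")
    if d.get("SSLHonorCipherOrder", ["off"])[-1].lower() != "on":
        bad.append("SSLHonorCipherOrder: client picks the cipher")
    # Absent FileETag: treated as the old 'INode MTime Size' default the guide warns about.
    if re.search(r"\b(INode|All)\b", d.get("FileETag", ["INode MTime Size"])[-1], re.I):
        bad.append("FileETag: inode number exposed in ETag")
    headers = " ".join(d.get("Header", []))
    for want in ("Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options"):
        if want not in headers:
            bad.append("Header: %s not set" % want)
    return bad

def etag_exposes_inode(etag):
    """Heuristic: an ETag of three hex fields has the inode-mtime-size shape."""
    fields = etag.strip().lstrip("W/").strip('"').split("-")
    return len(fields) == 3 and all(re.fullmatch(r"[0-9a-f]+", f) for f in fields)
```

Run audit() over the text of ssl.conf, ssl-custom.conf and security.conf concatenated, and etag_exposes_inode() over the ETag value returned by a test request once apache2 is restarted.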

# in ~/.ssh/config
Host my-remote-ssh
Hostname my-host-ssh
Port 22
DynamicForward *:11999
IdentityFile ./private-keys/remote-ssh.ppk
ProxyCommand proxytunnel -v -p my-local-proxy:80 --passfile=proxy/auth -r my-remote-proxy:443 -d %h:%p -H "User-Agent: Yaaaaaaaaa" -X
