Re: Securing apache
On 4/21/2014 1:25 PM, Jochen Spieker <firstname.lastname@example.org> wrote:
> I use these settings and receive good results:
> SSLProtocol all -SSLv2 -SSLv3
> AFAICT, it is not possible to be both resistant to BEAST attacks and
> have Perfect Forward Secrecy at the same time with wheezy's Apache. But
> since BEAST may be (and usually is) mitigated on the client side, I
Thanks Jochen, I have enabled the above, and nothing seems to have
broken, and I get much better looking results on the scanner...
I still get a few little red 'flags', about:
- which requires apache 2.3+
NPN unsupported (not in apache yet? and relies on SPDY)
I'm curious how many here enable the testing repo so they can run Apache
2.4, which apparently is a bit more secure? If so, any gotchas or things
to be aware of?
> I didn't know this one. You can add this line to any VirtualHost with a
> hostname that you only want to be accessed with SSL:
> Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
> Do not use it if some parts of your site should be accessible without
Hmmm... according to this:
it seems that you have to first enable the mod_headers module...
Am I correct that according to the Debian way, this is already enabled,
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so ?
Then you have to add the above - actually, he suggests:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
and he also says to add it to both:
/etc/apache2/sites-enabled/mysite.conf and /etc/apache2/httpd.conf
Obviously I can add this to my site file, but I'm not sure what Debian
file to add this to...?
Thanks again Jochen!
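As an added example (not code from this thread, and not part of Apache or Debian), here is a small POSIX shell check for the Strict-Transport-Security header discussed above. It inspects a block of response headers and passes only if HSTS is present with a max-age of at least one year and includeSubDomains. The three responses are constructed for the example; the 404 without HSTS is what `Header set` (without `always`) produces, because Apache's default `onsuccess` condition only adds the header to 2xx responses, which is why the `Header always set` form is the one to use. The function name `hsts_check` is this example's own.

```sh
#!/bin/sh
# Added example: validate an HSTS header in captured HTTP response headers.
# The responses below are constructed for illustration, not captured from a host.

# hsts_check RESPONSE_HEADERS
# Returns 0 when a Strict-Transport-Security header with max-age >= 31536000
# and includeSubDomains is present, 1 otherwise. Header names and directive
# names are matched case-insensitively, and CRLF line endings are tolerated.
hsts_check() {
    headers="$1"
    line=$(printf '%s\n' "$headers" | tr -d '\r' \
           | grep -i '^strict-transport-security:' | head -n 1)
    [ -n "$line" ] || return 1
    value=${line#*:}
    max_age=$(printf '%s' "$value" | tr 'A-Z' 'a-z' \
              | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] || return 1
    [ "$max_age" -ge 31536000 ] || return 1
    printf '%s' "$value" | grep -qi 'includesubdomains' || return 1
    return 0
}

# Constructed: a successful response carrying the header from the thread.
OK_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 12:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

# Constructed: an error page as sent when only "Header set" (no "always") is
# configured; the header is absent on non-2xx responses.
NOT_FOUND_RESPONSE='HTTP/1.1 404 Not Found
Date: Mon, 21 Apr 2014 12:00:00 GMT
Server: Apache
Content-Type: text/html'

# Constructed: header present but with a max-age far too short to be useful.
SHORT_RESPONSE='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

# report LABEL RESPONSE_HEADERS: print a one-line verdict for a response.
report() {
    if hsts_check "$2"; then
        printf '%s: HSTS ok\n' "$1"
    else
        printf '%s: HSTS missing or too weak\n' "$1"
    fi
}

report "200 with policy" "$OK_RESPONSE"
report "404 without always" "$NOT_FOUND_RESPONSE"
report "200 short max-age" "$SHORT_RESPONSE"
```

To gather real headers for the function, `curl -sI https://host/` on a page and on a deliberately non-existent path both make useful inputs. On Debian the headers module is enabled with `a2enmod headers`, which links it under /etc/apache2/mods-enabled rather than adding a LoadModule line to httpd.conf, and the `Header always set` line belongs inside the SSL VirtualHost in /etc/apache2/sites-available; `apache2ctl configtest` before restarting catches a missing module.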