
Re: Securing apache



On 4/21/2014 1:25 PM, Jochen Spieker <ml@well-adjusted.de> wrote:
> I use these settings and receive good results:
>
> SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
> SSLHonorCipherOrder on
> SSLProtocol all -SSLv2 -SSLv3
>
> AFAICT, it is not possible to be both resistant to BEAST attacks and
> have Perfect Forward Secrecy at the same time with wheezy's Apache. But
> since BEAST may be (and usually is) mitigated on the client side, I
> prefer PFS.

Thanks Jochen, I have enabled the above, and nothing seems to have broken, and I get much better looking results on the scanner...

I still get a few little red 'flags', about:

OCSP Stapling
 - which requires apache 2.3+

NPN unsupported (not in apache yet? and relies on SPDY)
 - https://issues.apache.org/bugzilla/show_bug.cgi?id=52210

Question...

I'm curious how many here enable the testing repo so they can run apache 2.4, which apparently is a bit more secure? If so, any gotchas or things to be aware of?

> Enable 'Strict-Transport-Security'
>
> I didn't know this one. You can add this line to any VirtualHost with a
> hostname that you only want to be accessed with SSL:
>
> Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
>
> Do not use it if some parts of your site should be accessible without
> SSL.

Hmmm... according to this:

https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

it seems that you have to first enable the mod_headers module...

Am I correct that according to the Debian way, this is already enabled, due to:

/etc/apache2/mods-enabled/header.load containing:

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so  ?

Then you have to add the above - actually, he suggests:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

and he also says to add it to both:

/etc/apache2/sites-enabled/mysite.conf and /etc/apache2/httpd.conf

Obviously I can add this to my site file, but I'm not sure what debian file to add this to...?

Thanks again Jochen!
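The pieces discussed in this thread (the SSL settings quoted above and the HSTS header) fit together in one Debian-style site file. The following is an added example, not configuration posted by anyone in the thread; the hostname, DocumentRoot and certificate paths are placeholders. On Debian the module is enabled with `a2enmod headers` (which creates /etc/apache2/mods-enabled/headers.load), the site file lives under /etc/apache2/sites-available/ and is activated with `a2ensite`, and /etc/apache2/httpd.conf is only an empty legacy file left for local additions, so the virtual host is the right place for the header. Check with `apache2ctl configtest` before reloading.

```apache
# Added example (not from the thread): /etc/apache2/sites-available/mysite.conf
# Prerequisites: a2enmod ssl headers ; a2ensite mysite ; apache2ctl configtest
# www.example.com and the certificate paths below are placeholders.

# Plain-HTTP vhost: its only job is to redirect to HTTPS. No HSTS header
# here: browsers ignore Strict-Transport-Security received over plain HTTP
# (RFC 6797, section 8.1), so it would be dead weight on port 80.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/mysite

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/www.example.com.chain.pem

    # Protocol and cipher settings as quoted from Jochen's post above.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

    # HSTS. "Header always set" also attaches the header to error and
    # redirect responses, which a plain "Header set" would skip. The
    # IfModule guard keeps the config loadable if mod_headers is missing.
    # Caveat: once a browser has seen this header it refuses plain HTTP to
    # this host for max-age seconds, and with includeSubDomains to every
    # subdomain as well. Test with a short max-age (e.g. 300) first, and
    # drop includeSubDomains if any subdomain must stay reachable over HTTP.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>
</VirtualHost>
```

After `service apache2 reload`, `curl -sI https://www.example.com/ | grep -i strict` should show the header; the same request to the port-80 vhost should return only the 301 redirect.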

