[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing apache

On 4/21/2014 1:25 PM, Jochen Spieker <ml@well-adjusted.de> wrote:
I use these settings and receive good results:

SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
AFAICT, it is not possible to be both resistant to BEAST attacks and
have Perfect Forward Secrecy at the same time with wheezy's Apache. But
since BEAST may be (and usually is) mitigated on the client side, I
prefer PFS.

Thanks Jochen, I have enabled the above, and nothing seems to have broken, and I get much better looking results on the scanner...

I still get a few little red 'flags', about:

OCSP Stapling
 - which requires apache 2.3+

NPN unsupported (not in apache yet? and relies on SPDY)
 - https://issues.apache.org/bugzilla/show_bug.cgi?id=52210


I'm curious how many here enable the testing repo so they can run apache 2.4, which apparently is a bit more secure? If so, any gotchas or things to be aware of?

Enable 'Strict-Transport-Security'

I didn't know this one. You can add this line to any VirtualHost with a
hostname that you only want to be accessed with SSL:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Do not use it if some parts of your site should be accessible without

Hmmm... according to this:


it seems that you have to first enable the mod_headers module...

Am I correct that according to the debian way, this is already enabled, due to:

/etc/apache2/mods-enabled/header.load containing:

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so  ?

Then you have to add the above - actually, he suggests:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

and he also says to add it to both:

/etc/apache2/sites-enabled/mysite.conf and /etc/apache2/httpd.conf

Obviously I can add this to my site file, but I'm not sure what debian file to add this to...?

Thanks again Jochen!

Reply to: