[Ach] Feedback to applied-crypto-hardening.pdf - Webservers - Apache

Torge Riedel torgeriedel at gmx.de
Fri Dec 22 12:50:47 CET 2017

Hi list,

One month ago I set up a new server with Ubuntu 16.04 LTS and want to give feedback on the guides in the PDF. Starting here with Webserver "Apache":

# cat /etc/os-release
VERSION="16.04.3 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04.3 LTS"

# apachectl -V
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2017-09-18T15:09:02
Server's Module Magic Number: 20120211:52
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit

# openssl version
OpenSSL 1.0.2g  1 Mar 2016

The guide "Webservers / Apache" is working for me. Some remarks:


   SSLEngine on

missing in the "Settings"?

This is what it looks like if you use Let's Encrypt certs:

   SSLCertificateFile /etc/letsencrypt/live/<mydomain>/cert.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/<mydomain>/privkey.pem
   SSLCertificateChainFile /etc/letsencrypt/live/<mydomain>/fullchain.pem

I did not set header "Public-Key-Pins" in my setup.

I remember having problems with just doing a "Redirect permanent ...". I needed to configure Apache like this:

<VirtualHost *:80>

   # always redirect everything to https
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

</VirtualHost>

to allow redirection to https for every URI. I currently can't remember what went wrong causing me to solve it this way. Sorry.

Don't know if this is out of scope, but some services running on my server do not care enough about security, so I have to set some additional headers to increase security. I am in contact with the communities to improve this in the services themselves:

   # Required modifications to pass a test in https://observatory.mozilla.org/
   Header always set Content-Security-Policy "frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'"
   Header always set X-Frame-Options "DENY"
   Header always set X-Content-Type-Options "nosniff"
   Header always set X-XSS-Protection "1; mode=block"
   Header always set Referrer-Policy "no-referrer"

These are very strict settings and might break a service. Needs testing for each service!
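
To illustrate the closing warning above, here is an added example (not part of the original message): a simplified Python model of how a browser applies the posted Content-Security-Policy, listing which loads of a service would be blocked. The page URL and the resource list are constructed, and only 'none', 'self', 'unsafe-inline' and explicit origins are modelled.

```python
from urllib.parse import urlsplit

# Policy string copied from the Content-Security-Policy header in the post.
POLICY = ("frame-ancestors 'none'; default-src 'none'; img-src 'self'; "
          "script-src 'self'; style-src 'self'; base-uri 'self'")

def parse_policy(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def allowed(directives, page_url, kind, resource):
    """kind: fetch directive such as 'font-src'; resource: URL or 'inline'."""
    # A fetch directive that is not listed falls back to default-src.
    sources = directives.get(kind, directives.get("default-src"))
    if sources is None:
        return True  # nothing restricts this kind of load
    if resource == "inline":
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "'self'" and origin(resource) == origin(page_url):
            return True
        if not src.startswith("'") and origin(src) == origin(resource):
            return True
    return False  # also the result for 'none'

def blocked_loads(policy, page_url, loads):
    d = parse_policy(policy)
    return [(k, r) for k, r in loads if not allowed(d, page_url, k, r)]

# Constructed sample: what a hypothetical service at PAGE tries to load.
PAGE = "https://app.example.org/"
LOADS = [
    ("script-src", "https://app.example.org/js/app.js"),
    ("script-src", "inline"),
    ("img-src", "https://avatars.example.net/u/1.png"),
    ("font-src", "https://app.example.org/fonts/a.woff2"),
    ("connect-src", "https://app.example.org/api/status"),
]

if __name__ == "__main__":
    for kind, res in blocked_loads(POLICY, PAGE, LOADS):
        print("blocked:", kind, res)
```

Fonts and XHR/fetch requests are blocked even on the same origin because the policy lists no font-src or connect-src, so both fall back to default-src 'none'.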

