[Ach] Feedback to applied-crypto-hardening.pdf - Webservers - Apache
Torge Riedel
torgeriedel at gmx.de
Fri Dec 22 12:50:47 CET 2017
Hi list,
One month ago I set up a new server with Ubuntu 16.04 LTS and want to give feedback on the guides in the PDF. Starting here with Webserver "Apache":
# cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
# apachectl -V
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2017-09-18T15:09:02
Server's Module Magic Number: 20120211:52
Server loaded: APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture: 64-bit
# openssl version
OpenSSL 1.0.2g 1 Mar 2016
The guide "Webservers / Apache" works for me; some remarks:
1.
Isn't
SSLEngine on
missing in the "Settings"?
2.
This is how it looks if you use Let's Encrypt certs:
SSLCertificateFile /etc/letsencrypt/live/<mydomain>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<mydomain>/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/<mydomain>/fullchain.pem
3.
I did not set header "Public-Key-Pins" in my setup.
4.
I remember having problems with just doing a "Redirect permanent ...". I needed to configure Apache like this:
<VirtualHost *:80>
# always redirect everything to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
to allow redirection to https for every URI. I currently can't remember what went wrong causing me to solve it this way. Sorry.
5.
Don't know if this is out of scope, but some services running on my server do not care enough about security, so I have to set some additional headers to increase security. I am in contact with the communities to improve this in the services themselves:
# Required modifications to pass a test in https://observatory.mozilla.org/
Header always set Content-Security-Policy "frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "no-referrer"
These are very strict settings and might break a service. Needs testing for each service!
Regards
Torge
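An offline check for the two things the mail configures, the HTTP-to-HTTPS redirect from item 4 and the response headers from item 5: it parses a raw HTTP response and reports what deviates from the mail's settings. This is an added example, not part of the original post; the host name and the sample responses are constructed here.

```python
"""Added example: check a port-80 redirect (item 4) and the item-5 headers
against what the mail's Apache config should produce.  Samples are constructed."""
from email.parser import Parser

HEADERS = {  # values exactly as set in the mail's Header directives
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer",
}
CSP = {"frame-ancestors": "'none'", "default-src": "'none'", "img-src": "'self'",
       "script-src": "'self'", "style-src": "'self'", "base-uri": "'self'"}

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, case-insensitive headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status, _, block = head.partition("\n")
    return int(status.split()[1]), Parser().parsestr(block, headersonly=True)

def check_redirect(raw, host, uri):
    """Findings for the port-80 answer: must be a 301 to https://<host><uri>."""
    code, hdr = parse_response(raw)
    want = f"https://{host}{uri}"
    findings = []
    if code != 301:
        findings.append(f"status {code}, expected 301")
    if hdr.get("Location") != want:
        findings.append(f"Location {hdr.get('Location')!r}, expected {want!r}")
    return findings

def check_headers(raw):
    """Findings for the HTTPS answer: every header/value from item 5 present."""
    _, hdr = parse_response(raw)
    findings = [f"{k}: got {hdr.get(k)!r}, expected {v!r}"
                for k, v in HEADERS.items() if hdr.get(k) != v]
    got = {}  # CSP compared directive by directive, so ordering does not matter
    for directive in (hdr.get("Content-Security-Policy") or "").split(";"):
        parts = directive.split()
        if parts:
            got[parts[0]] = " ".join(parts[1:])
    findings += [f"CSP {k}: got {got.get(k)!r}, expected {v!r}"
                 for k, v in CSP.items() if got.get(k) != v]
    return findings

# constructed sample responses (example.org is a placeholder host)
REDIRECT_OK = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.org/app/?x=1\r\n\r\n"
HTTPS_OK = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'none'; "
            "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; "
            "base-uri 'self'\r\nX-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
            "X-XSS-Protection: 1; mode=block\r\nReferrer-Policy: no-referrer\r\n\r\n")
HTTPS_WEAK = HTTPS_OK.replace("X-Content-Type-Options: nosniff\r\n", "")

if __name__ == "__main__":
    print(check_redirect(REDIRECT_OK, "example.org", "/app/?x=1"))  # []
    print(check_headers(HTTPS_WEAK))  # reports the missing X-Content-Type-Options
```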