Difference between revisions of "Apache"

From The Linux Source
Jump to: navigation, search
(VHost Example)
(Proxy Example)
Line 120: Line 120:
 
     ServerName 172.16.1.11
 
     ServerName 172.16.1.11
 
     DocumentRoot /home/httpd/syslog1/public_html
 
     DocumentRoot /home/httpd/syslog1/public_html
 
+
 
     # ssl settings
 
     # ssl settings
 
     Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
 
     Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
Line 127: Line 127:
 
     SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
 
     SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
 
     SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
 
     SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
     #SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.crl.pem
+
     #SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem
 
+
 
     # uncomment if used for the real url's below
 
     # uncomment if used for the real url's below
 
     # require client certs
 
     # require client certs
 
     #SSLVerifyClient require
 
     #SSLVerifyClient require
 
     #SSLVerifyDepth  10
 
     #SSLVerifyDepth  10
     #SSLCACertificateFile /etc/pki/tls/certs/yaanastaging.crt
+
     #SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt
 
  </VirtualHost>
 
  </VirtualHost>
 
+
 
  # real url's below
 
  # real url's below
 
  <VirtualHost 172.16.1.11:443>
 
  <VirtualHost 172.16.1.11:443>
Line 142: Line 142:
 
     DocumentRoot /home/httpd/syslog1/public_html
 
     DocumentRoot /home/httpd/syslog1/public_html
 
     ServerAdmin webmaster@example.com
 
     ServerAdmin webmaster@example.com
 
+
 
     SetOutputFilter DEFLATE
 
     SetOutputFilter DEFLATE
 
+
 
     # settings for being a proxy
 
     # settings for being a proxy
 
     ProxyTimeout 1200
 
     ProxyTimeout 1200
Line 167: Line 167:
 
     #ProxyPass / balancer://cluster1/app-path/
 
     #ProxyPass / balancer://cluster1/app-path/
 
     #ProxyPassReverse / balancer://cluster1/app-path/
 
     #ProxyPassReverse / balancer://cluster1/app-path/
 
+
 
     # turn on some minimal caching (on disk) - causes issues where authentication is used
 
     # turn on some minimal caching (on disk) - causes issues where authentication is used
 
     #CacheEnable disk /
 
     #CacheEnable disk /
Line 178: Line 178:
 
     #CacheMaxExpire 1209600
 
     #CacheMaxExpire 1209600
 
     #CacheIgnoreQueryString On
 
     #CacheIgnoreQueryString On
 
+
 
     # ssl settings
 
     # ssl settings
 
     Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
 
     Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
Line 185: Line 185:
 
     SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
 
     SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
 
     SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
 
     SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
     #SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.crl.pem
+
     #SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem
 
+
 
     # require client certs
 
     # require client certs
 
     #SSLVerifyClient require
 
     #SSLVerifyClient require
 
     #SSLVerifyDepth  10
 
     #SSLVerifyDepth  10
     #SSLCACertificateFile /etc/pki/tls/certs/yaanastaging.crt
+
     #SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt
 
+
 
     # logging
 
     # logging
 
     ErrorLog logs/syslog1-error_log
 
     ErrorLog logs/syslog1-error_log

Revision as of 19:04, 9 May 2017

Policy

  • Unneeded/unused modules (in httpd.conf) must be disabled.
  • Modules externally activated by default (ssl/php/perl/python/svn) must be disabled (httpd.conf is modified to use a conf.d-run directory instead of conf.d).
  • Unused features (CGI/SSI/etc) must be disabled.
  • Directory listing from / (recursive from / on filesystem, i.e. not confined to document_root) must be disabled.
  • Server side TRACE/TRACK must be disabled, to minimize the attack surface of the apache authentication stack.
  • Any URL requiring authentication must use https.
  • Management/Status/Configuration pages such as; apache-info, apache-status, balancer-manager, jmx-console, web-console, etc. must be disallowed for any externally accessed URL's.
  • Name & URL's must be masked so that only the IP info is shown for any externally accessed URL's (see "mask server name & URL's" in "Vhost Example" section under "Apache").
  • A CentOS 7 Secure image must be used for web servers or proxy servers.
  • The configuration file must utilize the following approved SSL settings:
    • SSLProtocol all -SSLv2 -SSLv3
    • Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
    • Header onsuccess set Strict-Transport-Security "max-age=15768000;includeSubDomains"
    • SSLInsecureRenegotiation off
    • SSLHonorCipherOrder on
    • SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Overview

Our Changes
The Apache configuration has been modified slightly to address several security concerns.
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, nor ever get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).
We also create vhost.d (for http URL's) and vhost-ssl.d (for https URL's) directories for virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories which does not serve out any of the sites (when going to the servers IP), but require a valid URL to get to a real/application page.
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost naming, with conf.vhost.d and conf.vhost-ssl.d directories. 7 also adds a conf.modules.d, and thus has our corresponding conf.modules.d-run directory is configured/added.
SSL/Certificates
For IP/certs used for any/all URL's, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IP's would need to be used (and the mask section duplicated for the additional IP).
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.
Note: 2.2.9 added support for ProxyPassReverse balancer://

Documentation References

Enterprise 6

http://httpd.apache.org/docs/2.2/
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
http://httpd.apache.org/docs/2.2/howto/auth.html

Enterprise 7

http://httpd.apache.org/docs/2.4/
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html
http://httpd.apache.org/docs/2.4/howto/auth.html

VHost Example

Note: the mask section should be/is in a file named 0-mask, the real virtual host(s) (syslog in this case) should be in their own file(s) based on their URL (a file named 'syslog' in this case)

# mask server name & url's
<VirtualHost 172.16.1.11:443>
   ServerName 172.16.1.11
   DocumentRoot /home/httpd/syslog1/public_html

   # ssl settings
   Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
   SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
   SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
   #SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.crl.pem

   # uncomment if used for the real url's below
   #SSLVerifyClient require
   #SSLVerifyDepth  10
   #SSLCACertificateFile /etc/pki/tls/certs/yaanastaging.crt
</VirtualHost>

# real url's below
<VirtualHost 172.16.1.11:443>
   ServerName syslog.example.com
   ServerAlias syslog1.prd.example.net syslog1
   DocumentRoot /home/httpd/syslog1/public_html
   ServerAdmin webmaster@example.com

   SetOutputFilter DEFLATE

   # settings for being a proxy
   #ProxyTimeout 1200
   #ProxyStatus Full
   #Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
   # load balancer settings for multiple app servers
   #<Proxy balancer://cluster1>
   #   BalancerMember http://172.16.1.12:8080 route=1
   #   BalancerMember http://172.16.1.13:8080 route=2
   #   ProxySet stickysession=ROUTEID
   #</Proxy>
   #ProxyPass        /apache-info      !
   #ProxyPass        /apache-status    !
   #ProxyPass        /balancer-manager !
   #ProxyPass        /jmx-console      !
   #ProxyPass        /web-console      !
   # single app server settings
   #ProxyPass        /               http://172.16.1.12:8080/app-path/
   #ProxyPassReverse /               http://172.16.1.12:8080/app-path/
   # multiple app servers settings
   #ProxyPass / balancer://cluster1/app-path/
   #ProxyPassReverse / balancer://cluster1/app-path/

   # turn on some minimal caching (on disk) - causes issues where authentication is used
   #CacheEnable disk /
   #CacheRoot "/var/cache/mod_proxy"
   #CacheDirLevels 3
   #CacheDirLength 5
   #CacheIgnoreCacheControl On
   #CacheMaxFileSize 100000
   #CacheIgnoreNoLastMod On
   #CacheMaxExpire 1209600
   #CacheIgnoreQueryString On

   # ssl settings
   Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
   SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
   SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
   #SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.crl.pem

   # require client certs
   #SSLVerifyClient require
   #SSLVerifyDepth  10
   #SSLCACertificateFile /etc/pki/tls/certs/yaanastaging.crt

   # logging
   ErrorLog logs/syslog1-error_log
   # for log analyzers
   CustomLog logs/syslog1-access_log combined
   # for humans
   CustomLog logs/syslog1-custom_log custom
</VirtualHost>

VirtualHost line should have :80 instead of :443 if not ssl/https (and should be in vhost.d dir) All SSL* lines are ssl only, do not include these if not ssl/https Proxy* lines are only if this is a proxy for another app server(s) or a local app (use appropriate IP's)

Proxy Example

Note: the mask section should be/is in a file named 0-mask, the real virtual host(s) (syslog in this case) should be in their own file(s) based on their URL (a file named 'syslog' in this case)

# mask server name & url's
<VirtualHost 172.16.1.11:443>
   ServerName 172.16.1.11
   DocumentRoot /home/httpd/syslog1/public_html

   # ssl settings
   Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
   SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
   SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
   #SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem

   # uncomment if used for the real url's below
   # require client certs
   #SSLVerifyClient require
   #SSLVerifyDepth  10
   #SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt
</VirtualHost>

# real url's below
<VirtualHost 172.16.1.11:443>
   ServerName syslog1.example.com
   ServerAlias syslog1.prd.example.net syslog1
   DocumentRoot /home/httpd/syslog1/public_html
   ServerAdmin webmaster@example.com

   SetOutputFilter DEFLATE

   # settings for being a proxy
   ProxyTimeout 1200
   ProxyStatus Full
   SSLProxyEngine on
   # load balancer settings for multiple app servers
   #Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
   #<Proxy balancer://cluster1>
   #   BalancerMember http://172.16.1.12:8080 route=1
   #   BalancerMember http://172.16.1.13:8080 route=2
   #   ProxySet stickysession=ROUTEID
   #</Proxy>
   ProxyPass        /apache-info      !
   ProxyPass        /apache-status    !
   ProxyPass        /balancer-manager !
   ProxyPass        /jmx-console      !
   ProxyPass        /web-console      !
   # single app server settings
   #ProxyPass        /               http://172.16.1.12:8080/app-path/
   #ProxyPassReverse /               http://172.16.1.12:8080/app-path/
   # multiple app servers settings (requires Header & Proxy balancer section above)
   #ProxyPass / balancer://cluster1/app-path/
   #ProxyPassReverse / balancer://cluster1/app-path/

   # turn on some minimal caching (on disk) - causes issues where authentication is used
   #CacheEnable disk /
   #CacheRoot "/var/cache/mod_proxy"
   #CacheDirLevels 3
   #CacheDirLength 5
   #CacheIgnoreCacheControl On
   #CacheMaxFileSize 100000
   #CacheIgnoreNoLastMod On
   #CacheMaxExpire 1209600
   #CacheIgnoreQueryString On

   # ssl settings
   Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
   SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
   SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
   #SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem

   # require client certs
   #SSLVerifyClient require
   #SSLVerifyDepth  10
   #SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt

   # logging
   ErrorLog logs/syslog1-error_log
   # for log analyzers
   CustomLog logs/syslog1-access_log combined
   # for humans
   CustomLog logs/syslog1-custom_log custom
</VirtualHost>

SSL Example

We change the following lines in the default ssl.conf file (make sure there is no SSLProtocol & SSLCipherSuite lines in any VirtualHost configurations, or setting the default SSLProtocol & SSLCipherSuite lines in ssl.conf have no effect);

Note: for ent 7, the last line is Include conf.vhost-ssl.d/*.conf

##<VirtualHost _default_:443>

##SSLEngine on

#SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3

Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
SSLInsecureRenegotiation off
SSLHonorCipherOrder on
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

##SSLCertificateFile /etc/pki/tls/certs/localhost.crt

##SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#<Files ~ ".(cgi|shtml|phtml|php3?)$">
#    SSLOptions +StdEnvVars
#</Files>
#<Directory "/var/www/cgi-bin">
#    SSLOptions +StdEnvVars
#</Directory>

##</VirtualHost>

Include conf/vhost-ssl.d/*

Files/Directories Layout

Files

(before ent 7)

/etc/httpd/conf/httpd.conf - main config (available from subversion)
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualhost setting)
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)

(ent 7)

/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)
/etc/httpd/conf.d-run/ - additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualhost setting)
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)

Dirs

Notes: The use of .d-run directories protects the currently configured apache from being affected by updates changes and insecure additions of configuration files from installation of new packages. We want additions to be disabled by default, per policy. If a feature is needed, the file is copied from the corresponding .d directory to the .d-run equivalent (ex; from conf.d to conf.d-run).

(before ent 7)

/etc/httpd/
|-- conf            : (main apache conf dir)
|   |-- vhost-ssl.d : (ssl virtual host files)
|   `-- vhost.d     : (non-ssl virtual host files)
|-- conf.d          : (unused, new installs/updates go here)
|-- conf.d-run      : (real/runtime conf.d dir)
|-- logs            : (link to /var/log/httpd/)
|-- modules         : (link to /usr/lib64/httpd/modules/)
`-- run             : (link to /var/run/httpd/)

(ent 7)

/etc/httpd/
|-- conf               : (main apache conf dir)
|-- conf.d             : (unused, new installs/updates go here)
|-- conf.d-run         : (real/runtime conf.d dir)
|-- conf.modules.d     : (unused, new installs/updates go here)
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)
|-- conf.vhost-ssl.d   : (ssl virtual host files)
|-- conf.vhost.d       : (non-ssl virtual host files)
|-- logs               : (link to /var/log/httpd/)
|-- modules            : (link to /usr/lib64/httpd/modules/)
`-- run                : (link to /run/httpd/)

Apache Quick Reference

Commands

Preferred Restart (does not disconnect users/no downtime)

# service httpd graceful

Status

# service httpd status

Test Configuration

# service httpd configtest

Misc Settings

Port 80/http redirect to https

Redirect Permanent / https://wiki.example.com/

redirect to login page

Redirect Permanent / https://beagle.example.com/WORMS/login.htm

Enable compression

SetOutputFilter DEFLATE

Interesting URL's

https://hostname/apache-status (current traffic)
https://hostname/apache-info   (configuration)