Apache2

Contents

Apache2

Apache2 Documentation: http://httpd.apache.org/docs/

Recent Version

Recommended is to use the latest version of Apache which currently is 2.4.17 from Jessie.
Apache 2.4 new features: https://httpd.apache.org/docs/2.4/new_features_2_4.html
- Tends to utilize less memory than Apache2.2.
- Initial (while still experimental) support for the fast speedy successor http2.0.
- Additionally has "conf-enabled" to "mods-enabled" and "sites-enabled", which leaves a more consistent impression.
- Define statements simplify complex configurations.
- Macro support (i.e. for interesting vHost-Configuration).
- many more …

Useful Commands

   1 watch -n1 -- 'apache2ctl status'
   2 Every 1,0s: apache2ctl status
   3 
   4 Apache Server Status for localhost (via 127.0.0.1)
   5 
   6 Server Version: Apache/2.4.17 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141
   7     OpenSSL/1.0.2d
   8 Server MPM: prefork
   9 Server Built: 2015-11-23T18:52:09
  10 
  11 -------------------------------------------------------------------------------
  12 
  13 Current Time: Sunday, 13-Dec-2015 23:29:29 CET
  14 Restart Time: Sunday, 13-Dec-2015 14:46:46 CET
  15 Parent Server Config. Generation: 34
  16 Parent Server MPM Generation: 33
  17 Server uptime: 8 hours 42 minutes 43 seconds
  18 Server load: 0.05 0.03 0.05
  19 Total accesses: 620 - Total Traffic: 1.1 MB
  20 CPU Usage: u.03 s.02 cu0 cs0 - .000159% CPU load
  21 .0198 requests/sec - 38 B/second - 1940 B/request
  22 1 requests currently being processed, 6 idle workers
  23 
  24 ____W__.....
  25 ............
  26 ............
  27 
  28 Scoreboard Key:
  29 "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
  30 "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
  31 "C" Closing connection, "L" Logging, "G" Gracefully finishing,
  32 "I" Idle cleanup of worker, "." Open slot with no current process

Graceful restart webserver This let processes answer their pending jobs and restart them afterwards. This is not really compatible to systemd.

   1 apache2ctl graceful

Stop webserver

   1 apache2ctl stop

Start webserver

   1 apache2ctl start

List modules

   1 apache2ctl -M
   2 Loaded Modules:
   3  core_module (static)
   4  so_module (static)
   5  watchdog_module (static)
   6  http_module (static)
   7  log_config_module (static)
   8  logio_module (static)
   9  version_module (static)
  10  unixd_module (static)
  11  access_compat_module (shared)
  12  actions_module (shared)
  13  alias_module (shared)
  14  auth_basic_module (shared)
  15  authn_core_module (shared)
  16  authn_file_module (shared)
  17  authz_core_module (shared)
  18  authz_groupfile_module (shared)
  19  authz_host_module (shared)
  20  authz_user_module (shared)
  21  autoindex_module (shared)
  22  cgid_module (shared)
  23  deflate_module (shared)
  24  dir_module (shared)
  25  env_module (shared)
  26  fastcgi_module (shared)
  27  filter_module (shared)
  28  headers_module (shared)
  29  http2_module (shared)
  30  include_module (shared)
  31  mime_module (shared)
  32  mpm_event_module (shared)
  33  negotiation_module (shared)
  34  reqtimeout_module (shared)
  35  rewrite_module (shared)
  36  setenvif_module (shared)
  37  socache_shmcb_module (shared)
  38  ssl_module (shared)
  39  status_module (shared)

Hardening

Apache2.4: Security Tips

Basic Security

Forbid any access, can later be allowed in another directory/location directive.
Restrict server-version published on error-pages top the minor version of the server.
Show email-link to the webmaster on the error page reporting problems.
Forbid tracing, sniffing and nesting iframes using extended HTTP-X-Headers-Fields.

/etc/apache2/conf-enabled/security.conf

   1 #
   2 # Disable access to the entire file system except for the directories that
   3 # are explicitly allowed later.
   4 #
   5 # This currently breaks the configurations that come with some web application
   6 # Debian packages.
   7 #
   8 <Directory />
   9     AllowOverride None
  10     Require all denied
  11     ### Don't use the old access directives anymore with 2.4
  12     ### subsequent stuff will fail
  13     #Order Deny,Allow
  14     #Deny from all
  15 </Directory>
  16 
  17 
  18 # Changing the following options will not really affect the security of the
  19 # server, but might make attacks slightly more difficult in some cases.
  20 
  21 #
  22 # ServerTokens
  23 # This directive configures what you return as the Server HTTP response
  24 # Header. The default is 'Full' which sends information about the OS-Type
  25 # and compiled in modules.
  26 # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
  27 # where Full conveys the most information, and Prod the least.
  28 #ServerTokens Minimal
  29 ServerTokens Minor
  30 #ServerTokens Full
  31 
  32 #
  33 # Optionally add a line containing the server version and virtual host
  34 # name to server-generated pages (internal error documents, FTP directory
  35 # listings, mod_status and mod_info output etc., but not CGI generated
  36 # documents or custom error documents).
  37 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
  38 # Set to one of:  On | Off | EMail
  39 #ServerSignature Off
  40 ServerSignature Email
  41 
  42 #
  43 # Allow TRACE method
  44 #
  45 # Set to "extended" to also reflect the request body (only for testing and
  46 # diagnostic purposes).
  47 #
  48 # Set to one of:  On | Off | extended
  49 TraceEnable Off
  50 #TraceEnable On
  51 
  52 #
  53 # Forbid access to version control directories
  54 #
  55 # If you use version control systems in your document root, you should
  56 # probably deny access to their directories. For example, for subversion:
  57 #
  58 #<DirectoryMatch "/\.svn">
  59 #   Require all denied
  60 #</DirectoryMatch>
  61 
  62 #
  63 # Setting this header will prevent MSIE from interpreting files as something
  64 # else than declared by the content type in the HTTP headers.
  65 # Requires mod_headers to be enabled.
  66 #
  67 Header set X-Content-Type-Options: "nosniff"
  68 
  69 #
  70 # Setting this header will prevent other sites from embedding pages from this
  71 # site as frames. This defends against clickjacking attacks.
  72 # Requires mod_headers to be enabled.
  73 #
  74 Header set X-Frame-Options: "sameorigin"
  75 
  76 
  77 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Additional X-Headers

/etc/apache2/conf-available/x-headers.conf

   1 ### Additional Header Fields
   2 
   3 ### X-Frame-Options
   4 # Provides Clickjacking protection. Values: deny - no rendering
   5 # within a frame, sameorigin - no rendering if origin mismatch,
   6 # allow-from: DOMAIN - allow rendering if framed by frame loaded
   7 # from DOMAIN
   8 Header set X-Frame-Options: deny
   9 
  10 ### X-XSS-Protection
  11 # This header enables the Cross-site scripting (XSS) filter built into
  12 # most recent web browsers. It's usually enabled by default anyway,
  13 # so the role of this header is to re-enable the filter for this
  14 # particular website if it was disabled by the user.
  15 Header set X-XSS-Protection: "1;mode=block"
  16 
  17 ### HTTP Strict-Transport-Security (HSTS)
  18 # enforces secure (HTTP over SSL/TLS) connections to the server. This
  19 # reduces impact of bugs in web applications leaking session data through
  20 # cookies and external links and defends against Man-in-the-middle attacks.
  21 # HSTS also disables the ability for user's to ignore SSL negotiation warnings. 
  22 #Header set Strict-Transport-Security: max-age=16070400; includeSubDomains

   1 a2enconf x-headers.conf
   2 Enabling conf x-headers.
   3 To activate the new configuration, you need to run:
   4   service apache2 reload

Test the headers

You can check the HTTP-Header-Fields in Browser using

Built in Webkonsole
- F12 -> Network Analysis || Menu -> Web Developer -> Network Analysis
- Click on a HTTP-Request
the extension "Live HTTP Headers".
- In URL-Field (Ctrl+L) -> (Lock) Symbol left of URL -> Button "more information" -> Header

Crypto-Hardening

Before using this config, please generate dh_parameters OpenSSL#Generate_or_renew_files_with_Diffie-Hellman-Parameters

   1 <IfModule mod_ssl.c>
   2         ### Mozilla SSL Configuration Generator
   3         ### https://mozilla.github.io/server-side-tls/ssl-config-generator/
   4 
   5         ### Mozilla recommendations for
   6         # Apache: 2.4.28
   7         # OpenSSL: 1.1.1b
   8 
   9         # HSTS (mod_headers is required) (15768000 seconds = 6 months)
  10         Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
  11         #Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains;preload"
  12 
  13         # https://wiki.mozilla.org/Security/Server_Side_TLS
  14         # MODERN CONFIGURATION, TWEAK TO YOUR NEEDS
  15         ### THERE ARE SOME WEAK CIPHERS (ACCORODING TO SSL-LABS)
  16         ### IF THIS WEAKER CIPHERS IN CBC-MODE ARE MISSING IE AND SAFARI BREAK
  17         #   ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384: \
  18         #   ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
  19         ### DO NOT APPEND "@STRENGHT" THIS WOULD PULL WEAKER-CIPHERS TO THE FRONT
  20         ### FIXME: BREAK THIS LOG LINE (SOME ANY IDEAS?)
  21         Define CIPHER_LIST              ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  22 
  23         SSLCipherSuite                  ${CIPHER_LIST}
  24         SSLHonorCipherOrder             on
  25         ### Enabling compression causes security issues in most setups (the so called CRIME attack).
  26         SSLCompression                  off
  27         SSLSessionTickets               off
  28 
  29         SSLOptions                      +StrictRequire
  30         SSLVerifyDepth                  1
  31         SSLOpenSSLConfCmd               DHParameters    "/etc/ssl/dhparam/dhparam_4096.pem"
  32 
  33         # OCSP Stapling, only in httpd 2.3.3 and later
  34         SSLUseStapling                          on
  35         SSLStaplingResponderTimeout             5
  36         SSLStaplingReturnResponderErrors        off
  37         SSLStaplingCache                        shmcb:/var/run/ocsp(128000)
  38 
  39 
  40         ### FURTHER ADJUSTMENTS
  41         SSLProtocol                     TLSv1.3 +TLSv1.2
  42 
  43         SSLProxyEngine                  on
  44         SSLProxyCheckPeerCN             off
  45         SSLProxyCheckPeerExpire         off
  46         #SSLProxyCipherSuite            ALL:!ADH:!RC4:+HIGH:+MEDIUM
  47         SSLProxyCipherSuite             ${CIPHER_LIST}
  48 
  49         # Add vhost name to log entries:
  50         LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
  51         LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
  52 </IfModule>
  53 
  54 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Test Crypto

Qualys provides a good online scanner for http(s): https://www.ssllabs.com/ssltest/
https://testssl.sh/ is a on premisses solution that can e.g. be run via configuration management.

Performance Tuning

https://httpd.apache.org/docs/2.4/de/misc/perf-tuning.html

Virtual Hosts

I rather like using VirtualHosts than the server context.

The Webserver decides based on the Header Field "HOST" of the http-request which "vHost" should serve the response.

If one decides to set up different domain on top of the server (e.g. for Webmail), it is possible to configure each domain in another way (e.g. with different certificates or services). Parameters tuned in the server configuration are inherited, but can be overridden in the vHost-configuration.

Crypto-vHost

CypherPunks do encrypt - anything.

So a configuration may be derived from the template /etc/apache/sites-available/default-ssl.conf to /etc/apache/sites-available/mail.rockstable.org.conf.

   1 cp /etc/apache/sites-available/{default-ssl.conf,mail.rockstable.org_443.conf}

Configure the

ServerName
ServerAlias
redirection to webmailer
inclusion of the configuration files of the application (Kolab3 in my case).

/etc/apache2/sites-enabled/mail.rockstable.org_443.conf

   1 <IfModule mod_ssl.c>
   2         <VirtualHost *:443>
   3                 Define          SERVER_NAME             mail.rockstable.org
   4                 ServerName      ${SERVER_NAME}
   5                 ServerAlias     mail.rockstable.it
   6 
   7 #               DocumentRoot /var/www/html
   8 
   9                 # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
  10                 # error, crit, alert, emerg.
  11                 # It is also possible to configure the loglevel for particular
  12                 # modules, e.g.
  13                 #LogLevel info ssl:warn
  14 
  15                 ErrorLog        ${APACHE_LOG_DIR}/${SERVER_NAME}_error.log
  16                 CustomLog       ${APACHE_LOG_DIR}/${SERVER_NAME}_access.log combined
  17 
  18 
  19 ### SSL-CONFIG
  20                 # For most configuration files from conf-available/, which are
  21                 # enabled or disabled at a global level, it is possible to
  22                 # include a line for only one particular virtual host. For example the
  23                 # following line enables the CGI configuration for this host only
  24                 # after it has been globally disabled with "a2disconf".
  25                 #Include conf-available/serve-cgi-bin.conf
  26 
  27                 #   SSL Engine Switch:
  28                 #   Enable/Disable SSL for this virtual host.
  29                 SSLEngine on
  30 
  31                 #   A self-signed (snakeoil) certificate can be created by installing
  32                 #   the ssl-cert package. See
  33                 #   /usr/share/doc/apache2/README.Debian.gz for more info.
  34                 #   If both key and certificate are stored in the same file, only the
  35                 #   SSLCertificateFile directive is needed.
  36                 SSLCertificateFile              /etc/ssl/certs/ssl-cert-snakeoil.pem
  37                 SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
  38 
  39                 #   Server Certificate Chain:
  40                 #   Point SSLCertificateChainFile at a file containing the
  41                 #   concatenation of PEM encoded CA certificates which form the
  42                 #   certificate chain for the server certificate. Alternatively
  43                 #   the referenced file can be the same as SSLCertificateFile
  44                 #   when the CA certificates are directly appended to the server
  45                 #   certificate for convinience.
  46                 #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
  47 
  48                 #   Certificate Authority (CA):
  49                 #   Set the CA certificate verification path where to find CA
  50                 #   certificates for client authentication or alternatively one
  51                 #   huge file containing all of them (file must be PEM encoded)
  52                 #   Note: Inside SSLCACertificatePath you need hash symlinks
  53                 #                to point to the certificate files. Use the provided
  54                 #                Makefile to update the hash symlinks after changes.
  55                 #SSLCACertificatePath /etc/ssl/certs/
  56                 #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
  57 
  58                 #   Certificate Revocation Lists (CRL):
  59                 #   Set the CA revocation path where to find CA CRLs for client
  60                 #   authentication or alternatively one huge file containing all
  61                 #   of them (file must be PEM encoded)
  62                 #   Note: Inside SSLCARevocationPath you need hash symlinks
  63                 #                to point to the certificate files. Use the provided
  64                 #                Makefile to update the hash symlinks after changes.
  65                 #SSLCARevocationPath /etc/apache2/ssl.crl/
  66                 #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
  67 
  68                 #   Client Authentication (Type):
  69                 #   Client certificate verification type and depth.  Types are
  70                 #   none, optional, require and optional_no_ca.  Depth is a
  71                 #   number which specifies how deeply to verify the certificate
  72                 #   issuer chain before deciding the certificate is not valid.
  73                 #SSLVerifyClient require
  74                 #SSLVerifyDepth  10
  75 
  76                 #   SSL Engine Options:
  77                 #   Set various options for the SSL engine.
  78                 #   o FakeBasicAuth:
  79                 #        Translate the client X.509 into a Basic Authorisation.  This means that
  80                 #        the standard Auth/DBMAuth methods can be used for access control.  The
  81                 #        user name is the `one line' version of the client's X.509 certificate.
  82                 #        Note that no password is obtained from the user. Every entry in the user
  83                 #        file needs this password: `xxj31ZMTZzkVA'.
  84                 #   o ExportCertData:
  85                 #        This exports two additional environment variables: SSL_CLIENT_CERT and
  86                 #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  87                 #        server (always existing) and the client (only existing when client
  88                 #        authentication is used). This can be used to import the certificates
  89                 #        into CGI scripts.
  90                 #   o StdEnvVars:
  91                 #        This exports the standard SSL/TLS related `SSL_*' environment variables.
  92                 #        Per default this exportation is switched off for performance reasons,
  93                 #        because the extraction step is an expensive operation and is usually
  94                 #        useless for serving static content. So one usually enables the
  95                 #        exportation for CGI and SSI requests only.
  96                 #   o OptRenegotiate:
  97                 #        This enables optimized SSL connection renegotiation handling when SSL
  98                 #        directives are used in per-directory context.
  99                 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 100                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
 101                                 SSLOptions +StdEnvVars
 102                 </FilesMatch>
 103                 <Directory /usr/lib/cgi-bin>
 104                                 SSLOptions +StdEnvVars
 105                 </Directory>
 106 
 107                 #   SSL Protocol Adjustments:
 108                 #   The safe and default but still SSL/TLS standard compliant shutdown
 109                 #   approach is that mod_ssl sends the close notify alert but doesn't wait for
 110                 #   the close notify alert from client. When you need a different shutdown
 111                 #   approach you can use one of the following variables:
 112                 #   o ssl-unclean-shutdown:
 113                 #        This forces an unclean shutdown when the connection is closed, i.e. no
 114                 #        SSL close notify alert is send or allowed to received.  This violates
 115                 #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
 116                 #        this when you receive I/O errors because of the standard approach where
 117                 #        mod_ssl sends the close notify alert.
 118                 #   o ssl-accurate-shutdown:
 119                 #        This forces an accurate shutdown when the connection is closed, i.e. a
 120                 #        SSL close notify alert is send and mod_ssl waits for the close notify
 121                 #        alert of the client. This is 100% SSL/TLS standard compliant, but in
 122                 #        practice often causes hanging connections with brain-dead browsers. Use
 123                 #        this only for browsers where you know that their SSL implementation
 124                 #        works correctly.
 125                 #   Notice: Most problems of broken clients are also related to the HTTP
 126                 #   keep-alive facility, so you usually additionally want to disable
 127                 #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
 128                 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 129                 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 130                 #   "force-response-1.0" for this.
 131                 BrowserMatch "MSIE [2-6]" \
 132                                 nokeepalive ssl-unclean-shutdown \
 133                                 downgrade-1.0 force-response-1.0
 134                 # MSIE 7 and newer should be able to use keepalive
 135                 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 136 
 137                 ### Redirect any request URI to the webserver root URI.
 138                 #RedirectMatch ^/$ "https://${SERVER_NAME}/webmail"
 139                 RewriteEngine on
 140                 RewriteCond %{HTTP_HOST}        !=${SERVER_NAME}
 141                 RewriteRule ^/(.*)$             https://${SERVER_NAME}/$1 [R=301,L]
 142 
 143                 ### PUT YOUR APPLICATION SPECIFIC CONFIGURATION HERE
 144                 #…
 145                 #…
 146         </VirtualHost>
 147 </IfModule>
 148 
 149 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

   1 root@mail /etc/apache2/sites-available # a2ensite mail.rockstable.org_443.conf
   2 Enabling site mail.rockstable.org_443.
   3 To activate the new configuration, you need to run:
   4   service apache2 reload

Redirection to https

Nobody wants to see always "403 Forbidden".

So for the reasons of usability and convenience i recommend configuring a simple port 80 plaintext-vHost listening on the same ServerName like the encrypted counterpart, whose only task is to redirect anything to the encrypted port.

   1 root@mail /etc/apache2/sites-available # cp /etc/apache/sites-available/{000-default.conf,mail.rockstable.org_80.conf}
   2

   1 <VirtualHost *:80>
   2     # The ServerName directive sets the request scheme, hostname and port that
   3     # the server uses to identify itself. This is used when creating
   4     # redirection URLs. In the context of virtual hosts, the ServerName
   5     # specifies what hostname must appear in the request's Host: header to
   6     # match this virtual host. For the default virtual host (this file) this
   7     # value is not decisive as it is used as a last resort host regardless.
   8     # However, you must set it for any further virtual host explicitly.
   9     Define      SERVER_NAME mail.rockstable.org
  10     ServerName  ${SERVER_NAME}
  11     ServerAlias mail.rockstable.it
  12 
  13     DocumentRoot /var/www/html
  14 
  15     # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
  16     # error, crit, alert, emerg.
  17     # It is also possible to configure the loglevel for particular
  18     # modules, e.g.
  19     #LogLevel info ssl:warn
  20 
  21     ErrorLog    ${APACHE_LOG_DIR}/${SERVER_NAME}_error.log
  22     CustomLog   ${APACHE_LOG_DIR}/${SERVER_NAME}_access.log combined
  23 
  24     # For most configuration files from conf-available/, which are
  25     # enabled or disabled at a global level, it is possible to
  26     # include a line for only one particular virtual host. For example the
  27     # following line enables the CGI configuration for this host only
  28     # after it has been globally disabled with "a2disconf".
  29     #Include conf-available/serve-cgi-bin.conf
  30 
  31     ### Redirect anything up to the encrypted vHost
  32     ### (breaks /server-status if certificate is invalid)
  33     #RedirectMatch  ^/(.*)$                 https://${SERVER_NAME}/$1
  34 
  35     ### Finally nothing leads around mod_rewrite
  36     RewriteEngine on
  37     RewriteCond %{REQUEST_URI}      !=/server-status
  38     RewriteRule ^/(.*)$             https://%{HTTP_HOST}/$1 [R=301,L]
  39 </VirtualHost>
  40 
  41 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

   1 root@mail /etc/apache2/sites-available # a2ensite mail.rockstable.org_80.conf
   2 Enabling site mail.rockstable.org_80.
   3 To activate the new configuration, you need to run:
   4   service apache2 reload

Modules

Apache Documentation: http://httpd.apache.org/docs/2.4/mod/

mod_authz_host

Apache Documentation:

With Apache2.4 authorization directives order, allow, deny, satisfy got deprecated.

Be consequent!!

Use AuthMerging, AuthzProviderAlias, AuthzSendForbiddenOnFailure, Require, RequireAny, RequireAll, RequireNone instead!

Make sure your don't use the old syntax ins /etc/apache2/conf-available/security.conf or subsequent configuration like mod_status will fail.

mod_autoindex

Um dem Indexing ein wenig Pep zu verleihen nutze ich gern das Apaxy Projekt - ein Theme mit vorbereiteter Konfiguration.
- http://adamwhitcroft.com/apaxy/
- https://github.com/AdamWhitcroft/Apaxy
Zunächst wird das Projekt an die richtige Stelle geklont.

   1 cd /usr/local/share/
   2 git clone https://github.com/AdamWhitcroft/Apaxy

Damit die Änderungen bei allen Indizes auf dem Server ziehen, muss die Datei etc/apache2/mods-enabled/autoindex.conf zur Seite bewegt werden um die Defaults zu behalten.

   1 mv /etc/apache2/mods-available/autoindex.conf{,.bak}

Dann wird eine Kopie der Apaxy-.htaccess angefertigt und mit der Original-Konfiguration gemerged.
- Hinzugefügt wurden
  - <IfModule>
  - #vim modeline
  - <Directory>
- Angepasst wurden
  - IndexOptions
  - IndexHeadInsert
  - IndexIgnore
  - Etwas umformatiert
  - Alle relativen URIs theme/ wurden durch /theme/

   1 ### vim
   2 :%s#[, ]theme/# /theme/#
   3 ### sed
   4 sed -ir 's#([, ])theme/#\1/theme/#' /etc/apache2/mods-available/autoindex.conf

Hier die fertige Konfigurationsdatei /etc/apache2/mods-available/autoindex.conf

   1 <IfModule mod_autoindex.c>
   2         # Directives controlling the display of server-generated directory listings.
   3 
   4         #
   5         # Apaxy by @adamwhitcroft
   6         #
   7         # For a full breakdown of the mod_autoindex module:
   8         # http://apache.org/docs/2.2/mod/mod_autoindex.html
   9         #
  10 
  11         Alias /theme /usr/local/share/Apaxy/apaxy/theme 
  12         <Directory /usr/local/share/Apaxy/apaxy/theme>
  13                 Require all granted
  14         </Directory>
  15 
  16         <Directory /usr/local/share/Apaxy/apaxy/theme/icons>
  17                 Require all granted
  18         </Directory>
  19 
  20         # INDEX OPTIONS
  21         #IndexOptions   +Charset=UTF-8 +FancyIndexing +IgnoreCase +FoldersFirst +XHTML +HTMLTable +SuppressRules +SuppressDescription +NameWidth=* +IconsAreLinks
  22         IndexOptions    Charset=UTF-8 FancyIndexing IgnoreCase FoldersFirst XHTML HTMLTable SuppressRules SuppressDescription NameWidth=* IconsAreLinks FoldersFirst
  23 
  24         # META VIEWPORT
  25         IndexHeadInsert "  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />"
  26 
  27         # HIDE /theme DIRECTORY
  28         #IndexIgnore .htaccess /theme
  29         IndexIgnore .??* *~ *# RCS CVS *,v *,t /theme
  30 
  31         #
  32         # GENERAL ICONS (BLANK, DIRECTORY, PARENT DIRECTORY)
  33         #
  34 
  35         AddIcon /theme/icons/blank.png ^^BLANKICON^^
  36         AddIcon /theme/icons/folder.png ^^DIRECTORY^^
  37         AddIcon /theme/icons/folder-home.png ..
  38 
  39         AddIconByType (TXT,/theme/icons/text.png) text/*
  40         AddIconByType (IMG,/theme/icons/image.png) image/*
  41         AddIconByType (SND,/theme/icons/audio.png) audio/*
  42         AddIconByType (VID,/theme/icons/video.png) video/*
  43 
  44         #
  45         # EXTENSION SPECIFIC ICONS
  46         #
  47 
  48         AddIcon /theme/icons/archive.png .7z .bz2 .cab .gz .tar
  49         AddIcon /theme/icons/audio.png .aac .aif .aifc .aiff .ape .au .flac .iff .m4a .mid .mp3 .mpa .ra .wav .wma .f4a .f4b .oga .ogg .xm .it .s3m .mod
  50         AddIcon /theme/icons/bin.png .bin .hex
  51         AddIcon /theme/icons/bmp.png .bmp
  52         AddIcon /theme/icons/c.png .c
  53         AddIcon /theme/icons/calc.png .xlsx .xlsm .xltx .xltm .xlam .xlr .xls .csv
  54         AddIcon /theme/icons/cd.png .iso
  55         AddIcon /theme/icons/cpp.png .cpp
  56         AddIcon /theme/icons/css.png .css .sass .scss
  57         AddIcon /theme/icons/deb.png .deb
  58         AddIcon /theme/icons/doc.png .doc .docx .docm .dot .dotx .dotm .log .msg .odt .pages .rtf .tex .wpd .wps
  59         AddIcon /theme/icons/draw.png .svg .svgz
  60         AddIcon /theme/icons/eps.png .ai .eps
  61         AddIcon /theme/icons/exe.png .exe
  62         AddIcon /theme/icons/gif.png .gif
  63         AddIcon /theme/icons/h.png .h
  64         AddIcon /theme/icons/html.png .html .xhtml .shtml .htm .URL .url
  65         AddIcon /theme/icons/ico.png .ico
  66         AddIcon /theme/icons/java.png .jar
  67         AddIcon /theme/icons/jpg.png .jpg .jpeg .jpe
  68         AddIcon /theme/icons/js.png .js .json
  69         AddIcon /theme/icons/markdown.png .md
  70         AddIcon /theme/icons/package.png .pkg .dmg
  71         AddIcon /theme/icons/pdf.png .pdf
  72         AddIcon /theme/icons/php.png .php .phtml
  73         AddIcon /theme/icons/playlist.png .m3u .m3u8 .pls .pls8
  74         AddIcon /theme/icons/png.png .png
  75         AddIcon /theme/icons/ps.png .ps
  76         AddIcon /theme/icons/psd.png .psd
  77         AddIcon /theme/icons/py.png .py
  78         AddIcon /theme/icons/rar.png .rar
  79         AddIcon /theme/icons/rb.png .rb
  80         AddIcon /theme/icons/rpm.png .rpm
  81         AddIcon /theme/icons/rss.png .rss
  82         AddIcon /theme/icons/script.png .bat .cmd .sh
  83         AddIcon /theme/icons/sql.png .sql
  84         AddIcon /theme/icons/tiff.png .tiff .tif
  85         AddIcon /theme/icons/text.png .txt .nfo
  86         AddIcon /theme/icons/video.png .asf .asx .avi .flv .mkv .mov .mp4 .mpg .rm .srt .swf .vob .wmv .m4v .f4v .f4p .ogv
  87         AddIcon /theme/icons/xml.png .xml
  88         AddIcon /theme/icons/zip.png .zip
  89         DefaultIcon /theme/icons/default.png
  90 
  91         #
  92         # THEME FILES
  93         #
  94 
  95         HeaderName /theme/header.html
  96         ReadmeName /theme/footer.html
  97         IndexStyleSheet /theme/style.css
  98 
  99 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Dann noch Apache2 neustarten

   1 apache2ctl graceful

Wer jetzt noch Lust hat, sollte /usr/local/share/Apaxy/apaxy/theme/{header.html,footer.html,style.css} an den jeweiligen Geschmack anpassen.
Sieht jetzt besser aus.

mod_alias

Apache Documentation: https://httpd.apache.org/docs/2.4/mod/mod_alias.html
Offers Redirect, RedirectMatch, …
Allow delivery of "/icons" after disabling them during the #Hardening in security.conf -> allow from all

/etc/apache2/mods-available/alias.conf

   1 <IfModule alias_module>
   2     # Aliases: Add here as many aliases as you need (with no limit). The format is
   3     # Alias fakename realname
   4     #
   5     # Note that if you include a trailing / on fakename then the server will
   6     # require it to be present in the URL.  So "/icons" isn't aliased in this
   7     # example, only "/icons/".  If the fakename is slash-terminated, then the
   8     # realname must also be slash terminated, and if the fakename omits the
   9     # trailing slash, the realname must also omit it.
  10     #
  11     # We include the /icons/ alias for FancyIndexed directory listings.  If
  12     # you do not use FancyIndexing, you may comment this out.
  13 
  14     Alias /icons/ "/usr/share/apache2/icons/"
  15 
  16     <Directory "/usr/share/apache2/icons">
  17         Options FollowSymlinks
  18         AllowOverride None
  19         Require all granted
  20         Order Allow,Deny
  21         Allow from All
  22     </Directory>
  23 
  24 </IfModule>
  25 
  26 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

mod_http2

Feature still experimental and changing
Let's try is out!
http/2 itself does not require encryption
- but there is currently no browser that supports http/2 without TLSv1.2
- so encryption is kind of mandatory
Apache-Documentation: https://httpd.apache.org/docs/2.4/mod/mod_http2.html
https://http2.github.io/faq/

/etc/apache2/mods-available/http2.conf

   1 ## h2c  -> http2 cleartext
   2 ## h2   -> http2 on TLS
   3 
   4 Protocols h2c h2 http/1.1
   5 
   6 #H2 Direct Protocol Switch
   7 # Best in VirtualHost
   8 #H2Direct on for h2c, off for h2 protocol
   9 #H2Direct on
  10 
  11 #Maximum number of active streams per HTTP/2 session.
  12 #H2MaxSessionStreams 100
  13 
  14 #Maximum number of seconds h2 workers remain idle until shut down.
  15 #H2MaxWorkerIdleSeconds 600
  16 
  17 #Maximum number of worker threads to use per child process.
  18 #H2MaxWorkers n
  19 
  20 #Minimal number of worker threads to use per child process.
  21 #H2MinWorkers n
  22 
  23 #Require HTTP/2 connections to be "modern TLS" only
  24 #H2ModernTLSOnly on
  25 
  26 #H2 Server Push Switch
  27 #H2Push on
  28 
  29 #H2PushPriority
  30 #H2PushPriority * After 16
  31 
  32 #Serialize Request/Response Processing Switch
  33 #H2SerializeHeaders off
  34 
  35 #Number of Extra File Handles
  36 #H2SessionExtraFiles 5
  37 
  38 #Maximum amount of output data buffered per stream.
  39 #H2StreamMaxMemSize 65536
  40 
  41 #
  42 #H2TLSCoolDownSecs 1
  43 
  44 #
  45 #H2TLSWarmUpSize 1048576
  46 
  47 #H2 Upgrade Protocol Switch
  48 # Best in VirtualHost
  49 #H2Upgrade on for h2c, off for h2 protocol
  50 #H2Upgrade on|off
  51 
  52 #Size of Stream Window for upstream data.
  53 #H2WindowSize 65536

   1 root@mail /etc/apache2 # a2enmod http2
   2 Enabling module http2.
   3 To activate the new configuration, you need to run:
   4   service apache2 restart

After a reload the server response is "HTTP/2.0 200 OK", nice!

mod_nss

https://fedorahosted.org/mod_nss/
mod_nss is an SSL provider derived from the mod_ssl module for the Apache web server that uses the Network Security Services (NSS) libraries. We started with mod_ssl and replaced the OpenSSL calls with NSS calls.
not really necessary

   1 root@mail ~log/apache2 # a2enmod nss
   2 Enabling module nss.
   3 To activate the new configuration, you need to run:
   4   service apache2 restart

mod_php5

Please consider using php5-fpm and mod_fastcgi, instead of mod_php5 (libapache2-mod-php5) with "suexec" or sth. comparable. It circumvents some security problems of the default configuration, where the interpreter of php is running in the context of "www-data", while it shouldn't be able to read and deliver some files (readable by the webserver) to the client.

mod_mpm_event

Apache Documentation: http://httpd.apache.org/docs/2.4/mod/event.html
Uses super-process to bind against Port 80 with root privileges, forks privilege seperated child processes, which do spawn a listener/supporter connections (which handles new and idle thread) and a amount of worker-threads (that do the work).
Worker derivate that handles idle connections by passing them to supporter threads and frees up system-resources and workers in that way.
Thanks to the setup with php5-fpm it works even with PHP applications, where with mod_php5 i formerly was forced to use mpm_prefork only.

   1 root@mail /etc/apache2 # a2dismod mpm_prefork
   2 Module mpm_prefork disabled.
   3 To activate the new configuration, you need to run:
   4   service apache2 restart
   5 root@mail /etc/apache2 # a2enmod mpm_event
   6 Considering conflict mpm_worker for mpm_event:
   7 Considering conflict mpm_prefork for mpm_event:
   8 Enabling module mpm_event.
   9 To activate the new configuration, you need to run:
  10   service apache2 restart
  11 root@mail /etc/apache2 # apache2ctl graceful
  12

mod_rewrite

Apache Documentation: https://httpd.apache.org/docs/current/mod/mod_rewrite.html
Extremly powerful module.
Extremly complex and complicated to maintain.
Unavoidable!
Is probably already enabled.

   1 root@mail /etc/apache2 # a2enmod rewrite
   2 Module rewrite already enabled

mod_ssl

Please see OpenSSL on first steps of preparation.

Apache Documentation: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol

For me it's import to serve a clean, secure and state of the art configuration. So hardening of the ssl-stack is a mandtory.
- Always have that latest security patches for (lib|open)ssl, (lib)gnutls installed.
- Use strong crypto and disable broken suites, ciphers and hashes and don't let yourself be compromised by old clients and compatibilty. They're not worth it. (See man 1 ciphers). Disable:
  - Protocols:
    - SSLv2 (gone with openssl 1.0.1)
    - SSLv3 (vulnerable against POODLE)
    - TLSv1.0 (vulnerable against BEAST/POODLE)
    - TLSv1.1 can be left in the list of protocols for reasons of compatibilty (no known "real" vulnerabilities, yet)
  - CipherSuites
    - eNULL (no encryption)
    - aNULL (no authentication (e.g. anonymous diffie hellmann) ( vulnerable against Man In The Middle))
    - EXPORT (weakened and designed to be broken (40 and 56bits))
    - LOW (40 and 56 bit without exports)
    - NEDIUM (128bit ciphers) (but, we want strong crypto)
  - Ciphers
    - (A)RC4 terminally broken
    - (AES128 - Tried to exclude it, but this breaks compatibility with Iceweasel, no way…)
  - Hashes
    - MD5 (terminally broken, definitely insecure)
    - SHA1 (not free of collisions)
  - Order the string by cipher strength -> @STRENGTH

Default with openssl is currently 'ALL:!EXPORT:!aNULL:!eNULL:!SSLv2' So mine is:

   1 SSLCipherSuite @STRENGTH:HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!SSLv2:!SSLv3:!TLSv1:!MD5:!SHA
   2 SSLProtocol TLSv1.2 +TLSv1.1 -SSLv2 -SSLv3 -TLSv1

Verify your SSLCipherSuite-String using:

   1 root@mail /etc/apache2 # openssl ciphers cipherlist '@STRENGTH:HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!SSLv2:!SSLv3:!TLSv1:!MD5:!SHA'
   2 ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256

/etc/apache2/mods-available/ssl.conf

   1 <IfModule mod_ssl.c>
   2 
   3     # Pseudo Random Number Generator (PRNG):
   4     # Configure one or more sources to seed the PRNG of the SSL library.
   5     # The seed data should be of good random quality.
   6     # WARNING! On some platforms /dev/random blocks if not enough entropy
   7     # is available. This means you then cannot use the /dev/random device
   8     # because it would lead to very long connection times (as long as
   9     # it requires to make more entropy available). But usually those
  10     # platforms additionally provide a /dev/urandom device which doesn't
  11     # block. So, if available, use this one instead. Read the mod_ssl User
  12     # Manual for more details.
  13     #
  14     SSLRandomSeed startup builtin
  15     SSLRandomSeed startup file:/dev/urandom 512
  16     SSLRandomSeed connect builtin
  17     SSLRandomSeed connect file:/dev/urandom 512
  18 
  19     ##
  20     ##  SSL Global Context
  21     ##
  22     ##  All SSL configuration in this context applies both to
  23     ##  the main server and all SSL-enabled virtual hosts.
  24     ##
  25 
  26     #
  27     #   Some MIME-types for downloading Certificates and CRLs
  28     #
  29     AddType application/x-x509-ca-cert .crt
  30     AddType application/x-pkcs7-crl .crl
  31 
  32     #   Pass Phrase Dialog:
  33     #   Configure the pass phrase gathering process.
  34     #   The filtering dialog program (`builtin' is a internal
  35     #   terminal dialog) has to provide the pass phrase on stdout.
  36     SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
  37 
  38     #   Inter-Process Session Cache:
  39     #   Configure the SSL Session Cache: First the mechanism 
  40     #   to use and second the expiring timeout (in seconds).
  41     #   (The mechanism dbm has known memory leaks and should not be used).
  42     #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
  43     SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
  44     SSLSessionCacheTimeout  300
  45 
  46     #   Semaphore:
  47     #   Configure the path to the mutual exclusion semaphore the
  48     #   SSL engine uses internally for inter-process synchronization. 
  49     #   (Disabled by default, the global Mutex directive consolidates by default
  50     #   this)
  51     #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
  52 
  53 
  54     #   SSL Cipher Suite:
  55     #   List the ciphers that the client is permitted to negotiate. See the
  56     #   ciphers(1) man page from the openssl package for list of all available
  57     #   options.
  58     #   Enable only secure ciphers:
  59     SSLCipherSuite @STRENGTH:HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!SSLv2:!SSLv3:!TLSv1:!MD5:!SHA
  60 
  61     # SSL server cipher order preference:
  62     # Use server priorities for cipher algorithm choice.
  63     # Clients may prefer lower grade encryption.  You should enable this
  64     # option if you want to enforce stronger encryption, and can afford
  65     # the CPU cost, and did not override SSLCipherSuite in a way that puts
  66     # insecure ciphers first.
  67     # Default: Off
  68     SSLHonorCipherOrder on
  69 
  70     #   The protocols to enable.
  71     #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
  72     #   SSL v2  is no longer supported
  73     SSLProtocol TLSv1.2 +TLSv1.1 -SSLv2 -SSLv2 -TLSv1
  74 
  75     #   Allow insecure renegotiation with clients which do not yet support the
  76     #   secure renegotiation protocol. Default: Off
  77     #SSLInsecureRenegotiation on
  78 
  79     #   Whether to forbid non-SNI clients to access name based virtual hosts.
  80     #   Default: Off
  81     #SSLStrictSNIVHostCheck On
  82 
  83 </IfModule>
  84 
  85 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

In the next step, test config, enable mod-ssl and restart the server.

   1 root@mail /etc/apache2/mods-available # apache2ctl configtest
   2 Syntax OK
   3 root@mail /etc/apache2 # a2enmod ssl
   4 Considering dependency setenvif for ssl:
   5 Module setenvif already enabled
   6 Considering dependency mime for ssl:
   7 Module mime already enabled
   8 Considering dependency socache_shmcb for ssl:
   9 Enabling module socache_shmcb.
  10 Enabling module ssl.
  11 See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
  12 To activate the new configuration, you need to run:
  13   service apache2 restart

Test it

After these steps a vHost listening on Port 443 should be established, to test the configuration please see #Crypto-vHost.

Here are some utilities to test the Webserver:

Qualys Test: https://www.ssllabs.com/ssltest/
- I landed on Grade "A-" besides the untrusted (self-signed) certificate. More on hardening the crypto later. Minimum requirement should be somewhat above Grade "B", like google provides (for compatibilty reasons) does.

mod_status

Apache-Dokumantation: http://httpd.apache.org/docs/2.4/mod/mod_status.html

With all requests on port 80 being redirected to 443 a little tweak to the way the apache2-status is fetched is nessesary: There are several possibilities:

The usage of mod_rewrite in the port 80 vhost circumvents this problems, but may offer slightly less performance.
The redirected vhost must (like below) be part of the whitelist-list of mod_status -> allow-from. Once we've got here a valid certificate installed, the traffic is even encrypted.
- A RedirectMatch can be placed to push any URI up to https like documented in #Redirection to https.
- If we like we can change the APACHE_STATUSURL in /etc/apache2/envvars to the encrypted path. The Host must be replaced with the FQDN (the !commonNameinthe subject) since the certificate is not valid for "localhost". APACHE_STATUSURL="https://mail.rockstable.org/server-status"

   1 <IfModule mod_status.c>
   2     # Allow server status reports generated by mod_status,
   3     # with the URL of http://servername/server-status
   4     # Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
   5 
   6     <Location /server-status>
   7         SetHandler server-status
   8         Require local
   9         #Require ip 192.0.2.0/24
  10         ### Don't use the old stuff anymore
  11         #order deny,allow
  12         #deny from   all
  13         #allow from  localhost
  14         #allow from  mail.rockstable.org
  15     </Location>
  16 
  17     # Keep track of extended status information for each request
  18     ExtendedStatus On
  19 
  20     # Determine if mod_status displays the first 63 characters of a request or
  21     # the last 63, assuming the request itself is greater than 63 chars.
  22     # Default: Off
  23     #SeeRequestTail On
  24 
  25 
  26     <IfModule mod_proxy.c>
  27         # Show Proxy LoadBalancer status in mod_status
  28         ProxyStatus On
  29     </IfModule>
  30 
  31 
  32 </IfModule>
  33 
  34 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Configurations

Services

Sports

Navigation