Apache2
Apache2 Documentation: http://httpd.apache.org/docs/
Recent Version
- It is recommended to use the latest version of Apache, which currently is 2.4.17 from Jessie.
Apache 2.4 new features: https://httpd.apache.org/docs/2.4/new_features_2_4.html
- Tends to use less memory than Apache 2.2.
- Initial (still experimental) support for the faster successor HTTP/2.
- Adds "conf-enabled" alongside "mods-enabled" and "sites-enabled", which makes the layout more consistent.
- Define statements simplify complex configurations.
- Macro support (e.g. for interesting vHost configurations).
- many more …
Useful Commands
Server-Status #mod_status
watch -n1 -- 'apache2ctl status'
Every 1,0s: apache2ctl status

Apache Server Status for localhost (via 127.0.0.1)

Server Version: Apache/2.4.17 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141
OpenSSL/1.0.2d
Server MPM: prefork
Server Built: 2015-11-23T18:52:09

-------------------------------------------------------------------------------

Current Time: Sunday, 13-Dec-2015 23:29:29 CET
Restart Time: Sunday, 13-Dec-2015 14:46:46 CET
Parent Server Config. Generation: 34
Parent Server MPM Generation: 33
Server uptime: 8 hours 42 minutes 43 seconds
Server load: 0.05 0.03 0.05
Total accesses: 620 - Total Traffic: 1.1 MB
CPU Usage: u.03 s.02 cu0 cs0 - .000159% CPU load
.0198 requests/sec - 38 B/second - 1940 B/request
1 requests currently being processed, 6 idle workers

____W__.....
............
............

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Graceful restart webserver
This lets the processes finish their pending requests and restarts them afterwards. It is not really compatible with systemd.
apache2ctl graceful
Stop webserver
apache2ctl stop
Start webserver
apache2ctl start
List modules
apache2ctl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgid_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fastcgi_module (shared)
 filter_module (shared)
 headers_module (shared)
 http2_module (shared)
 include_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
Hardening
Basic Security
- Forbid any access to the file system; access can later be allowed in another Directory/Location directive.
- Restrict the server version published on error pages to the minor version of the server.
- Show an email link to the webmaster on the error page for reporting problems.
- Forbid tracing, content sniffing and nesting in iframes using additional HTTP X-headers.
/etc/apache2/conf-enabled/security.conf
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
<Directory />
    AllowOverride None
    Require all denied
    ### Don't use the old access directives anymore with 2.4,
    ### subsequent stuff will fail
    #Order Deny,Allow
    #Deny from all
</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens Minor
#ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#ServerSignature Off
ServerSignature EMail

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#TraceEnable On

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#    Require all denied
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header set X-Frame-Options: "sameorigin"


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Additional X-Headers
/etc/apache2/conf-available/x-headers.conf
### Additional Header Fields

### X-Frame-Options
# Provides Clickjacking protection. Values: deny - no rendering
# within a frame, sameorigin - no rendering if origin mismatch,
# allow-from: DOMAIN - allow rendering if framed by frame loaded
# from DOMAIN
Header set X-Frame-Options: deny

### X-XSS-Protection
# This header enables the Cross-site scripting (XSS) filter built into
# most recent web browsers. It's usually enabled by default anyway,
# so the role of this header is to re-enable the filter for this
# particular website if it was disabled by the user.
Header set X-XSS-Protection: "1;mode=block"

### HTTP Strict-Transport-Security (HSTS)
# enforces secure (HTTP over SSL/TLS) connections to the server. This
# reduces impact of bugs in web applications leaking session data through
# cookies and external links and defends against Man-in-the-middle attacks.
# HSTS also disables the ability for users to ignore SSL negotiation warnings.
#Header set Strict-Transport-Security: max-age=16070400; includeSubDomains
Test the headers
You can check the HTTP header fields in the browser using
- the built-in web console: F12 -> Network analysis, or Menu -> Web Developer -> Network analysis, then click on an HTTP request;
- the extension "Live HTTP Headers";
- the URL field (Ctrl+L) -> lock symbol left of the URL -> button "More information" -> Headers.
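The same check scripted, as an added example that is not part of the original page: a shell function audits a saved HTTP response for the headers configured above (HSTS, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection), warns when the Server header still leaks module or OS details (i.e. ServerTokens is not yet Minor or stricter) and reports the protocol of the status line. In real use the input is the output of `curl -sI https://mail.example/` saved to a file; the response embedded here is constructed for an offline run and deliberately leaves out X-Frame-Options so the audit has something to flag.

```shell
#!/bin/sh
# Added example (not from the original page): audit the hardening headers in a
# captured HTTP response.  Usage:  curl -sI https://host/ > resp.txt; check_headers resp.txt
# Exit status of check_headers is the number of required headers that are missing.

# Header fields this page configures in security.conf / x-headers.conf / the HSTS line.
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options x-xss-protection"

# Print the value of header $2 (lower-case name) from response file $1; CRs stripped.
header_value() {
    tr -d '\r' < "$1" | awk -v name="$2" '
        { n = index($0, ":")
          if (n && tolower(substr($0, 1, n - 1)) == name) {
              v = substr($0, n + 1); sub(/^ +/, "", v); print v; exit } }'
}

# Print the protocol of the status line, e.g. "HTTP/2" or "HTTP/1.1".
protocol_of() {
    tr -d '\r' < "$1" | head -n 1 | cut -d' ' -f1
}

# Report each required header; return the count of missing ones.
check_headers() {
    missing=0
    for name in $REQUIRED_HEADERS; do
        value=$(header_value "$1" "$name")
        if [ -n "$value" ]; then
            printf 'ok      %-26s %s\n' "$name" "$value"
        else
            printf 'MISSING %s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    # ServerTokens Minor yields "Apache/2.4"; module, OpenSSL or "(OS)" details
    # mean the Server header is still Full/OS.
    server=$(header_value "$1" server)
    case "$server" in
        *"("*|*mod_*|*OpenSSL*) printf 'WARN    Server header still verbose: %s\n' "$server" ;;
    esac
    printf 'protocol %s\n' "$(protocol_of "$1")"
    return "$missing"
}

# Constructed sample response (what curl -sI might return from a host hardened
# as on this page, but with X-Frame-Options forgotten and ServerTokens still Full).
write_sample_response() {
    printf 'HTTP/2 200\r\nServer: Apache/2.4.17 (Debian) OpenSSL/1.0.2d\r\nDate: Sun, 13 Dec 2015 23:29:29 GMT\r\nStrict-Transport-Security: max-age=15768000;includeSubDomains\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1;mode=block\r\nContent-Type: text/html\r\n\r\n' > "$1"
}

# Stand-alone run over the constructed sample.
sample=$(mktemp)
write_sample_response "$sample"
check_headers "$sample" || echo "$? required header(s) missing"
rm -f "$sample"
```

Pipe the output into your configuration management's check step, or run it after every `apache2ctl graceful`; an exit status other than 0 means a hardening header is gone.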
Crypto-Hardening
Before using this config, please generate the DH parameters: OpenSSL#Generate_or_renew_files_with_Diffie-Hellman-Parameters
<IfModule mod_ssl.c>
    ### Mozilla SSL Configuration Generator
    ### https://mozilla.github.io/server-side-tls/ssl-config-generator/

    ### Mozilla recommendations for
    # Apache: 2.4.28
    # OpenSSL: 1.1.1b

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
    #Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains;preload"

    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # MODERN CONFIGURATION, TWEAK TO YOUR NEEDS
    ### THERE ARE SOME WEAK CIPHERS (ACCORDING TO SSL LABS):
    ### IF THESE WEAKER CBC-MODE CIPHERS ARE MISSING, IE AND SAFARI BREAK
    # ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384: \
    # ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
    ### DO NOT APPEND "@STRENGTH", THIS WOULD PULL WEAKER CIPHERS TO THE FRONT
    ### FIXME: BREAK THIS LONG LINE (ANY IDEAS?)
    Define CIPHER_LIST ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    SSLCipherSuite ${CIPHER_LIST}
    SSLHonorCipherOrder on
    ### Enabling compression causes security issues in most setups (the so called CRIME attack).
    SSLCompression off
    SSLSessionTickets off

    SSLOptions +StrictRequire
    SSLVerifyDepth 1
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam/dhparam_4096.pem"

    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)


    ### FURTHER ADJUSTMENTS
    SSLProtocol TLSv1.3 +TLSv1.2

    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    #SSLProxyCipherSuite ALL:!ADH:!RC4:+HIGH:+MEDIUM
    SSLProxyCipherSuite ${CIPHER_LIST}

    # Add vhost name (%v) to log entries:
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Test Crypto
Qualys provides a good online scanner for http(s): https://www.ssllabs.com/ssltest/
https://testssl.sh/ is an on-premises solution that can e.g. be run via configuration management.
Performance Tuning
Virtual Hosts
I prefer using VirtualHosts over the server context.
The web server decides, based on the "Host" header field of the HTTP request, which vHost serves the response.
If one decides to set up different domains on top of the server (e.g. for webmail), each domain can be configured differently (e.g. with different certificates or services). Parameters set in the server configuration are inherited, but can be overridden in the vHost configuration.
Crypto-vHost
CypherPunks do encrypt - anything.
So a configuration may be derived from the template /etc/apache2/sites-available/default-ssl.conf into /etc/apache2/sites-available/mail.rockstable.org_443.conf:
cp /etc/apache2/sites-available/{default-ssl.conf,mail.rockstable.org_443.conf}
Configure:
- ServerName
- ServerAlias
- the redirection to the webmailer
- the inclusion of the configuration files of the application (Kolab3 in my case).
/etc/apache2/sites-enabled/mail.rockstable.org_443.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    Define SERVER_NAME mail.rockstable.org
    ServerName ${SERVER_NAME}
    ServerAlias mail.rockstable.it

    # DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}_error.log
    CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}_access.log combined


    ### SSL-CONFIG
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # A self-signed (snakeoil) certificate can be created by installing
    # the ssl-cert package. See
    # /usr/share/doc/apache2/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convenience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

    # Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # huge file containing all of them (file must be PEM encoded)
    # Note: Inside SSLCACertificatePath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/ssl/certs/
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    # Certificate Revocation Lists (CRL):
    # Set the CA revocation path where to find CA CRLs for client
    # authentication or alternatively one huge file containing all
    # of them (file must be PEM encoded)
    # Note: Inside SSLCARevocationPath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/apache2/ssl.crl/
    #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    #   Translate the client X.509 into a Basic Authorisation. This means that
    #   the standard Auth/DBMAuth methods can be used for access control. The
    #   user name is the `one line' version of the client's X.509 certificate.
    #   Note that no password is obtained from the user. Every entry in the user
    #   file needs this password: `xxj31ZMTZzkVA'.
    # o ExportCertData:
    #   This exports two additional environment variables: SSL_CLIENT_CERT and
    #   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #   server (always existing) and the client (only existing when client
    #   authentication is used). This can be used to import the certificates
    #   into CGI scripts.
    # o StdEnvVars:
    #   This exports the standard SSL/TLS related `SSL_*' environment variables.
    #   Per default this exportation is switched off for performance reasons,
    #   because the extraction step is an expensive operation and is usually
    #   useless for serving static content. So one usually enables the
    #   exportation for CGI and SSI requests only.
    # o OptRenegotiate:
    #   This enables optimized SSL connection renegotiation handling when SSL
    #   directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    #   This forces an unclean shutdown when the connection is closed, i.e. no
    #   SSL close notify alert is sent or allowed to be received. This violates
    #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #   this when you receive I/O errors because of the standard approach where
    #   mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    #   This forces an accurate shutdown when the connection is closed, i.e. a
    #   SSL close notify alert is sent and mod_ssl waits for the close notify
    #   alert of the client. This is 100% SSL/TLS standard compliant, but in
    #   practice often causes hanging connections with brain-dead browsers. Use
    #   this only for browsers where you know that their SSL implementation
    #   works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to workaround
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    ### Redirect any request URI to the webserver root URI.
    #RedirectMatch ^/$ "https://${SERVER_NAME}/webmail"
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !=${SERVER_NAME}
    RewriteRule ^/(.*)$ https://${SERVER_NAME}/$1 [R=301,L]

    ### PUT YOUR APPLICATION SPECIFIC CONFIGURATION HERE
    #…
    #…
</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Redirection to https
Nobody wants to always see "403 Forbidden".
So for reasons of usability and convenience I recommend configuring a simple plaintext vHost on port 80 with the same ServerName as its encrypted counterpart, whose only task is to redirect everything to the encrypted port.
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    Define SERVER_NAME mail.rockstable.org
    ServerName ${SERVER_NAME}
    ServerAlias mail.rockstable.it

    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}_error.log
    CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}_access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    ### Redirect anything up to the encrypted vHost
    ### (breaks /server-status if certificate is invalid)
    #RedirectMatch ^/(.*)$ https://${SERVER_NAME}/$1

    ### Finally nothing leads around mod_rewrite
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !=/server-status
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Modules
Apache Documentation: http://httpd.apache.org/docs/2.4/mod/
mod_authz_host
- Apache Documentation:
With Apache 2.4 the authorization directives Order, Allow, Deny and Satisfy are deprecated.
Be consistent!!
Use AuthMerging, AuthzProviderAlias, AuthzSendForbiddenOnFailure, Require, RequireAny, RequireAll and RequireNone instead!
Make sure you don't use the old syntax in /etc/apache2/conf-available/security.conf, or subsequent configuration such as mod_status will fail.
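A way to find leftovers of the old syntax across the whole configuration tree, as an added example that is not part of the original page: the functions below list every uncommented Order / Allow from / Deny from / Satisfy line in the *.conf files below a directory (normally /etc/apache2) and count them, so the check can run from configuration management before an `apache2ctl graceful`. The sample tree is constructed inline for an offline run; it mirrors the page's own alias.conf (which mixes both styles) and a security.conf whose legacy lines are commented out and therefore must not count.

```shell
#!/bin/sh
# Added example (not from the original page): find Apache 2.2-style access
# control directives that survive in a 2.4 configuration tree.
# Usage: list_legacy_access /etc/apache2 ; count_legacy_access /etc/apache2

# Directives are case-insensitive; a leading '#' (comment) must not match.
LEGACY_RE='^[[:space:]]*(Order|Allow[[:space:]]+from|Deny[[:space:]]+from|Satisfy)([[:space:]]|$)'

# Print "file:line:text" for every offending line in *.conf files below $1.
list_legacy_access() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        grep -n -i -E "$LEGACY_RE" "$f" | sed "s|^|$f:|"
    done
}

# Print the total number of offending lines below $1.
count_legacy_access() {
    list_legacy_access "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: alias.conf mixes Require with Order/Allow (as on this
# page); security.conf only has the legacy pair commented out.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/mods-available" "$dir/conf-enabled"
    cat > "$dir/mods-available/alias.conf" <<'EOF'
<Directory "/usr/share/apache2/icons">
    Require all granted
    Order Allow,Deny
    Allow from All
</Directory>
EOF
    cat > "$dir/conf-enabled/security.conf" <<'EOF'
<Directory />
    AllowOverride None
    Require all denied
    #Order Deny,Allow
    #Deny from all
</Directory>
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run over the constructed tree.
tree=$(make_sample_tree)
list_legacy_access "$tree"
echo "$(count_legacy_access "$tree") legacy access-control line(s) found"
rm -rf "$tree"
```

A non-zero count means mod_access_compat is still doing work for you; with the mixed Directory block in alias.conf both mechanisms are evaluated, which is exactly the inconsistency the paragraph above warns about.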
mod_autoindex
- To give directory indexing a bit of pep I like to use the Apaxy project, a theme with a prepared configuration.
- First the project is cloned to the right place.
So that the changes apply to all indexes on the server, the file /etc/apache2/mods-enabled/autoindex.conf has to be moved aside, keeping the defaults as a backup.
mv /etc/apache2/mods-available/autoindex.conf{,.bak}
- Then a copy of the Apaxy .htaccess is made and merged with the original configuration.
- Added:
<IfModule>
#vim modeline
<Directory>
- Adjusted:
IndexOptions
IndexHeadInsert
IndexIgnore
- Slightly reformatted:
All relative URIs theme/ were replaced by /theme/
Here is the finished configuration file /etc/apache2/mods-available/autoindex.conf
<IfModule mod_autoindex.c>
    # Directives controlling the display of server-generated directory listings.

    #
    # Apaxy by @adamwhitcroft
    #
    # For a full breakdown of the mod_autoindex module:
    # http://apache.org/docs/2.2/mod/mod_autoindex.html
    #

    Alias /theme /usr/local/share/Apaxy/apaxy/theme
    <Directory /usr/local/share/Apaxy/apaxy/theme>
        Require all granted
    </Directory>

    <Directory /usr/local/share/Apaxy/apaxy/theme/icons>
        Require all granted
    </Directory>

    # INDEX OPTIONS
    #IndexOptions +Charset=UTF-8 +FancyIndexing +IgnoreCase +FoldersFirst +XHTML +HTMLTable +SuppressRules +SuppressDescription +NameWidth=* +IconsAreLinks
    IndexOptions Charset=UTF-8 FancyIndexing IgnoreCase FoldersFirst XHTML HTMLTable SuppressRules SuppressDescription NameWidth=* IconsAreLinks

    # META VIEWPORT
    IndexHeadInsert " <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />"

    # HIDE /theme DIRECTORY
    #IndexIgnore .htaccess /theme
    IndexIgnore .??* *~ *# RCS CVS *,v *,t /theme

    #
    # GENERAL ICONS (BLANK, DIRECTORY, PARENT DIRECTORY)
    #

    AddIcon /theme/icons/blank.png ^^BLANKICON^^
    AddIcon /theme/icons/folder.png ^^DIRECTORY^^
    AddIcon /theme/icons/folder-home.png ..

    AddIconByType (TXT,/theme/icons/text.png) text/*
    AddIconByType (IMG,/theme/icons/image.png) image/*
    AddIconByType (SND,/theme/icons/audio.png) audio/*
    AddIconByType (VID,/theme/icons/video.png) video/*

    #
    # EXTENSION SPECIFIC ICONS
    #

    AddIcon /theme/icons/archive.png .7z .bz2 .cab .gz .tar
    AddIcon /theme/icons/audio.png .aac .aif .aifc .aiff .ape .au .flac .iff .m4a .mid .mp3 .mpa .ra .wav .wma .f4a .f4b .oga .ogg .xm .it .s3m .mod
    AddIcon /theme/icons/bin.png .bin .hex
    AddIcon /theme/icons/bmp.png .bmp
    AddIcon /theme/icons/c.png .c
    AddIcon /theme/icons/calc.png .xlsx .xlsm .xltx .xltm .xlam .xlr .xls .csv
    AddIcon /theme/icons/cd.png .iso
    AddIcon /theme/icons/cpp.png .cpp
    AddIcon /theme/icons/css.png .css .sass .scss
    AddIcon /theme/icons/deb.png .deb
    AddIcon /theme/icons/doc.png .doc .docx .docm .dot .dotx .dotm .log .msg .odt .pages .rtf .tex .wpd .wps
    AddIcon /theme/icons/draw.png .svg .svgz
    AddIcon /theme/icons/eps.png .ai .eps
    AddIcon /theme/icons/exe.png .exe
    AddIcon /theme/icons/gif.png .gif
    AddIcon /theme/icons/h.png .h
    AddIcon /theme/icons/html.png .html .xhtml .shtml .htm .URL .url
    AddIcon /theme/icons/ico.png .ico
    AddIcon /theme/icons/java.png .jar
    AddIcon /theme/icons/jpg.png .jpg .jpeg .jpe
    AddIcon /theme/icons/js.png .js .json
    AddIcon /theme/icons/markdown.png .md
    AddIcon /theme/icons/package.png .pkg .dmg
    AddIcon /theme/icons/pdf.png .pdf
    AddIcon /theme/icons/php.png .php .phtml
    AddIcon /theme/icons/playlist.png .m3u .m3u8 .pls .pls8
    AddIcon /theme/icons/png.png .png
    AddIcon /theme/icons/ps.png .ps
    AddIcon /theme/icons/psd.png .psd
    AddIcon /theme/icons/py.png .py
    AddIcon /theme/icons/rar.png .rar
    AddIcon /theme/icons/rb.png .rb
    AddIcon /theme/icons/rpm.png .rpm
    AddIcon /theme/icons/rss.png .rss
    AddIcon /theme/icons/script.png .bat .cmd .sh
    AddIcon /theme/icons/sql.png .sql
    AddIcon /theme/icons/tiff.png .tiff .tif
    AddIcon /theme/icons/text.png .txt .nfo
    AddIcon /theme/icons/video.png .asf .asx .avi .flv .mkv .mov .mp4 .mpg .rm .srt .swf .vob .wmv .m4v .f4v .f4p .ogv
    AddIcon /theme/icons/xml.png .xml
    AddIcon /theme/icons/zip.png .zip
    DefaultIcon /theme/icons/default.png

    #
    # THEME FILES
    #

    HeaderName /theme/header.html
    ReadmeName /theme/footer.html
    IndexStyleSheet /theme/style.css
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
- Then restart Apache2:
apache2ctl graceful
Whoever still feels like it should adapt /usr/local/share/Apaxy/apaxy/theme/{header.html,footer.html,style.css} to their own taste.
Looks better now.
mod_alias
Apache Documentation: https://httpd.apache.org/docs/2.4/mod/mod_alias.html
Offers Redirect, RedirectMatch, …
Allows delivery of "/icons" again after it was denied during the #Hardening in security.conf ("Require all denied" on /), by granting access to that directory.
/etc/apache2/mods-available/alias.conf
<IfModule alias_module>
    # Aliases: Add here as many aliases as you need (with no limit). The format is
    # Alias fakename realname
    #
    # Note that if you include a trailing / on fakename then the server will
    # require it to be present in the URL. So "/icons" isn't aliased in this
    # example, only "/icons/". If the fakename is slash-terminated, then the
    # realname must also be slash terminated, and if the fakename omits the
    # trailing slash, the realname must also omit it.
    #
    # We include the /icons/ alias for FancyIndexed directory listings. If
    # you do not use FancyIndexing, you may comment this out.

    Alias /icons/ "/usr/share/apache2/icons/"

    <Directory "/usr/share/apache2/icons">
        Options FollowSymlinks
        AllowOverride None
        # 2.4 syntax only: the old "Order Allow,Deny" / "Allow from All" pair
        # needs mod_access_compat and must not be mixed in (see mod_authz_host).
        Require all granted
    </Directory>

</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
mod_http2
Feature still experimental and changing.
- Let's try it out!
- HTTP/2 itself does not require encryption, but there is currently no browser that supports HTTP/2 without TLSv1.2,
- so encryption is kind of mandatory.
Apache-Documentation: https://httpd.apache.org/docs/2.4/mod/mod_http2.html
/etc/apache2/mods-available/http2.conf
## h2c -> http2 cleartext
## h2 -> http2 on TLS

Protocols h2c h2 http/1.1

#H2 Direct Protocol Switch
# Best in VirtualHost
#H2Direct on for h2c, off for h2 protocol
#H2Direct on

#Maximum number of active streams per HTTP/2 session.
#H2MaxSessionStreams 100

#Maximum number of seconds h2 workers remain idle until shut down.
#H2MaxWorkerIdleSeconds 600

#Maximum number of worker threads to use per child process.
#H2MaxWorkers n

#Minimal number of worker threads to use per child process.
#H2MinWorkers n

#Require HTTP/2 connections to be "modern TLS" only
#H2ModernTLSOnly on

#H2 Server Push Switch
#H2Push on

#H2PushPriority
#H2PushPriority * After 16

#Serialize Request/Response Processing Switch
#H2SerializeHeaders off

#Number of Extra File Handles
#H2SessionExtraFiles 5

#Maximum amount of output data buffered per stream.
#H2StreamMaxMemSize 65536

#
#H2TLSCoolDownSecs 1

#
#H2TLSWarmUpSize 1048576

#H2 Upgrade Protocol Switch
# Best in VirtualHost
#H2Upgrade on for h2c, off for h2 protocol
#H2Upgrade on|off

#Size of Stream Window for upstream data.
#H2WindowSize 65536
- After a reload the server response is "HTTP/2.0 200 OK", nice!
mod_nss
- mod_nss is an SSL provider derived from the mod_ssl module for the Apache web server that uses the Network Security Services (NSS) libraries. We started with mod_ssl and replaced the OpenSSL calls with NSS calls.
not really necessary
mod_php5
Please consider using php5-fpm and mod_fastcgi instead of mod_php5 (libapache2-mod-php5) with "suexec" or something comparable. It avoids some security problems of the default configuration, where the PHP interpreter runs in the context of "www-data" and can therefore read (and deliver to the client) files that are readable by the web server but should not be accessible to PHP.
mod_mpm_event
Apache Documentation: http://httpd.apache.org/docs/2.4/mod/event.html
- Uses a parent process to bind to port 80 with root privileges; it forks privilege-separated child processes, each of which spawns a listener/supporter thread (which handles new and idle connections) and a number of worker threads (that do the work).
- Worker derivative that handles idle connections by passing them to the supporter thread, freeing up system resources and workers in that way.
Thanks to the setup with php5-fpm it works even with PHP applications, whereas with mod_php5 I was formerly forced to use mpm_prefork only.
root@mail /etc/apache2 # a2dismod mpm_prefork
Module mpm_prefork disabled.
To activate the new configuration, you need to run:
  service apache2 restart
root@mail /etc/apache2 # a2enmod mpm_event
Considering conflict mpm_worker for mpm_event:
Considering conflict mpm_prefork for mpm_event:
Enabling module mpm_event.
To activate the new configuration, you need to run:
  service apache2 restart
root@mail /etc/apache2 # apache2ctl graceful
mod_rewrite
Apache Documentation: https://httpd.apache.org/docs/current/mod/mod_rewrite.html
- Extremely powerful module.
- Extremely complex and complicated to maintain.
- Unavoidable!
- Is probably already enabled.
mod_ssl
Please see OpenSSL on first steps of preparation.
Apache Documentation: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
- For me it is important to serve a clean, secure and state-of-the-art configuration, so hardening the SSL stack is mandatory.
- Always have the latest security patches for (lib|open)ssl and (lib)gnutls installed.
- Use strong crypto, disable broken suites, ciphers and hashes, and don't let yourself be compromised by old clients and compatibility. They're not worth it. (See man 1 ciphers.) Disable:
- Protocols:
  - SSLv2 (gone with OpenSSL 1.0.1)
  - SSLv3 (vulnerable to POODLE)
  - TLSv1.0 (vulnerable to BEAST/POODLE)
  - TLSv1.1 can be left in the list of protocols for reasons of compatibility (no known "real" vulnerabilities, yet)
- Cipher suites:
  - eNULL (no encryption)
  - aNULL (no authentication, e.g. anonymous Diffie-Hellman; vulnerable to man-in-the-middle)
  - EXPORT (weakened and designed to be broken (40 and 56 bits))
  - LOW (40 and 56 bit without exports)
  - MEDIUM (128-bit ciphers) (but we want strong crypto)
- Ciphers:
  - (A)RC4 terminally broken
  - (AES128: tried to exclude it, but this breaks compatibility with Iceweasel, no way…)
- Hashes:
  - MD5 (terminally broken, definitely insecure)
  - SHA1 (not free of collisions)
Order the string by cipher strength -> @STRENGTH
The OpenSSL default is currently 'ALL:!EXPORT:!aNULL:!eNULL:!SSLv2'. So mine is the string below; verify your SSLCipherSuite string using:
root@mail /etc/apache2 # openssl ciphers '@STRENGTH:HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!SSLv2:!SSLv3:!TLSv1:!MD5:!SHA'
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
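Expanding a cipher string with openssl shows which suites it selects, but not at a glance which of them are the weaker ones SSL Labs complains about (the CBC suites kept for IE and Safari in the Crypto-Hardening section) or which lack forward secrecy. As an added example that is not part of the original page, the functions below classify each suite of a colon-separated list by its OpenSSL name alone: key exchange is forward-secret only for ECDHE-/DHE- suites (static ECDH- and plain RSA suites are not), and a suite is AEAD only if it is GCM or CHACHA20-POLY1305, everything else being CBC with an HMAC. No openssl binary is needed; the list under test is the CIPHER_LIST Define'd on this page, copied here as a constant.

```shell
#!/bin/sh
# Added example (not from the original page): audit a colon-separated OpenSSL
# cipher list for forward secrecy and AEAD.  Usage:
#   weak_ciphers "$(openssl ciphers 'HIGH:!aNULL')"   or   weak_ciphers "$CIPHER_LIST"

# The CIPHER_LIST from the Crypto-Hardening section of this page.
PAGE_CIPHER_LIST='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

# Print "SUITE kx=fs|static mode=aead|cbc" for every suite in $1.
classify_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        case "$suite" in
            ECDHE-*|DHE-*) kx=fs ;;        # ephemeral (EC)DH: forward secrecy
            *)             kx=static ;;    # RSA key transport or static (EC)DH
        esac
        case "$suite" in
            *-GCM-*|*CHACHA20*) mode=aead ;;   # authenticated encryption
            *)                  mode=cbc ;;    # AES-SHA256/SHA384 & Co.: CBC + HMAC
        esac
        printf '%s kx=%s mode=%s\n' "$suite" "$kx" "$mode"
    done
}

# Print the suites of $1 that lack forward secrecy or use CBC, one per line.
weak_ciphers() {
    classify_ciphers "$1" | awk '/kx=static/ || /mode=cbc/ { print $1 }'
}

# Print how many suites of $1 are weak in that sense.
count_weak_ciphers() {
    weak_ciphers "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the page's list: the four CBC suites kept for old
# browsers are reported; all ten suites offer forward secrecy.
classify_ciphers "$PAGE_CIPHER_LIST"
echo "weak: $(count_weak_ciphers "$PAGE_CIPHER_LIST") of $(printf '%s' "$PAGE_CIPHER_LIST" | tr ':' '\n' | wc -l | tr -d ' ')"
```

Run it over the output of the openssl command above as well: that string is ordered by key length, so the static ECDH- and plain AES256-* suites it contains sit in front of the forward-secret AES128-GCM suites, which is the effect the Crypto-Hardening comment means by "@STRENGTH would pull weaker ciphers to the front".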
/etc/apache2/mods-available/ssl.conf
<IfModule mod_ssl.c>

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ## SSL Global Context
    ##
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    ##

    #
    # Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program (`builtin' is an internal
    # terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    # (The mechanism dbm has known memory leaks and should not be used).
    #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout 300

    # Semaphore:
    # Configure the path to the mutual exclusion semaphore the
    # SSL engine uses internally for inter-process synchronization.
    # (Disabled by default, the global Mutex directive consolidates by default
    # this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate. See the
    # ciphers(1) man page from the openssl package for list of all available
    # options.
    # Enable only secure ciphers:
    SSLCipherSuite @STRENGTH:HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!SSLv2:!SSLv3:!TLSv1:!MD5:!SHA

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice.
    # Clients may prefer lower grade encryption. You should enable this
    # option if you want to enforce stronger encryption, and can afford
    # the CPU cost, and did not override SSLCipherSuite in a way that puts
    # insecure ciphers first.
    # Default: Off
    SSLHonorCipherOrder on

    # The protocols to enable.
    # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    # SSL v2 is no longer supported
    SSLProtocol TLSv1.2 +TLSv1.1 -SSLv2 -SSLv3 -TLSv1

    # Allow insecure renegotiation with clients which do not yet support the
    # secure renegotiation protocol. Default: Off
    #SSLInsecureRenegotiation on

    # Whether to forbid non-SNI clients to access name based virtual hosts.
    # Default: Off
    #SSLStrictSNIVHostCheck On

</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
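The SSLProtocol line in ssl.conf above is read token by token; this added Python helper (example code, not from the page or from Apache) reproduces the evaluation rules given in the mod_ssl documentation so a protocol line can be checked before a restart. Assumed semantics: '+name' adds, '-name' removes, a bare name replaces everything selected so far (mod_ssl warns when that discards earlier tokens), 'all' is the set listed in the "Available values" comment above, and SSLv2 is only tolerated with a '-' prefix, as a no-op.

```python
"""Evaluate an Apache 2.4 SSLProtocol argument list token by token.
Added example (not from the page or from Apache).  Assumed semantics, from
the mod_ssl documentation of that era: '+name' adds, '-name' removes, a bare
name replaces everything selected so far (mod_ssl logs a warning when that
discards earlier tokens), and 'all' is the set below, matching the
"Available values" comment in ssl.conf above.  SSLv2 is assumed to be
accepted only with a '-' prefix, as a no-op."""

ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_KNOWN = {k.lower(): k for k in ALL + ("all", "SSLv2")}  # names are case-insensitive


def evaluate_sslprotocol(args):
    """Return (enabled_protocols, warnings) for the string following SSLProtocol.
    Raises ValueError for a token mod_ssl would reject at startup."""
    enabled = set()
    warnings = []
    for token in args.split():
        action, word = "", token
        if token[0] in "+-":
            action, word = token[0], token[1:]
        name = _KNOWN.get(word.lower())
        if name is None:
            raise ValueError("SSLProtocol: illegal protocol '%s'" % word)
        if name == "SSLv2":
            if action == "-":
                continue  # tolerated for old configurations, nothing to disable
            raise ValueError("SSLv2 not supported by this version of OpenSSL")
        protos = set(ALL) if name == "all" else {name}
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            if enabled:
                warnings.append("'%s' overrides already set protocol(s); "
                                "check if a +/- prefix is missing" % token)
            enabled = protos
    return enabled, warnings


if __name__ == "__main__":
    # The line from ssl.conf above: a repeated -SSLv2 is harmless.
    print(evaluate_sslprotocol("TLSv1.2 +TLSv1.1 -SSLv2 -SSLv2 -TLSv1"))
    # Two bare names in a row: the second silently narrows the selection.
    print(evaluate_sslprotocol("TLSv1.2 TLSv1.1"))
```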
- In the next step, test the configuration, enable mod_ssl and restart the server.
root@mail /etc/apache2/mods-available # apache2ctl configtest
Syntax OK
root@mail /etc/apache2 # a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
Test it
After these steps a vHost listening on port 443 should be up; to test the configuration, please see #Crypto-vHost.
Here are some utilities to test the webserver:
- Qualys SSL Labs test: https://www.ssllabs.com/ssltest/
- I landed on Grade "A-" apart from the untrusted (self-signed) certificate. More on hardening the crypto later. Minimum requirement should be somewhat above Grade "B", like Google does (for compatibility reasons).
mod_status
Apache documentation: http://httpd.apache.org/docs/2.4/mod/mod_status.html
With all requests on port 80 being redirected to 443, a small tweak to the way the apache2 status is fetched is necessary. There are several possibilities:
- Using mod_rewrite in the port 80 vHost circumvents this problem, but may offer slightly less performance.
- The redirected vHost must (as below) be part of the mod_status whitelist (Require / allow from). Once we have a valid certificate installed here, the traffic is even encrypted.
- A RedirectMatch can be placed to push any URI up to https, as documented in #Redirection to https.
- If we like, we can change APACHE_STATUSURL in /etc/apache2/envvars to the encrypted path. The host must be replaced with the FQDN (the commonName in the certificate subject) since the certificate is not valid for "localhost": APACHE_STATUSURL="https://mail.rockstable.org/server-status"
<IfModule mod_status.c>
    # Allow server status reports generated by mod_status,
    # with the URL of http://servername/server-status
    # Uncomment and change the "192.0.2.0/24" to allow access from other hosts.

    <Location /server-status>
        SetHandler server-status
        Require local
        #Require ip 192.0.2.0/24
        ### Don't use the old stuff anymore
        #order deny,allow
        #deny from all
        #allow from localhost
        #allow from mail.rockstable.org
    </Location>

    # Keep track of extended status information for each request
    ExtendedStatus On

    # Determine if mod_status displays the first 63 characters of a request or
    # the last 63, assuming the request itself is greater than 63 chars.
    # Default: Off
    #SeeRequestTail On


    <IfModule mod_proxy.c>
        # Show Proxy LoadBalancer status in mod_status
        ProxyStatus On
    </IfModule>


</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet