Apache mod ssl configuration

From wiki.techunit.org

Introduction

How to obtain an A+ in the Qualys SSL Labs security test

See Also

Migration to Apache2

Configure Varnish with Apache to provide HTTPS

HTTPS Definition from www.pcmag.com

HTTPS (HyperText Transport Protocol Secure) The protocol used to access a secure Web server. When https:// is used as the prefix of a Web address rather than the common http://, the session is managed by a security protocol, which is typically SSL, and the transmission is encrypted to and from the Web server. Increasingly, non-financial Web sites use HTTPS; for example, in 2015, Wikipedia switched to HTTPS. For details about the HTTP protocol, see HTTP. To learn about the security protocol, see SSL and security protocol. See HSTS and HTTPS Everywhere.

Issue

As HTTPS has become the standard protocol for Web applications, a minimum of knowledge about it, and about how to deploy it on your website, is now required.

Useful tools

How to configure SSL module on Apache Web server

I did a little research on best practices for configuring Apache's SSL module. Here are some steps to obtain the best results for your website's reputation and to reduce the risk of your application being compromised.

Enable mod ssl

a2enmod ssl
service apache2 restart

How to create SSL certificates

Configure HTTPS virtualhost

  • Edit and adapt your virtualhost
<IfModule mod_ssl.c>
<VirtualHost 196.154.168.73:443>
ServerName www.example.com
DocumentRoot /var/www/www.example.com
SSLEngine On
SSLCertificateFile /path/to/your/www.example.com.crt.pem
SSLCertificateKeyFile /path/to/your/www.example.com.key.pem
</VirtualHost>
</IfModule>

Optimize ssl module

  • Edit /etc/apache2/mods-enabled/ssl.conf
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

SSLHonorCipherOrder on
SSLStrictSNIVHostCheck Off
SSLCompression off

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

Additional vhost settings

  • Add this block to /etc/apache2/sites-available/www.example.com
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

<IfModule mod_headers.c>
### headers_module must be enabled for these extra security settings
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
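To check that a configuration actually carries the settings from the two blocks above before pointing SSL Labs at it, here is a small Python checker added as an example (not part of the original page or of Apache). It assumes that the ALL keyword in SSLProtocol expands to SSLv3 through TLSv1.2, treats a missing directive as a finding, and uses a constructed sample configuration; the function names are the editor's own.

```python
import re
# Constructed sample mirroring the ssl.conf and vhost directives above (not a real host's config).
SAMPLE_CONF = """
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
"""
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumed expansion of the ALL keyword
MIN_HSTS_AGE = 15768000  # six months, the smallest max-age SSL Labs credits for HSTS
EXPECTED = {"sslcompression": "off", "sslhonorcipherorder": "on", "sslusestapling": "on"}

def parse_directives(text):
    """Return ({directive name (lower-case): args}, [Header args]); a repeated directive keeps its last value."""
    directives, headers = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):  # skip comments and <IfModule>/<VirtualHost> tags
            continue
        name, _, args = line.partition(" ")
        if name.lower() == "header":
            headers.append(args)
        else:
            directives[name.lower()] = args.strip()
    return directives, headers

def enabled_protocols(spec):
    """Apply Apache's +/- token semantics to an SSLProtocol value and return the enabled set."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        group = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | group if sign == "+" else enabled - group
    return enabled

def check_ssl_conf(text):
    """Return a list of findings; an empty list means the hardening targets on this page are met."""
    d, headers = parse_directives(text)
    findings = []
    if enabled_protocols(d.get("sslprotocol", "all")) & {"SSLv2", "SSLv3"}:  # no SSLProtocol: assume ALL
        findings.append("SSLv2/SSLv3 still enabled (POODLE)")
    for name, want in EXPECTED.items():  # a missing directive is treated as a finding (conservative)
        if d.get(name, "").lower() != want:
            findings.append(f"{name} should be {want}")
    hsts = [h for h in headers if "Strict-Transport-Security" in h]
    m = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS missing or max-age shorter than six months")
    return findings
```

Run `check_ssl_conf(open("/etc/apache2/mods-enabled/ssl.conf").read() + open("/etc/apache2/sites-available/www.example.com").read())` to test both files together; an empty list means nothing to fix.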

Sources

Useful Links

Elliot
techUnit's cofounder