With CVE-2014-8730 the POODLE attack is back. However with the right config it is not an issue. https://mariobrandt.de/archives/apache/current-2013-bullet-proof-ssl-config-779/ is still the right config for this :) Make sure that your server is bullet proof, too.
Posts Tagged apache
Well I really like mod_fcgid with PHP on my Apaches on Windows. But since every time a PHP process get it’s signal to die, mod_fcgid creates on windows an entry in the error log cause the graceful stop always fails.
There in a patch for that! I made a bug report (54597), but it didn’t go in the code yet. If you wanna patch it yourself, here it is.
--- modules/fcgid/fcgid_pm_main.c (revision 1448988)
+++ modules/fcgid/fcgid_pm_main.c (working copy)
@@ -333,10 +333,17 @@
current_node->proc_pool);
}
else {
+#ifndef WIN32
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, main_server,
"mod_fcgid: process %" APR_PID_T_FMT
" graceful kill fail, sending SIGKILL",
current_node->proc_id.pid);
+#else
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server,
+ "mod_fcgid: process %" APR_PID_T_FMT
+ " graceful kill fail, sending SIGKILL",
+ current_node->proc_id.pid);
+#endif
proc_kill_force(current_node, main_server);
}
}
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
How to achieve apache with a bullet proof SSL config and HTTP Strict Transport Security (HSTS) with long duration
Here is goes
<IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15553000; includeSubDomains" </IfModule> SSLUseStapling on SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000) SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000) SSLOptions +StrictRequire +StdEnvVars -ExportCertData SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 SSLCompression Off SSLHonorCipherOrder On SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
This gives a A+ at Qualys SSL Labs SSL Test.
Now in December 2013 the best available SSL config with a 4096 bit RSA Key and httpd Apache 2.4.7 with OpenSSL/1.0.1e.
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000) SSLOptions +StrictRequire +StdEnvVars -ExportCertData SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 SSLCompression Off SSLHonorCipherOrder On SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
YES Windows XP is no longer supported with this. But for me there is no more need to do so.
The SSL Test Lap Test shows a very good result. The Cipher Strength is at 100%. So any browser will use a 256 bit encrypted connection to that server.
On Windows it seems not to be that easy figure out if some process is listening on port 80 or 443.
A simple command line command can show the pid of the process that is listening.
netstat -ano | findstr /R 0.0:80 && netstat -ano | findstr /R 0.0:443
Easy ;)
SSL Tests like https://www.ssllabs.com/ssltest/index.html show a vulnerability against CRIME Attack. To overcome / defend that with apache you can turn off the SSL compression.
SSLCompression off
That makes it easy to defend it.
wget http://httpd.apache.org/dev/dist/httpd-2.4.2.tar.gz wget http://httpd.apache.org/dev/dist/httpd-2.4.2-deps.tar.gz tar xvfz httpd-2.4.2.tar.gz tar xvfz httpd-2.4.2-deps.tar.gz cd httpd-2.4.2/srclib wget http://mirror.netcologne.de/apache.org//apr/apr-iconv-1.2.1.tar.gz tar xvfz apr-iconv-1.2.1.tar.gz mv apr-iconv-1.2.1 apr-iconv wget http://zlib.net/zlib-1.2.6.tar.gz tar xvfz zlib-1.2.7.tar.gz mv zlib-1.2.7 zlib wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.21.tar.gz tar xvfz pcre-8.21.tar.gz mv pcre-8.21 pcre wget http://www.openssl.org/source/http://openssl.org/source/openssl-1.0.1.tar.gz tar xfz openssl-1.0.1.tar.gz cd openssl-* ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared make make test sudo make install cd ../.. ./buildconf ./configure --prefix=/opt/apache2 --enable-pie --enable-mods-shared=all --enable-so --disable-include --enable-deflate --enable-headers --enable-expires --enable-ssl=shared --enable-mpms-shared=all --with-mpm=event --enable-rewrite --with-z=/home/mario/apache24/httpd-2.4.2/srclib/zlib --enable-module=ssl --enable-fcgid --with-included-apr make sudo make install cd .. wget http://www.trieuvan.com/apache//httpd/mod_fcgid/mod_fcgid-2.3.7.tar.gz tar xvfz mod_fcgid-2.3.7.tar.gz cd mod_fcgid-* APXS=/opt/apache2/bin/apxs ./configure.apxs make sudo make install
For using PHP install php-cgi
add httpd.conf
FcgidMaxProcesses 50 FcgidFixPathinfo 1 FcgidProcessLifeTime 0 FcgidTimeScore 3 FcgidZombieScanInterval 20 FcgidMaxRequestsPerProcess 0 FcgidMaxRequestLen 33554432 FcgidIOTimeout 120
in each vhost
Options Indexes ExecCGI AddHandler fcgid-script .php FCGIWrapper /usr/lib/cgi-bin/php5 .php
With httpd Apache 2.4.x is is more simple to do stuff than with 2.2.x
Like forcing the www. in front of a domain. Apache now supports the If Elseif Else :-) Pretty nice!
Light example
<If "$req{Host} != 'www.example.com'">
RedirectMatch (.*) http://www.example.com$1
</If>
Easy, isn’t it?
A bit more old fashion way, so you can use the %{bla} stuff you already know.
<If "%{HTTP_HOST} == 'example.com'">
Redirect permanent / http://www.example.com
</If>
Also nice is the Define Directive.
OK you have to start apache with the -D parameter. Like httpd -D TEST
<IfDefine TEST> Define servername test.example.com </IfDefine> <IfDefine !TEST> Define servername www.example.com Define SSL </IfDefine>
If you have some example, please let me know!
The Problem on the long term ubuntu 8.04 and the current stable debian is that they ship the old OpenSSL 0.9.8o With that I wasn’t able to compile the new apache 2.4.1 with all the SSL features I want. Downloading the OpenSSL source and just configure make make install didn’t help at all.
checking whether to enable mod_ssl... checking dependencies checking for OpenSSL... checking for user-provided OpenSSL base directory... none checking for OpenSSL version >= 0.9.7... FAILED configure: WARNING: OpenSSL version is too old no checking whether to enable mod_ssl... configure: error: mod_ssl has been requested but can not be built due to prerequisite failures mario@h2020668:~/apache24/httpd-2.4.1$ openssl version OpenSSL 0.9.8o 01 Jun 2010
The only thing that helped was to use the unix config script plus the right prefix plus the shared option
wget http://openssl.org/source/openssl-1.0.1.tar.gz tar xfz openssl-1.0.1.tar.gz cd openssl-* ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared make sudo make install
Debian is very fine, but sometimes it sucks because of the lag of new software versions
Since the API in Apache 2.4.x has changed the mod_dav_svn module from svn doesn’t build currently. I made patch for that. There is only a small issue in subversion/mod_dav_svn/util.c
Index: util.c
===================================================================
--- util.c (revision 1299310)
+++ util.c (working copy)
@@ -627,8 +627,14 @@
if (errscan->desc == NULL)
continue;
- if (errscan->save_errno != 0) {
+#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)
+ if (errscan->aprerr != 0) {
+ errno = errscan->aprerr;
+#else
+ if (errscan->save_errno != 0) {
errno = errscan->save_errno;
+#endif
+
ap_log_rerror(APLOG_MARK, level, errno, r, "%s [%d, #%d]",
errscan->desc, errscan->status, errscan->error_id);
}
Now it compiles against Apache 2.2 and Apache 2.4
Any feedback is welcome.
Archives by Subject:
- Categories
Archives by Month:
- January 2019
- October 2018
- August 2018
- June 2018
- April 2018
- March 2018
- February 2018
- November 2017
- June 2017
- April 2017
- February 2017
- January 2017
- November 2016
- September 2016
- May 2016
- February 2016
- September 2015
- August 2015
- July 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- July 2014
- June 2014
- April 2014
- January 2014
- December 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- August 2012
- July 2012
- June 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009