Protection options for HTTPS Apache servers

Dec 06, '04 09:32:00AM

Contributed by: MartySells

This tip describes how to configure an Apache 2.x SSL server in a manner that is unusually resilient to attack: it hides version information from clients and restricts which SSL ciphers may be negotiated for the sensitive parts of the site. It assumes that you already have a working SSL server, and know how to use the various Apache configuration contexts (server config, virtual host, directory, etc.). Note: I did not test the syntax of the commands in this tip explicitly on a test server. There may be mistakes, but getting it to work should be fairly straightforward.

First, some best practices for your server configuration. ServerTokens Prod reduces the Server response header to just "Apache", with no version number or module list, and ServerSignature Off keeps the version line off server-generated pages such as error documents:

  ServerTokens Prod
  ServerSignature Off

Reading the documentation for mod_ssl will help you understand what's going on. Looking at the SSLCipherSuite directive, it tells us that mod_ssl's default cipher list is:

  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
So the first thing we do is disable ciphers at the server context with:
  SSLCipherSuite -ALL
This, of course, makes the server refuse to talk to anything! Very secure, but probably not what you want (and note that, depending on your OpenSSL build, an empty cipher list may stop mod_ssl from starting at all, with an "Unable to configure permitted SSL ciphers" error, rather than merely rejecting handshakes). Reading the docs for SSLCipherSuite more carefully, we see:
Notice that this directive can be used both in per-server and per-directory context. In per-server context, it applies to the standard SSL handshake when a connection is established. In per-directory context, it forces an SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read, but before the HTTP response is sent.
The per-server list therefore decides whether a connection can be established at all, while the per-directory list is applied afterwards, by renegotiation, to a connection that already exists. So the server-wide list has to allow at least the ciphers you are willing to start a session with (the default list above with ADH, EXP, LOW and SSLv2 removed is a reasonable floor), and the restriction to the strongest ciphers goes into the directory that needs it.
So now we go in and enable only the strong ciphers for a particular area, and at the same time refuse plain-HTTP access to it with SSLRequireSSL, with say:
<Directory "/disc2/htdocs/mysecretplace/">
  SSLCipherSuite HIGH
  SSLRequireSSL
</Directory>
Then restart Apache and test your configuration with openssl s_client:
  echo -e 'GET / HTTP/1.0\n\n' | openssl s_client -state -connect server:443
  echo -e 'GET /mysecretplace/ HTTP/1.0\n\n' | openssl s_client -state -connect server:443
With the server-wide list emptied as above, both requests fail with a nasty-looking SSL error, and the -state output shows the handshake breaking before any HTTP is exchanged: the per-directory list only takes effect after a request has been read, so it cannot rescue a connection that was never established. Give the server context a list that still permits a handshake and repeat the test. The first request now completes with a cipher from the server-wide list. On the second, the -state output shows a second round of handshake messages after the GET has been sent (the renegotiation the documentation describes, including the "change cipher spec" exchange), after which the response for /mysecretplace/ arrives if one of the HIGH ciphers is agreed, or the connection dies with a handshake error if it is not. How is this better than configuring my server to use user credentials through AuthType Basic and require valid-user? What other cool tricks are possible? [robg adds: This hint assumes a relatively high level of Apache configuration experience. A recent hint explained how to get HTTPS working with OS X's webserver, which is necessary before using any of this hint, obviously.]
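To check the result more systematically than two hand-typed s_client commands, here is a small shell script, added as an example and not part of the original hint, that offers the server one cipher at a time for a given path and reports whether the request was answered. It assumes openssl is on the PATH and that the target is a server you are allowed to test; the host name "server" and the path /mysecretplace/ from the hint are placeholders to replace.

```sh
#!/bin/sh
# Added example (not from the original hint): probe which ciphers an HTTPS
# server accepts for a given path, one cipher at a time, with openssl s_client.
# Assumptions: openssl is on the PATH, and HOST:PORT is a server you may test;
# "server" and "/mysecretplace/" from the hint are placeholders, not real hosts.

# Send one HTTP/1.0 request over TLS, offering only the cipher named in $4,
# and print the full s_client transcript (handshake states plus any response).
probe_cipher() {  # host port path cipher
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$3" "$1" |
        openssl s_client -connect "$1:$2" -cipher "$4" -state -ign_eof 2>&1
}

# Reduce an s_client transcript to a verdict: "rejected" if no cipher was
# agreed (either at connect time, or during the per-directory renegotiation
# that mod_ssl performs after reading the request), otherwise the negotiated
# cipher name followed by the HTTP status code, e.g. "AES256-SHA 200".
verdict() {
    transcript=$1
    if printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        echo rejected
        return
    fi
    if printf '%s\n' "$transcript" | grep -q 'alert.*handshake failure'; then
        echo rejected
        return
    fi
    cipher=$(printf '%s\n' "$transcript" | sed -n 's/^ *Cipher *: *//p' | tail -n 1)
    status=$(printf '%s\n' "$transcript" |
        sed -n 's|^HTTP/1\.[01] \([0-9]\{3\}\).*|\1|p' | head -n 1)
    echo "${cipher:-unknown} ${status:-nostatus}"
}

# Try every cipher this OpenSSL knows and print the verdict for each, so you
# can confirm that only the intended ciphers work under the protected path.
scan_ciphers() {  # host port path
    for c in $(openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' ' '); do
        printf '%-32s %s\n' "$c" "$(verdict "$(probe_cipher "$1" "$2" "$3" "$c")")"
    done
}

# Only run a scan when invoked with host, port and path, so the functions can
# also be sourced into another script.
if [ "$#" -eq 3 ]; then
    scan_ciphers "$1" "$2" "$3"
fi
```

Saved as, say, cipherscan.sh, run it once against / and once against /mysecretplace/ (`sh cipherscan.sh server 443 /mysecretplace/`). With a non-empty server-wide list and HIGH in the directory, ciphers outside HIGH should be reported with a status code for / but as "rejected" for the protected path, because the renegotiation after the request fails for them; anything reported as accepted under the protected path that you did not intend is a configuration error worth fixing before relying on it.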

Mac OS X Hints
http://hints.macworld.com/article.php?story=20041203233819802