Apache HTTP Server

From Indie IT Wiki

HOWTO: Secure Apache SSL

https://techbrij.com/free-ssl-lets-encrypt-apache-ubuntu

sudo nano /etc/apache2/mods-available/ssl.conf

# Disable SSLv2, SSLv3 and TLS 1.0 (leaves TLS 1.1 and newer)
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1

sudo service apache2 restart

Test the result from outside...

https://www.ssllabs.com/ssltest

Notes on enabling perfect forward secrecy in Apache...

https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm#apache_forward_secrecy

HOWTO: Fix Error In Apache 2.4.3+ "Client Denied By Server Configuration"

Make sure the <Directory> block for your site in your Virtual Host config contains this Apache 2.4.3+ directive (Apache 2.4 uses Require in place of the old Order/Allow/Deny directives)...

Require all granted

Thanks - http://stackoverflow.com/questions/10351167/apache-client-denied-by-server-configuration

HOWTO: Upgrade To Apache 2.4 On Ubuntu 12.04 LTS

sudo aptitude remove ~iapache
sudo apt-add-repository ppa:ondrej/apache2
sudo aptitude update
sudo aptitude install apache2
sudo aptitude install libapache2-mod-php5

HOWTO: Test POST Requests

curl -X POST http://www.website.co.uk/PAULLY.php

HOWTO: Stop POST Requests

Allow .htaccess overrides for the directory in your Virtual Host config...

<VirtualHost *:80>
 ...
 <Directory /var/www/site/unsafe>
   AllowOverride ALL
 </Directory>
</VirtualHost>

...and enable mod_rewrite...

sudo a2enmod rewrite

Add the following to a file called .htaccess in the web site root directory. This example shows a Contact Us PHP page which IS allowed to POST while everything else is refused...

# deny all POST requests (the contact form is excluded here and allowed below)
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} POST
  RewriteCond %{REQUEST_URI} !/contact_submit\.php$
  RewriteRule .* - [F,L]
</IfModule>
# refuse every method other than GET and HEAD (Apache 2.2 access syntax)
<LimitExcept GET HEAD>
  Order Allow,Deny
  Deny from all
</LimitExcept>
# allow the contact us page
<Files contact_submit.php>
  Order Allow,Deny
  Allow from all
</Files>

Restart Apache...

sudo service apache2 restart

HOWTO: Fix Error: The timeout specified has expired: SSL input filter read failed

If you see the following lines in your Apache logs...

The timeout specified has expired: SSL input filter read failed.

...then you need to do two things to fix it.

1. Change all your VirtualHost directives to a specific IP address instead of *:443...

<VirtualHost 192.168.1.252:443>

2. Add the following line to the end of your VirtualHost SSL port 443 directives blocks...

  SetEnv nokeepalive ssl-unclean-shutdown
</VirtualHost>

Thanks - http://serverfault.com/questions/539961/apache-request-header-read-timeout-reverse-proxy

HOWTO: Convert Apache SSL Certificate to Windows IIS

Conversion

https://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-an-apache-server-to-a-windows-server.html

Installation

https://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm

HOWTO: Fix POODLEbleed Bug

# Disable SSLv2 and SSLv3 (POODLE) and TLS compression (CRIME),
# and let the server rather than the client choose the cipher
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
# Legacy Internet Explorer workarounds from the stock Apache ssl.conf
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Thanks - http://poodlebleed.com
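As an added check (this script is not part of the wiki page or of Apache), the following shell function reads an Apache mod_ssl configuration fragment and reports the settings that the two SSL HOWTOs on this page (Secure Apache SSL near the top, and this POODLE fix) tell you to change: old protocols left enabled, compression not off, cipher order not honoured, and weak OpenSSL cipher selectors that are enabled rather than excluded with "!". The two configuration fragments at the bottom are constructed for the demonstration and are not from a real server.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an Apache mod_ssl configuration
# fragment for the settings the two SSL HOWTOs on this page recommend.
# Usage: audit_ssl_config < /etc/apache2/mods-available/ssl.conf
# Prints one "FINDING:" line per weak setting, then an "N finding(s)" line.

# Last uncommented occurrence of directive $2 in config text $1
# (when a directive is repeated, Apache uses the last one it reads).
directive_line() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Ei "^[[:space:]]*$2([[:space:]]|$)" | tail -n 1
}

# Does SSLProtocol line $1 exclude protocol $2 (e.g. "-SSLv3")?
proto_excluded() { printf '%s\n' "$1" | grep -Eiq -- "-$2([[:space:]]|$)"; }

# Does SSLProtocol line $1 name $2 positively ("TLSv1", "+TLSv1" or "all")?
proto_listed() { printf '%s\n' "$1" | grep -Eiq -- "(^|[[:space:]+])$2([[:space:]]|$)"; }

audit_ssl_config() {
    local conf n line p weak
    conf=$(cat)
    n=0

    # 1. Protocols. Apache's default is "all", so a missing directive, or
    #    "all" without "-SSLv3"/"-TLSv1", leaves the old protocol enabled.
    line=$(directive_line "$conf" SSLProtocol)
    for p in SSLv2 SSLv3 TLSv1; do
        if [ -z "$line" ] || proto_listed "$line" "$p" \
           || { proto_listed "$line" all && ! proto_excluded "$line" "$p"; }; then
            echo "FINDING: $p still enabled (SSLProtocol: ${line:-<not set>})"
            n=$((n + 1))
        fi
    done

    # 2. TLS compression (CRIME) must be explicitly off.
    line=$(directive_line "$conf" SSLCompression)
    if ! printf '%s\n' "$line" | grep -Eiq '[[:space:]]off[[:space:]]*$'; then
        echo "FINDING: SSLCompression is not off (${line:-<not set>})"
        n=$((n + 1))
    fi

    # 3. The server, not the client, should pick the cipher.
    line=$(directive_line "$conf" SSLHonorCipherOrder)
    if ! printf '%s\n' "$line" | grep -Eiq '[[:space:]]on[[:space:]]*$'; then
        echo "FINDING: SSLHonorCipherOrder is not on (${line:-<not set>})"
        n=$((n + 1))
    fi

    # 4. Cipher list: weak OpenSSL selectors that appear as whole ':'-separated
    #    elements without a leading "!" are enabled, not excluded.
    line=$(directive_line "$conf" SSLCipherSuite)
    if [ -z "$line" ]; then
        echo "FINDING: SSLCipherSuite not set (OpenSSL's default list applies)"
        n=$((n + 1))
    else
        for weak in $(printf '%s\n' "$line" | awk '{print $2}' | tr -d '"' | tr ':' '\n' \
                      | grep -Ei '^(aNULL|eNULL|NULL|MD5|RC4|DES|3DES|EXP|EXPORT|LOW)$'); do
            echo "FINDING: weak selector '$weak' enabled in SSLCipherSuite"
            n=$((n + 1))
        done
    fi

    echo "$n finding(s)"
    return 0
}

# Constructed sample fragments for the demonstration (not from a real server).
WEAK_CONF='SSLEngine on
# settings typical of an untouched 2.2-era install
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:aNULL:MD5
SSLCompression on'

HARDENED_CONF='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES'

printf '%s\n' "$WEAK_CONF" | audit_ssl_config
```

This is a text check only: it does not expand the OpenSSL cipher string, so what the server actually negotiates still needs confirming against the running host with the SSL Labs test linked above. Note that the first SSL block on this page would produce two findings here (no SSLCompression and no SSLHonorCipherOrder line), which is exactly what the POODLE block adds.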

HOWTO: Remove Unwanted Modules

List

sudo apache2ctl -M

Remove (a2dismod prompts for the module name when none is given)

sudo a2dismod

Test

sudo apache2ctl configtest

Restart

sudo service apache2 restart

HOWTO: Generate SSL Certificate

Log in to your web server via SSH, create an 'ssl' directory, and then run the following.

e.g.

su - root
cd
mkdir ssl
cd ssl
openssl req -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr -subj "/C=GB/ST=Kent/L=Folkestone/O=The Company Name/OU=IT/CN=mydomain.co.uk"

Now copy the text of the mydomain.csr file, log in to your SSLs.com account, and follow the prompts.

https://www.ssls.com

http://www.rosehosting.com/blog/set-up-ssl-encrypted-connection-in-postfix-dovecot-and-apache/ (Apache + Dovecot)

https://support.comodo.com/index.php?/Knowledgebase/Article/View/1/19/csr-generation-using-openssl-apache-wmod_ssl-nginx-os-x

HOWTO: Install SSL Certificate

SSLEngine on
SSLCertificateFile /etc/letsencrypt/ssl/server.crt
SSLCertificateKeyFile /etc/letsencrypt/ssl/server.key

Note: If you are missing chain.pem, you can get it from the second certificate in the .crt file, or from the link below:

https://letsencrypt.org/certificates/

On newer Apache versions (2.4.8 and later) SSLCertificateChainFile is no longer needed; the intermediate certificate is appended to the file given to SSLCertificateFile instead. On older versions add...

SSLCertificateChainFile /etc/letsencrypt/ssl/chain.pem

Where...

server.crt = domain certificate + Issuer certificate
chain.pem  = Issuer certificate = Intermediate certificate = chain certificate
server.key = domain key file

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/66/

Comodo Positive SSL CA Bundle

New-PositiveSSL-bundle-12.ca-bundle

https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=120

HOWTO: Benchmark

ab -n 100 -c 10 http://your.domain.com/

HOWTO: Add The Missing HTPasswd Application

The application htpasswd is not installed by default. To add it, run this command...

sudo aptitude install apache2-utils

HOWTO: Stop Unwanted, Unnecessary And Exploitable cPanel Scripts

cd /usr/local/cpanel/cgi-sys/
chmod 0000 Formmail* formail* guestbook* Count*

http://douglas.wordpress.com/2008/04/06/disabling-unnecessary-and-exploitable-scripts/

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CpanelDocs/CGICenter

HOWTO: Block w00tw00t Vulnerability Scanner

/sbin/iptables -I INPUT -d MY.IP.ADDRESS -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.' -j DROP

http://spamcleaner.org/en/misc/w00tw00t.html

HOWTO: Secure Tighten

  1. examine
  2. general
  3. mod_evasive
  4. mod_security
  5. testing

examine

NEW - Use Kali Linux USB Distro - NEW

Download the Nikto software from here...

http://cirt.net/nikto2

Unpack, and then update...

perl nikto.pl -update

Run your first test...

perl nikto.pl -h server.name

During a scan, you can press these keys...

SPACE - Report current scan status
v - Turn verbose mode on/off
d - Turn debug mode on/off
e - Turn error reporting on/off
p - Turn progress reporting on/off
r - Turn redirect display on/off
c - Turn cookie display on/off
o - Turn OK display on/off
a - Turn auth display on/off
q - Quit
N - Next host
P - Pause

How to fix common issues...

+ Server leaks inodes via ETags, header found with file /, inode: 1049636, size: 536, mtime: 0x4e6d13349dea4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-562: /server-info: This gives a lot of Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/index.html: Admin login page/section found.

And...

+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 21637505, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2013-10-20 23:44:09 (GMT0) (24 seconds)

Edit the Apache Server security file, whichever of these your distribution uses...

sudo nano /etc/apache2/conf.d/security                # Debian/Ubuntu with Apache 2.2
sudo nano /etc/httpd/conf/httpd.conf                  # RHEL/CentOS
sudo nano /etc/apache2/conf-enabled/security.conf     # Debian/Ubuntu with Apache 2.4

Add these lines at the bottom...

#
# Paully's Security Tweaks
#
# stop ETags leaking inode numbers
Header unset ETag
FileETag None
# anti-clickjacking
Header always append X-Frame-Options SAMEORIGIN
# no version details on error pages or in the Server header
ServerSignature Off
ServerTokens Prod
# disable the TRACE method
TraceEnable Off

Enable mod_headers...

sudo a2enmod headers

Reload Apache...

sudo service apache2 reload     # Debian/Ubuntu
service httpd restart           # RHEL/CentOS

Retest with Nikto...

nikto -host 192.168.0.2

http://www.reecefowell.com/2012/09/27/nikto-server-auditing-and-resolving-issues/
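As an added example that is not from the wiki page, here is a shell check that runs over a captured set of HTTP response headers and reports the four items Nikto flagged above (Server banner with version, inode-revealing ETag, missing X-Frame-Options, TRACE still enabled), naming the directive from the tweaks block that fixes each one. The two header dumps at the bottom are constructed, not real captures; on a real server feed it the output of curl -s -D - -o /dev/null -X OPTIONS http://host/ (an OPTIONS response carries the Allow header).

```shell
#!/bin/sh
# Added example, not from the wiki page: check captured response headers for
# the findings the "Paully's Security Tweaks" block above fixes.
# Usage: curl -s -D - -o /dev/null -X OPTIONS http://host/ | audit_headers

# Value of the first header named $2 in header text $1 (names are case-insensitive).
header_value() {
    printf '%s\n' "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

audit_headers() {
    local hdrs n v
    hdrs=$(tr -d '\r')        # HTTP uses CRLF line endings; drop the CR
    n=0

    # ServerTokens Prod reduces the banner to just "Apache"; a slash or bracket
    # means the version (and usually the OS) is being published.
    v=$(header_value "$hdrs" Server)
    if printf '%s\n' "$v" | grep -q '[/(]'; then
        echo "FINDING: Server banner leaks version/OS: $v (set ServerTokens Prod)"
        n=$((n + 1))
    fi

    # Apache's default ETag is inode-size-mtime in hex, which is what Nikto decodes.
    v=$(header_value "$hdrs" ETag)
    if printf '%s\n' "$v" | grep -Eqi '^"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$'; then
        echo "FINDING: ETag exposes inode number: $v (FileETag None / Header unset ETag)"
        n=$((n + 1))
    fi

    # Missing anti-clickjacking header.
    if [ -z "$(header_value "$hdrs" X-Frame-Options)" ]; then
        echo "FINDING: X-Frame-Options not present (Header always append X-Frame-Options SAMEORIGIN)"
        n=$((n + 1))
    fi

    # TRACE listed in an OPTIONS response means TraceEnable is still on.
    v=$(header_value "$hdrs" Allow)
    if printf '%s\n' "$v" | grep -qi 'TRACE'; then
        echo "FINDING: TRACE method allowed: $v (TraceEnable Off)"
        n=$((n + 1))
    fi

    echo "$n finding(s)"
    return 0
}

# Constructed sample responses (not real captures): before and after the tweaks.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Allow: GET,HEAD,POST,OPTIONS,TRACE
ETag: "1049636-218-4e6d13349dea4"
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

printf '%s\n' "$BEFORE" | audit_headers
```

It covers only the headers the tweaks above change; Nikto's file and directory findings (/server-info, /icons/README, /admin/) still need the config changes and retest described in this section.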

general

http://httpd.apache.org/docs/trunk/misc/security_tips.html

mod_evasive

http://systembash.com/content/how-to-stop-an-apache-ddos-attack-with-mod_evasive/

mod_security

http://www.root25.com/2012/11/how-to-install-modsecurity-on-apache-ubuntu12-stepbystep-tutorial.html

https://raw.github.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended

http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

http://www.grosseosterhues.com/2011/07/enabling-mod-security-protection-in-apache2-on-ubuntu/

testing

In order to prove the setup is working, a test file called test.php with the following content can be used:

<?php
// Deliberately vulnerable (unfiltered include of a user-supplied path): it exists
// only to confirm that ModSecurity blocks the request before PHP ever runs it.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

It's supposed to be placed in the root of your web server, so that it can be accessed by http://yourserver.tld/test.php. To run the actual test, the following address will do:

http://yourserver.tld/test.php?secret_file=/etc/passwd

If the content of /etc/passwd is displayed, ModSecurity is not working. A working installation will show a "403 Forbidden" error message. Remove test.php again once the test is done.

Other test requests (a directory traversal and an SQL injection probe) that a working installation should also answer with 403 Forbidden...

http://yourserver.tld/?abc=../../

http://yourserver.tld/?id='23' or '1'='1'

HOWTO: Check The Server CN (CommonName) Of Your SSL Certificate

openssl x509 -in server.crt -noout -subject
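The shell functions below are an added example, not from the wiki: gen_csr produces the key and CSR exactly as the "Generate SSL Certificate" section above does, and the remaining functions check the result before the CSR is sent to the CA: the CN (the same check as the openssl x509 command just above, but working for a CSR as well as a certificate), that the CSR really belongs to the private key, and that the CSR's own signature verifies. The domain mydomain.co.uk and the subject fields are the placeholders from that section; gen_self_signed only makes a throwaway certificate for local testing of subject_cn.

```shell
#!/bin/sh
# Added example, not from the wiki page: create a key and CSR as in the
# "Generate SSL Certificate" HOWTO and verify them before submitting the CSR.
# Usage: gen_csr ~/ssl mydomain.co.uk && subject_cn ~/ssl/mydomain.csr

gen_csr() {   # gen_csr <dir> <common name>  -> <dir>/mydomain.key and <dir>/mydomain.csr
    local dir="$1" cn="$2"
    mkdir -p "$dir"
    # -nodes: unencrypted key, so Apache can start without a passphrase prompt
    openssl req -nodes -newkey rsa:2048 -keyout "$dir/mydomain.key" -out "$dir/mydomain.csr" \
        -subj "/C=GB/ST=Kent/L=Folkestone/O=The Company Name/OU=IT/CN=$cn" 2>/dev/null
    chmod 600 "$dir/mydomain.key"   # a private key must never be world-readable
}

gen_self_signed() {   # gen_self_signed <dir> <common name>: throwaway cert for local tests only
    local dir="$1" cn="$2"
    mkdir -p "$dir"
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout "$dir/server.key" \
        -out "$dir/server.crt" -subj "/CN=$cn" 2>/dev/null
}

subject_cn() {   # print the CN of a PEM certificate or CSR, whichever the file holds
    local cmd=x509
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then cmd=req; fi
    # RFC2253 output is identical on OpenSSL 1.x and 3.x, unlike the default subject format
    openssl "$cmd" -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

csr_matches_key() {   # exit 0 when the CSR's public key belongs to private key $2
    local m1 m2
    m1=$(openssl req -in "$1" -noout -modulus 2>/dev/null)
    m2=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

csr_signature_ok() {   # the CSR is signed with its own key; a corrupted or edited CSR fails
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

The modulus comparison is the usual way to confirm that the certificate the CA sends back (or the CSR you are about to send) matches the key Apache will load; a mismatch produces a start-up error rather than a working site.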

HOWTO: Redirect Whole Web Site To Secure

Method 1

Using mod_rewrite

Edit your .htaccess file and add the following block of code...

# Turn the engine on (it is off by default, and .htaccess does not inherit it from the server config)
RewriteEngine On

# This checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on

# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

Method 2

Using virtual hosts (using redirect)

# NameVirtualHost is only needed on Apache 2.2 (2.4 ignores it with a warning)
NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.example.com
   Redirect permanent / https://secure.example.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName secure.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
   # etc...
</VirtualHost>

https://wiki.apache.org/httpd/RedirectSSL

keywords: apache, rewrite, redirect http, https

HOWTO: Hide Files In A Directory Listing

Add the following line to your .htaccess file...

IndexIgnore filename.ext *.ico

Thanks to http://www.ducea.com/2006/06/08/apache-tips-tricks/

WebDAV

Edit the mod_dav configuration file (the Gentoo path is shown)...

/etc/apache2/modules.d/45_mod_dav.conf

<IfDefine DAV>

<IfModule mod_dav.c>
   LimitXMLRequestBody 131072
   Alias /dav "/var/www/dav"
   <Directory /var/www/dav>
       Dav On
       Options +Indexes
       IndexOptions FancyIndexing
       AddDefaultCharset UTF-8
       AllowOverride None
       Order allow,deny
       Allow from all
       AuthType Basic
       AuthName "WebDAV"
       AuthUserFile /etc/apache2/dav.passwd
       Require valid-user
   </Directory>
</IfModule>

DavLockDB "/var/lib/dav/lockdb"

# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
<IfModule setenvif_module>
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012345678]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>

</IfDefine>

Create the password file and restart Apache...

htpasswd -c /etc/apache2/dav.passwd test
/etc/init.d/apache2 restart
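As an added example (not from the wiki), the two shell functions below create and check an entry in the AuthUserFile format that the htpasswd -c command above writes by default ($apr1$, Apache's MD5-crypt), using only openssl, so they also work where apache2-utils is not installed. Where htpasswd is available, htpasswd -B (bcrypt) is the stronger choice; apr1 is used here because openssl can compute it, which makes the check reproducible. The user name test and the passwords are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki page: build and verify AuthUserFile
# entries in the $apr1$ format using openssl only.
# Usage: htpasswd_line test 'pass' >> /etc/apache2/dav.passwd
#        htpasswd_verify /etc/apache2/dav.passwd test 'pass' && echo ok

htpasswd_line() {   # htpasswd_line <user> <password> [salt]  -> "user:$apr1$salt$hash"
    local user="$1" pass="$2" salt="${3:-$(openssl rand -hex 4)}"   # apr1 salt: at most 8 characters
    # the password is passed on stdin, not argv, so it does not show in the process list
    printf '%s:%s\n' "$user" "$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)"
}

htpasswd_verify() {   # htpasswd_verify <file> <user> <password>; exit 0 only on a match
    local stored salt again
    stored=$(grep "^$2:" "$1" | head -n 1 | cut -d: -f2-)
    case "$stored" in
        '$apr1$'*) ;;        # only the apr1 format is handled here
        *) return 1 ;;       # unknown user, or a hash type this demo does not recompute
    esac
    # the stored hash carries its own salt: $apr1$<salt>$<hash>
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
    again=$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$stored" = "$again" ]
}

# Demonstration line with a random salt (constructed user and password).
htpasswd_line test 'example-password'
```

Keep the password file outside the DocumentRoot (as /etc/apache2/dav.passwd above is) so it can never be served, and make it readable only by root and the Apache user.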

To test, install the cadaver WebDAV command-line client (Gentoo shown)...

emerge net-misc/cadaver

Then...

server.domain.com ~ $ cadaver http://10.0.0.1/dav

Authentication required for WebDAV on server `10.0.0.1':
Username: test
Password: 
dav:/dav/> ls
Listing collection `/dav/': succeeded.
       fish.txt                               5  Jan 24 15:22
dav:/dav/> cat fish.txt 
Displaying `/dav/fish.txt':
fish
dav:/dav/> quit
Connection to `10.0.0.1' closed.

Glossary

http://httpd.apache.org/docs/2.2/glossary.html