APACHE configuration


Configuring your Apache web server can be rather involved because so many areas touch the overall process, such as which components of the server you are configuring and what you are trying to achieve in terms of both performance and security. So I'll jump right into configuration from an e-commerce point of view, working out how to ensure that our TLS (Transport Layer Security) configuration, or SSL (Secure Sockets Layer) as its predecessor was called, is locked up tight. Forgive me if I refer to SSL from here on out; old habits are hard to break.

Let's assume that you've already uncommented the line referring to "Secure (SSL/TLS) connections", as highlighted here: #Include conf/extra/httpd-ssl.conf. Now here's where things get a little easier for us, as we can turn to qualified resources for help with both the configuration and the analysis of our TLS/SSL set-up.

First of all, let's head over to the Mozilla SSL Configuration Generator and plug in a few pieces of important information: Server Version, OpenSSL Version and whether HSTS is enabled. Make sure you've entered your information in the appropriate fields, e.g. Server Version 2.4.17, and that you have checked HSTS as "Enabled". One more thing: you'll also notice three radio button options, "Modern", "Intermediate" and "Old". They refer to compatible client profiles, so unless you have a compelling reason to potentially alienate your audience with either too "Modern" or too "Old" a profile, stick with "Intermediate", as it's your best bet for capturing the widest range of compatible client profiles, in other words your audience. For more information on "Recommended configurations" click here. You should now see a read-out of your ideal configuration like the one below:

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key
    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication
    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>
# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Make note of the path references and adjust accordingly. Once you've made the necessary path changes, copy your newly created set-up, open your httpd-ssl.conf file and paste it after these commented lines:

##
## SSL Virtual Host Context
##

Save and restart Apache; if everything was done correctly it should restart and you can then test your new configuration. Now let's visit Qualys SSL Labs, a free online service that performs deep analysis of SSL web server configurations. Enter your secure web address (https://) and submit the site for analysis.

Qualys SSL Labs Report


If all went smoothly you should see a nice big "A+" overall rating. Congratulations!

If not, check your path references and client profile set-up; it's probably something simple.
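Before you even reach for SSL Labs, the points this post relies on (SSLv3 disabled, TLS compression off, server cipher order honoured, OCSP stapling on, an HSTS header with the six-month max-age, and no leftover "/path/to/" placeholders from the generator) can be checked against the pasted snippet itself. The following is an added example written for this post, not the Mozilla generator's or Apache's own code: a small linter that reads an Apache mod_ssl snippet and reports each finding with its line number. The two embedded snippets are constructed samples; the certificate and key paths in the hardened one are assumed, not real.

```python
"""Lint an Apache mod_ssl snippet against the hardening points this post relies on.

Added example (not from the Mozilla generator, Apache, or the original post).
It reads a config string, collects the directives it cares about, and reports
each finding with the line it came from. The placeholder-path check mirrors the
post's "check your path references" advice.
"""
import re

# Directives the checker looks at; everything else is ignored.
WATCHED = {
    "SSLEngine", "SSLProtocol", "SSLCompression", "SSLHonorCipherOrder",
    "SSLUseStapling", "SSLSessionTickets", "SSLCertificateFile",
    "SSLCertificateKeyFile", "Header",
}

MIN_HSTS_AGE = 15768000  # six months, the value the generator emits

# Constructed sample: a snippet with several of the generator's settings undone.
WEAK_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /etc/ssl/private/shop.key
    Header always set Strict-Transport-Security "max-age=86400"
</VirtualHost>
SSLProtocol             all
SSLCompression          on
SSLHonorCipherOrder     off
"""

# Constructed sample: the post's settings with assumed (hypothetical) file paths.
HARDENED_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/shop.example.pem
    SSLCertificateKeyFile   /etc/ssl/private/shop.example.key
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLProtocol             all -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off
SSLUseStapling          on
"""


def parse_directives(text):
    """Return a list of (line_no, directive, argument_string) tuples.

    Comment lines (including the commented-out #SSLCACertificateFile line) and
    <VirtualHost> tags are skipped. Directive names are matched
    case-insensitively, as Apache does, but reported in canonical case.
    """
    canon = {d.lower(): d for d in WATCHED}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        name = canon.get(parts[0].lower())
        if name:
            out.append((no, name, parts[1] if len(parts) > 1 else ""))
    return out


def check_config(text):
    """Return a sorted list of findings as (line_no, message); an empty list means clean.

    Line 0 is used for directives that are missing altogether.
    """
    findings = []
    seen = {}
    for no, name, arg in parse_directives(text):
        seen[name] = (no, arg)
        if name == "SSLEngine" and arg.lower() != "on":
            findings.append((no, "SSLEngine is not on"))
        elif name == "SSLProtocol":
            tokens = arg.split()
            # SSLv3 stays enabled if listed positively, or via "all" without "-SSLv3".
            if "SSLv3" in tokens or ("all" in tokens and "-SSLv3" not in tokens):
                findings.append((no, "SSLProtocol leaves SSLv3 enabled"))
            if "SSLv2" in tokens:
                findings.append((no, "SSLProtocol leaves SSLv2 enabled"))
        elif name == "SSLCompression" and arg.lower() == "on":
            findings.append((no, "SSLCompression on (TLS compression should be off)"))
        elif name == "SSLHonorCipherOrder" and arg.lower() != "on":
            findings.append((no, "SSLHonorCipherOrder is not on"))
        elif name in ("SSLCertificateFile", "SSLCertificateKeyFile") and "/path/to/" in arg:
            findings.append((no, f"{name} still points at a generator placeholder path"))
        elif name == "Header":
            m = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', arg)
            if m:
                age = int(m.group(1))
                if age < MIN_HSTS_AGE:
                    findings.append((no, f"HSTS max-age {age} is below {MIN_HSTS_AGE}"))
                seen["HSTS"] = (no, arg)
    # Directives the post's configuration depends on must be present at all.
    for required in ("SSLEngine", "SSLProtocol", "HSTS", "SSLUseStapling"):
        if required not in seen:
            findings.append((0, f"{required} is missing"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {check_config(cfg) or 'no findings'}")
```

Run it with your own snippet by passing the file's contents to check_config; the hardened sample returns no findings, while the weak one reports the placeholder certificate path, the short HSTS max-age, SSLv3 left enabled, compression on, cipher order not honoured and the missing SSLUseStapling directive. The checker only looks at the directives the post discusses, so a clean result is a sanity check on the paste, not a substitute for the SSL Labs scan.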

Visit their documentation page for more information, configuration guides, books, and known issues. You can also get a copy of their SSL Server Rating Guide.

By the way, if you're interested, check out Comodo SSL Analyzer; it's free of charge and provides essential knowledge about the security level of the SSL certificate and web server software.

Even if you aren't an SSL expert, this setup and testing plan is straightforward, allowing you to assess your TLS/SSL server configuration with confidence.

moorescode