Apache 2.4 Security settings (migration from 2.2)


I migrated Apache from version 2.2 to 2.4.
This article is my memorandum of the procedure I followed at that time.
I think it can also serve as an example of security (SSL/TLS) settings.

Apache Migration

While looking into countermeasures for the Logjam attack, I found that the DH parameter in Apache 2.2 is fixed at 1024 bits (2048 bits or more are recommended as a Logjam countermeasure).

I didn't have time for a while, but I finally migrated to 2.4 the other day.

The following are the migration steps.

I also migrated Java and Tomcat at the same time, so those steps are included as well.

System Environment

I installed packages using "yum" rather than building from source (building from source increases the management cost).

OS: Amazon Linux (64bit)

Before

Apache 2.2.29-1.5.amzn1
Tomcat 7.0.62-1.10.amzn1
Java 1.7.0.85-2.6.1.3.61.amzn1

After

Apache 2.4.12-1.60.amzn1
Tomcat 8.0.23-1.54.amzn1
Java 1.8.0.51-1.b16.6.amzn1

Preparation

Backup

Before installation, back up the necessary data.

Since my migration target runs on AWS (EC2), I created an AMI from the running instance.

The following work was done on this backed-up instance.

Stop services

Stop the apache (and tomcat) services.

$ sudo /etc/rc.d/init.d/httpd stop
$ sudo /etc/rc.d/init.d/tomcat7 stop

Backup Application, and settings

Back up the current application (data) and settings to an appropriate directory.

Apache related

  • config files under the /etc/httpd/conf
  • config files under the /etc/httpd/conf.d

Tomcat related

  • application files under the /usr/share/tomcat7/webapps
  • config files under the /usr/share/tomcat7/conf

Upgrade packages

Upgrade Java

Install Java1.8

If you delete Java 1.7 first, dependency problems may occur, so install Java 1.8 first.

$ sudo yum install java-1.8.0-openjdk

Uninstall Java1.7

Uninstall the old version (as needed).

$ sudo yum erase java-1.7.0-openjdk

Upgrade Tomcat

Install Tomcat8

Install Tomcat8.

$ sudo yum install tomcat8

Related packages will also be installed.

  • tomcat8-lib
  • tomcat8-servlet-3.1-api
  • tomcat8-jsp-2.3-api
  • tomcat8-el-3.0-api

Uninstall Tomcat7

Uninstall the following packages (using "yum erase").

  • tomcat7
  • tomcat7-lib
  • tomcat7-servlet-3.0-api
  • tomcat7-jsp-2.2-api
  • tomcat7-el-2.2-api

Upgrade Apache

Uninstall Apache2.2

First, uninstall 2.2 (if you install 2.4 first, a conflict occurs).
Uninstall the following packages.

  • httpd
  • httpd-tools

Install Apache2.4

Install the following package (httpd24-tools will also be installed).

  • httpd24

Install Apache2.4 modules

I also installed the following packages (mod_ssl and mod_security).

*We use the following packages; change them as appropriate for your environment.

*For mod_security, I also wrote the article WAF(Web Application Firewall)でWebサイトを脆弱性から守る (Protecting a website from vulnerabilities with a WAF).

  • mod24_ssl
  • mod24_security
  • mod_security_crs
  • mod_security_crs-extras

Apache2.4 Settings

Edit the Apache 2.4 settings.
2.4 differs from 2.2 in the following ways.

  • LoadModule settings have moved to "conf.modules.d/*.conf"
    In 2.2, LoadModule settings were written in "httpd.conf".
  • mod_autoindex related directives (AddIconByType, AddIcon, ...) have moved to "conf.d/autoindex.conf"
    In 2.2 I commented these out. In 2.4, you can disable these directives by deleting or renaming autoindex.conf.
  • conf.d/userdir.conf has been added
    userdir.conf is added under the conf.d directory. In many cases mod_userdir should be disabled; you can disable it the same way as mod_autoindex (delete or rename userdir.conf).

Edit settings in consideration of these differences.

httpd.conf settings

Edit httpd.conf (/etc/httpd/conf/httpd.conf).
Set the following items (excerpt). Note that Apache does not accept comments after a directive on the same line, so the comments are placed on their own lines.

# The same as 2.2
ServerTokens Prod
# Email address of the administrator
ServerAdmin aaa@agilegroup.co.jp
# Server name
ServerName www.agilegroup.co.jp:80
<Directory "/var/www/html">
    # Delete Indexes (disable directory listing)
    #Options Indexes FollowSymLinks
    Options FollowSymLinks
    ...
</Directory>

*The default value of "ServerSignature" is "off" in 2.4.

DoS Attack (slowloris) countermeasure

reqtimeout_module was added in Apache 2.2.15, and it can be used as a countermeasure against slowloris (a DoS attack).
Set it if necessary.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

The above is the default setting.
If the header (or body) is not received within 20 seconds, the request fails with an error.
While data keeps arriving at 500 bytes/sec or more, the timeout is extended, up to the maximum (40 seconds for the header).
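To make the "header=20-40,MinRate=500" semantics concrete, here is an added example (not from the original article) that parses the directive and computes the effective timeout after a given number of bytes has arrived, following mod_reqtimeout's documented rule: one extra second per MinRate bytes received, capped at the stage's maximum.

```python
import re

# Added example, not from the original article: parse a mod_reqtimeout
# directive and model how the timeout grows while data keeps arriving.
# Per the mod_reqtimeout documentation, the timeout is extended by one
# second for every MinRate bytes received, up to the stage's maximum.

STAGE_RE = re.compile(r"^(header|body)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?$", re.I)

def parse_request_read_timeout(directive):
    """Map 'header'/'body' to (initial, maximum, minrate) in seconds/bytes.
    maximum is None when unbounded; minrate is None when the timeout is fixed."""
    parts = directive.split()
    if not parts or parts[0].lower() != "requestreadtimeout":
        raise ValueError("not a RequestReadTimeout directive: %r" % directive)
    stages = {}
    for spec in parts[1:]:
        m = STAGE_RE.match(spec)
        if not m:
            raise ValueError("bad stage spec: %r" % spec)
        stage, initial, maximum, minrate = m.groups()
        stages[stage.lower()] = (int(initial),
                                 int(maximum) if maximum else None,
                                 int(minrate) if minrate else None)
    return stages

def effective_timeout(stage, bytes_received):
    """Total seconds Apache will wait for this stage once bytes_received
    bytes have arrived (each MinRate bytes buys one extra second)."""
    initial, maximum, minrate = stage
    if minrate is None:
        return initial                      # fixed timeout, no extension
    total = initial + bytes_received // minrate
    return total if maximum is None else min(total, maximum)

if __name__ == "__main__":
    spec = parse_request_read_timeout(
        "RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500")
    for received in (0, 5000, 20000):
        print(received, "bytes -> header timeout",
              effective_timeout(spec["header"], received), "s, body timeout",
              effective_timeout(spec["body"], received), "s")
```

With the article's directive, a slowly trickling header is cut off after at most 40 seconds, whereas the body stage has no upper bound as long as the client keeps sending at the minimum rate.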

Module settings

In 2.4, module settings are placed under the /etc/httpd/conf.modules.d/ directory,
divided into the following files.

Filename              Comment
00-base.conf          Basic modules
00-dav.conf           WebDAV related
00-lua.conf           mod_lua
00-mpm.conf           MPM related. prefork, worker or event can be selected.
00-optional.conf      I think these are less likely to be used generally.
00-proxy.conf         Proxy related
01-cgi.conf           CGI related
00-ssl.conf           When mod_ssl is installed
10-mod_security.conf  When mod_security is installed

00-base.conf

Edit "00-base.conf".

*Below is a sample that enables an almost minimal set of modules. Please adjust it for your environment.


LoadModule access_compat_module modules/mod_access_compat.so
#LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
#LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule data_module modules/mod_data.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
#LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
#LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule request_module modules/mod_request.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule suexec_module modules/mod_suexec.so
# This module will cause Apache to fail to load if there is no DNS
# LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so

00-dav.conf

If you don't use WebDAV, comment out everything.

00-lua.conf

If you don't use mod_lua, comment out everything.

00-mpm.conf

Enable the MPM module (prefork | worker | event) you want to use.

*In my environment, prefork is the default.

00-optional.conf

By default, all settings are commented out. If there are modules you want to use, edit this file.

00-proxy.conf

If you don't use a proxy, comment out everything.
I use Apache and Tomcat together, so I enable the following.

  • mod_proxy
  • mod_proxy_ajp

00-ssl.conf

If you want to use SSL/TLS, enable this.

01-cgi.conf

If you don't use CGI, comment out everything.

10-mod_security.conf

If you want to use mod_security (WAF), enable and edit this.

Settings under the conf.d directory

The following files are installed under the "conf.d" directory.

Filename           Comment
autoindex.conf     mod_autoindex related. If you want to disable directory listing, delete or rename this file.
notrace.conf       Contains the "TraceEnable off" setting. Leave this in place, because it is a countermeasure against cross-site tracing.
userdir.conf       mod_userdir related. If you don't use it, delete or rename this file.
welcome.conf       For the Apache (default) welcome page. Delete or rename it.
mod_security.conf  mod_security related
ssl.conf           SSL/TLS related

mod_security.conf

The mod_security settings have not changed from Apache 2.2,
so it is OK to restore your backed-up conf file.
If a LoadModule directive is present in mod_security.conf, remove or comment out that line (the LoadModule directive now lives in conf.modules.d/10-mod_security.conf).

Refer to: WAF(Web Application Firewall)でWebサイトを脆弱性から守る (Protecting a website from vulnerabilities with a WAF)

ssl.conf

Below is a sample (excerpt). As in httpd.conf, comments are placed on their own lines because Apache does not accept a comment after a directive.

# Basics
# Disable SSLv2 and SSLv3 (append "-SSLv3")
SSLProtocol all -SSLv2 -SSLv3
# The SSLCipherSuite setting below is a sample
SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:AES256-SHA
# Use the server's cipher preference order
SSLHonorCipherOrder on

# cert. related file settings - the same values as in Apache 2.2
SSLCertificateFile ...
SSLCertificateKeyFile ...
SSLCACertificateFile ...

# HTTP Strict Transport Security (HSTS) setting
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

I wrote a related article on SSL/TLS settings: Webサーバの SSL/TLS 設定 (2015/5) (Web server SSL/TLS settings, May 2015).


OCSP Stapling

OCSP Stapling can be used in Apache 2.3.3 and later, so enable it.

Refer to: Apache - Enable OCSP Stapling

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

To verify whether OCSP Stapling is enabled, run the following command (change the hostname as appropriate).

$ openssl s_client -connect localhost:443 -tls1 -status | head
...
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
...

If OCSP Stapling is disabled, the output is:

OCSP response:  no response sent

DH Parameter

In Apache 2.4.8 and later, I thought I could set the following DH parameter (as a Logjam countermeasure),

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

However, this requires OpenSSL 1.0.2 or later, so I could not set it at this time.

*At the time of writing, the OpenSSL version is 1.0.1k-10.87.


Public Key Pinning

I tried to enable Public Key Pinning, but gave up this time, because:

  • A second (backup) pin must be specified.
  • If I did this without confirming the procedure and the system, there would be a high possibility of problems in production.

Refer to: Public Key Pinning


Other settings

Restore the settings other than the above (for example, your web application settings).

Verify

When you have finished, check the Apache configuration.

$ sudo httpd -t
Syntax OK
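"httpd -t" only checks syntax. As an added example (not from the original article), the following script lints the concatenated text of httpd.conf and conf.d/*.conf for the hardening directives set in this migration (ServerTokens, Options Indexes, TraceEnable, SSLProtocol, SSLHonorCipherOrder, SSLUseStapling and the HSTS header); the two config samples inside it are constructed.

```python
# Added example (not from the original article): a lint over the Apache 2.4
# directives this migration hardens, run over the concatenated text of
# httpd.conf and conf.d/*.conf. The two config samples below are constructed.

def parse_directives(config_text):
    """Yield (name, args) lower-cased as Apache compares them; comments,
    blank lines and <Section> tags are skipped."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, *args = line.split()
        yield name.lower(), [a.strip('"').lower() for a in args]

def audit_apache_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    seen = {}
    for name, args in parse_directives(config_text):
        seen.setdefault(name, []).append(args)
    last = lambda name, default=(): seen.get(name, [default])[-1]  # last one wins
    findings = []
    if last("servertokens") != ["prod"]:
        findings.append("ServerTokens is not Prod (version leaks in Server header)")
    if any(o in ("indexes", "+indexes") for a in seen.get("options", []) for o in a):
        findings.append("Options Indexes enables directory listing")
    if last("traceenable") != ["off"]:
        findings.append("TraceEnable off missing (cross-site tracing)")
    proto = last("sslprotocol", ["all"])  # 2.4.12 default 'all' still includes SSLv3
    if ("all" in proto and "-sslv3" not in proto) or "sslv3" in proto or "+sslv3" in proto:
        findings.append("SSLProtocol still allows SSLv3")
    if last("sslhonorcipherorder") != ["on"]:
        findings.append("SSLHonorCipherOrder is not on")
    if last("sslusestapling") != ["on"]:
        findings.append("SSLUseStapling is not on")
    if not any("strict-transport-security" in a for a in seen.get("header", [])):
        findings.append("No Strict-Transport-Security (HSTS) header")
    return findings

WEAK_CONF = """ServerTokens OS
Options Indexes FollowSymLinks
SSLProtocol all -SSLv2
SSLHonorCipherOrder off
"""
HARDENED_CONF = """ServerTokens Prod
Options FollowSymLinks
TraceEnable off
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
"""
```

On a real server, feed it something like the output of "cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf"; a non-empty result is a list of the settings still to fix.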

Tomcat8 settings

Edit config files

Edit if necessary.

tomcat8.conf

Edit /usr/share/tomcat8/conf/tomcat8.conf (excerpt).

*JAVA_OPTS is a sample for Magnolia CMS.

JAVA_OPTS="-server -Dfile.encoding=UTF-8 -Xmx512m -Xminf0.1 -Xmaxf0.3 -Djava.library.path=/usr/lib"

LANG="ja_JP.UTF-8"

*The MaxPermSize option was removed in Java 8.

logging.properties

Edit /usr/share/tomcat8/conf/logging.properties (excerpt).
Usually the ConsoleHandler is not needed in a production environment, so remove it.

#.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.AsyncFileHandler

Edit other conf files as necessary.

Deploy application

Deploy the backed-up application.
Copy the backed-up application (directory or war file) under the /usr/share/tomcat8/webapps directory.

After copying, change the ownership to "tomcat:tomcat".
(the following is the case of webapps/ROOT)

$ sudo chown tomcat:tomcat /usr/share/tomcat8/webapps/ROOT -R

Start services

When all of the above settings are done, start the services.
Change the auto-start settings if necessary.

Tomcat8

$ sudo /etc/rc.d/init.d/tomcat8 start

Apache2.4

$ sudo /etc/rc.d/init.d/httpd start

Verify

Once the services are started, let's check the operation.

Check application

First, make sure the web sites and web applications are running properly.

Check SSL/TLS

Next, check whether the SSL/TLS settings have been applied correctly.
You can check using the following website.

I was able to verify our website's "OCSP stapling".

I also verified the "Logjam Attack countermeasures" again.
You can check using the following.

In the pre-migration environment, it showed a "Warning" because DHE used a "Common 1024-bit Prime", but after migration this warning has disappeared.

Summary

We were able to upgrade safely with the above procedure.
After the operation check I reassigned the Elastic IP, and the server migration was complete.

I think the server has become more secure by migrating from 2.2 to 2.4.