Securing Apache - Debian/Ubuntu

Step 2b - Enable/Configure Apache HTTP & HTTPS for Websites

Enabling & Configuring Apache HTTP & HTTPS for Websites

There are a number of considerations to weigh in the HTTPS configuration file, and a dedicated guide to mod_ssl's options is worth reading alongside this one.
Let us first create a place to securely hold the public/private keys and certificates.

Change to the Apache Directory

cd /etc/apache2

Create the SSL Directory

mkdir ssl

Change permissions on the SSL Directory (644 is a file mode, not a directory mode: without the execute bit no non-root process can even enter the directory. Use 700 instead; only root needs access, because Apache's parent process loads the keys and certificates as root at startup before dropping to www-data)

chmod 700 ssl/

Copy the Keys to the SSL directory

cp /etc/ssl/private/*.key /etc/apache2/ssl

Change permissions on the Keys

chmod 640 ssl/*.key

Copy the Certificates to the SSL directory

If you have a CA-signed certificate, make sure both the server certificate (www_EXAMPLE_com.crt) and the CA/intermediate certificate (EXAMPLE_com_CA.crt) end up in this directory

cp /etc/ssl/private/*.crt /etc/apache2/ssl

Change permissions on the Certificates

chmod 644 ssl/*.crt

Generating Diffie-Hellman (DH) and Elliptic Curve (EC) Parameters

With forward secrecy (ephemeral DHE or ECDHE key exchange), an attacker who later obtains the server's private key cannot decrypt recorded past sessions. The private key is used only to sign the server's ephemeral key-exchange parameters; it never encrypts the pre-master secret. Because both sides derive the shared secret independently and it is never transmitted, a passive eavesdropper cannot recover it, and the server's signature over the handshake prevents an active man-in-the-middle (MitM) from substituting its own parameters. The files generated below supply the finite-field DH group (dhparam.pem) and the named elliptic curves that Apache offers for this exchange.
Be warned that generating 4096-bit DH parameters is CPU-intensive and can take from several minutes to well over an hour on a small server, so plan for it.

Change to the Apache SSL directory

cd /etc/apache2/ssl

Generate the DH Params file (takes a long time; httpd 2.4.7 and later fall back to built-in 2048-bit or larger groups if you skip this, but supplying your own parameters is still recommended)

openssl dhparam -out dhparam.pem 4096

Set permissions on the DH PEM file (Mandatory Step)

chmod 640 *.pem

Change to the OpenSSL directory

cd /etc/ssl/certs

Generate the EC Params file (Recommended - EC parameter generation is quick, since a named curve is just a fixed set of constants)

You can generate a file for each curve if you like, or only for the curves you actually use

openssl ecparam -name prime256v1 -out prime256v1.pem

Check the EC Param file

openssl ecparam -in prime256v1.pem -check

Creating a private key w/ the EC Parameters file

openssl ecparam -in prime256v1.pem -genkey -noout -out prime256v1.key

Creating a private key w/o the EC Parameters file (pick one curve; prime192v1 offers only about 96 bits of security and should not be used for new keys)

openssl ecparam -name secp384r1 -genkey -noout -out ec.key

Substitute prime256v1 or secp521r1 for secp384r1 as required, and restrict the resulting key to mode 600 before it is used; it is as sensitive as the RSA key copied earlier.

Set permissions of the EC Pem file (name the file explicitly: /etc/ssl/certs is also the system CA directory, and a wildcard such as *.pem there follows the CA bundle symlinks and would chmod the host's trust store to 640, breaking certificate verification for every non-root TLS client on the machine. Likewise give any .key file you generated here mode 600, since the default umask left it world-readable)

chmod 640 prime256v1.pem

To print out the EC Parameters to standard output

openssl ecparam -in prime256v1.pem -noout -text

List available EC Curves in OpenSSL

openssl ecparam -list_curves
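The key-staging and parameter-generation steps above, collected into one script. This is an added example and not part of the original guide. It uses the guide's own paths (/etc/ssl/private as the source, /etc/apache2/ssl as the destination) but differs in two deliberate ways: it uses install(1), which creates each file with its final mode, instead of cp followed by chmod (cp under the default umask 022 leaves the copied key world-readable until the chmod runs), and it keeps the EC parameter file in /etc/apache2/ssl rather than /etc/ssl/certs so that nothing has to be chmod'ed in the system CA directory. The script name stage_tls.sh, the --deploy flag and the function names are assumptions; the audit function relies on GNU find, which is standard on Debian/Ubuntu.

```shell
#!/bin/sh
# Added example (not part of the original guide): stage key material and
# generate DH/EC parameters for Apache with safe permissions. Run as root:
#   sh stage_tls.sh --deploy

# Copy private keys and certificates from $1 into $2. The directory is 0700:
# Apache's parent process reads keys and certificates as root at startup,
# before dropping to www-data, so nothing else needs to enter it.
# Keys are 0600; certificates are public and get 0644.
stage_tls_material() {
    src=$1
    dst=$2
    install -d -m 0700 "$dst"
    for f in "$src"/*.key; do
        if [ -f "$f" ]; then install -m 0600 "$f" "$dst/"; fi
    done
    for f in "$src"/*.crt; do
        if [ -f "$f" ]; then install -m 0644 "$f" "$dst/"; fi
    done
}

# Generate the DH group and the EC parameter file from the guide. The 4096-bit
# group can take a very long time, so it is not regenerated if already present.
generate_params() {
    dst=$1
    if [ ! -s "$dst/dhparam.pem" ]; then
        openssl dhparam -out "$dst/dhparam.pem" 4096
    fi
    chmod 0640 "$dst/dhparam.pem"
    # Named-curve parameters are public constants; generate only the curve used
    # and name the file explicitly so no wildcard chmod is ever needed.
    openssl ecparam -name prime256v1 -out "$dst/prime256v1.pem"
    openssl ecparam -in "$dst/prime256v1.pem" -check
    chmod 0640 "$dst/prime256v1.pem"
}

# Return 1 (and list the offenders) if any private key under $1 has any
# group or other permission bit set; run this before reloading Apache.
audit_key_perms() {
    bad=$(find "$1" -name '*.key' -perm /077 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "key files readable by non-root:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Full run only when explicitly requested and running as root.
if [ "${1:-}" = "--deploy" ] && [ "$(id -u)" -eq 0 ]; then
    stage_tls_material /etc/ssl/private /etc/apache2/ssl
    generate_params /etc/apache2/ssl
    audit_key_perms /etc/apache2/ssl
fi
```

The original keys stay in /etc/ssl/private, as with the guide's cp; if you prefer a single copy, replace the key install with mv after checking the copy, and keep the 0600 mode.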

Add the Params files to the SSL config - (Global use - Preferred Method)

Add the lines marked with <--- below (the arrows and the notes after them are annotations, not part of the config)

nano /etc/apache2/mods-available/ssl.conf

<IfModule mod_ssl.c>
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512
        SSLOpenSSLConfCmd Options -SessionTicket        <--- Disables TLS session tickets so every session does a full handshake; tickets are protected by a long-lived server ticket key, and a leak of that key would expose every session it resumed, undermining forward secrecy. SSLOpenSSLConfCmd needs httpd 2.4.8+ built against OpenSSL 1.0.2+
        SSLCompression off        <--- Defends against the CRIME attack; already off by default in current 2.4 releases, but set it explicitly so the intent is recorded
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"        <--- Uses the 4096-bit group generated above for DHE cipher suites instead of the built-in defaults; a larger group means stronger DHE at the cost of a slower handshake (it has nothing to do with random-number generation)
        SSLOpenSSLConfCmd ECDHParameters secp384r1        <--- Takes a single curve name for the ECDH temporary key (or Automatic to let OpenSSL choose from the Curves list), not a list
        SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1        <--- Curves you are willing to negotiate, in order of preference; prime192v1 is left out as it is below current strength recommendations. Add X25519 at the front if your OpenSSL is 1.1.0 or later
        #SSLFIPS on         <--- Note the spelling: the directive is SSLFIPS. Only for deployments that policy requires to run in FIPS 140-2 mode, and only with a FIPS-capable OpenSSL build; it is valid in the server config only, not inside a VirtualHost
............................
</IfModule>

A copy & paste version is found below:


SSLOpenSSLConfCmd Options -SessionTicket
SSLCompression off
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1
#SSLFIPS on


Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Apache Web site config file (Local use - Alternative)

Add the lines marked with <--- below (the arrows and the notes after them are annotations, not part of the config)

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLOpenSSLConfCmd Options -SessionTicket        <--- Disables session tickets for this vhost; same reasoning as in the global method
        SSLCompression off        <--- Defends against CRIME; off by default in current 2.4 releases, set explicitly
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"        <--- The 4096-bit group generated above, for DHE cipher suites
        SSLOpenSSLConfCmd ECDHParameters secp384r1        <--- A single curve name (or Automatic), not a list
        SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1        <--- Curves in order of preference; prime192v1 omitted as too weak
        # SSLFIPS is a server-config directive and is not valid inside <VirtualHost>; if FIPS mode is required, set it in ssl.conf
........................
    </VirtualHost>
</IfModule>

A copy & paste version is found below:


SSLOpenSSLConfCmd Options -SessionTicket
SSLCompression off
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1
# SSLFIPS is a server-config directive and is not valid inside <VirtualHost>; if FIPS mode is required, set it in ssl.conf

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)
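Whichever variant you used (the global ssl.conf or the per-site file), run apachectl configtest and reload Apache, then confirm from a client that the server really behaves as configured. The script below is an added example, not part of the original guide: it parses openssl s_client output for the three properties the directives above control (no TLS compression, no session tickets, ephemeral (EC)DH key exchange) and is written for the TLS 1.2 handshakes those directives target. The two embedded sample outputs are constructed to resemble real s_client output, www.EXAMPLE.com is the guide's placeholder host, and the function name check_tls_hardening is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original guide): check a live server against
# the hardening directives above by parsing `openssl s_client` output.
# Usage against a real host:
#   openssl s_client -connect www.EXAMPLE.com:443 -servername www.EXAMPLE.com \
#       </dev/null 2>/dev/null | check_tls_hardening

# Reads s_client output on stdin, prints one PASS/FAIL line per check and
# returns 0 only if every check passed.
check_tls_hardening() {
    out=$(cat)
    rc=0

    # SSLCompression off -> s_client reports "Compression: NONE"
    if printf '%s\n' "$out" | grep -q '^Compression: NONE'; then
        echo "PASS  TLS compression disabled"
    else
        echo "FAIL  TLS compression negotiable (CRIME)"
        rc=1
    fi

    # SSLOpenSSLConfCmd Options -SessionTicket -> no ticket in the session summary
    if printf '%s\n' "$out" | grep -q 'TLS session ticket'; then
        echo "FAIL  server issued a session ticket"
        rc=1
    else
        echo "PASS  no session ticket issued"
    fi

    # DHParameters / ECDHParameters / Curves -> an ephemeral key must appear as
    # "Server Temp Key: ECDH, ..." (or X25519/X448/DH). A cipher like AES256-SHA
    # with no Temp Key line means RSA key transport: no forward secrecy.
    tmpkey=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: //p')
    case "$tmpkey" in
        ECDH,*|X25519*|X448*|DH,*) echo "PASS  ephemeral key exchange: $tmpkey" ;;
        *) echo "FAIL  no ephemeral key exchange (RSA key transport?)"; rc=1 ;;
    esac

    return $rc
}

# Constructed sample: excerpt of s_client output from a server set up as above.
SAMPLE_HARDENED=$(cat <<'EOF'
Peer signing digest: SHA256
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2836 bytes and written 394 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5F3A5C1E9B7D2A4466F0C3E8D1B2A3C4D5E6F708192A3B4C5D6E7F8091A2B3C4
    Start Time: 1700000000
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
EOF
)

# Constructed sample: compression on, tickets on, RSA key transport.
SAMPLE_WEAK=$(cat <<'EOF'
New, TLSv1.2, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 1a 2b 3c 4d 5e 6f 70 81-92 a3 b4 c5 d6 e7 f8 09   .+<M^op.........
    Start Time: 1700000000
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
EOF
)

# Demo on the constructed samples (the weak one is expected to fail).
echo "== hardened sample =="
printf '%s\n' "$SAMPLE_HARDENED" | check_tls_hardening
echo "== weak sample =="
printf '%s\n' "$SAMPLE_WEAK" | check_tls_hardening || true
```

The checks key off the exact strings s_client prints for a TLS 1.2 session; TLS 1.3 always sends tickets after the handshake and OpenSSL 1.1.1+ may report the temporary key as X25519 rather than a NIST curve, so treat a FAIL on the ticket check as something to investigate rather than a hard error when the negotiated protocol is TLSv1.3.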