Securing Apache - Debian/Ubuntu

Step 2b - Enable/Configure Apache HTTP & HTTPS for Websites

Enabling & Configuring Apache HTTP & HTTPS for Websites

There are a number of considerations to weigh in the HTTPS configuration file. A great guide for options and other considerations.
Let us create a place to securely hold the public/private keys and certificates.

Change to the Apache Directory

cd /etc/apache2

Create the SSL Directory

mkdir ssl

Change the permissions on the SSL Directory (a directory needs its execute bit to be entered, so use 750 rather than a file mode like 644)

chmod 750 ssl/

Change to the SSL Directory

cd ssl/

Check what Algorithms are available to work with OpenSSL

List all of the available Algorithms in OpenSSL

openssl list -public-key-algorithms

List only the available EC Curves in OpenSSL

openssl ecparam -list_curves

Generating Diffie-Hellman (DH) and Elliptic Curve (EC) Parameters

With Perfect Forward Secrecy (PFS), an attacker who gets hold of the server's private key still cannot decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master secret. Diffie-Hellman ensures that the pre-master secret never leaves the client and the server and cannot be intercepted by a Man-in-the-Middle (MiTM) attack.
BTW - This procedure will take some time. Generating the DH parameters puts a HUGE load on the server, so keep this in mind!

Generate the DH Params file (Mandatory Step - Takes a long time to generate)

We here at Zombie suggest 4096 bit (2048 bit is the minimum), but we use 8192 bit, which takes a significant amount of time to create. Unless you really need 8192, use 4096 bit.

openssl dhparam -out dhparam.pem 4096

Set permissions on the DH PEM file (Mandatory Step)

chmod 640 *.pem

Generate the EC Params file (Recommended - EC generation is quick)

You can generate a file for each curve if you like, or just the ones that are being used.

openssl ecparam -name secp521r1 -out secp521r1.pem
openssl ecparam -name secp384r1 -out secp384r1.pem

Check the EC Param file

openssl ecparam -in secp384r1.pem -check

Creating a private key w/ the EC Parameters file

openssl ecparam -in secp384r1.pem -genkey -noout -out secp384r1.key

Creating a private key w/o the EC Parameters file

openssl ecparam -name secp384r1 -noout -out secp384r1.key -genkey

Set permissions on the EC PEM file

chmod 640 *.pem

To print out the EC Parameters to standard output

openssl ecparam -in secp384r1.pem -noout -text

Creating a private key with the X25519 Algorithm

openssl genpkey -algorithm X25519 -out X25519.key

Creating a private key with the X448 Algorithm

openssl genpkey -algorithm X448 -out X448.key

Set the permissions on the key files

chmod 640 *.key

Create our website directory under the SSL directory

mkdir zombiesecured

Change the permissions on the website directory (again a directory mode, so it keeps its execute bit)

chmod 750 zombiesecured/

Change to the website directory

cd zombiesecured/

Change permissions on the Keys (the keys live in /etc/apache2/ssl, so give the full path from inside the website directory)

chmod 640 /etc/apache2/ssl/*.key

Change permissions on the Certificates (run once the certificates are in place)

chmod 644 /etc/apache2/ssl/*.crt
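The directory and key steps above, gathered into one script with a permission audit at the end. This is an added example, not the guide's own commands: it assumes openssl is on PATH, takes the target directory (the guide's /etc/apache2/ssl) as its first argument, an optional curve name as the second and an optional DH size as the third, and uses mode 750 on the directory because a directory needs its execute bit to be entered.

```shell
#!/bin/sh
# Added example, not part of the original guide: carries out the key-material
# steps in one go and then audits the result. Assumes openssl is on PATH and
# that the target directory is given as $1 (the guide uses /etc/apache2/ssl).
# File names follow the guide; the 750 directory mode is this example's choice.

# provision_ssl_dir DIR [CURVE] [DH_BITS]: create DIR, write the EC parameter
# file for CURVE (default secp384r1), check it, derive an EC private key from
# it, generate an X25519 key, optionally generate the DH group, and lock
# every .pem/.key down to 640.
provision_ssl_dir() {
    dir=$1
    curve=${2:-secp384r1}
    mkdir -p "$dir"
    chmod 750 "$dir"
    (
        cd "$dir" || exit 1
        openssl ecparam -name "$curve" -out "$curve.pem"
        openssl ecparam -in "$curve.pem" -check -noout >/dev/null
        openssl ecparam -in "$curve.pem" -genkey -noout -out "$curve.key"
        openssl genpkey -algorithm X25519 -out X25519.key
        # DH group: pass a size as $3 to generate it here (4096 per the guide;
        # that takes minutes, which is why it is optional in this example)
        [ -z "$3" ] || openssl dhparam -out dhparam.pem "$3"
        chmod 640 ./*.pem ./*.key
    )
}

# verify_private_key FILE: succeed only if OpenSSL can parse FILE as a private
# key (catches truncated or wrongly formatted files before Apache does).
verify_private_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# audit_key_modes DIR: list every .key/.pem under DIR that grants any access
# to "other" or write access to group; return 1 if at least one is found.
audit_key_modes() {
    bad=0
    for f in "$1"/*.key "$1"/*.pem; do
        [ -e "$f" ] || continue
        # GNU stat first, BSD stat as fallback; both yield the octal mode
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *[1-7]) echo "world-accessible: $f (mode $mode)"; bad=1 ;;
        esac
        case "$mode" in
            ?[2367]?) echo "group-writable: $f (mode $mode)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: sh provision_ssl.sh /etc/apache2/ssl [curve] [dh_bits]
if [ $# -gt 0 ]; then
    provision_ssl_dir "$1" "${2:-}" "${3:-}"
    audit_key_modes "$1" && echo "ok: no key or parameter file in $1 is world-readable"
fi
```

The audit is the part worth keeping around: run it from cron or a config-management check so that a key that later gets copied in with the wrong mode is noticed, not just the ones created today.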

Add the Params files to the SSL config - (Global use - Preferred Method)

Add the lines marked with <--- below (the arrow and the text after it are explanations, not part of the file)

nano /etc/apache2/mods-available/ssl.conf

<IfModule mod_ssl.c>
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512
        SSLOpenSSLConfCmd Options -SessionTicket        <--- Do not let clients resume with an older session ticket; force a full handshake instead (a long-lived ticket key would undermine forward secrecy)
        SSLCompression off        <--- Prevents the CRIME attack; Apache 2.4.3 and later already default this to off, so the line is a safeguard
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"        <--- Use the pre-generated DH group for DHE handshakes instead of OpenSSL's built-in defaults; this is what sets the DH key strength
        SSLOpenSSLConfCmd ECDHParameters secp384r1        <--- A single curve name (secp521r1 or secp384r1); the Curves list below controls what is negotiated
        SSLOpenSSLConfCmd Curves secp521r1:x448:x25519:secp384r1        <--- These are the curves you are willing to accept, in order of preference... add any other supported curves you desire
        #SSLFIPS on         <--- use only if FIPS 140-2 compliance is required of this server (needs a FIPS-capable OpenSSL build) - Do not forget the applicable policy
............................
</IfModule>

A copy & paste version is found below:

SSLOpenSSLConfCmd Options -SessionTicket
SSLCompression off
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:x448:x25519:secp384r1:prime256v1
#SSLFIPS on

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Apache Web site config file (Local use - Alternative)

Add the six SSL lines below inside the VirtualHost

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLOpenSSLConfCmd Options -SessionTicket
        SSLCompression off
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
        SSLOpenSSLConfCmd ECDHParameters secp384r1
        SSLOpenSSLConfCmd Curves secp521r1:x448:x25519:secp384r1
        #SSLFIPS on
........................
    </VirtualHost>
</IfModule>

A copy & paste version is found below:

SSLOpenSSLConfCmd Options -SessionTicket
SSLCompression off
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:x448:x25519:secp384r1:prime256v1
#SSLFIPS on

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)