Securing Apache - Fedora/CentOS/SUSE/RedHat

Step 3c - Enabling HTTP/1.1 and H2 protocols - Mandatory Step!!!

HTTP/2 (H2) has many wonderful benefits compared to HTTP/1.0 and HTTP/1.1. H2 comes by default with Distributed Denial of Service (DDoS) protection, better overall security, more options, and so forth. H2 is negotiated with Application-Layer Protocol Negotiation (ALPN) during the TLS handshake, which drops our request latency to pretty much zero. Mobile devices are also upping the ante for security by supporting H2. We should use it whenever possible, and pretty much every modern browser supports it.

H2 Options explained more in depth

Enabling HTTP/2 on your server has an impact on resource consumption, and if you have a busy site you need to carefully consider the implications. The first noticeable difference after enabling HTTP/2 is the additional threads started on your server: HTTP/2 gives every request its own worker thread for processing it, collecting the results and streaming them out to the client. People still think encryption kills performance! This is an old myth that needs to die a painful death: straight HTTP is slower than HTTPS! Akamai's test shows the speed difference between HTTP/1.1 and HTTP/2. Despite the warnings, we have not had problems or complaints with H2.

Test to see if H2 is enabled

We are surprised at how many large sites do not have it deployed.

Test performed May 2020 - Image source keycdn.com
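Besides the keycdn tool, you can verify negotiation yourself from the command line. The script below is an added example, not part of the original guide: `protocol_from_headers` classifies a response by its status line (HTTP/2 answers `HTTP/2 200`, a fallback answers `HTTP/1.1 200 OK`), `probe_h2` fetches the headers of a live host with curl offering h2 via ALPN, and `preflight` is the server-side check to run before the restart step (mod_http2 loaded, config parses). The two sample header blocks are constructed so the parser can be exercised offline; the hostname argument and the `httpd`/`apachectl` binaries are assumed to be those of a RHEL-family install.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that a vhost really
# negotiates HTTP/2, and run the server-side preflight before a restart.

# Classify a raw response-header block by its first (status) line.
# Prints one of: h2, http/1.1, http/1.0, unknown.
protocol_from_headers() {
    first_line=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
    case "$first_line" in
        "HTTP/2 "*)   echo "h2" ;;
        "HTTP/1.1 "*) echo "http/1.1" ;;
        "HTTP/1.0 "*) echo "http/1.0" ;;
        *)            echo "unknown" ;;
    esac
}

# Probe a live host. 'curl --http2' offers h2 through ALPN in the TLS
# handshake; if the server lacks the Protocols directive or mod_http2 it
# silently falls back to HTTP/1.1, which is exactly what this catches.
probe_h2() {
    host="$1"
    headers=$(curl --http2 -s -I --max-time 10 "https://$host/" 2>/dev/null) || {
        echo "curl failed for $host" >&2
        return 2
    }
    proto=$(protocol_from_headers "$headers")
    echo "$host negotiated $proto"
    [ "$proto" = "h2" ]
}

# Server-side preflight to run before 'systemctl restart httpd':
# mod_http2 must be loaded and the configuration must parse cleanly.
preflight() {
    if httpd -M 2>/dev/null | grep -q 'http2_module'; then
        echo "mod_http2: loaded"
    else
        echo "mod_http2: NOT loaded (check the LoadModule http2_module line)" >&2
        return 1
    fi
    apachectl configtest
}

# Constructed sample responses (not captured from a real server).
SAMPLE_H2='HTTP/2 200
server: Apache
content-type: text/html; charset=UTF-8'

SAMPLE_H1='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

if [ $# -gt 0 ]; then
    preflight
    probe_h2 "$1"
else
    echo "sample 1 -> $(protocol_from_headers "$SAMPLE_H2")"   # h2
    echo "sample 2 -> $(protocol_from_headers "$SAMPLE_H1")"   # http/1.1
fi
```

Run it as `sh check_h2.sh EXAMPLE.com` on the server after the restart; without an argument it only exercises the parser on the constructed samples. A result of `http/1.1` from `probe_h2` on a host where you just added `Protocols h2 http/1.1` almost always means the directive landed in the wrong vhost or mod_http2 is not loaded.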

Make changes to the Apache website config file by adding the Protocols line shown below to the file

nano /etc/httpd/conf.d/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # Offer HTTP/2 first and fall back to HTTP/1.1 for clients that cannot
        # negotiate it (needs mod_http2 loaded; h2 is only offered over TLS)
        Protocols h2 http/1.1
        SSLEngine on
        SSLCertificateFile        /etc/apache2/ssl/www_EXAMPLE_com.crt
        ..............................
    </VirtualHost>
</IfModule>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart httpd    # the service unit is named apache2 on SUSE

If you are going to use PHP

ProxyPassMatch directives are evaluated first, before the FilesMatch configuration is run. We want granular control over our headers and over the behaviour of PHP requests. The best way I can describe the difference: ProxyPass forwards the request away, while FilesMatch lets Apache handle the request and only hands execution to PHP!

ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1

Using ProxyPassMatch removes your ability to deny or allow access to PHP files, and you also lose the ability to manipulate PHP requests on the server. If you are passing PHP requests to an FPM daemon, use FilesMatch + SetHandler instead of ProxyPassMatch.

<FilesMatch "\.php$">
    # SetHandler takes only the backend address: no path and no $1 here,
    # the script path is taken from the request that matched
    SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
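The access-control point above, as an added configuration example that is not from the original guide: because FilesMatch + SetHandler keeps PHP under Apache's normal per-directory processing, a directory holding user uploads can have `.php` execution refused outright, whereas a ProxyPassMatch rule has already turned the request into a proxy request before any `<Directory>` or `<Files>` section is consulted. The `/var/www/html/EXAMPLE/uploads` path is assumed for illustration; the `<If "-f %{REQUEST_FILENAME}">` guard is the form documented for Apache 2.4 and makes missing script paths return Apache's own 404 instead of being forwarded to FPM.

```apache
# Hand .php files to PHP-FPM only when the script actually exists on disk;
# a request for a non-existent script gets a normal 404 and never reaches FPM.
<FilesMatch "\.php$">
    <If "-f %{REQUEST_FILENAME}">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </If>
</FilesMatch>

# Because the handler is set per file, ordinary authorization still applies:
# refuse to serve (and therefore to execute) any .php file in the upload tree.
# Directory path assumed for illustration.
<Directory "/var/www/html/EXAMPLE/uploads">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

# Weak form for comparison (left commented out): every *.php URL is forwarded
# straight to FPM, and the <Directory> block above is never consulted for it.
# ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1
```

After adding it, run `apachectl configtest` before the restart and request a `.php` URL under the uploads directory: a 403 confirms the deny is in front of the handler.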

Make changes for PHP to the Apache website config file by adding the FilesMatch block shown below to the file

nano /etc/httpd/conf.d/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        Protocols h2 http/1.1
        <FilesMatch "\.php$">
            # backend address only; the matched script path comes from the request
            SetHandler "proxy:fcgi://127.0.0.1:9000"
        </FilesMatch>
        SSLEngine on
        ..............................
    </VirtualHost>
</IfModule>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart httpd    # the service unit is named apache2 on SUSE