Apache Security Configuration
Security
Some N2CUG components - specifically the GUI and API - run as HTTP web applications through the Apache 2 webserver, and Apache should be configured to provide a strong security layer for this usage.
N-Squared recommends applying the following configuration changes to any default Apache 2 installation. These changes are selected to enhance the security layer provided for N2CUG.
Please refer to the relevant Apache documentation for further details on these recommendations.
Note that in all cases Apache has to be restarted once the appropriate change(s) have been made. Check the syntax first (apachectl configtest), then restart:
apachectl restart
Version Selection
It is strongly recommended that the latest available version of Apache is used for any web server installation: the version installed should always be the latest one available for your OS. It is also strongly recommended that your OS version is itself actively supported with security updates, since Apache fixes reach most installations through the OS package feed.
TLS/SSL
It is strongly recommended that if N2CUG is accessed through a publicly accessible web address, it is accessed over HTTPS only. It is also recommended that HTTPS should be used even for internal access.
TLS/SSL Protocols
Insecure TLS/SSL protocol versions and weak cipher suites should be disabled. This is done by setting SSLProtocol and SSLCipherSuite in the Apache configuration to a more restricted option set:
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
In this configuration the SSLProtocol parameter disables SSLv2, SSLv3, TLS 1.0 and TLS 1.1 and enables only TLS 1.2. (Apache 2.4.36 or later built against OpenSSL 1.1.1 or later also supports +TLSv1.3, which can be enabled alongside +TLSv1.2.) In the SSLCipherSuite parameter, HIGH restricts the list to OpenSSL's high-strength suites, which excludes RC4 (OpenSSL classes RC4 as MEDIUM, and OpenSSL 1.1.0 and later no longer build it into the default list at all); !aNULL removes suites without server authentication (anonymous Diffie-Hellman), and !MD5 removes suites that use MD5 for message authentication.
TLS/SSL Test
If N2CUG is available over the publicly accessible internet, it is recommended to test the TLS/SSL configuration from outside, for example with the Qualys SSL Labs server test, and to confirm that handshakes offering only SSLv3, TLS 1.0 or TLS 1.1 are refused. Internal deployments can be checked in the same way with openssl s_client or testssl.sh against the internal address.
HTTP Methods
HTTP TRACE
Some security audits recommend that the HTTP TRACE method be disabled to reduce available attack vectors. If so required, this can be implemented by using the Apache TraceEnable parameter:
TraceEnable off
Note that the official Apache documentation recommends against setting TraceEnable to this value:
Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it.
ETag Generation
It is recommended to disable inode-based ETag generation in Apache, as an inode-based ETag discloses filesystem inode numbers to clients and also differs between servers that serve the same file, which breaks caching behind a load balancer. Set FileETag to use more general information:
FileETag MTime Size
Apache versions after v2.3.14 (i.e. 2.3.15 and later, including all 2.4 releases) already default to the above configuration.
Suppress Server Information
Some security audits recommend the suppression of server information to clients. If so required, the following configuration removes Apache version information from responses (the Server header is reduced to "Apache" and error pages no longer carry a version footer):
ServerSignature Off
ServerTokens Prod
The default value for ServerSignature is already Off in all versions of Apache.
Note that the official Apache documentation recommends against altering ServerTokens in this way:
Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems… The idea of "security through obscurity" is a myth and leads to a false sense of safety.
Suppress Default Page
If no more specific location is given (and no default redirection is performed as part of post-installation configuration of N2CUG components), Apache will serve a default page, which is undesirable: the distribution's default page identifies the web server and OS, which undoes the suppression of server information above.
To suppress this page, truncate the default document to an empty file:
> /var/www/html/index.html
Note that this is only applied as a fallback measure; the post-installation configuration instructions for N2CUG components that use Apache include instructions for redirecting other traffic to the appropriate service.
Also note that on some Ubuntu systems, this file may be recreated after Apache package upgrades, so re-check it after upgrading. On RPM-based systems the default page is produced by /etc/httpd/conf.d/welcome.conf whenever the document root has no index; an empty index.html suppresses it in the same way.
Set Headers
Some additional response headers should be set explicitly:
- X-Content-Type-Options: nosniff stops clients (historically MSIE in particular) from guessing a MIME type that differs from the declared Content-Type.
- X-Frame-Options: SAMEORIGIN allows N2CUG to be rendered in an inline frame only when the framing page comes from the same origin, which blocks clickjacking from other sites.
- Strict-Transport-Security (HSTS) instructs browsers to use HTTPS for every future request to this host for max-age seconds (15768000 seconds is six months).
The Header directive requires mod_headers (on DEB-based systems: a2enmod headers). The HSTS header only has effect in responses sent over HTTPS, so it should be set in the HTTPS virtual host rather than globally:
<Location />
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Strict-Transport-Security "max-age=15768000"
</Location>
Using Header always set instead of Header set applies the headers to error responses (for example 404 pages) as well as to successful ones.
WebDAV
N2CUG does not use WebDAV, so it should be disabled by removing its modules from Apache. The process to do this depends on your Linux OS type. After restarting, apachectl -M (or httpd -M) should no longer list dav_module, dav_fs_module or dav_lock_module.
RPM-Based Systems
These modules are loaded by default in the Apache configuration (on recent releases in /etc/httpd/conf.modules.d/00-dav.conf) and should be commented out:
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
DEB-Based Systems
Disable the modules with a2dismod dav_fs dav_lock dav, or ensure that the following files are not present or linked in the mods-enabled Apache folder (/etc/apache2/mods-enabled):
dav_fs.conf
dav.load
dav_fs.load
dav_lock.load
Set Server Name
To help avoid DNS rebinding attacks, enforce access to N2CUG over the correct hostname(s). This can be achieved by moving the N2CUG and Jarvis configuration to within appropriate VirtualHost directives, with ServerName and ServerAlias set to the appropriate host names, i.e.:
<VirtualHost *:443>
ServerName your.host.com
ServerAlias your.host2.com your.host3.com
# Existing N2CUG configuration goes here.
</VirtualHost>
Note that a request whose Host header matches no ServerName or ServerAlias is served by the first VirtualHost defined for that address and port, so the N2CUG host must not be the only (or the first) VirtualHost on port 443. Define a separate catch-all VirtualHost before it that denies all requests, so that access by IP address or by an attacker-controlled name is rejected rather than silently routed to N2CUG.
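The settings from this page pulled together into one Apache 2.4 layout, as an added example; this is not configuration shipped by N-Squared or taken from the N2CUG installation instructions. The hostnames, the certificate paths and the placeholder name default.invalid are assumptions, and it assumes mod_ssl, mod_headers and mod_authz_core (Apache 2.4 Require syntax) are loaded. The catch-all hosts are deliberately listed first: Apache answers an unmatched Host header from the first VirtualHost for that address and port, so a dedicated first host is what turns the ServerName check into an actual rejection.

```apache
# Added example, not N-Squared's own configuration. Hostnames, certificate
# paths and "default.invalid" are placeholders.

# --- Global settings (httpd.conf / apache2.conf) ---
ServerTokens Prod
ServerSignature Off
TraceEnable off
FileETag MTime Size

# TLS defaults inherited by every SSL virtual host below.
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

# --- 1. Catch-all hosts, declared FIRST so they are the default for any
#        request whose Host header matches none of the real names
#        (direct IP access, DNS rebinding). Everything gets a 403. ---
<VirtualHost *:80>
    ServerName default.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/n2cug.crt
    SSLCertificateKeyFile /etc/ssl/private/n2cug.key
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# --- 2. Plain HTTP for the real names does nothing but redirect to HTTPS. ---
<VirtualHost *:80>
    ServerName your.host.com
    ServerAlias your.host2.com your.host3.com
    Redirect permanent / https://your.host.com/
</VirtualHost>

# --- 3. The HTTPS host that actually serves N2CUG. ---
<VirtualHost *:443>
    ServerName your.host.com
    ServerAlias your.host2.com your.host3.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/n2cug.crt
    SSLCertificateKeyFile /etc/ssl/private/n2cug.key

    # Security headers. "always" also attaches them to error responses.
    # HSTS is set here only, because browsers ignore it over plain HTTP.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Strict-Transport-Security "max-age=15768000"

    # Existing N2CUG configuration goes here.
</VirtualHost>
```

After loading this, requests to https://your.host.com/ reach the N2CUG host, while a request carrying an unknown Host header (for example curl -k -H "Host: other.example" https://203.0.113.10/, with the server's address substituted) receives 403 from the catch-all host instead of N2CUG content; that is the check that confirms the ServerName restriction is effective.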