Apache Security Configuration

Security

Some N2CUG components - specifically the GUI and API - run as HTTP web applications through the Apache 2 webserver, and Apache should be configured to provide a strong security layer for this usage.

N-Squared recommends applying the following configuration changes to any default Apache 2 installation. These changes are selected to enhance the security layer provided for N2CUG.

Please refer to the relevant Apache documentation for further details on these recommendations.

Note that in all cases Apache will have to be restarted once the appropriate change(s) have been made:

apachectl restart

Version Selection

It is strongly recommended that the latest available version of Apache is used for any web server installation. The minimum version installed should always be the latest version available for your OS installation. It is also strongly recommended that your OS version is actively supported with security updates.

TLS/SSL

It is strongly recommended that if N2CUG is accessed through a publicly accessible web address, it is accessed over HTTPS only. It is also recommended that HTTPS should be used even for internal access.

TLS/SSL Protocols

Insecure TLS/SSL protocols should be disabled. This is done by setting SSLProtocol and SSLCipherSuite in the Apache configuration to a more restricted option set:

SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5

In this configuration, SSLv2, SSLv3, and TLS 1.0 are disabled and only TLS 1.2 is enabled in the SSLProtocol parameter, and support for RC4 ciphers is disabled in the SSLCipherSuite parameter.

TLS/SSL Test

If N2CUG is available over the publicly accessible internet, it is recommended to test the TLS/SSL configuration.

HTTP Methods

HTTP TRACE

Some security audits recommend that the HTTP TRACE method be disabled to reduce available attack vectors. If so required, this can implemented by using the Apache TraceEnable parameter:

TraceEnable off

Note that the official Apache documentation recommends against setting TraceEnable to this value:

Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it.

ETag Generation

It is recommended to disable inode-based ETag generation in Apache by setting FileETag to use more general information:

FileETag MTime Size

Apache versions after v2.3.14 already default to the above secure configuration.

Suppress Server Information

Some security audits recommend the suppression of server information to clients. If so required, the following configuration removes Apache version information from responses:

ServerSignature Off
ServerTokens Prod

The default value for ServerSignature is already Off in all versions of Apache.

Note that the official Apache documentation recommends against altering ServerTokens in this way:

Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems… The idea of “security through obscurity” is a myth and leads to a false sense of safety.

Suppress Default Page

If no more specific location is given (and no default redirection is performed as part of post-installation configuration of N2CUG components), Apache will serve a default page, which is undesirable.

To suppress this page, execute:

> /var/www/html/index.html

Note that this is only applied as a fallback measure; the post-installation configuration instructions for N2CUG components that use Apache include instructions for redirecting other traffic to the appropriate service.

Also note that on some Ubuntu systems, this file may be recreated after Apache package upgrades.

Set Headers

Some additional headers should be explicitly set for various reasons:

  1. To force clients (especially MSIE) to follow MIME content type by setting X-Content-Type-Options.
  2. To ask clients to allow N2CUG to be embedded in an inline frame by setting X-Frame-Options.
  3. To enforce HTTPS access to Apache by setting use Strict-Transport-Security.
<Location />
    Header set X-Content-Type-Options: "nosniff"
    Header set X-Frame-Options: "sameorigin"
    Header set Strict-Transport-Security: max-age=15768000;
</Location>

WebDAV

WebDAV should be disabled by removing its modules in Apache. The process to do this depends on your Linux OS type.

RPM-Based Systems

These modules are loaded by default in the Apache configuration and should be commented out:

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_fs_module modules/mod_dav_lock.so

DEB-Based Systems

Ensure that the following files are not present or linked in the mods-enabled Apache folder:

dav_fs.conf
dav.load
dav_fs.load
dav_lock

Set Server Name

To help avoid DNS rebind attacks, enforce access to N2CUG over the correct hostname(s). This can be achieved by moving the N2CUG and Jarvis configuration to within appropriate VirtualHost directives, with ServerName and ServerAlias set to the appropriate host names, i.e.:

<VirtualHost *:443>
    ServerName your.host.com
    ServerAlias your.host2.com your.host3.com
    <!-- Existing N2CUG configuration goes here. -->
</VirtualHost>