Apache Security Configuration
Security
Some N2VS components - specifically the GUI and frontend API - run as HTTP web applications through the Apache 2 webserver, and Apache should be configured to provide a strong security layer for this usage. N-Squared recommends applying the following configuration changes to any default Apache 2 installation. These changes are selected to enhance the security layer provided for N2VS.
Please refer to the relevant Apache documentation for further details on these recommendations.
Note that in all cases Apache will have to be restarted once the appropriate change(s) have been made (running apachectl configtest first reports any syntax error before the restart takes the service down):
apachectl restart
Version Selection
It is strongly recommended that the latest available version of Apache is used for any web server installation. The minimum version installed should always be the latest version available for your OS installation. It is also strongly recommended that your OS version is actively supported with security updates.
TLS/SSL
It is strongly recommended that if N2VS is accessed through a publicly accessible web address, it is accessed over HTTPS only. It is also recommended that HTTPS should be used even for internal access.
TLS/SSL Protocols
Insecure TLS/SSL protocol versions and cipher suites should be disabled. This is done by setting SSLProtocol and SSLCipherSuite in the Apache configuration to a more restricted option set:
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
In this configuration, SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are disabled and only TLS 1.2 is enabled by the SSLProtocol parameter. Note that -all also removes TLS 1.3: on Apache 2.4.36 or later built against OpenSSL 1.1.1 or later, add +TLSv1.3 so that the newest protocol remains available. The SSLCipherSuite parameter limits the TLS 1.2 suites to the OpenSSL HIGH class (which already excludes RC4 and other weak ciphers) and additionally removes anonymous key exchange (!aNULL) and MD5-based MACs (!MD5). This specification still permits static RSA key exchange, which offers no forward secrecy; if that matters for the deployment, prefer the ECDHE/DHE suites with SSLHonorCipherOrder on.
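To see what the SSLCipherSuite specification above actually enables on a given host, the following added example (not part of the N-Squared documentation or of N2VS) expands a specification with the local OpenSSL and flags any anonymous, null-encryption, RC4 or MD5 suite; it also lists the suites without forward secrecy that HIGH:!aNULL:!MD5 still permits. It assumes the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Expand an SSLCipherSuite specification with the local OpenSSL and flag any
# suite that a hardened Apache configuration must not offer. Example code added
# for this page; it assumes the openssl command-line tool is on PATH.

# audit_cipher_spec SPEC: exit 0 if no weak suite matches SPEC, 1 otherwise.
audit_cipher_spec() {
    local spec="$1" list weak
    # openssl ciphers -v prints one suite per line, e.g.
    # ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    if ! list=$(openssl ciphers -v "$spec" 2>/dev/null); then
        echo "invalid or empty cipher specification: $spec" >&2
        return 1
    fi
    # Anonymous key exchange, null encryption, RC4 and MD5 MACs are all unacceptable.
    weak=$(printf '%s\n' "$list" | grep -E 'Au=None|Enc=None|Enc=RC4|Mac=MD5' || true)
    if [ -n "$weak" ]; then
        echo "weak suites enabled by '$spec':" >&2
        printf '%s\n' "$weak" >&2
        return 1
    fi
    return 0
}

# count_ciphers SPEC: number of suites the local OpenSSL enables for SPEC.
count_ciphers() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c . || true
}

# non_pfs_suites SPEC: suites using static RSA key exchange (no forward secrecy).
# HIGH:!aNULL:!MD5 still permits these; ECDHE/DHE suites should be preferred.
non_pfs_suites() {
    openssl ciphers -v "$1" 2>/dev/null | grep 'Kx=RSA' || true
}

# Demonstration on the specification this page recommends and a looser one.
for spec in 'HIGH:!aNULL:!MD5' 'ALL:!aNULL'; do
    if audit_cipher_spec "$spec"; then
        echo "$spec: OK ($(count_ciphers "$spec") suites, $(non_pfs_suites "$spec" | grep -c . || true) without forward secrecy)"
    else
        echo "$spec: WEAK"
    fi
done
```

Run it on the web server itself, since the suite list depends on the OpenSSL build Apache is linked against, not on the machine the audit is launched from.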
HTTP Methods
HTTP TRACE
Some security audits recommend that the HTTP TRACE method be disabled to reduce the available attack surface (TRACE echoes the request, including cookies, back to the client, which cross-site tracing attacks have abused). If so required, this can be implemented using the Apache TraceEnable parameter:
TraceEnable off
Note that the official Apache documentation does not consider this necessary:
Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it.
HTTP OPTIONS / HEAD
Some security audits recommend that the HTTP OPTIONS and HEAD methods be disabled to further reduce the attack surface. This can be achieved by allow-listing the required methods only:
<LimitExcept POST GET PUT DELETE>
order deny,allow
deny from all
</LimitExcept>
With this in place, OPTIONS, TRACE and any other method outside the list receive a 403 Forbidden response. Note that Apache treats HEAD as a GET request, so HEAD remains permitted as long as GET is allowed. The order/deny directives are Apache 2.2 syntax and only work on Apache 2.4 when mod_access_compat is loaded; the native 2.4 form is Require all denied. Verify the result with curl -i -X OPTIONS against the N2VS URL and confirm the 403.
Automatic Redirect
It is recommended for nodes running a single application that redirection is enabled to direct requests to that application. For example, edit:
nano /etc/httpd/conf.d/n2vs.conf
and add the following to redirect requests for the site root to the application:
RedirectMatch ^/$ /n2vs
Note that the pattern ^/$ matches only the root path; requests for other paths outside /n2vs are still served from the default document root (see Suppress Default Page below).
Content Security Policy
The N2VS screens support a restrictive Content Security Policy. It may be enabled by adding the following to the N2VS configuration file:
<Location /n2vs>
Header set Content-Security-Policy "default-src 'self'; connect-src 'self';"
</Location>
This policy restricts scripts, styles, images and API calls (connect-src) to the N2VS origin itself. If the frontend API is served from a different host name than the GUI, that origin must be added to connect-src or the screens will fail to load data.
ETag Generation
It is recommended to disable inode-based ETag generation in Apache, since inode numbers disclose file-system details to clients and differ between nodes serving the same content, by setting FileETag to use more general information:
FileETag MTime Size
Apache versions after v2.3.14 already default to the above configuration.
Suppress Server Information
Some security audits recommend suppressing server information sent to clients. If so required, the following configuration removes Apache version, OS and module details from the Server header and from server-generated pages:
ServerSignature Off
ServerTokens Prod
The default value for ServerSignature is already Off in all versions of Apache. ServerTokens Prod reduces the Server header to "Apache"; the header itself cannot be removed with this directive.
Note that the official Apache documentation recommends against altering ServerTokens in this way:
Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems… The idea of "security through obscurity" is a myth and leads to a false sense of safety.
Suppress Default Page
If no more specific location is given (and no default redirection is performed as part of post-installation configuration of N2VS components), Apache will serve a default page, which is undesirable.
To suppress this page, execute:
> /var/www/html/index.html
Note that this is only applied as a fallback measure; the post-installation configuration instructions for N2VS components that use Apache include instructions for redirecting other traffic to the appropriate service.
Also note that on some Ubuntu systems, this file may be recreated after Apache package upgrades.
Set Headers
Some additional headers should be explicitly set for various reasons:
- To stop clients (especially MSIE) from MIME-sniffing a response away from its declared Content-Type, by setting X-Content-Type-Options.
- To prevent other origins from embedding N2VS in a frame (clickjacking), by setting X-Frame-Options.
- To enforce HTTPS access to Apache by setting Strict-Transport-Security.
<Location />
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "sameorigin"
Header set Strict-Transport-Security "max-age=15768000"
</Location>
Browsers only honour Strict-Transport-Security when it arrives over HTTPS, so it belongs in the HTTPS virtual host. Header set does not apply to error responses (4xx/5xx); use Header always set if error pages should carry the same headers.
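The following added example (not N2VS code) checks a captured response header block for the Server header from the Suppress Server Information section and for the X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security and Content-Security-Policy headers described above. The two header blocks are constructed samples; against a live node, call audit_headers "$(curl -sI https://your.host.com/n2vs/)" with your own host name. It assumes a POSIX shell with awk, sed and grep.

```shell
#!/bin/sh
# Check an HTTP response header block for the headers this page asks Apache to
# send. Example code added for this page, not part of N2VS; it assumes POSIX sh,
# awk, sed and grep. Feed it the output of: curl -sI https://your.host.com/n2vs/

# Minimum acceptable HSTS max-age (the six months used in the Set Headers section).
HSTS_MIN_AGE=15768000

# header_value NAME: print the value of header NAME (case-insensitive) from the
# header block on stdin, or nothing if it is absent.
header_value() {
    tr -d '\r' | awk -v want="$1" '
        BEGIN { want = tolower(want) }
        index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# hsts_max_age VALUE: extract the max-age number from an HSTS header value.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# audit_headers BLOCK: print one FAIL line per missing or weak header; exit 0 if clean.
audit_headers() {
    local headers="$1" rc=0 v age
    v=$(printf '%s\n' "$headers" | header_value Server)
    if printf '%s' "$v" | grep -Eq '[0-9]+\.[0-9]+'; then
        echo "FAIL Server header exposes a version (set ServerTokens Prod): $v"; rc=1
    fi
    v=$(printf '%s\n' "$headers" | header_value X-Content-Type-Options | tr 'A-Z' 'a-z')
    [ "$v" = "nosniff" ] || { echo "FAIL X-Content-Type-Options is '$v', expected nosniff"; rc=1; }
    v=$(printf '%s\n' "$headers" | header_value X-Frame-Options | tr 'A-Z' 'a-z')
    case "$v" in
        sameorigin|deny) ;;
        *) echo "FAIL X-Frame-Options is '$v', expected SAMEORIGIN or DENY"; rc=1 ;;
    esac
    v=$(printf '%s\n' "$headers" | header_value Strict-Transport-Security)
    age=$(hsts_max_age "$v")
    if [ -z "$age" ] || [ "$age" -lt "$HSTS_MIN_AGE" ]; then
        echo "FAIL Strict-Transport-Security missing or max-age below $HSTS_MIN_AGE: '$v'"; rc=1
    fi
    v=$(printf '%s\n' "$headers" | header_value Content-Security-Policy)
    [ -n "$v" ] || { echo "FAIL Content-Security-Policy header not set"; rc=1; }
    return $rc
}

# Constructed sample: a default Apache response before hardening.
UNHARDENED="HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux)
X-Frame-Options: sameorigin
Content-Type: text/html; charset=UTF-8"

# Constructed sample: the same response after applying this page's configuration.
HARDENED="HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; connect-src 'self'
Content-Type: text/html; charset=UTF-8"

echo "--- unhardened sample"
if audit_headers "$UNHARDENED"; then echo "PASS"; else echo "FAIL"; fi
echo "--- hardened sample"
if audit_headers "$HARDENED"; then echo "PASS"; else echo "FAIL"; fi
```

Because Header set is skipped on error responses, run the check against an error URL (for example a path that returns 404) as well as the N2VS screens to see whether Header always set is needed.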
WebDAV
WebDAV should be disabled by removing its modules from Apache. The process depends on your Linux OS type. In either case, confirm afterwards with apachectl -M that no dav modules remain loaded.
RPM-Based Systems
These modules are loaded by default in the Apache configuration (typically in /etc/httpd/conf.modules.d/) and should be commented out:
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
DEB-Based Systems
Ensure that the following files are not present or linked in the mods-enabled Apache folder (a2dismod dav dav_fs dav_lock removes the links):
dav_fs.conf
dav.load
dav_fs.load
dav_lock.load
Set Server Name
To help avoid DNS rebinding attacks, enforce access to N2VS over the correct hostname(s). This can be achieved by moving the N2VS and Jarvis configuration to within appropriate VirtualHost directives, with ServerName and ServerAlias set to the appropriate host names, i.e.:
<VirtualHost *:443>
ServerName your.host.com
ServerAlias your.host2.com your.host3.com
# Existing N2VS configuration goes here.
</VirtualHost>
Note that Apache serves a request whose Host header matches no ServerName or ServerAlias from the first VirtualHost defined for that address and port. For the name check to actually reject unknown host names, define a catch-all VirtualHost before the N2VS one that denies all requests (or redirects to the canonical name), so that the N2VS VirtualHost is never the default.
Mod Security
ModSecurity provides a web application firewall (WAF) that may be deployed in front of N2VS for additional protection.
Install dependencies:
dnf install mod_security
Configure and enable ModSecurity:
ln -s /etc/httpd/conf.d/mod_security.conf /etc/httpd/conf.modules.d/00-mod_security.conf
Download the OWASP Core Rule Set (CRS). The 3.3.0 release is shown here; check the project's releases page for the latest 3.3.x point release, since later releases fix rule bypasses, and verify the download's integrity (the project publishes signed release archives) before unpacking it:
wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.zip
Unzip the archive and copy the rules to the target directory:
unzip v3.3.0.zip
cd coreruleset-3.3.0
cp crs-setup.conf.example /etc/httpd/modsecurity.d/crs-setup.conf
cd rules
cp * /etc/httpd/modsecurity.d/activated_rules/
Before enforcing, run apachectl configtest, and consider setting SecRuleEngine DetectionOnly in mod_security.conf while reviewing the ModSecurity audit log for false positives against normal N2VS GUI and API traffic; switch it to On once the rule set has been tuned.
Example Configuration
The following is an example N2VS HTTP security configuration that may be deployed.
nano /etc/httpd/conf.d/n2vs-http-security.conf
ServerSignature Off
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
TraceEnable Off
ServerTokens Prod
FileETag MTime Size
<Location />
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "sameorigin"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
<LimitExcept POST GET PUT DELETE>
order deny,allow
deny from all
</LimitExcept>
</Location>
Note that includeSubDomains and preload commit every subdomain of the host to HTTPS for a year and, once the domain is submitted to the browser preload list, cannot be withdrawn quickly; use them only if that is intended. The order/deny lines require mod_access_compat on Apache 2.4 (Require all denied is the native form). The example does not include the Content Security Policy, redirect or VirtualHost settings from the sections above, which must be added to the N2VS configuration separately.
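As an added example covering the WebDAV section and the example configuration above (not part of N2VS or the N-Squared documentation), the following script audits an Apache configuration tree for the directives this page sets and for active WebDAV modules. It builds a constructed temporary tree that mirrors the example file plus a distribution-style module file, shows the audit failing while WebDAV is loaded and passing once it is commented out, and warns about the 2.2-style access control. It assumes a POSIX shell with awk, sed, find and mktemp, and it simplifies Apache's scoping rules by taking the last active occurrence of each directive in alphabetical file order.

```shell
#!/bin/sh
# Static audit of an Apache configuration tree against the settings on this page.
# Example code added for this page, not part of N2VS; it assumes POSIX sh, awk,
# find, sed and mktemp. Point audit_httpd_config at /etc/httpd (or /etc/apache2).

# active_lines DIR: every non-comment line from all *.conf files under DIR,
# files read in alphabetical order as Apache's Include globs do.
active_lines() {
    find "$1" -type f -name '*.conf' 2>/dev/null | LC_ALL=C sort \
        | while read -r f; do cat "$f"; done | grep -v '^[[:space:]]*#' || true
}

# directive DIR NAME: arguments of the last active occurrence of NAME under DIR.
# (A simplification: Apache's real scoping by VirtualHost/Location is ignored.)
directive() {
    active_lines "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_httpd_config DIR: print FAIL/WARN findings; exit 0 only if no FAIL.
audit_httpd_config() {
    local dir="$1" rc=0 v
    v=$(directive "$dir" SSLProtocol)
    case " $v " in
        *" -all "*) ;;
        *) echo "FAIL SSLProtocol should start from -all: '$v'"; rc=1 ;;
    esac
    case " $v " in
        *" +SSLv3 "*|*" +TLSv1 "*|*" +TLSv1.1 "*)
            echo "FAIL SSLProtocol re-enables a legacy protocol: '$v'"; rc=1 ;;
    esac
    v=$(directive "$dir" SSLCipherSuite)
    case "$v" in *'!aNULL'*) ;; *) echo "FAIL SSLCipherSuite lacks !aNULL: '$v'"; rc=1 ;; esac
    case "$v" in *'!MD5'*)   ;; *) echo "FAIL SSLCipherSuite lacks !MD5: '$v'"; rc=1 ;; esac
    [ "$(lower "$(directive "$dir" TraceEnable)")" = "off" ] || { echo "FAIL TraceEnable is not off"; rc=1; }
    [ "$(lower "$(directive "$dir" ServerTokens)")" = "prod" ] || { echo "FAIL ServerTokens is not Prod"; rc=1; }
    [ "$(lower "$(directive "$dir" ServerSignature)")" = "off" ] || { echo "FAIL ServerSignature is not Off"; rc=1; }
    case "$(lower "$(directive "$dir" FileETag)")" in
        *inode*) echo "FAIL FileETag still uses INode"; rc=1 ;;
    esac
    # WebDAV modules must not be loaded (RPM systems list them in conf.modules.d).
    if active_lines "$dir" | grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+dav(_fs|_lock)?_module'; then
        echo "FAIL WebDAV modules are still loaded"; rc=1
    fi
    # 2.2-style access control needs mod_access_compat on Apache 2.4.
    if active_lines "$dir" | grep -Eiq '^[[:space:]]*(Order|Deny from|Allow from)[[:space:]]'; then
        echo "WARN Order/Deny/Allow found; on Apache 2.4 prefer Require all denied"
    fi
    return $rc
}

# disable_dav DIR: comment out any active WebDAV LoadModule lines under DIR.
disable_dav() {
    find "$1" -type f -name '*.conf' | while read -r f; do
        tmp=$(mktemp)
        sed 's/^\([[:space:]]*LoadModule[[:space:]][[:space:]]*dav[a-z_]*_module\)/#\1/' "$f" > "$tmp" && mv "$tmp" "$f"
    done
}

# make_sample_tree: build a constructed configuration tree in a temporary
# directory (this page's example file plus a distribution-style WebDAV module
# file) and print its path.
make_sample_tree() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/conf.d" "$dir/conf.modules.d"
    cat > "$dir/conf.d/n2vs-http-security.conf" <<'EOF'
ServerSignature Off
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
TraceEnable Off
ServerTokens Prod
FileETag MTime Size
<Location />
    Header set X-Content-Type-Options "nosniff"
    <LimitExcept POST GET PUT DELETE>
        order deny,allow
        deny from all
    </LimitExcept>
</Location>
EOF
    cat > "$dir/conf.modules.d/00-dav.conf" <<'EOF'
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
EOF
    printf '%s\n' "$dir"
}

# Demonstration: the tree fails while WebDAV is loaded and passes once it is disabled.
SAMPLE=$(make_sample_tree)
echo "--- before disabling WebDAV"
if audit_httpd_config "$SAMPLE"; then echo PASS; else echo FAIL; fi
disable_dav "$SAMPLE"
echo "--- after disabling WebDAV"
if audit_httpd_config "$SAMPLE"; then echo PASS; else echo FAIL; fi
rm -rf "$SAMPLE"
```

A static pass is necessary but not sufficient: after applying the configuration, confirm the running server with apachectl -M (module list) and the header and cipher checks from the earlier sections, since a directive in an unexpected VirtualHost or Location scope can pass this audit without taking effect for N2VS.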