Apache Security Configuration

Security

Some N2VS components - specifically the GUI and frontend API - run as HTTP web applications served by the Apache 2 web server, so Apache should be configured to provide a strong security layer for them. N-Squared recommends applying the following configuration changes to any default Apache 2 installation; they are selected to enhance the security layer provided for N2VS.

Please refer to the relevant Apache documentation for further details on these recommendations.

Note that in all cases Apache will have to be restarted once the appropriate change(s) have been made:

apachectl restart

Version Selection

It is strongly recommended that the latest available version of Apache is used for any web server installation; at minimum, install the latest version packaged for your OS release. It is also strongly recommended that your OS version is actively supported with security updates.

TLS/SSL

It is strongly recommended that if N2VS is accessed through a publicly accessible web address, it is accessed over HTTPS only. It is also recommended that HTTPS should be used even for internal access.

TLS/SSL Protocols

Insecure TLS/SSL protocols and ciphers should be disabled. This is done by setting SSLProtocol and SSLCipherSuite in the Apache configuration to a more restricted option set:

SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5

In this configuration the SSLProtocol value first removes every protocol version (SSLv3, TLS 1.0 and TLS 1.1, plus SSLv2 where the underlying OpenSSL build still knows it) and then enables only TLS 1.2. Note that this also excludes TLS 1.3; on Apache 2.4.37 or later built against OpenSSL 1.1.1 or later, add +TLSv1.3 to the directive so that capable clients are not held back to TLS 1.2. The SSLCipherSuite value limits the TLS 1.2 cipher suites to the OpenSSL HIGH strength group and removes anonymous (unauthenticated, aNULL) and MD5-based suites; RC4 is excluded as a result, since OpenSSL does not classify it as HIGH.
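The following script is an added example, not N2VS or Apache project code, for checking the protocol and cipher side of this configuration. sslprotocol_enabled evaluates an SSLProtocol value offline with the token rules mod_ssl applies (+ adds a version, - removes one, an unprefixed name replaces the whole set, all expands to every version the build knows), tls_probe performs a handshake per protocol version against a live server, and cipher_list expands a cipher string through the local openssl binary. The host name and port are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not N2VS or Apache project code) for checking the protocol and
# cipher side of the configuration above. sslprotocol_enabled() evaluates an
# SSLProtocol value offline with mod_ssl's token rules; tls_probe() and
# cipher_list() use the local openssl binary. Host and port are assumptions
# supplied by the caller.

# Evaluate an SSLProtocol directive value the way mod_ssl parses it:
#   +NAME adds a version, -NAME removes one, a bare NAME replaces the whole set
#   (mod_ssl logs "overrides already set parameter(s)" for a second bare name),
#   and "all" means every version the OpenSSL build knows (listed below).
# Prints the enabled versions in a fixed order, space separated.
sslprotocol_enabled() {
    enabled=""
    for tok in $1; do
        case $tok in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok ;;
        esac
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')   # names are case-insensitive
        case $name in
            all) members="sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3" ;;
            sslv3|tlsv1|tlsv1.1|tlsv1.2|tlsv1.3) members=$name ;;
            *) echo "unknown protocol token: $tok" >&2; return 1 ;;
        esac
        case $op in
            set) enabled=$members ;;
            add) enabled="$enabled $members" ;;
            del) kept=""
                 for v in $enabled; do
                     case " $members " in
                         *" $v "*) ;;               # removed
                         *) kept="$kept $v" ;;
                     esac
                 done
                 enabled=$kept ;;
        esac
    done
    out=""
    for v in sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3; do
        case " $enabled " in *" $v "*) out="$out $v" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Returns 0 (true) if the value still allows SSLv3, TLS 1.0 or TLS 1.1.
sslprotocol_allows_legacy() {
    case " $(sslprotocol_enabled "$1") " in
        *" sslv3 "*|*" tlsv1 "*|*" tlsv1.1 "*) return 0 ;;
    esac
    return 1
}

# Expand a cipher string as OpenSSL would, e.g. cipher_list 'HIGH:!aNULL:!MD5';
# grep the output for RC4, DES or NULL to confirm they are gone.
cipher_list() {
    openssl ciphers -v "$1"
}

# Handshake against a live server with each protocol version; a failed handshake
# means the server rejected it (or the local OpenSSL build lacks that version).
tls_probe() {   # usage: tls_probe your.host.com [443]
    host=$1; port=${2:-443}
    for flag in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$flag" \
                </dev/null >/dev/null 2>&1; then
            printf '%-8s accepted\n' "$flag"
        else
            printf '%-8s rejected\n' "$flag"
        fi
    done
}

if [ "${1:-}" != "" ]; then
    tls_probe "$1" "${2:-443}"
fi
```

Run it as tls_probe against the server after the restart: only tls1_2 (and tls1_3 where enabled) should report accepted. The offline evaluator is useful for reviewing directives in a configuration management repository, in particular for catching the common mistake of listing two bare names, which mod_ssl treats as the second replacing the first.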

HTTP Methods

HTTP TRACE

Some security audits recommend that the HTTP TRACE method be disabled to reduce the available attack surface. If so required, this can be implemented with the Apache TraceEnable directive (TRACE cannot be restricted with <Limit> or <LimitExcept>):

TraceEnable off

Note that the official Apache documentation recommends against setting TraceEnable to this value:

Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it.

HTTP OPTIONS / HEAD

Some security audits recommend that the HTTP OPTIONS and HEAD methods be disabled to further reduce the available attack surface.

Unlisted methods can be refused by allow-listing the required methods only (Apache 2.4 syntax; the older "order deny,allow" / "deny from all" form requires mod_access_compat):

<LimitExcept POST GET PUT DELETE>
    Require all denied
</LimitExcept>

Note what this block does and does not cover. Any method not listed (OPTIONS, PATCH, PROPFIND and so on) receives a 403 response. Apache treats HEAD as GET for the purposes of <Limit> and <LimitExcept>, so HEAD remains allowed whenever GET is listed and cannot be disabled this way. TRACE is not controlled by these sections at all and must be disabled with TraceEnable as above. Also be aware that refusing OPTIONS also refuses CORS preflight requests, which matters if the N2VS frontend API is ever called from a different origin.

Automatic Redirect

It is recommended for nodes running a single application that redirection is enabled to steer all requests towards that application only.

For example, edit the N2VS Apache configuration file:

nano /etc/httpd/conf.d/n2vs.conf

and add the following, which redirects requests for the site root (/) to the application. Other paths outside /n2vs are still served by Apache, which is why the default page should also be suppressed (see Suppress Default Page below):

RedirectMatch ^/$ /n2vs

Content Security Policy

The N2VS screens support a strict Content Security Policy. It may be enabled by adding the following to the N2VS configuration file; default-src 'self' restricts scripts, styles, images and other resources to the N2VS origin, and connect-src 'self' restricts XMLHttpRequest and fetch connections likewise, so inline scripts and any third-party resources are refused by the browser:

<Location /n2vs>
    Header always set Content-Security-Policy "default-src 'self'; connect-src 'self';"
</Location>

When introducing the policy on an existing installation, the same value can first be sent in a Content-Security-Policy-Report-Only header so that violations are reported in the browser console without anything being blocked.

ETag Generation

It is recommended to disable inode-based ETag generation by setting FileETag to use only the file's modification time and size:

FileETag MTime Size

The older default of INode MTime Size exposes the file's inode number to clients, and also causes identical files on different servers behind a load balancer to carry different ETags, defeating caching. Apache versions after v2.3.14 already default to MTime Size.

Suppress Server Information

Some security audits recommend the suppression of server information to clients. If so required, the following configuration removes Apache version information from responses:

ServerSignature Off
ServerTokens Prod

The default value for ServerSignature is already Off in all versions of Apache.

Note that the official Apache documentation recommends against altering ServerTokens in this way:

Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems… The idea of “security through obscurity” is a myth and leads to a false sense of safety.

Suppress Default Page

If a request matches no more specific location (and no default redirection has been configured as part of the post-installation configuration of N2VS components), Apache serves its default welcome page, which is undesirable.

To suppress this page, truncate the default index file to zero length:

> /var/www/html/index.html

Note that this is only a fallback measure; the post-installation configuration instructions for N2VS components that use Apache include instructions for redirecting other traffic to the appropriate service.

Also note that on some Ubuntu systems this file may be recreated when the Apache package is upgraded, so the check should be repeated after upgrades.

Set Headers

Some additional response headers should be explicitly set:

  1. X-Content-Type-Options: nosniff stops clients (historically MSIE in particular) from guessing a MIME type that differs from the declared Content-Type.
  2. X-Frame-Options: sameorigin allows N2VS to be embedded in a frame only by pages from its own origin, which protects against clickjacking from other sites.
  3. Strict-Transport-Security (HSTS) instructs browsers to use HTTPS for all future access to the host for max-age seconds. Browsers only honour the header when it arrives over HTTPS.

The directives below use "Header always set" so that the headers are also sent on error responses (a plain "Header set" only applies to 2xx responses), and give the header name without a trailing colon:

<Location />
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "sameorigin"
    Header always set Strict-Transport-Security "max-age=15768000"
</Location>

WebDAV

WebDAV should be disabled by not loading its modules (mod_dav, mod_dav_fs and mod_dav_lock) in Apache. The procedure depends on your Linux OS type.

RPM-Based Systems

These modules are loaded by default in the Apache configuration (typically from /etc/httpd/conf.modules.d/00-dav.conf) and the LoadModule lines should be commented out:

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so

DEB-Based Systems

Ensure that none of the following files are present or linked in the /etc/apache2/mods-enabled folder:

dav.load
dav_fs.load
dav_fs.conf
dav_lock.load
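The script below is an added example, not N2VS or distribution code, that performs the procedure for either packaging family and then confirms that no configuration file still loads a DAV module. The paths are assumptions: it expects RPM-based httpd to load the modules from /etc/httpd/conf.modules.d/00-dav.conf and DEB-based apache2 to manage module links with a2dismod.

```shell
#!/bin/sh
# Added example, not N2VS or distribution code: disable the WebDAV modules on
# either packaging family and confirm nothing still loads them.
# Assumed paths: RPM-based httpd loads mod_dav* from
# /etc/httpd/conf.modules.d/00-dav.conf; DEB-based apache2 manages module
# symlinks in /etc/apache2/mods-enabled via a2dismod.
set -u

DAV_RE='^[[:space:]]*LoadModule[[:space:]]+dav(_fs|_lock)?_module[[:space:]]'

# Comment out every LoadModule line for mod_dav, mod_dav_fs and mod_dav_lock in
# the given file. Idempotent: lines that are already comments are left alone.
# Returns 0 when the file no longer loads any DAV module; keeps a .bak copy.
disable_dav_loadmodules() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    sed -i.bak -E \
        's/^([[:space:]]*)(LoadModule[[:space:]]+dav(_fs|_lock)?_module[[:space:]])/\1#\2/' \
        "$conf"
    ! grep -Eq "$DAV_RE" "$conf"
}

# List every file under a directory that still loads a DAV module (empty = clean).
dav_loaders_in() {
    grep -rEl "$DAV_RE" "$1" 2>/dev/null || true
}

# Apply the right procedure for this host, then syntax-check the result.
disable_dav() {
    if command -v a2dismod >/dev/null 2>&1; then
        # DEB-based: order matters, dav_fs and dav_lock depend on dav.
        a2dismod dav_fs dav_lock dav
        ls /etc/apache2/mods-enabled/dav* 2>/dev/null && return 1
    else
        disable_dav_loadmodules /etc/httpd/conf.modules.d/00-dav.conf || return 1
        [ -z "$(dav_loaders_in /etc/httpd/conf.modules.d)" ] || return 1
    fi
    apachectl configtest && echo "WebDAV disabled; restart Apache to apply"
}

# Only touch the system when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--apply" ]; then
    disable_dav
fi
```

Run it with --apply as root, then restart Apache as described at the top of this page. The final dav_loaders_in check matters on RPM-based systems because a locally added configuration file can load the modules again even after 00-dav.conf has been edited.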

Set Server Name

To help protect against DNS rebinding attacks, enforce access to N2VS over the correct hostname(s). This can be achieved by moving the N2VS and Jarvis configuration inside appropriate VirtualHost directives, with ServerName and ServerAlias set to the expected host names, e.g.:

<VirtualHost *:443>
    ServerName your.host.com
    ServerAlias your.host2.com your.host3.com
    # Existing N2VS configuration goes here.
</VirtualHost>

Note that Apache routes any request whose Host header matches no ServerName or ServerAlias to the first VirtualHost defined for that address and port. The N2VS VirtualHost must therefore not be the first one defined for *:443; define a catch-all VirtualHost ahead of it that rejects or redirects such requests, otherwise a request arriving under an attacker-controlled hostname still reaches N2VS.

ModSecurity

ModSecurity provides a web application firewall (WAF) module for Apache which may be deployed to provide additional protection, normally together with the OWASP Core Rule Set (CRS).

Install the module (shown for RPM-based systems using dnf; the package name differs on DEB-based systems):

dnf install mod_security

Configure and enable ModSecurity:

ln -s /etc/httpd/conf.d/mod_security.conf /etc/httpd/conf.modules.d/00-mod_security.conf

Download the Core Rule Set (v3.3.0 is shown here; use the latest release of the 3.x series, as later point releases contain rule fixes):

wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.zip

Unzip the archive and copy the CRS setup file and the rules into the directories included by the package's mod_security.conf:

unzip v3.3.0.zip
cd coreruleset-3.3.0
cp crs-setup.conf.example /etc/httpd/modsecurity.d/crs-setup.conf
cd rules
cp * /etc/httpd/modsecurity.d/activated_rules/

Run ModSecurity in detection-only mode first (SecRuleEngine DetectionOnly) and review the audit log for false positives against the N2VS GUI and API before switching to blocking mode, since CRS rules commonly trigger on legitimate JSON payloads and query strings.

Example Configuration

The following is an example N2VS HTTP security configuration combining the settings above. Note that this version sets HSTS for one year with includeSubDomains and preload: includeSubDomains applies the policy to every subdomain of the host, and preload signals eligibility for browser preload lists, from which removal is slow, so only use these once every host under the domain is served over HTTPS. Add +TLSv1.3 to the SSLProtocol line where the Apache and OpenSSL versions support it.

nano /etc/httpd/conf.d/n2vs-http-security.conf

ServerSignature Off
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
TraceEnable Off
ServerTokens Prod
FileETag MTime Size
<Location />
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "sameorigin"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    <LimitExcept POST GET PUT DELETE>
        Require all denied
    </LimitExcept>
</Location>
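As an added check, not part of the N2VS documentation or code, the script below verifies the response-level settings in this example (the Set Headers, HTTP Methods and Suppress Server Information sections) against a running server. audit_headers reads a raw HTTP response header block such as curl -I prints and checks for the three hardening headers and a version-free Server header, so it can be exercised offline; check_site feeds it a live response and also shows the status codes Apache returns for GET, HEAD, OPTIONS and TRACE after the changes above. The URL is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example, not N2VS project code: verify the response-level hardening
# above against a running server. audit_headers() inspects a raw response header
# block on stdin and works offline; check_site() feeds it live curl output.
# The URL (e.g. https://your.host.com/n2vs/) is an assumption supplied by the caller.

# Returns 0 when the three hardening headers are present with sane values and
# the Server header carries no Apache version; prints one line per finding.
audit_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')   # header names/values are case-insensitive
    rc=0
    printf '%s\n' "$hdrs" | grep -q '^x-content-type-options: *nosniff$' \
        || { echo "missing X-Content-Type-Options: nosniff"; rc=1; }
    printf '%s\n' "$hdrs" | grep -Eq '^x-frame-options: *(sameorigin|deny)$' \
        || { echo "missing X-Frame-Options"; rc=1; }
    # HSTS with max-age=0 tells browsers to forget the policy, so require > 0
    printf '%s\n' "$hdrs" | grep -Eq '^strict-transport-security: *max-age=[1-9][0-9]*' \
        || { echo "missing or zero Strict-Transport-Security"; rc=1; }
    # ServerTokens Prod reduces the header to "Server: Apache" with no version
    if printf '%s\n' "$hdrs" | grep -Eq '^server: *apache/[0-9]'; then
        echo "Server header leaks a version: $(printf '%s\n' "$hdrs" | grep '^server:')"
        rc=1
    fi
    return $rc
}

# Status code for one request; -I sends a real HEAD rather than "-X HEAD".
status_of() {   # usage: status_of URL [METHOD]
    if [ "${2:-}" = "HEAD" ]; then
        curl -s -o /dev/null -w '%{http_code}' -I "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' -X "${2:-GET}" "$1"
    fi
}

# Expected after the configuration above: TRACE 405 (TraceEnable Off),
# OPTIONS 403 (<LimitExcept>), HEAD the same status as GET since Apache treats
# HEAD as GET inside <Limit>/<LimitExcept>. Add -k to curl for self-signed test hosts.
check_site() {
    url=$1
    if curl -sI "$url" | audit_headers; then echo "headers: OK"; fi
    for m in GET HEAD OPTIONS TRACE; do
        printf '%-8s %s\n' "$m" "$(status_of "$url" "$m")"
    done
}

if [ "${1:-}" != "" ]; then
    check_site "$1"
fi
```

Run it with the N2VS URL after restarting Apache; every finding printed by audit_headers corresponds to one directive in the example configuration, and a 200 for OPTIONS or TRACE means the <LimitExcept> block or TraceEnable is not in effect for that path.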