<!doctype html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="description" content="Securing Apache - Fedora/RedHat Step3c - Enabling http 1.1/h2 Protocols" />
<meta name="keywords" content="Apache, Security, SSL, TLS, Certificate, Fedora, RedHat, SUSE, CentOS, Elliptical Curves, RSA, Encryption, http 1.1, H2, PHP, Application-Layer Protocol Negotiation, ALPN" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<meta name="author" content="Kevin Dziekonski" />
<meta name="generator" content="The Dead's Script O' Rama" />
<meta name="application-name" content="Zombie Security" />
<meta http-equiv="Content-Type" content="text/html" />
<meta name="robots" content="index, follow" />
<meta name="googlebot" content="index, follow" />
<meta name="copyright" content="Zombie materials are subject to copyrights" />
<meta property="og:title" content="Free Best Practice Security Guides" />
<meta property="og:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:secure_url" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:type" content="image/jpg" />
<meta property="og:image:alt" content="Zombie Security – Free Best Practice Security Guides" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://zombiesecured.com" />
<meta property="og:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="og:site_name" content="Zombie Secured" />
<meta property="twitter:card" content="summary" />
<meta property="twitter:site" content="https://zombiesecured.com " />
<meta property="twitter:site.id" content="@zombiesecured" />
<meta property="twitter:creator" content="@kevindziekonski" />
<meta property="twitter:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="twitter:title" content="Zombiesecured Free Educational Best Practices Security Guides" />
<meta property="twitter:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="twitter:image.alt" content="Free security education and best practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="msapplication-TileColor" content="#D83434" />
<meta name="msapplication-TileImage" content="https://zombiesecured.com/images/favicon.jpg" />
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-touch-fullscreen" content="yes">
<link rel="apple-touch-icon" href="https://zombiesecured.com/images/favicon.png" />
<link rel="canonical" href="https://zombiesecured.com/" />
<title>Step 3c - Enabling http1.1/H2 Protocols (Fedora/Redhat)</title>
</head>
<body>
<div class="container-fluid">
<!-- Add the common header to display the main menu. -->
<div id="header"></div>
<div class="row">
<!-- This section is the side menu section -->
<div class="col-md-2">
<div id="apacheFedoraSideMenu"></div>
</div>
<!-- This section is the content section -->
<div class="col-md-10">
<div class="card border-dark mb-3 mt-3">
<div class="card-header d-flex align-items-center justify-content-center">
<!-- This is the content header start. Add text here for the content banner text. -->
<h4>Securing Apache - Fedora/CentOS/SUSE/RedHat</h4>
</div>
<div class="card-body">
<!-- This section is the content section. Add the bulk HTML here -->
<h3>Step 3c - Enabling http1.1/H2 protocols - <span class="red">Mandatory Step!!!</span></h3>
<p class="card-text">You have to love the Apache Foundation when it warns you about its own product: enabling HTTP/2 on your Apache server has an impact on resource consumption, and if you run a busy site you need to consider the implications carefully. The first thing you will notice after enabling HTTP/2 is that your server processes start additional threads. The reason is that HTTP/2 hands every request it receives to its own worker threads for processing, collects the results and streams them out to the client. </p>
<p class="card-text"><a href="https://httpd.apache.org/docs/2.4/mod/mod_http2.html" title="HTTP1.1/H2" target="_blank">H2 Options explained more in depth</a></p>
<p class="card-text">As if the Apache Foundation's documentation were not horrible enough, its guidance is awful; did they even test H2? The <a href="https://http2.akamai.com/demo" title="Akamai test" target="_blank">Akamai test</a> shows the speed difference, despite the Apache Foundation being the Apache Foundation. People still think encryption kills performance! That is an old myth that needs to die a painful death: plain HTTP is slower than HTTPS!</p>
<p class="card-text">HTTP/2 has many wonderful benefits compared to HTTP/1.0 and HTTP/1.1. H2 brings DDoS protection, better security, more options, and so forth. H2 allows us to use <a href="https://www.keycdn.com/support/alpn/" title="ALPN" target="_blank">Application-Layer Protocol Negotiation (ALPN)</a>, which drops our latency for requests to pretty much zero. <a href="https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW35" title="Mobile device security" target="_blank">Mobile devices</a> are also upping the ante for security. We should use it whenever possible, and pretty much every modern browser supports it. Despite the warning, I have not had problems with H2, but I will still "tweak" MPM Event and other settings to gain some performance. </p>
<p class="card-text"><a href="https://tools.keycdn.com/http2-test" target="_blank">Test to see if H2 is enabled</a></p>
<p class="card-text"><span class="orange">I am surprised at how many large sites do not have it deployed.</span></p>
<p class="card-text"><img class="img-fluid rounded mx-100% d-none d-md-block" src="/images/Apache/H2.jpg" longdesc="https://tools.keycdn.com/http2-test"></p>
<p class="card-text"><span class="blue">Test performed April 2019 - Image source keycdn.com</span></p>
<p class="card-text"><strong>Unfortunately the current version of Apache in RHEL 7.6 does not support HTTP/2. HTTP/2 has been introduced in RHEL 8 Beta. We will cover it in an updated document once the final version has been released. For now we will enable HTTP/1.1.</strong></p>
<h4>Make changes to the Apache Website config file by adding the sections in <span class="blue">blue</span> to the file</h4>
<pre>nano /etc/httpd/conf.d/EXAMPLE_com_ssl.conf</pre>
<p class="card-text"> <IfModule mod_ssl.c><br>
<VirtualHost *:443><br>
ServerAdmin [email protected]<br>
ServerName EXAMPLE.com<br>
ServerAlias www.EXAMPLE.com<br>
DocumentRoot /var/www/html/EXAMPLE<br>
DirectoryIndex index.html<br>
LogLevel info ssl:warn<br>
ErrorLog ${APACHE_LOG_DIR}/error.log<br>
CustomLog ${APACHE_LOG_DIR}/access.log combined<br>
<span class="blue">Protocol http/1.1</span><br>
SSLEngine on<br>
SSLCertificateFile /etc/apache2/ssl/www_EXAMPLE_com.crt<br>
..............................<br>
</VirtualHost><br>
</IfModule></p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Restart Apache</h4>
<pre>systemctl restart httpd</pre>
<h5><span class="orange">If you are going to use PHP</span></h5>
<p class="card-text">ProxyPassMatch directives are evaluated first, before any FilesMatch configuration is applied. We want granular control over our headers and over how PHP requests are handled. The best way I can describe the difference: ProxyPass forwards the request to the FPM daemon outright, while FilesMatch lets Apache handle the request itself and only then hands matching files to the proxy handler.</p>
<p class="card-text blue">ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1</p>
<p class="card-text">Using ProxyPassMatch removes your ability to allow or deny access to PHP files, and you also lose the ability to manipulate PHP requests on the server side. If you are passing PHP requests to an FPM daemon, use FilesMatch + SetHandler instead of ProxyPassMatch.</p>
<p class="card-text blue"><FilesMatch "\.php$"><br>
SetHandler "proxy:fcgi://127.0.0.1:9000"<br>
</FilesMatch></p>
<h4 class="mt-3">Make changes for PHP to the Apache Website config file by adding the sections in <span class="blue">blue</span> to the file</h4>
<pre>nano /etc/httpd/conf.d/EXAMPLE_com_ssl.conf</pre>
<p class="card-text"> <IfModule mod_ssl.c><br>
<VirtualHost *:443><br>
ServerAdmin [email protected]<br>
ServerName EXAMPLE.com<br>
ServerAlias www.EXAMPLE.com<br>
DocumentRoot /var/www/html/EXAMPLE<br>
DirectoryIndex index.html<br>
LogLevel info ssl:warn<br>
ErrorLog ${APACHE_LOG_DIR}/error.log<br>
CustomLog ${APACHE_LOG_DIR}/access.log combined<br>
<span class="blue">Protocol http/1.1</span><br>
<span class="blue"><FilesMatch "\.php$"></span><br>
<span class="blue">SetHandler "proxy:fcgi://127.0.0.1:9000"</span><br>
<span class="blue"></FilesMatch></span><br>
SSLEngine on<br>
..............................<br>
</VirtualHost><br>
</IfModule></p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Restart Apache</h4>
<pre>systemctl restart httpd</pre>
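<p class="card-text">As an added example that is not part of the original guide, here is an H2-ready version of the EXAMPLE.com vhost that also shows the granular PHP control the FilesMatch approach buys you; it assumes mod_proxy, mod_proxy_fcgi and PHP-FPM on 127.0.0.1:9000, and an upload directory at /var/www/html/EXAMPLE/uploads. The directive that actually selects HTTP versions is Protocols (plural, httpd 2.4.17 and later), so it is guarded with IfModule to stay loadable on RHEL 7.6's httpd 2.4.6.</p>

```apache
# Added example, not the guide's own config. Assumptions: mod_proxy and
# mod_proxy_fcgi are loaded, PHP-FPM listens on 127.0.0.1:9000, and user
# uploads live under /var/www/html/EXAMPLE/uploads.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName EXAMPLE.com
    ServerAlias www.EXAMPLE.com
    DocumentRoot /var/www/html/EXAMPLE

    # Advertise h2 via ALPN only when mod_http2 is present (RHEL 8+).
    # When the module is absent (RHEL 7.6) this block is skipped and the
    # server simply keeps speaking http/1.1, which is the default anyway.
    <IfModule http2_module>
        Protocols h2 http/1.1
    </IfModule>

    # Hand *.php to PHP-FPM through mod_proxy_fcgi. Unlike ProxyPassMatch,
    # this keeps the request inside Apache's normal access-control path,
    # so the Directory/Require rules below still apply to PHP files.
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>

    # Granular control that ProxyPassMatch cannot give you: never execute
    # PHP that lands in the upload directory. The handler is removed and
    # the files are denied outright, whatever extension variant is used.
    <Directory "/var/www/html/EXAMPLE/uploads">
        <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
            SetHandler None
            Require all denied
        </FilesMatch>
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www_EXAMPLE_com.crt
    # ... remaining SSL directives as in the config above ...
</VirtualHost>
</IfModule>
```

<p class="card-text">Run <code>apachectl configtest</code> before restarting, and confirm the upload rule with a request for a dummy .php file under /uploads, which must return 403 rather than executing.</p>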
</div>
<!-- This is the end of the bulk content section. -->
<div class="card-footer text-secondary">
<!-- This is the card footer where the next/previous links and arrows go. The links will need to be updated for every page. -->
<a class="text-secondary float-left" href="Step3b-Lock.html"><i class="fa fa-arrow-left fa-2x"></i> PREVIOUS </a> <a class="text-secondary float-right" href="Step3d-Lock.html"> NEXT <i class="fa fa-arrow-right fa-2x"></i></a> </div>
</div>
</div>
</div>
</div>
<!-- Add the common footer. -->
<div id="footer"></div>
<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
<script src="/js/zombie.js"></script>
</body>
</html>