Apache Configuration Example

Server
#1

Hello!

I wanted to share my Apache 2.2.15 SSL Configuration file, running off a CentOS6 Box:

For Nginx Example please visit here: Ngnix Configuration Example

This is how my /etc/httpd/conf.d/ssl.conf looks like:

LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##
#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         dbm:/var/run/apache2/ssl_scache
SSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
SSLMutex  default

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   enable only secure ciphers:
####    SSLCipherSuite HIGH:MEDIUM:!ADH
#   Use this instead if you want to allow cipher upgrades via SGC facility.
#   In this case you also have to use something like 
#        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
#   see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# enable only secure protocols: 
#SSLProtocol all -SSLv2
# 
SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA
SSLProtocol All -SSLv2 -SSLv3 -TLSv1


SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY
</IfModule>

Some take-a-ways from the above configuration. The cipher suite is a bit restrictive. This results with an A+ on SSLLabs. Noticably the Certificate and Key are not defined here. Instead I seperate that into vhosts files for each domain.
(* Updated cipher suites to more modern)

An example of the SSL portion of a the vhost located in /etc/httpd/vhost.d/hoshisato.com.conf:

<VirtualHost *:443>
ServerName hoshisato.com
ServerAlias www.hoshisato.com
DocumentRoot /var/www/vhosts/hoshisato.com/public_html

<Directory /var/www/vhosts/hoshisato.com/public_html>
        Options +Includes -Indexes FollowSymLinks -MultiViews
        AllowOverride All
</Directory>

CustomLog /var/log/httpd/hoshisato.com-access.log combined
ErrorLog /var/log/httpd/hoshisato.com-error.log
LogLevel warn

SSLEngine on
SSLCertificateFile    /etc/letsencrypt/live/hoshisato.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hoshisato.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/hoshisato.com/fullchain.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
   SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

Remember the above is an example, and you may want to modify it to fit your environment needs.

–…Archer

3 Likes
Quick Suggestion For Apache
On Android 6.0.1 the Certificate is untrusted
Loving my Let's Encrypt except for one thing...iPhones!
Problem with Android ActiveSync (Exchange)
Nginx Configuration Sample
Wildcard certificacion with my own host and DNSs from domain provider
#2

Didn’t we just read something about the DHE ciphers.

I admit I need to study this issue in more detail to decide what, if any, configuration changes to make on servers. Is it as simple as generating our own 1024-bit primes?

1 Like
#3

Hey. Thx for the example.
Shoulld’nt that be MSIE [7-9]?

2 Likes
#4

Small nitpick, this should probably be:

SSLCertificateChainFile /etc/letsencrypt/live/hoshisato.com/chain.pem

Your own certificate doesn’t need to be included in the chain file.

Thanks to @Osiris for pointing this out in another thread.

1 Like
#5

Thanks for the point out guys!
Odd, I can seem to find the button to edit my original post to make the updates. Tried clicking the little pencil button and it only gives me a history.