====== Apache config snippets ======
===== Require login to server but allow from local subnet =====
This lets hosts on the local subnet in without a password and asks everyone else for Basic authentication. Basic auth sends the password in CLEAR text on every request, so only use it on an https server.
<code apache>
Options Indexes FollowSymLinks Includes
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
Satisfy any
AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile /data/webroot/protected/useraccess.txt
AuthGroupFile /data/webroot/protected/groupaccess.txt
Require group GroupName
</code>
''Order''/''Deny''/''Allow''/''Satisfy'' are Apache 2.2 directives; on Apache 2.4 they only work with mod_access_compat loaded. The native 2.4 form is a ''<RequireAny>'' block holding ''Require ip 192.168.1.0/24'' and ''Require group GroupName''.

The two files referenced above look like this. Note that the user file must be written with ''htpasswd'', which stores a hash; a clear-text entry like the one shown here is only accepted on a few platforms and leaks the password to anyone who can read the file:
<code>
cat *.txt
mygrp:GuessMyPassword
GroupName: mygrp
</code>
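As an added example (not code from the original page), the script below writes the Apache 2.4 equivalent of the snippet above and creates hashed ''AuthUserFile'' entries with ''openssl passwd -apr1'', the same format ''htpasswd -m'' produces. The subnet, user names and the ''--print''/''--user'' flags are assumed for illustration; the paths follow the page's snippet.

```shell
#!/bin/sh
# Added example, not code from the original page: write the Apache 2.4
# form of the "local subnet or password" rule and create hashed user
# entries. The subnet, user names and flags are assumed for illustration.

SUBNET="192.168.1.0/24"                 # assumed local subnet
AUTH_DIR="/data/webroot/protected"       # same directory as the page's snippet

# Apache 2.4 equivalent of the 2.2 Order/Deny/Allow/Satisfy snippet.
# <RequireAny> grants access when EITHER the client IP is in the subnet OR
# the user authenticates and is in GroupName, which is what "Satisfy any" did.
apache24_snippet() {
    cat <<EOF
<Directory "$AUTH_DIR">
    Options Indexes FollowSymLinks Includes
    AllowOverride None
    AuthType Basic
    AuthName "Authorized Users Only"
    AuthUserFile $AUTH_DIR/useraccess.txt
    AuthGroupFile $AUTH_DIR/groupaccess.txt
    <RequireAny>
        Require ip $SUBNET
        Require group GroupName
    </RequireAny>
</Directory>
EOF
}

# One AuthUserFile line with an apr1 (Apache MD5) hash, the format
# "htpasswd -m" writes, so the clear-text password never reaches the disk.
# $1 = user, $2 = password, $3 = optional 8-character salt (random if omitted).
htpasswd_entry() {
    salt=${3:-$(openssl rand -hex 4)}    # 8 hex chars, apr1's maximum salt
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 -salt "$salt" "$2")"
}

# Sanity check before deploying: every line of the user file must carry a
# recognised hash prefix (apr1, bcrypt or {SHA}); any clear-text entry fails.
userfile_is_hashed() {
    ! grep -Ev '^[^:]+:(\$apr1\$|\$2[aby]\$|[{]SHA[}])' "$1" | grep -q .
}

# Usage: ./protect.sh --print > /etc/apache2/conf-available/protected.conf
#        ./protect.sh --user alice 'S3cret!' >> /data/webroot/protected/useraccess.txt
case "${1:-}" in
    --print) apache24_snippet ;;
    --user)  htpasswd_entry "$2" "$3" ;;
esac
```

Run ''userfile_is_hashed'' against the real ''useraccess.txt'' before enabling the site; it catches a file such as the one on this page, where the password was pasted in clear.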
===== Apache http to https Redirect =====
A minimal port-80 site whose only job is to send every request to the https site; ''Redirect permanent /'' keeps the requested path, so ''/page'' becomes ''https://wiki.example.int/page'':
<code>
root@host03:/etc/apache2/sites-available# more wiki-http-redirect-to-https
ServerName wiki.example.int
Redirect permanent / https://wiki.example.int
</code>
Once everything is served over https, the https vhost can add ''Header always set Strict-Transport-Security "max-age=31536000"'' (mod_headers) so browsers skip the clear-text hop on later visits.
===== Poodle SSL vulnerability =====
==== Background ====
See:- [[http://en.wikipedia.org/wiki/POODLE]]
==== Apache2 on Ubuntu ====
- Edit /etc/apache2/mods-available/ssl.conf.
- Change ''SSLProtocol all'' to ''SSLProtocol all -SSLv3''. SSLv2 needs no separate entry because Ubuntu's OpenSSL is built without it. On a current Apache 2.4, go further and allow only TLS 1.2 and 1.3: ''SSLProtocol -all +TLSv1.2 +TLSv1.3''.
- Check that strong ciphers are enabled (''SSLCipherSuite'') and that the server's order wins (''SSLHonorCipherOrder on'').
- Restart Apache (''service apache2 restart'').
==== Testing ====
Use the ''openssl s_client'' utility to force a connection with the disallowed protocol (SSLv3). With the fix in place the handshake must FAIL: the server answers with ''alert handshake failure'' and no cipher is negotiated (''Cipher is (NONE)''), as in this run:
<code>
root@host:/etc/apache2# openssl s_client -connect 23.24.25.26:443 -ssl3
CONNECTED(00000003)
139648475055776:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139648475055776:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1413802832
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
root@fmtswebhost2:/etc/apache2#
</code>
Without ''-ssl3'' the client negotiates TLS and the handshake should succeed. The ''verify error:num=20 (unable to get local issuer certificate)'' lines only mean that ''s_client'' was not given the CA bundle (''-CAfile''); they say nothing about the protocol fix.
<code>
root@host:/etc/apache2# openssl s_client -connect 31.14.29.46:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=GB/serialNumber=03513618/street=2 New Brunswick Square/street=Brindley Road/postalCode=B21 2AZ/C=GB/ST=West Midlands/L=Birmingham/O=MTServer Limited/CN=www.mtserver.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
....edited....
---
No client certificate CA names sent
---
SSL handshake has read 4370 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 9511860F5F1D9F8DDFA990D9FE6BD45B07A1D06778DF612E4A13698543AFA4E5
    Session-ID-ctx:
    Master-Key: 68C45A2FCF7F380E2DB62E9C615565BB817C838D7DDA427390650C8E83BE324D48E65D7DFDE6FFC126180A96A10B005F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
....edited....
    Start Time: 1413803043
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
root@host:/etc/apache2#
</code>
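The manual check above does not scale to many hosts, and on a modern system it can silently mislead: an ''openssl'' built without SSLv3 rejects the ''-ssl3'' flag, which looks like a failed handshake but proves nothing about the server. The script below is an added example (not code from the original page) that wraps the probe and classifies the output into rejected, accepted or untestable, and also confirms TLS 1.2 still works. Host names and ports are parameters; the script name is assumed.

```shell
#!/bin/sh
# Added example, not code from the original page: probe hosts for SSLv3
# after the SSLProtocol change and classify the s_client result, including
# the case where the local openssl can no longer speak SSLv3 at all.
# Host names and ports are parameters; nothing here is a real target.

# Classify "openssl s_client -ssl3" output read from stdin.
# Prints one word and returns:
#   0 rejected    server refused SSLv3 (handshake failure, no cipher chosen)
#   1 accepted    server negotiated SSLv3 and a cipher: still POODLE-exposed
#   2 untestable  this openssl has no SSLv3 client support; the result is
#                 unknown and must NOT be read as "fixed"
classify_sslv3() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eiq 'unknown option'; then
        echo untestable; return 2
    fi
    if printf '%s\n' "$out" | grep -Eq 'handshake failure|Cipher is \(NONE\)'; then
        echo rejected; return 0
    fi
    if printf '%s\n' "$out" | grep -Eq 'Protocol *: *SSLv3' &&
       printf '%s\n' "$out" | grep -Eq 'Cipher *: *[A-Z][A-Z0-9-]+'; then
        echo accepted; return 1
    fi
    echo untestable; return 2
}

# Probe a live server: $1 = host, $2 = port (default 443). Stdin is closed so
# s_client exits as soon as the handshake outcome is known.
probe_sslv3() {
    openssl s_client -connect "$1:${2:-443}" -ssl3 </dev/null 2>&1 | classify_sslv3
}

# Companion check: TLS 1.2 must still be negotiable after disabling SSLv3.
probe_tls12() {
    openssl s_client -connect "$1:${2:-443}" -tls1_2 </dev/null 2>&1 |
        grep -Eq 'Protocol *: *TLSv1\.2'
}

# Usage: ./poodle-check.sh host1 host2 ...   (ports default to 443)
for h in "$@"; do
    printf '%s sslv3=%s tls12=' "$h" "$(probe_sslv3 "$h")"
    if probe_tls12 "$h"; then echo ok; else echo FAIL; fi
done
```

Treat ''untestable'' as a prompt to run the probe from a machine with an older OpenSSL (or a dedicated scanner), not as a pass.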
==== Log file entry examples ====
The Firefox and Chrome user agents are well known; the entries below are a few unusual user agents that turn up in ''access_log'', collected to help with debugging.

Cisco 7940/7960 IP phones (fetching a bitmap from ''/cisco/bmp/''):
<code>
==> /var/log/httpd/access_log <==
192.168.123.123 - - [28/Jul/2023:17:37:24 +0100] "GET /cisco/bmp/eng.bmp HTTP/1.1" 200 8178 "-" "Allegro-Software-WebClient/3.10b1"
</code>
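To find such clients in a busy log rather than by eye, the following added example (not code from the original page) extracts the User-Agent field from combined-format ''access_log'' lines and lists the agents that do not identify as a mainstream browser, with a hit count per agent. The sample log lines are constructed for the demo; only the first one is the Cisco entry from this page.

```shell
#!/bin/sh
# Added example, not code from the original page: pull the User-Agent out
# of Apache combined-format access_log lines and report the agents that are
# not ordinary browsers, with a hit count per agent.

# Combined log format:
#   host ident user [time] "request" status bytes "referer" "agent"
# Splitting on the double quote puts the request in $2, the referer in $4
# and the user agent in $6, which survives spaces inside those fields.
user_agents() {
    awk -F'"' 'NF >= 7 { print $6 }'
}

# Keep only agents that do not identify as a mainstream browser. Firefox and
# Chrome both start with "Mozilla/", so one prefix covers both; "-" is the
# empty agent some scanners and scripts send.
unusual_user_agents() {
    user_agents | grep -Ev '^(Mozilla/|-$)' | sort | uniq -c | sort -rn
}

# Show what one unknown client actually requested.
# $1 = fixed-string fragment of the agent name; log lines on stdin.
requests_by_agent() {
    awk -F'"' -v ua="$1" 'NF >= 7 && index($6, ua) { print $1 "\"" $2 "\"" }'
}

# Constructed sample lines (not real traffic) so the script runs offline.
SAMPLE_LOG='192.168.123.123 - - [28/Jul/2023:17:37:24 +0100] "GET /cisco/bmp/eng.bmp HTTP/1.1" 200 8178 "-" "Allegro-Software-WebClient/3.10b1"
192.168.123.123 - - [28/Jul/2023:17:37:25 +0100] "GET /cisco/bmp/eng.bmp HTTP/1.1" 200 8178 "-" "Allegro-Software-WebClient/3.10b1"
192.168.1.50 - - [28/Jul/2023:17:38:01 +0100] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
192.168.1.51 - - [28/Jul/2023:17:38:02 +0100] "GET /wiki HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/115.0.0.0 Safari/537.36"
10.0.0.7 - - [28/Jul/2023:17:39:00 +0100] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.88.1"
10.0.0.9 - - [28/Jul/2023:17:39:30 +0100] "GET /.env HTTP/1.1" 404 209 "-" "-"'

# Usage: ./ua-report.sh --demo          (sample lines above)
#        ./ua-report.sh < /var/log/httpd/access_log
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | unusual_user_agents ;;
    "")     [ -t 0 ] || unusual_user_agents ;;
esac
```

Pipe a day's log through ''unusual_user_agents'' first, then feed an interesting agent name to ''requests_by_agent'' to see which paths it touched; the Cisco phones only ever pull files under ''/cisco/bmp/'', so anything else under that agent string deserves a look.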