Apache config snippets

Require login to server but allow from local subnet

This will pass your password in CLEAR text unless you have this in a https server.

<Directory "/data/webroot/protected/https">
  Options Indexes FollowSymLinks Includes
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 192.168.1.0/24
  Satisfy any
  AuthType Basic
  AuthName "Authorized Users Only"
  AuthUserFile /data/webroot/protected/useraccess.txt
  AuthGroupFile /data/webroot/protected/groupaccess.txt
  Require group GroupName
</Directory>


cat *.txt
mygrp:GuessMyPassword
  
GroupName: mygrp

Apache http to https Redirect

root@host03:/etc/apache2/sites-available# more wiki-http-redirect-to-https 
<VirtualHost *:80>
	ServerName wiki.example.int
	Redirect permanent / https://wiki.example.int
</VirtualHost>

Poodle SSL vulnerability

Background

Apache2 on Ubuntu

  1. Edit /etc/apache2/mods-available/ssl.conf
  2. Change SSLProtocol all to SSLProtocol all -SSLv3. SSLv2 is not supported.
  3. Check strong ciphers are enabled.
  4. Restart Apache.

Testing

Use openssl s_client utility to force ssl connection with disallowed protocol (SSLv3):-

This should FAIL!

root@host:/etc/apache2# openssl s_client -connect 23.24.25.26:443  -ssl3
CONNECTED(00000003)
139648475055776:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139648475055776:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1413802832
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
root@fmtswebhost2:/etc/apache2#

This should succeed with TLS.

root@host:/etc/apache2# openssl s_client -connect 31.14.29.46:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=GB/serialNumber=03513618/street=2 New Brunswick Square/street=Brindley Road/postalCode=B21 2AZ/C=GB/ST=West Midlands/L=Birmingham/O=MTServer Limited/CN=www.mtserver.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
....edited....

---
No client certificate CA names sent
---
SSL handshake has read 4370 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 9511860F5F1D9F8DDFA990D9FE6BD45B07A1D06778DF612E4A13698543AFA4E5
    Session-ID-ctx: 
    Master-Key: 68C45A2FCF7F380E2DB62E9C615565BB817C838D7DDA427390650C8E83BE324D48E65D7DFDE6FFC126180A96A10B005F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    ....edited....

    Start Time: 1413803043
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
root@host:/etc/apache2#

Log file entry examples

Obviously the Firefox and Chrome entries are well known, I have added a few examples of unusual user-agents to help with any debugging.

Cisco 7940/7960 ip phones:-

==> /var/log/httpd/access_log <==
192.168.123.123 - - [28/Jul/2023:17:37:24 +0100] "GET /cisco/bmp/eng.bmp HTTP/1.1" 200 8178 "-" "Allegro-Software-WebClient/3.10b1"
 
linux/apacheconfig.txt · Last modified: 31/07/2023 10:20 by andrew