Changes between Version 1 and Version 2 of secureweb


Timestamp:
Nov 22, 2016, 9:19:52 AM
Author:
admin

== CGI Scripts ==
CGI stands for Common Gateway Interface. CGI scripts are useful for creating dynamic content on a web page by transferring data from server to client. These scripts can be written in many languages such as bash, C, Java, Perl, Python etc. [[br]]
First we need to create a script firstbash.cgi in the following location, /usr/local/cgi-bin/ ; you may need to create it as sudo.
{{{
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "My first CGI script"
}}}
Give the script file execute permissions
{{{
sudo chmod 705 /usr/local/cgi-bin/firstbash.cgi
}}}
Now, to add this CGI directory to our web2 virtual host, edit '''/etc/apache2/sites-available/web2.conf''' as follows.
{{{
<VirtualHost *:80>
    ServerAdmin admin@yourdomain.ws.learn.ac.lk
    ServerName yourdomain.ws.learn.ac.lk
    ServerAlias web2.yourdomain.ws.learn.ac.lk
    DocumentRoot /var/www/web2
    <Directory /var/www/web2>
        Require all granted
    </Directory>
    ScriptAlias /cgi-bin/ "/usr/local/cgi-bin/"
    <Directory "/usr/local/cgi-bin/">
        Options +ExecCGI
        AddHandler cgi-script .cgi
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
}}}
After editing web2.conf, let's enable the CGI Apache module and reload the server.
{{{
sudo a2enmod cgi
sudo systemctl reload apache2
}}}
Visit the following link and check out your script.

http://web2.yourdomain.ws.learn.ac.lk/cgi-bin/firstbash.cgi

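As an added example, not part of the original tutorial: a second CGI script (hypothetical file name hello.cgi, placed in /usr/local/cgi-bin/ like firstbash.cgi) that takes a name from the query string. Anything the client supplies is percent-decoded and then HTML-escaped before it is written into the page, because the script runs as the web server user and its output is the page the browser renders.

```sh
#!/bin/sh
# Added example (not from the original page): a CGI script in the style of
# firstbash.cgi that reads ?name=... from QUERY_STRING. Client input is decoded,
# then HTML-escaped, before it is echoed, since the output is the page itself.

# query_param NAME QUERY_STRING -> raw (still percent-encoded) value of NAME, or empty.
# Split on '&' before decoding, so an encoded %26 inside a value cannot add a field.
query_param() {
    printf '%s\n' "$2" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# url_decode STRING -> STRING with '+' as space and %XX sequences turned into bytes.
# Portable awk (no strtonum): hex digits are looked up by position in a table.
url_decode() {
    printf '%s' "$1" | awk '
        BEGIN { hex = "0123456789ABCDEF" }
        {
            s = $0; out = ""
            while (length(s) > 0) {
                c = substr(s, 1, 1)
                hi = index(hex, toupper(substr(s, 2, 1)))
                lo = index(hex, toupper(substr(s, 3, 1)))
                if (c == "+") { out = out " "; s = substr(s, 2) }
                else if (c == "%" && length(s) >= 3 && hi && lo) { out = out sprintf("%c", (hi - 1) * 16 + lo - 1); s = substr(s, 4) }
                else { out = out c; s = substr(s, 2) }
            }
            printf "%s", out
        }'
}

# html_escape STRING -> STRING safe to place in HTML text or a quoted attribute.
# '&' is replaced first, or the entities introduced afterwards would be escaped again.
html_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&#39;/g'
}

# render_page QUERY_STRING -> the complete CGI response (header, blank line, body).
render_page() {
    name=$(html_escape "$(url_decode "$(query_param name "$1")")")
    [ -n "$name" ] || name="stranger"
    printf 'Content-type: text/html\n\n'
    printf '<html><body><p>Hello, %s!</p></body></html>\n' "$name"
}

# Apache sets GATEWAY_INTERFACE when it runs the script; otherwise stay quiet.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    render_page "${QUERY_STRING:-}"
fi
```

Install it with the same chmod as firstbash.cgi and request hello.cgi?name=%3Cb%3EAnn%3C%2Fb%3E; the tags arrive as visible text instead of being rendered.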
== Apache Hardening ==
 - Hide Apache version details:
By default, Apache displays the version of the Apache web server installed, together with the name of the operating system. To hide this information, you need to edit /etc/apache2/conf-enabled/security.conf
{{{
sudo nano /etc/apache2/conf-enabled/security.conf
}}}
Add/edit the following lines:
{{{
ServerSignature Off
ServerTokens Prod
}}}

 - Stop Directory Browsing
Rename index.html in /var/www/html as index2.html and try to access the web server from outside. You will see the directory listing, as now we don't have an index. It is better to stop displaying directory listings altogether. Therefore, edit /etc/apache2/apache2.conf and remove the Indexes keyword from any Directory block, such as,
{{{
<Directory /var/www/>
    # Options Indexes FollowSymLinks
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
}}}
and restart Apache. Now go back to your default web portal and check the results.

== file/folder permissions ==

When you create or modify documents under /var/www/ as sudo, those files and directories will belong to the root user and root group. Apache is usually run by the www-data user and www-data group in Ubuntu. Therefore, a document that belongs to root will still be published, as root has higher precedence than www-data. But if some malicious content is hosted, it can also be run under root, opening a lot of vulnerabilities to the public.

To secure publicly accessible areas we can change the ownership by,
{{{
sudo chown -R www-data:www-data /var/www
}}}
Also, if we have directories that are open for users to upload content, we can restrict access by modifying the access modes.
{{{
sudo chmod 664 /var/www/uploads
}}}
That will change the file permissions to rw-rw-r--

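An added check, not from the original page, that finds the problems this section is about under a web root: paths not owned by the expected user (www-data on the tutorial's server), world-writable entries, and directories left without a search bit. The owner name is a parameter so the check can be tried outside the server; the last test covers the point that 664 is a file mode, and on a directory such as /var/www/uploads it removes the x bit that is needed to enter it.

```sh
#!/bin/sh
# Added example (not from the original page): audit a web root for the
# ownership and mode problems the section above is about. The owner name is a
# parameter because the tutorial's www-data account need not exist where this
# is tried out. Uses GNU stat (-c), as on the Ubuntu server in the tutorial.
# audit_webroot ROOT OWNER -> prints one finding per line, nothing when clean.
audit_webroot() {
    root="$1"; owner="$2"
    find "$root" -print 2>/dev/null | while IFS= read -r path; do
        mode=$(stat -c '%a' "$path")   # octal mode, e.g. 664 or 2775
        who=$(stat -c '%U' "$path")    # owner name
        [ "$who" = "$owner" ] || echo "OWNER   $path is owned by $who, not $owner"
        # other-write bit set: any local account can replace what is published
        [ $(( 0$mode & 02 )) -eq 0 ] || echo "WWRITE  $path is world-writable ($mode)"
        # a directory needs the x (search) bit to be entered at all; chmod 664,
        # which is a file mode, strips it, so nobody can reach the uploads inside.
        # 2775 keeps group write for www-data and makes new uploads inherit the group.
        if [ -d "$path" ] && [ $(( 0$mode & 0111 )) -eq 0 ]; then
            echo "NOEXEC  $path has no search bit ($mode); use chmod 2775 for a directory"
        fi
    done
}
```
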
== Password protected Directory ==

When securing a directory, it is common practice to require a password to enter that path. In apache2 we can specify a password by creating an Apache user and using .htaccess as needed.

First install Apache Utilities;
{{{
sudo apt-get install apache2-utils
}}}
On your virtual host configuration file add or modify the following inside the <Directory> ... </Directory> block.
{{{
AllowOverride AuthConfig
}}}
Next create an authenticated user.
{{{
sudo htpasswd -c /etc/apache2/.htpasswd yourname
}}}
This will ask you to enter a new password and confirm it for the new user. If you want to add another user, try the same command above with the new username. You can view the contents of the .htpasswd file by
{{{
sudo cat /etc/apache2/.htpasswd
}}}
Next we need to grant permission to the www-data user.
{{{
sudo chown www-data:www-data /etc/apache2/.htpasswd
sudo chmod 0660 /etc/apache2/.htpasswd
}}}
After that, create a directory called "mystuff" inside the directory web1, create an HTML page of your choice inside the directory as sudo, and change its ownership to www-data.
{{{
sudo mkdir /var/www/web1/mystuff
sudo nano /var/www/web1/mystuff/index.html
sudo chown -R www-data:www-data /var/www/web1/mystuff/*
}}}
Now create a .htaccess file inside the mystuff directory
{{{
sudo nano /var/www/web1/mystuff/.htaccess
}}}
Add the following content
{{{
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
}}}
Now restart Apache, browse to the newly created directory from your browser and check what has changed.
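
An added check, not part of the original page, for the .htpasswd file before it goes live: it flags entries in the weak formats that older htpasswd options produce (-d crypt, -s unsalted SHA-1, -p plain text) and a file mode that lets other local accounts read the hashes. Its comments also carry the one caveat of the user-creation step above: htpasswd -c recreates the file, so further users are added without -c.

```sh
#!/bin/sh
# Added example (not from the original page): check the .htpasswd file created
# above before Apache is pointed at it. Two things go wrong in practice: weak hash
# formats from older htpasswd options (-d crypt, -s unsalted SHA-1, -p plain text),
# and a file readable by every local account. Reminder: `htpasswd -c` creates the
# file, so a second `htpasswd -c` for another user overwrites the first user; add
# further users with `htpasswd /etc/apache2/.htpasswd othername` (no -c).
# audit_htpasswd FILE -> prints one finding per line, nothing when clean.
audit_htpasswd() {
    file="$1"
    mode=$(stat -c '%a' "$file")                 # GNU stat; octal mode such as 660
    # Apache only needs to read the file: no bits at all for "other"
    [ $(( 0$mode & 07 )) -eq 0 ] || echo "MODE    $file is accessible to other users ($mode)"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
        user=${line%%:*}
        hash=${line#*:}                              # equals $line when there is no ':'
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*) ;;              # bcrypt: fine
            '$apr1$'*)               ;;              # Apache MD5: the htpasswd default
            '{SHA}'*) echo "WEAK    $user: unsalted SHA-1 (htpasswd -s)" ;;
            "$line")  echo "FORMAT  line has no ':' separator: $line" ;;
            *) if [ ${#hash} -eq 13 ]; then
                   echo "WEAK    $user: crypt(3) DES, passwords truncated to 8 characters"
               else
                   echo "PLAIN   $user: unrecognised or plain-text password (htpasswd -p)"
               fi ;;
        esac
    done < "$file"
}
```
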
== HTTPS configuration using Let's Encrypt ==
Install the letsencrypt client on the server
{{{
sudo apt-get install python-letsencrypt-apache
}}}
Run the following to enable https for the selected domain specified with -d.
{{{
sudo letsencrypt --apache -d www.yourdomain.ws.learn.ac.lk
}}}
During the process you will be asked to enter a valid e-mail address, which will be used to send you details of your certificate and alerts such as certificate expiry. You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https. It is usually safest to require https, unless you have a specific need for unencrypted http traffic. [[br]]
If you want to enable https for other domains, run the above with the other domain names as well.

'''NOTE''': If you put several domains in a single command with multiple -d flags, all those sites will be issued a single SSL certificate covering multiple domain names. This is useful if you want to certify a specific server name and a parent domain at the same time. (E.g. www.learn.ac.lk and learn.ac.lk will both end up on the same landing page without generating errors.) Once letsencrypt finishes, go to
https://www.ssllabs.com/ssltest/analyze.html?d=www.yourdomain.ws.learn.ac.lk&latest

and check https connectivity.

Auto Renewal of Certificates:

Let's Encrypt certificates are normally valid for 90 days only. Therefore, we have to renew these certificates at least once every 3 months. This can be done automatically by creating a cron job in Linux to execute the letsencrypt renew command.
To edit cron jobs
{{{
sudo crontab -e
}}}
then it will ask for an editor. To use nano, the default editor, press enter.

At the bottom of the page insert the line below and save/exit,
{{{
30 4 25 */2 * /usr/bin/letsencrypt renew >> /var/log/le-renew.log
}}}
The above entry will execute "/usr/bin/letsencrypt renew" at 04:30 on the 25th day of every second month and will write the output to a file called "/var/log/le-renew.log".
Also, as a best practice, it is better to disable port 80, i.e. plain HTTP traffic, to your server. But if you directly disable port 80 and allow only 443, then users have to manually type "https://" before your exact URL in their browsers. Therefore, it is better to redirect all HTTP traffic to port 443 from your server configuration without disabling it. To do that we need to put a redirect in each virtual host conf. file.

Edit the port 80 virtual host configuration files and add these lines at the bottom, just before the line </VirtualHost>
{{{
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.yourdomain.ws.learn.ac.lk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
}}}
Then enable mod_rewrite in Apache and reload.
{{{
sudo a2enmod rewrite
sudo systemctl reload apache2
}}}
Now test your configuration by browsing to http://www.yourdomain.ws.learn.ac.lk and see how it redirects.
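
An added check, not part of the original page, that covers both the hardening settings above (ServerSignature/ServerTokens and directory listings) and this redirect: it reads a saved HTTP response, such as the output of `curl -si http://www.yourdomain.ws.learn.ac.lk/`, and reports what is still exposed. Pass http for the port 80 response and https for the port 443 one, since only the former must redirect.

```sh
#!/bin/sh
# Added example (not from the original page): check a saved HTTP response for the
# three things this page hardens: version disclosure (ServerSignature/ServerTokens),
# directory listings (Options -Indexes) and the HTTP-to-HTTPS redirect (mod_rewrite).
# Capture a response with e.g.  curl -si http://www.yourdomain.ws.learn.ac.lk/ > resp.txt
# audit_response MODE < resp.txt   (MODE is http or https; the redirect check only
# applies to the plain-http response). Prints one finding per line, nothing when clean.
audit_response() {
    mode="$1"
    resp=$(cat)
    # header block = everything up to the first empty line, CRLF normalised to LF
    headers=$(printf '%s\n' "$resp" | tr -d '\r' | sed '/^$/q')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    server=$(printf '%s\n' "$headers" | sed -n 's/^[Ss]erver: *//p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p')

    # ServerTokens Prod reduces the header to the product name, so any digit means
    # a version (and, with ServerTokens OS, the platform) is still being announced
    case "$server" in
        *[0-9]*) echo "LEAK    Server header still announces a version: $server" ;;
    esac

    # mod_autoindex titles every generated listing "Index of /...", and the
    # ServerSignature footer (when left On) adds the version to that page as well
    if printf '%s\n' "$resp" | grep -q '<title>Index of /'; then
        echo "LISTING directory listing is enabled (Options Indexes still active)"
    fi

    # plain http must answer with a permanent redirect whose target is https://
    if [ "$mode" = "http" ]; then
        case "$status" in
            301|308) case "$location" in
                         https://*) ;;
                         *) echo "NOREDIR redirect target is not https: ${location:-<none>}" ;;
                     esac ;;
            *) echo "NOREDIR http answered with status ${status:-?} instead of 301" ;;
        esac
    fi
}
```
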
== http2 ==
HTTP/2 support is included in Apache 2.4.17 and upwards. Enable the HTTP/2 module by executing,
{{{
sudo a2enmod http2
}}}
then add the line below to each individual SSL virtual host file to enable it there.
{{{
Protocols h2 http/1.1
}}}
To enable HTTP/2 globally you can add the following to apache2.conf
{{{
Protocols h2 h2c http/1.1
}}}
Once those lines are added, restart Apache and visit https://tools.keycdn.com/http2-test to check the HTTP/2 configuration.