Apache base configuration for Debian Stretch

Install Apache with PHP:

apt-get install apache2 libapache2-mod-php

Disable modules that are not needed:

a2dismod -f autoindex

Enable the headers and include modules:

a2enmod headers include

Create the default configuration:

vi /etc/apache2/conf-available/myconfig.conf
# Default access control
<Directory />
        Options None
        AllowOverride None
        Require all denied
        <LimitExcept GET POST HEAD>
                Require all denied
        </LimitExcept>
</Directory>
<Directory /var/www>
        Options None
        AllowOverride None
        Require all denied
        <LimitExcept GET POST HEAD>
                Require all denied
        </LimitExcept>
</Directory>
 
# Access control for server-status
<IfModule mod_status.c>
        <Location /server-status>
                Require ip 127.0.0.1
        </Location>
</IfModule>
 
# Access control for server-info
<IfModule mod_info.c>
        <Location /server-info>
                Require ip 127.0.0.1
        </Location>
</IfModule>
 
# Access control for icons directory
<Directory /usr/share/apache2/icons>
        Require all denied
</Directory>
 
# Set ServerTokens to Full so that ModSecurity2 (SecServerSignature) can rewrite the banner
ServerTokens Full
 
# Disable ServerSignature
ServerSignature Off
 
# Disable the TRACE method
TraceEnable Off
 
# Customizable error response pages
<IfModule mod_negotiation.c>
        <IfModule mod_include.c>
                <IfModule mod_alias.c>
 
                        Alias /error/ "/var/www/error/"
 
                        <Directory "/var/www/error">
                                Options IncludesNoExec
                                AddOutputFilter Includes html
                                AddHandler type-map var
                                Require all granted
                                LanguagePriority en cs de es fr it nl sv pt-br ro
                                ForceLanguagePriority Prefer Fallback
                        </Directory>
 
                        ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
                        ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
                        ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
                        ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
                        ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
                        ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
                        ErrorDocument 410 /error/HTTP_GONE.html.var
                        ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
                        ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
                        ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
                        ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
                        ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
                        ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
                        ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
                        ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
                        ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
                        ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
 
                </IfModule>
        </IfModule>
</IfModule>
 
# Error and access log configuration
ErrorLog "|/usr/bin/logger -t httpd -p local1.error"
CustomLog "|/usr/bin/logger -t httpd -p local0.info" combined
 
# Set the Secure, HttpOnly and SameSite flags on all cookies
<IfModule mod_headers.c>
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=Strict;Secure
</IfModule>
 
# OCSP stapling cache
<IfModule mod_ssl.c>
        SSLStaplingCache shmcb:/var/run/apache2/ssl_stapling_cache(128000)
</IfModule>

Enable the configuration:

a2enconf myconfig

Install ModSecurity2:

apt-get install libapache2-mod-security2 modsecurity-crs

Remove the server banner:

vi /etc/modsecurity/modsecurity.conf
SecServerSignature " "

Disable unneeded configurations:

a2disconf other-vhosts-access-log security charset localized-error-pages serve-cgi-bin

Copy the error pages:

cp -r /usr/share/apache2/error /var/www/

Fixing the XSS bug in the error pages, see: Apache Error Pages XSS

Create a directory for the certificates:

mkdir /etc/apache2/ssl

Create the SSL configuration:

vi /etc/apache2/ssl/ssl.conf
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
 
<IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</IfModule>
 
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
#SSLCertificateChainFile /etc/apache2/ssl/SSL_CA_Bundle.pem
 
#SSLUseStapling on

The SSL configuration can be added to the virtual hosts with Include ssl/ssl.conf.

Disable the default hosts:

a2dissite 000-default default-ssl

Create a new default host:

vi /etc/apache2/sites-available/000-<IP address>.conf
<VirtualHost *:80>
 
        ServerAdmin webmaster@lenux.org
 
        DocumentRoot /var/www/html
 
        <Directory /var/www/html>
                Options None
                AllowOverride None
                Require all denied
        </Directory>
 
</VirtualHost>
vi /etc/apache2/sites-available/000-<IP address>-ssl.conf
<VirtualHost *:443>
 
        ServerAdmin webmaster@lenux.org
 
        DocumentRoot /var/www/html
 
        <Directory /var/www/html>
                Options None
                AllowOverride None
                Require all denied
        </Directory>
 
        Include ssl/ssl.conf
 
</VirtualHost>

Enable the sites:

a2ensite 000-<IP address> 000-<IP address>-ssl

If PHP is installed, harden it:

vi /etc/php/7.0/apache2/conf.d/99-local.ini
session.cookie_httponly = 1
session.cookie_secure = 1
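
The following script is an added example and not part of this guide; it audits an Apache configuration file for the hardening directives set above (ServerSignature, TraceEnable, SSL protocol, compression and cipher order, HSTS, cookie flags) and demonstrates it on two constructed sample files, a Debian-like default and the guide's settings. The file names, function names and sample configs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the guide: audit an Apache config file for the hardening
# directives the guide sets. Commented-out lines are ignored, so "# TraceEnable Off" does not count.

# True if an uncommented line of file $1 matches the extended regex $2 (directives are case-insensitive).
has_directive() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eiq "$2"
}

# Prints one MISSING line per absent setting; returns 0 only if every setting is present.
audit_apache_conf() {
    _file=$1 _missing=0
    while IFS='|' read -r _label _pattern; do
        if ! has_directive "$_file" "$_pattern"; then
            echo "MISSING: $_label"
            _missing=$((_missing + 1))
        fi
    done <<'EOF'
ServerSignature Off|^[[:space:]]*ServerSignature[[:space:]]+Off
TraceEnable Off|^[[:space:]]*TraceEnable[[:space:]]+Off
SSLv2 disabled (SSLProtocol ... -SSLv2)|^[[:space:]]*SSLProtocol[[:space:]].*-SSLv2
SSLv3 disabled (SSLProtocol ... -SSLv3)|^[[:space:]]*SSLProtocol[[:space:]].*-SSLv3
SSLCompression Off|^[[:space:]]*SSLCompression[[:space:]]+Off
SSLHonorCipherOrder On|^[[:space:]]*SSLHonorCipherOrder[[:space:]]+On
HSTS header|^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security
Set-Cookie HttpOnly/SameSite/Secure edit|^[[:space:]]*Header[[:space:]]+edit[[:space:]]+Set-Cookie[[:space:]].*HttpOnly.*SameSite.*Secure
EOF
    [ "$_missing" -eq 0 ]
}

# Constructed sample configs (not real server files): a Debian-like default and the guide's settings.
WEAK_CONF=$(mktemp) HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
# TraceEnable Off
SSLProtocol all -SSLv3
SSLHonorCipherOrder on
EOF
cat >"$HARD_CONF" <<'EOF'
ServerSignature Off
TraceEnable Off
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=Strict;Secure
EOF
echo "== weak config =="; audit_apache_conf "$WEAK_CONF" || echo "-> not hardened"
echo "== hardened config =="; audit_apache_conf "$HARD_CONF" && echo "-> all checks passed"
```

Run it against the real files with audit_apache_conf /etc/apache2/conf-available/myconfig.conf and the ssl.conf from above; the weak sample reports six missing settings, the hardened sample none.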

Do you have further questions about this guide, would like more information or need support? We are happy to help; you can find our contact details here: https://df-informatik.ch/kontakt/