Topics - Mihai

Apache / [Tutorial] Apache HTTP2 Module
« on: October 12, 2017, 04:42:50 AM »
Hello.
First of all, we need to download & upgrade some apps:

1. OpenSSL (min. 1.0.2 is required for ALPN)
We will use the latest 1.0.2l version.
Code:
cd ~
mkdir installers
cd installers
wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
tar -zxvf openssl-1.0.2l.tar.gz
cd openssl-1.0.2l
./config shared zlib-dynamic --prefix=/usr/local/ssl
make
make install
mv /usr/bin/openssl /root/
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
cd ..

After this you need to add the /usr/local/lib and /usr/local/ssl/lib directories to the LD_LIBRARY_PATH.
Code:
nano /etc/ld.so.conf.d/http2.conf
with this content:
Code:
/usr/local/lib
/usr/local/ssl/lib
After you save it (Ctrl+X -> Yes), you need to run ldconfig.
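As an added preflight check for step 1 (this is example code, not part of the original post), the script below confirms that the openssl binary on PATH is at least the 1.0.2 the tutorial requires and that the loader cache already lists the library from /usr/local/ssl/lib, i.e. that ldconfig was actually run after editing http2.conf. The paths are the tutorial's own; the version strings in the comments are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original post): preflight check for step 1.
# Before nghttp2 and httpd are built against the new OpenSSL, confirm that the
# "openssl" found on PATH is at least 1.0.2 (the minimum the tutorial gives,
# needed for ALPN) and that the loader cache already lists the library from
# /usr/local/ssl/lib, i.e. that ldconfig was run after editing http2.conf.
# The paths are the tutorial's; the sample version strings are constructed.

# version_ok "OpenSSL 1.0.2l  25 May 2017": returns 0 when the version is >= 1.0.2.
# Takes the second word of "openssl version" output and drops any patch letter
# or suffix (1.0.2l -> 1.0.2, 1.0.1e-fips -> 1.0.1).
version_ok() {
    set -- $(printf '%s\n' "$1" | awk '{print $2}' | sed 's/[^0-9.].*$//' | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ $((major * 10000 + minor * 100 + patch)) -ge 10002 ]
}

# check_openssl_binary: is the openssl that PATH resolves to new enough?
# After "ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl" this should pass.
check_openssl_binary() {
    bin=$(command -v openssl) || return 1
    version_ok "$("$bin" version)"
}

# check_ldconfig: does the loader cache know the new libssl?
# Fails until ldconfig has been run with /usr/local/ssl/lib in ld.so.conf.d.
check_ldconfig() {
    ldconfig -p 2>/dev/null | grep -q '/usr/local/ssl/lib/libssl\.so'
}

if check_openssl_binary; then
    echo "OK   openssl on PATH is $(openssl version | awk '{print $2}')"
else
    echo "FAIL openssl on PATH is missing or older than 1.0.2"
fi

if check_ldconfig; then
    echo "OK   ldconfig lists /usr/local/ssl/lib/libssl.so"
else
    echo "FAIL run ldconfig and check /etc/ld.so.conf.d/http2.conf"
fi
```

Run it after step 1 and again after "make install" of httpd: if the first line fails, the configure step of nghttp2 and httpd will silently pick up the distribution's older OpenSSL and mod_http2 will build without ALPN support.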

2. NGHTTP2 (needed for mod_http2)
Code:
wget https://github.com/nghttp2/nghttp2/releases/download/v1.26.0/nghttp2-1.26.0.tar.gz
tar -zxvf nghttp2-1.26.0.tar.gz
cd nghttp2-1.26.0
export OPENSSL_CFLAGS="-I/usr/local/ssl/include"
export OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto"
./configure
make
make install
cd ..

3. APR
Code:
wget http://mirrors.whoishostingthis.com/apache/apr/apr-1.6.2.tar.gz
tar -zxvf apr-1.6.2.tar.gz
cd apr-1.6.2
./configure
make
make install
cd ..

4. APR-Util
Code:
wget http://mirrors.whoishostingthis.com/apache/apr/apr-util-1.6.0.tar.gz
tar -zxvf apr-util-1.6.0.tar.gz
cd apr-util-1.6.0
./configure --with-apr=/usr/local/apr
make
make install
cd ..

5. Apache
Because of the existing vulnerabilities in earlier versions, we will use the latest one, 2.4.28.
Code:
wget http://mirrors.whoishostingthis.com/apache/httpd/httpd-2.4.28.tar.gz
tar -zxvf httpd-2.4.28.tar.gz
cd httpd-2.4.28
cp -r ../apr-1.6.2 srclib/apr
cp -r ../apr-util-1.6.0 srclib/apr-util
./configure --enable-so --prefix=/usr/local/apache --with-ssl=/usr/local/ssl --enable-unique-id --enable-ssl=shared --enable-rewrite --enable-deflate --enable-suexec --with-suexec-docroot="/home" --with-suexec-caller="nobody" --with-suexec-logfile="/usr/local/apache/logs/suexec_log" --enable-asis --enable-filter --with-pcre --with-included-apr --enable-headers --enable-expires --enable-proxy --enable-userdir --enable-http2
make
make install
cd

6. Add and activate the http/2 module
You just have to open the apache config and add this line:
Code:
LoadModule http2_module modules/mod_http2.so
And finally, turn on the HTTP/2 protocol by adding this line to the Apache config (for all sites) or to the SSL vhosts of the sites you want:
Code:
Protocols h2 http/1.1
Restart Apache with: service httpd restart

Possible Problems:
1. Apache will not start because of mod_security
If you have mod_security installed, you will probably get this error when restarting:
Code:
Starting httpd: httpd: Syntax error on line 509 of /usr/local/apache/conf/httpd.conf: Syntax error on line 5 of /usr/local/apache/conf.d/mod_security.conf: Cannot load modules/mod_security2.so into server: /usr/local/apache/modules/mod_security2.so: undefined symbol: apr_crypto_block_cleanup

To repair it, you need to recompile and install the new mod_security:
Code:
cd ~/installers
wget https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
tar -zxvf modsecurity-2.9.2.tar.gz
cd modsecurity-2.9.2
./configure --with-apxs=/usr/local/apache/bin/apxs
make
make install
cd

After this, run service httpd restart and the server should start.

 :)

How to / [Tutorial] Strong SSL Security for Apache
« on: November 10, 2015, 12:52:30 PM »
This tutorial shows you how to set up strong SSL security on the Apache2 webserver.

Disable SSLv2 and SSLv3
SSLv2 is insecure, so we need to disable it. We also disable SSLv3, as TLS 1.0 suffers from a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. SSLv3 is also vulnerable to the POODLE bug.

To do this, you'll have to edit /usr/local/apache/conf.d/vhosts-ssl.conf for every VirtualHost that you have.
After the "SSLEngine on" line, insert this line:

Code:
SSLProtocol All -SSLv2 -SSLv3
The Cipher Suite
Forward Secrecy ensures the integrity of a session key in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new key for each and every session. This means that if the private key gets compromised, it cannot be used to decrypt recorded SSL traffic. The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is their overhead, which can be reduced by using the elliptic curve variants.

The following two cipher suites are recommended by the Mozilla Foundation.
After the "SSLProtocol All -SSLv2 -SSLv3" line, add:

Code:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Or, if you need backward compatibility (IE6/WinXP), add this line:
Code:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
By using this configuration in your SSL vhosts, you are protected against the POODLE attack and your server supports Forward Secrecy with modern browsers.
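As an added example covering both tutorials (this is example code, not part of either original post), the script below is a small lint for the directives the two posts add to the Apache config: that mod_http2 is loaded and "h2" is offered via Protocols, that every SSLProtocol line disables SSLv2 and SSLv3, and that no SSLCipherSuite line enables RC4, MD5, NULL or EXPORT ciphers without a "!" in front. The sample config is constructed for the example; the checks assume a single config file with no Include directives and the single-argument form of SSLCipherSuite shown in the posts.

```sh
#!/bin/sh
# Added example (not from the original posts): lint the http/2 and SSL
# directives the two tutorials add to the Apache configuration.
# Assumes one config file (no Include) and SSLCipherSuite with one argument.

# Constructed sample standing in for /usr/local/apache/conf/httpd.conf plus
# the SSL vhost file; it contains exactly the lines the tutorials add.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
</VirtualHost>
EOF

# check_http2 CONF: 0 when mod_http2 is loaded and a Protocols line offers h2
# ("h2" must be a whole token, so "h2c" alone does not count).
check_http2() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+http2_module[[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2([[:space:]]|$)' "$1"
}

# check_ssl_protocol CONF: 0 when at least one SSLProtocol line exists and
# every one of them carries both -SSLv2 and -SSLv3.
check_ssl_protocol() {
    awk '
        /^[[:space:]]*SSLProtocol[[:space:]]/ {
            seen = 1
            if ($0 !~ /-SSLv2/ || $0 !~ /-SSLv3/) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }
    ' "$1"
}

# check_cipher_suite CONF: 0 when at least one SSLCipherSuite line exists and
# no enabled (un-negated) token in any of them names RC4, MD5, NULL or EXPORT.
check_cipher_suite() {
    awk '
        /^[[:space:]]*SSLCipherSuite[[:space:]]/ {
            seen = 1
            n = split($2, tok, ":")
            for (i = 1; i <= n; i++)
                if (tok[i] !~ /^!/ && tok[i] ~ /RC4|MD5|NULL|EXPORT/) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }
    ' "$1"
}

# lint_conf CONF: run every check, print one line per check, return 0 only
# if all of them pass.
lint_conf() {
    rc=0
    for check in check_http2 check_ssl_protocol check_cipher_suite; do
        if "$check" "$1"; then
            echo "PASS $check"
        else
            echo "FAIL $check"
            rc=1
        fi
    done
    return $rc
}

lint_conf "$SAMPLE_CONF"
```

Point lint_conf at the real httpd.conf and vhosts-ssl.conf before "service httpd restart"; a FAIL on check_ssl_protocol means some vhost still accepts SSLv3 and the POODLE protection the post describes does not apply to it.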