I migrated Apache from 2.2 to 2.4 and wrote up the procedure.
I also think it can serve as an example of SSL/TLS security settings (as of 2015).
Table of contents
Introduction
Environment
Preliminary preparation
Package upgrade
Apache 2.4 setting
Tomcat 8 setting
Starting the server
Confirmation
Summary
Related articles
Introduction
In May the Logjam attack was announced, and it came to light that Apache 2.2 has a problem: its DH parameters are fixed at 1024 bits (2048 bits or more is recommended as a Logjam countermeasure).
I had meant to move to 2.4 but had no time, so things stayed as they were; now that I finally have the time, I have migrated to 2.4.
The procedure is written up below.
Since Tomcat and Java were upgraded along with the Apache migration, those are described as well.
Environment
The environment is as follows.
The migration was done entirely with yum, both before and after; nothing is built from source or the like (that increases the management cost).
OS: Amazon Linux (64-bit)
Pre-migration
Apache 2.2.29-1.5.amzn1
Tomcat 7.0.62-1.10.amzn1
Java 1.7.0.85-2.6.1.3.61.amzn1
After migration
Apache 2.4.12-1.60.amzn1
Tomcat 8.0.23-1.54.amzn1
Java 1.8.0.51-1.b16.6.amzn1
Preliminary preparation
Backup
Back up the server and the necessary data as appropriate.
Our migration target runs on AWS EC2, so we created an AMI (a copy) from the pre-migration server by the usual means and launched an instance from that image.
The work below is done on this copied instance.
Service outage
Stop Apache and Tomcat.
$ sudo /etc/rc.d/init.d/httpd stop
$ sudo /etc/rc.d/init.d/tomcat7 stop
Copy the application and configuration files (backup)
Copy the current application and configuration to a suitable directory.
Apache-related
Configuration files under /etc/httpd/conf
Configuration files under /etc/httpd/conf.d
Tomcat-related
Web applications under /usr/share/tomcat7/webapps
Configuration files under /usr/share/tomcat7/conf
Package upgrade
Upgrading Java
Installing Java 1.8
Removing Java 1.7 first can cause dependency problems, so install 1.8 first.
$ sudo yum install java-1.8.0-openjdk
Uninstalling Java 1.7
Uninstall the old Java (if necessary).
$ sudo yum erase java-1.7.0-openjdk
Upgrading Tomcat
Installing Tomcat 8
Install Tomcat 8.
$ sudo yum install tomcat8
The following related packages are installed along with it.
tomcat8-lib
tomcat8-servlet-3.1-api
tomcat8-jsp-2.3-api
tomcat8-el-3.0-api
Uninstalling Tomcat 7
Uninstall the following packages (with yum erase or similar).
tomcat7
tomcat7-lib
tomcat7-servlet-3.0-api
tomcat7-jsp-2.2-api
tomcat7-el-2.2-api
Upgrading Apache
Uninstalling Apache 2.2
Trying to install 2.4 while 2.2 is still installed fails with a conflict, so uninstall 2.2 first.
Uninstall the following packages, along with any module packages.
httpd
httpd-tools
Installing Apache 2.4
Install the following package (httpd24-tools is installed together with it).
httpd24
Installing Apache 2.4 modules
Install the following packages (mod_ssl and mod_security).
Note: these are the ones we use in our company; adjust them to your environment.
For mod_security, see "Protecting a Web site from vulnerabilities with a WAF (Web Application Firewall)".
mod24_ssl
mod24_security
mod_security_crs
mod_security_crs-extras
Apache 2.4 setting
Configure Apache 2.4.
The changes to the configuration files that I noticed while migrating to 2.4 are as follows.
LoadModule settings moved to conf.modules.d/*.conf
They are no longer set in httpd.conf.
mod_autoindex directives such as AddIconByType and AddIcon moved to conf.d/autoindex.conf
When the directory index function is not used, these settings are usually commented out. In 2.2 that meant commenting them out one by one, but in 2.4 it can be handled by deleting or renaming autoindex.conf.
conf.d/userdir.conf added
userdir.conf has been added under the conf.d directory. In many cases you will want to disable mod_userdir; in that case delete or rename it, the same as autoindex.conf.
Configure the settings with these changes in mind.
Configuring httpd.conf
Set up httpd.conf (/etc/httpd/conf/httpd.conf).
The items set are below (excerpt).
ServerTokens Prod                      # same as in 2.2
ServerAdmin aaaa@agilegroup.co.jp      # <= set the administrator e-mail address
ServerName www.agilegroup.co.jp:80     # server name
<Directory "/var/www/html">
    #Options Indexes FollowSymLinks
    Options FollowSymLinks             # <= Indexes removed: directory listing is disabled
    …
</Directory>
Note: ServerSignature defaults to Off in 2.4.
DoS attack (slowloris) countermeasure
mod_reqtimeout was added in Apache 2.2.15 and later. With this module you can mitigate slowloris-style DoS attacks.
Set it as needed.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
The above is the default value.
It is an error if the header or body has not been fully received within 20 seconds.
While data keeps arriving at 500 bytes/s or more, the timeout is extended, up to the maximum (40 seconds for the header).
Module settings
Module settings are now placed in the /etc/httpd/conf.modules.d/ directory.
They are split into the following configuration files.
Note: 00-ssl.conf and 10-mod_security.conf are installed with mod_ssl and mod_security respectively.
File name: overview
00-base.conf: basic modules
00-dav.conf: WebDAV-related modules
00-lua.conf: mod_lua
00-mpm.conf: MPM-related. prefork, worker and event can be selected.
00-optional.conf: modules that are generally considered unlikely to be used
00-proxy.conf: proxy-related modules
01-cgi.conf: CGI-related modules
00-ssl.conf: mod_ssl-related
10-mod_security.conf: mod_security-related
For modules you do not need, comment out the LoadModule line or edit it equivalently.
00-base.conf
Edit 00-base.conf.
Note: the following is an example that keeps the module set close to minimal. Adjust it to your environment.
LoadModule access_compat_module modules/mod_access_compat.so
#LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
#LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule data_module modules/mod_data.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
#LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
#LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule request_module modules/mod_request.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule suexec_module modules/mod_suexec.so
# This module will cause Apache to fail to load if there is no DNS
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
00-dav.conf
Comment everything out if you do not use WebDAV.
00-lua.conf
Comment it out if you do not use mod_lua.
Note: since Apache 2.4.1, mod_lua can hook into Apache's processing (the end of mod_rewrite?).
00-mpm.conf
Enable the MPM you want to use.
Note: the default was prefork.
00-optional.conf
Everything is commented out by default. Enable anything you want to use.
00-proxy.conf
Comment everything out if you do not use a proxy.
In our environment Apache works together with Tomcat, so the following are enabled:
mod_proxy
mod_proxy_ajp
00-ssl.conf
Enable it if you use SSL/TLS.
01-cgi.conf
Comment everything out if you do not use CGI.
10-mod_security.conf
Enable it if you use mod_security.
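An added example (not code from the original article) that checks a conf.modules.d configuration the way this section describes: a LoadModule line with a leading # counts as disabled, modules the article comments out when unused are flagged if still loaded, and mod_reqtimeout/mod_unixd are flagged if missing. The conf excerpt is constructed, and the UNWANTED and REQUIRED sets are assumptions drawn from this section.

```python
import re
from pathlib import Path

# Constructed excerpt of a conf.modules.d/00-base.conf edited as in this article (not the author's file).
BASE_CONF = """
LoadModule access_compat_module modules/mod_access_compat.so
#LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
#LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule headers_module modules/mod_headers.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
# LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule userdir_module modules/mod_userdir.so
"""

# Assumption: modules this article comments out when the feature is not used.
UNWANTED = {"autoindex_module", "userdir_module", "dav_module", "lua_module", "cgi_module"}
# Assumption: modules the article's configuration relies on (slowloris mitigation, unprivileged workers).
REQUIRED = {"reqtimeout_module", "unixd_module"}
LOADMODULE = re.compile(r"^\s*(#?)\s*LoadModule\s+(\S+)\s+(\S+)")

def enabled_modules(conf_text):
    """Map module name -> .so path for LoadModule lines that are not commented out."""
    enabled = {}
    for line in conf_text.splitlines():
        m = LOADMODULE.match(line)
        if m and not m.group(1):  # group(1) is '#' on a commented-out line
            enabled[m.group(2)] = m.group(3)
    return enabled

def audit_modules(conf_text, unwanted=UNWANTED, required=REQUIRED):
    """Report unwanted modules still loaded and required modules that are missing."""
    enabled = set(enabled_modules(conf_text))
    return {
        "enabled": sorted(enabled),
        "unwanted_enabled": sorted(enabled & unwanted),
        "missing_required": sorted(required - enabled),
    }

def audit_conf_dir(conf_dir="/etc/httpd/conf.modules.d"):
    """Audit all *.conf files together, since a module may be loaded from any one of them."""
    text = "\n".join(p.read_text() for p in sorted(Path(conf_dir).glob("*.conf")))
    return audit_modules(text)

if __name__ == "__main__":
    print(audit_modules(BASE_CONF))
```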
Settings under conf.d
The following files are installed under conf.d.
Note: mod_security.conf and ssl.conf are installed with mod_security and mod_ssl respectively.
File name: overview
autoindex.conf: mod_autoindex-related settings. To disable directory listing, as written above, delete the file or rename it so that it is no longer Included.
notrace.conf: contains the TraceEnable off setting. Leave this enabled as a countermeasure against cross-site tracing.
userdir.conf: mod_userdir-related settings. If you do not use it, delete or rename it as with autoindex.conf.
welcome.conf: displays the Apache default top page. Disable this one too by deleting or renaming it.
mod_security.conf: mod_security-related settings
ssl.conf: SSL/TLS-related settings
mod_security.conf
For mod_security, the Apache 2.2 settings can be used unchanged.
Restoring the backed-up configuration file is fine.
If it contains a LoadModule setting, comment it out (it is set in conf.modules.d/10-mod_security.conf).
Reference: Protecting a Web site from vulnerabilities with a WAF (Web Application Firewall)
ssl.conf
I think the settings below (excerpt) are a reasonable choice.
Basic
SSLProtocol all -SSLv2 -SSLv3   # SSLv2 and SSLv3 prohibited (-SSLv3 added later)
# SSLCipherSuite example (IPA "security type" recommendation), revised from the pre-migration configuration
SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:AES256-SHA
SSLHonorCipherOrder on   # honor the server's cipher suite priority
# Certificate-related file settings – carried over from the pre-migration configuration
SSLCertificateFile …
SSLCertificateKeyFile …
SSLCACertificateFile …
# HTTP Strict Transport Security (HSTS) – if necessary
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
For the actual SSLCipherSuite, see also "SSL/TLS settings for Web servers (2015/5)".
OCSP Stapling
OCSP Stapling can be configured in Apache 2.3.3 and later, so enable this too.
Reference: Apache – Enable OCSP Stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Whether OCSP Stapling is enabled can be checked with the following command (change the host name as appropriate).
$ openssl s_client -connect localhost:443 -tls1 -status | head
…
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
…
If OCSP Stapling is not working, the output looks like this.
OCSP response: no response sent
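An added example (not the author's code) that audits the ssl.conf settings above and the stapling check: it parses SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder, SSLUseStapling and the HSTS Header directive, counts the suites that offer forward secrecy, flags suites containing weak-algorithm substrings, and recognises a stapled response in `openssl s_client -status` output. The config excerpt and the s_client output are constructed; the WEAK substring list is an assumption.

```python
import re

# Constructed excerpt of the ssl.conf settings shown in this article (not the author's file verbatim).
SSL_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:AES256-SHA
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
SSLUseStapling on
"""
# Constructed `openssl s_client -status` excerpts: stapled response present / absent.
S_CLIENT_OK = "OCSP response:\n====\nOCSP Response Data:\n    OCSP Response Status: successful (0x0)\n"
S_CLIENT_NONE = "OCSP response: no response sent\n"
# Assumption: substrings marking cipher suites that should not appear in a hardened list.
WEAK = ("RC4", "MD5", "DES", "EXP", "NULL", "ADH", "AECDH")

def directives(conf):
    """Return (name, arguments) for every non-comment, non-blank line."""
    pairs = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            pairs.append((name, args.strip()))
    return pairs

def audit_tls(conf):
    d = directives(conf)
    def first(name):  # arguments of the first directive with this name, "" if absent
        return next((a for n, a in d if n == name), "")
    disabled = {t[1:] for t in first("SSLProtocol").split() if t.startswith("-")}
    suites = [s for s in first("SSLCipherSuite").split(":") if s]
    hsts = next((a for n, a in d if n == "Header" and "Strict-Transport-Security" in a), "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    return {
        "sslv2_v3_disabled": {"SSLv2", "SSLv3"} <= disabled,
        "suite_count": len(suites),
        # ephemeral (EC)DH key exchange gives forward secrecy; plain RSA key exchange does not
        "forward_secrecy": sum(s.startswith(("DHE-", "ECDHE-")) for s in suites),
        "weak_suites": [s for s in suites if any(w in s for w in WEAK)],
        "honor_order": first("SSLHonorCipherOrder").lower() == "on",
        "stapling_on": first("SSLUseStapling").lower() == "on",
        "hsts_days": int(max_age.group(1)) // 86400 if max_age else 0,
    }

def ocsp_stapled(s_client_output):
    """True when `openssl s_client -status` output shows a successfully stapled OCSP response."""
    return "OCSP Response Status: successful" in s_client_output
```

Half of the article's suites (the plain AES/Camellia ones) lack forward secrecy, which is the kind of finding the audit surfaces.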
DH Parameters
With Apache 2.4.8 and later, one Logjam countermeasure is to set custom DH parameters with the following directive, which I had intended to do:
SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
However, this directive requires OpenSSL 1.0.2 or later, so it could not be set.
Note: at the time of writing, Amazon Linux's openssl is 1.0.1k-10.87.
Public Key Pinning
I also wanted to try setting up Public Key Pinning, but since a second pin for a backup is required and we were likely to get stuck in operation without the procedures and systems properly in place, it was dropped from this configuration.
Reference: Public Key Pinning
Other settings
For Web application settings other than the above, restore them from the backup.
Check the settings
When you have finished editing the settings, confirm that there are no problems.
$ sudo httpd -t
Syntax OK
Tomcat 8 setting
Edit the configuration files
Edit them as needed.
tomcat8.conf
Edit /usr/share/tomcat8/conf/tomcat8.conf (excerpt below).
Note: JAVA_OPTS is edited for Magnolia CMS.
JAVA_OPTS="-server -Dfile.encoding=UTF-8 -Xmx512m -Xminf0.1 -Xmaxf0.3 -Djava.library.path=/usr/lib"
LANG="ja_JP.UTF-8"
Note: the MaxPermSize option was removed from the settings, since it is no longer supported in Java 8.
logging.properties
Edit /usr/share/tomcat8/conf/logging.properties (excerpt below).
The console handler is unnecessary outside a development environment, so remove it.
#.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.AsyncFileHandler
Other configuration files should also be set according to the application's requirements.
Deploying applications
Deploy the backed-up application.
Copy the backed-up application under the /usr/share/tomcat8/webapps directory.
After copying, change the owner to tomcat:tomcat.
(The following is for the webapps/ROOT application.)
$ sudo chown tomcat:tomcat /usr/share/tomcat8/webapps/ROOT -R
Starting the server
When the settings are done, start the servers.
Also configure automatic startup as needed.
Tomcat 8
$ sudo /etc/rc.d/init.d/tomcat8 start
Apache 2.4
$ sudo /etc/rc.d/init.d/httpd start
Confirmation
Once the servers are started, check that they work.
Checking the application
First, check that the Web site and the Web application work correctly.
Checking the SSL/TLS settings
Confirm that the SSL/TLS settings are applied correctly.
The server's SSL/TLS settings can be checked at the following site.
SSL Server Test – QUALYS SSL LABS
I was also able to confirm on the above site that OCSP stapling is working.
Also re-run the check for the Logjam countermeasure.
It can be checked at the site below.
Guide to Deploying Diffie-Hellman for TLS
Before the migration, DHE with a common 1024-bit prime produced a warning; after the migration it is 2048 bits and the warning has disappeared.
Summary
We were able to complete the upgrade successfully with the above procedure.
After verifying operation, we reassigned the Elastic IP, and the server migration was complete.
By migrating from 2.2.x to 2.4.x, the 1024-bit limit on DH parameters is gone and OCSP Stapling can be configured, so I think the configuration has become somewhat less problematic in security terms.
I think it is worth attempting the migration with security improvement in mind as well.