{"id":6311,"date":"2016-10-06T09:08:49","date_gmt":"2016-10-06T01:08:49","guid":{"rendered":"http:\/\/rmohan.com\/?p=6311"},"modified":"2016-10-06T09:08:49","modified_gmt":"2016-10-06T01:08:49","slug":"migrating-the-apache-from-2-2-to-2-4-and-write-the-procedure","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6311","title":{"rendered":"Migrating the Apache from 2.2 to 2.4 and write the procedure."},"content":{"rendered":"

Migrating the Apache from 2.2 to 2.4 and write the procedure.<\/strong><\/p>\n

Also I think it can be used as SSL \/ TLS security setting example (2015).<\/p>\n

table of contents
\nIntroduction
\nenvironment
\nPreliminary preparation
\nPackage Upgrade
\nApache2.4 setting
\nTomcat8 setting
\nStarting the Server
\nConfirmation
\nSummary
\nRelated article
\nIntroduction<\/p>\n

May\u00a0 Logjam Attack\u00a0 on measures to, (or higher recommended 2048 bits as Logjam Attack measures) that DH parameters in Apache 2.2 is a problem that the 1024-bit fixed was discovered.
\nIt was left for the state to which there is no time while I tried to 2.4, it has moved to 2.4 Now that you have finally time.
\nI have written the following procedure.
\nSince Apache transition incidentally also Tomcat and java have upgraded leave wrote also to about this.
\nenvironment<\/p>\n

Environment below.
\nMigration is the installation of the front and rear together with yum. It does not build or the like from the source (since the management cost increases).
\nOS\u00a0\u00a0 \u00a0Amazon Linux (64bit)
\nPre-migration
\nApache\u00a0\u00a0 \u00a02.2.29-1.5.amzn1
\nTomcat\u00a0\u00a0 \u00a07.0.62-1.10.amzn1
\nJava\u00a0\u00a0 \u00a01.7.0.85-2.6.1.3.61.amzn1
\nAfter migration
\nApache\u00a0\u00a0 \u00a02.4.12-1.60.amzn1
\nTomcat\u00a0\u00a0 \u00a08.0.23-1.54.amzn1
\nJava\u00a0\u00a0 \u00a01.8.0.51-1.b16.6.amzn1
\nPreliminary preparation<\/p>\n

backup<\/p>\n

Please go back up, etc. appropriate server and the necessary data.
\nFor our migration target is running on AWS EC2, to create an AMI from pre-migration server with the appropriate means (copy), we are working to start the instance from this image.
\nThe following will be working in this copied instance.
\nService outage<\/p>\n

Apache, and, to stop the Tomcat.
\n$ Sudo \/etc\/rc.d\/init.d\/httpd stop
\n$ Sudo \/etc\/rc.d\/init.d\/tomcat7 stop
\nApplication, and a copy of the configuration file (backup)<\/p>\n

Current status of the application, and, you have copy the configuration to the appropriate directory.
\nApache-related
\n\/etc\/httpd\/conf under the configuration file
\nConfiguration files under \/etc\/httpd\/conf.d
\nTomcat-related
\n\/ Usr \/ share \/ tomcat7 \/ webapps under the Web application
\n\/ Usr \/ share \/ tomcat7 \/ conf under the configuration file
\nPackage Upgrade<\/p>\n

Upgrade of Java<\/p>\n

Java1.8 installation of
\nBecause there is a case in which prior to remove the Java1.7 the problem comes out in the dependencies and install the 1.8.
\n$ Sudo yum install java-1.8.0-openjdk
\nUninstall Java1.7
\nUninstall the old java (if necessary).
\n$ Sudo yum erase java-1.7.0-openjdk
\nTomcat upgrade of<\/p>\n

Tomcat8 installation of
\nTomcat8 Install.
\n$ Sudo yum install tomcat8
\nRelated package includes the following are also installed.
\ntomcat8-lib
\ntomcat8-servlet-3.1-api
\ntomcat8-jsp-2.3-api
\ntomcat8-el-3.0-api
\nUninstall Tomcat7
\nBelow you uninstall the package (please go yum erase, etc.).
\ntomcat7
\ntomcat7-lib
\ntomcat7-servlet-3.0-api
\ntomcat7-jsp-2.2-api
\ntomcat7-el-2.2-api
\nApache upgrade of<\/p>\n

Uninstall Apache2.2
\n2.2 for is not even able to install the conflict in an attempt to install a 2.4 in a state in which it is installed, uninstall the earlier 2.2.
\nBelow to uninstall the package. Also you uninstall module class.
\nhttpd
\nhttpd-tools
\nApache2.4 installation of
\nBelow to install the package (httpd24-tools are also installed together).
\nhttpd24
\nApache2.4 installation of modules
\nThe following packages (mod_ssl, and, mos_security) to install.
\n? The following are those that are available in our company. Please change as appropriate in conjunction with the environment.
\nFor mod_security ? protect a Web site from a vulnerability in the WAF (Web Application Firewall) see
\nmod24_ssl
\nmod24_security
\nmod_security_crs
\nmod_security_crs-extras
\nApache2.4 setting<\/p>\n

Configure the settings of Apache2.4.
\nAs changes in the configuration file that I noticed when I went to migrate to 2.4 are as follows.
\nLoadModule setting conf.modules.d \/ *. Changes to the form to be set in the conf
\nhas been changed into a form that is not set in httpd.conf.
\nAddIconByType, mod_autoindex-related directives such as AddIcon moved to conf.d \/ autoindex.conf
\nfor directory index function is not used, these settings I think in many cases it is commented out. 2.2 era had commented out working hard, but now can be handled by that you want to delete \/ rename the autoindex.conf in 2.4.
\nconf.d \/ userdir.conf additional
\nuserdir.conf under the conf.d directory has been added. mod_userdir I think that in many cases you want to disable, but, in that case let’s equal to the autoindex.conf same delete \/ rename.
\nYou configure the settings based on these changes.
\nhttpd.conf configuration of<\/p>\n

Set the httpd.conf (\/etc\/httpd\/conf\/httpd.conf).
\nBelow and set the item (excerpt)
\nProd ServerTokens\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # same manner as in the case of 2.2
\nServerAdmin Aaaattoagilegroup.Co.Jp\u00a0\u00a0\u00a0 # <= administrator e-mail address set
\nServerName Www.Agilegroup.Co.Jp:80 # server name setting
\n<Directory “\/ var \/ www \/ html”>
\n#Options Indexes FollowSymLinks
\nFollowSymLinks Options\u00a0\u00a0\u00a0\u00a0 # <= Indexes is deleted, the directory listing is disabled
\n…
\n<\/ Directory>
\n? ServerSignature is now in the 2.4 default off.
\nDOS attack (slowloris) measures
\nReqtimeout_module in Apache 2.2.15 and later are likely to add. You can take measures for the DOS attack (slowloris) by using this module.
\nYou may be set as needed.
\nRequestReadTimeout header = 20-40, MinRate = 500 body = 20, MinRate = 500
\nThe above is the default value
\nbecomes an error if the header \/ body does not complete the transmission in 20 seconds.
\n500 while the bytes \/ sec or more data is being sent will be extended to a maximum time-out value.
\nModule settings<\/p>\n

Setup is now placed in the following \/etc\/httpd\/conf.modules.d\/ directory.
\nThe following is divided in the configuration file.
\n? 00-ssl.conf, 10-mod_security.conf each mod_ssl, during mod_security installation
\nfile name\u00a0\u00a0 \u00a0Overview
\n00-base.conf\u00a0\u00a0 \u00a0Basic module
\n00-dav.conf\u00a0\u00a0 \u00a0WebDAV related module
\n00-lua.conf\u00a0\u00a0 \u00a0mod_lua
\n00-mpm.conf\u00a0\u00a0 \u00a0MPM related
\nprefork, worker, has become available for selection the event.
\n00-optional.conf\u00a0\u00a0 \u00a0Module, which is generally thought to it is less likely to be used
\n00-proxy.conf\u00a0\u00a0 \u00a0Proxy-related modules
\n01-cgi.conf\u00a0\u00a0 \u00a0CGI-related modules
\n00-ssl.conf\u00a0\u00a0 \u00a0mod_ssl related
\n10-mod_security.conf\u00a0\u00a0 \u00a0mod_security related
\nFor unnecessary modules will be carried out an equal editing to comment out the LoadModule setting.
\n00-base.conf
\nEdit the 00-base.conf.
\n? The following is an example that focuses almost minimal module. Please appropriately changed depending on the environment.
\nLoadModule access_compat_module modules \/ mod_access_compat.so
\n#LoadModule Actions_module modules \/ mod_actions.so
\nLoadModule alias_module modules \/ mod_alias.so
\n#LoadModule Allowmethods_module modules \/ mod_allowmethods.so
\n#LoadModule Auth_basic_module modules \/ mod_auth_basic.so
\n#LoadModule Auth_digest_module modules \/ mod_auth_digest.so
\n#LoadModule Authn_anon_module modules \/ mod_authn_anon.so
\nLoadModule authn_core_module modules \/ mod_authn_core.so
\n#LoadModule Authn_dbd_module modules \/ mod_authn_dbd.so
\n#LoadModule Authn_dbm_module modules \/ mod_authn_dbm.so
\n#LoadModule Authn_file_module modules \/ mod_authn_file.so
\n#LoadModule Authn_socache_module modules \/ mod_authn_socache.so
\nLoadModule authz_core_module modules \/ mod_authz_core.so
\n#LoadModule Authz_dbd_module modules \/ mod_authz_dbd.so
\n#LoadModule Authz_dbm_module modules \/ mod_authz_dbm.so
\n#LoadModule Authz_groupfile_module modules \/ mod_authz_groupfile.so
\n#LoadModule Authz_host_module modules \/ mod_authz_host.so
\n#LoadModule Authz_owner_module modules \/ mod_authz_owner.so
\n#LoadModule Authz_user_module modules \/ mod_authz_user.so
\n#LoadModule Autoindex_module modules \/ mod_autoindex.so
\n#LoadModule Cache_module modules \/ mod_cache.so
\n#LoadModule Cache_disk_module modules \/ mod_cache_disk.so
\n#LoadModule Data_module modules \/ mod_data.so
\n#LoadModule Dbd_module modules \/ mod_dbd.so
\n#LoadModule Deflate_module modules \/ mod_deflate.so
\nLoadModule dir_module modules \/ mod_dir.so
\n#LoadModule Dumpio_module modules \/ mod_dumpio.so
\n#LoadModule Echo_module modules \/ mod_echo.so
\n#LoadModule Env_module modules \/ mod_env.so
\nLoadModule expires_module modules \/ mod_expires.so
\n#LoadModule Ext_filter_module modules \/ mod_ext_filter.so
\n#LoadModule Filter_module modules \/ mod_filter.so
\nLoadModule headers_module modules \/ mod_headers.so
\nLoadModule include_module modules \/ mod_include.so
\n#LoadModule Info_module modules \/ mod_info.so
\nLoadModule log_config_module modules \/ mod_log_config.so
\n#LoadModule Logio_module modules \/ mod_logio.so
\n#LoadModule Macro_module modules \/ mod_macro.so
\n#LoadModule Mime_magic_module modules \/ mod_mime_magic.so
\nLoadModule mime_module modules \/ mod_mime.so
\n#LoadModule Negotiation_module modules \/ mod_negotiation.so
\n#LoadModule Remoteip_module modules \/ mod_remoteip.so
\nLoadModule reqtimeout_module modules \/ mod_reqtimeout.so
\n#LoadModule Request_module modules \/ mod_request.so
\nLoadModule rewrite_module modules \/ mod_rewrite.so
\nLoadModule setenvif_module modules \/ mod_setenvif.so
\n#LoadModule Slotmem_plain_module modules \/ mod_slotmem_plain.so
\n#LoadModule Slotmem_shm_module modules \/ mod_slotmem_shm.so
\n#LoadModule Socache_dbm_module modules \/ mod_socache_dbm.so
\n#LoadModule Socache_memcache_module modules \/ mod_socache_memcache.so
\nLoadModule socache_shmcb_module modules \/ mod_socache_shmcb.so
\nLoadModule status_module modules \/ mod_status.so
\n#LoadModule Substitute_module modules \/ mod_substitute.so
\n#LoadModule Suexec_module modules \/ mod_suexec.so
\n# This module will cause Apache to fail to load if there is no DNS
\n# LoadModule unique_id_module modules \/ mod_unique_id.so
\nLoadModule unixd_module modules \/ mod_unixd.so
\n#LoadModule Userdir_module modules \/ mod_userdir.so
\nLoadModule version_module modules \/ mod_version.so
\nLoadModule vhost_alias_module modules \/ mod_vhost_alias.so
\n00-dav.conf
\nAll commented out you do not use the WebDAV
\n00-lua.conf
\nComment If you do not use the mod_lua
\nNote: to intervene in the Apache in mod_lua of Apache 2.4.1 (end of mod_rewrite?)
\n00-mpm.conf
\nMPM is to enable the ones you want to use.
\n? default had become prefork.
\n00-optional.conf
\nDefault are commented out in total. The setting if there is something you want to use.
\n00-proxy.conf
\nAll comment out If you do not use a proxy.
\nApache is in our environment, since the cooperation by using the Tomcat, to enable the following
\nmod_proxy
\nmod_proxy_ajp
\n00-ssl.conf
\nIf effectively to use the ssl \/ tls
\n01-cgi.conf
\nAll commented out if not using CGI
\n10-mod_security.conf
\nIf effectively utilizing the mod_seciruty
\nconf.d below the set of<\/p>\n

conf.d below the following files will be installed.
\n? mod_security.conf, ssl.conf each mod_security, when mod_ssl installation
\nfile name\u00a0\u00a0 \u00a0Overview
\nautoindex.conf\u00a0\u00a0 \u00a0mod_autoindex related settings. If you want to disable the directory listing, as I wrote above, Chaimashou renamed so that they are not Include either delete the file.
\nnotrace.conf\u00a0\u00a0 \u00a0TraceEnable off settings have been described.
\nThis setting for a cross-site tracing measures should be left in effect.
\nuserdir.conf\u00a0\u00a0 \u00a0mod_userdir related settings. If you do not want to use, as well as the autoindex.conf delete or rename.
\nwelcome.conf\u00a0\u00a0 \u00a0Apache default of the top page for display.
\nThis guy also let you disable and delete or rename.
\nmod_security.conf\u00a0\u00a0 \u00a0mod_security-related settings
\nssl.conf\u00a0\u00a0 \u00a0ssl \/ tls-related settings
\nmod_security.conf
\nFor mod_security, if the settings of the Apache 2.2 is okay the same.
\nIt would be OK if return the configuration file that you backed up.
\nIf LoadModule setting is described, (because it is set in the conf.modules.d \/ 10-mod_security.conf) Let’s commented out.
\nReference: protect the Web site from a vulnerability in the WAF (Web Application Firewall)
\nssl.conf
\nI think that it may be performed setting below (excerpt).
\nBasic
\nSSLProtocol all -SSLv2 -SSLv3 # SSLv2, SSLv3 is prohibited (-SSLv3 postscript)
\n# SSLCipherSuite one example (recommended security type of IPA), revised on the basis of the pre-migration configuration
\nSSLCipherSuite SSLCipherSuite DHE-RSA-AES128-GCM-SHA256: DHE-RSA-AES128-SHA256: DHE-RSA-CAMELLIA128-SHA: DHE-RSA-AES128-SHA: AES128-GCM-SHA256: AES128-SHA256: CAMELLIA128-SHA: AES128-SHA: DHE-RSA-AES256-GCM-SHA384: DHE-RSA-AES256-SHA256: DHE-RSA-CAMELLIA256-SHA: DHE-RSA-AES256-SHA: AES256-GCM-SHA384: AES256-SHA256: CAMELLIA256- SHA: AES256-SHA
\nPriority specified SSLHonorCipherOrder on # cipher suite<\/p>\n

# Various certificate-related file settings – describes the pre-migration configuration
\nSSLCertificateFile …
\nSSLCertificateKeyFile …
\nSSLCACertificateFile …<\/p>\n

# HTTP Strict Transport Security (HSTS) setting – if necessary
\nHeader always set Strict-Transport-Security “max-age = 15768000; includeSubDomains”
\nActual SSLCipherSuite the SSL \/ TLS setting (2015\/5) of the Web server , please also reference per.<\/p>\n

OCSP Stapling
\nBecause became possible OCSP Stapling set in the Apache 2.3.3 or later, this setting also enables.
\nReference: Apache – Enable OCSP Stapling
\nSSLUseStapling on
\nSSLStaplingResponderTimeout 5
\nSSLStaplingReturnResponderErrors off
\nSSLStaplingCache shmcb: \/ var \/ run \/ ocsp (128000)
\nWhether OCSP Stapling is enabled, you can check with the following command (Please change as appropriate host name).
\n$ Openssl s_client -connect localhost: 443 -tls1 -status | head
\n…
\nOCSP response:
\n======================================
\nOCSP Response Data:
\nOCSP Response Status: successful (0x0)
\nResponse Type: Basic OCSP Response
\nVersion: 1 (0x0)
\n…
\nIf OCSP Stapling is invalid, it is output as follows.
\nOCSP response: no response sent<\/p>\n

DH Parameter
\nIf the Apache 2.4.8 migration, Logjam Attack measures , but I thought for performing a particular configuration of the following parameters DH, which is one of the,
\nSSLOpenSSLConfCmd DHParameters “{path to dhparams.pem}”
\nopenssl could not be required there setting or later 1.0.2.
\n? In article writing is openssl of the Amazon Linux 1.0.1k-10.87<\/p>\n

Public Key Pinning
\nPublic Key Pinning also I wanted to try to set, that the second pin of the specified for Examining backup is essential and, because it is likely to Dohamari in operation and not from the falling neatly the procedure \/ system this time, we removed from the configuration.
\nReference: Public Key Pinning<\/p>\n

Other Settings
\nSetting of the Web application, returns from the backup destination settings other than the above.
\nCheck the settings<\/p>\n

When you are finished editing the settings Make sure that there is no problem.
\n$ Sudo httpd -t
\nSyntax OK
\nTomcat8 setting<\/p>\n

Edit the configuration file<\/p>\n

And edit it as needed.
\ntomcat8.conf
\nEdit the \/usr\/share\/tomcat8\/conf\/tomcat8.conf (following excerpt).
\n? JAVA_OPTS is edited for Magnolia CMS
\nJAVA_OPTS=”- server -Dfile.encoding=UTF-8 -Xmx512m -Xminf0.1 -Xmaxf0.3 -Djava.library.path=\/usr\/lib”
\nLANG = “ja_JP.UTF-8”<\/p>\n

? MaxPermSize option of support was removed from the specified as it was no longer a Java8.
\nlogging.properties<\/p>\n

Edit the \/usr\/share\/tomcat8\/conf\/logging.properties (following excerpt).
\nNormal console handler as long as not a development environment will remove because it is unnecessary.
\n# .handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
\n.handlers = 1catalina.org.apache.juli.AsyncFileHandler
\nConfiguration file other than the above is also appropriately set in accordance with the requirements of the application.
\nDeploying Applications<\/p>\n

Deploy the application that has been backed up.
\n\/usr\/share\/tomcat8\/webapps to copy the application that had been backed up to under the directory.
\nAfter copying the tomcat ownership: Change in tomcat.
\n(The following is the case of webapps \/ ROOT application)
\n$ Sudo chown tomcat:tomcat \/usr\/share\/tomcat8\/webapps\/ROOT -R
\nStarting the Server<\/p>\n

When you have finished setting the start the server.
\nLet’s also automatic startup settings as needed.
\nTomcat8<\/p>\n

$ Sudo \/etc\/rc.d\/init.d\/tomcat8 start
\nApache2.4<\/p>\n

$ Sudo \/etc\/rc.d\/init.d\/httpd start
\nConfirmation<\/p>\n

When you start the server, let’s check the operation.
\nCheck the operation of the application<\/p>\n

First, let’s see if Web site, the Web application is running correctly.
\nSSL \/ TSL setting confirmation<\/p>\n

Let whether to confirm or SSL \/ TLS settings are properly adapted.
\nFor SSL \/ TLS settings of the server can be at the following site.
\nSSL Server Test – QUALYS SSL LABS
\nI was able to confirm that that is a valid OCSP stapling also in the above site.
\nAlso try to run again check made in Logjam Attack measures.
\nBelow you can check the site.
\nGuide to Deploying Diffie-Hellman for TLS
\nAlthough pre-migration is DHE had become a warning for a Common 1024-bit Prime, after the migration is 2048-bits next to the warning display has disappeared.
\nSummary<\/p>\n

Our company was able to successfully upgrade the above procedure.
\nAnd after the operation verification reassign the Elastic IP, server migration is complete.
\nOr there is no 1024-bit limit of DH parameters in it to migrate to 2.4.x from 2.2.x, and or can be added to OCSP Stapling setting, I think it will be said to have become a little configurations of the more problematic in terms of security.
\nI think also there is to try the migration aimed at the improvement of the security aspects.<\/p>\n","protected":false},"excerpt":{"rendered":"

Migrating the Apache from 2.2 to 2.4 and write the procedure.<\/p>\n

Also I think it can be used as SSL \/ TLS security setting example (2015).<\/p>\n

table of contents Introduction environment Preliminary preparation Package Upgrade Apache2.4 setting Tomcat8 setting Starting the Server Confirmation Summary Related article Introduction<\/p>\n

May Logjam Attack on measures to, (or higher […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6311"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6311"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6311\/revisions"}],"predecessor-version":[{"id":6312,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6311\/revisions\/6312"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}