logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: HSTS Configuration on Apache 2.4.25 on Linux box
Author
vyvarya



Joined: 08 May 2019
Posts: 2

PostPosted: Wed 08 May '19 17:17    Post subject: HSTS Configuration on Apache 2.4.25 on Linux box Reply with quote

We are using Apache middle-ware for customer to connect their external portal to our SAP system. The Apache version we are using is Apache 2.4.25 (RedHat).

Recently Customer security team has raised a request to implement HSTS (HTTP Strict Transport Security) on our Apache system that is connected to our SAP system.

Can the experts please help with the configuration steps. Please note that SSL is already implemented on Apache server hence that is not required. I have gone through the google links but its all given for older apache versions.

I am specifically looking for Apache 2.4.25.

Thanks
Vivek Arya
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 08 May '19 18:48    Post subject: Reply with quote

make sure mod_headers is loaded then add the HSTS header in the config

Code:
Header always set Strict-Transport-Security "max-age=63072000;"
Back to top
vyvarya



Joined: 08 May 2019
Posts: 2

PostPosted: Thu 09 May '19 11:32    Post subject: Reply with quote

Hello Glsmith,

The below mentioned parameter has already been set with MOD_HEADERS.SO active in httpd.conf file. Still when I am running CURL command to check the configuration its returning "NOTHING".
Below is what is configured in httpd.conf file. Not sure what I am missing here. Is there any other configuration or some other file needs to be changed.

Code:
#Modules
Include conf.modules.d/*.conf

#Virtual host block
<VirtualHost IP:443>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ServerName "Customer URL"


HostnameLookups Off
ProxyVia On
ProxyRequests Off
ProxyPreserveHost On
RewriteEngine On
#RewriteLogLevel 1
RequestHeader set ClientProtocol HTTPS
AllowEncodedSlashes      on
TraceEnable off

SSLEngine on
SSLProtocol -All +TLSv1.1 TLSv1.2
SSLInsecureRenegotiation off
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!L
OW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

SSLCertificateFile <Certificate Path>.crt
SSLCertificateKeyFile <certificate key path>.key
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Sun 12 May '19 19:34    Post subject: Reply with quote

Sorry for the delay, was out of town.

Yes, there are some ciphers that are not forward secrecy. I can't tell you which.

Instead of trusting curl, try this test:
https://www.ssllabs.com/ssltest/

I use these and get forward secrecy always.
Code:
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
Back to top


Reply to topic   Topic: HSTS Configuration on Apache 2.4.25 on Linux box View previous topic :: View next topic
Post new topic   Forum Index -> Apache