In the previous post I left you right after the Apache HTTP Server 2.4 installation. We have a few steps left to complete.
Configure Apache 2.4
Apache 2.4 ships a different set of packages and is not compatible with some old modules (e.g. mod_perl). Even if we will not reuse the old system configuration, this is a good time to make a system backup (or take a snapshot). As a minimum, make a copy of the /etc/httpd directory and of /etc/init.d, which we are about to edit:
#tar zcvf etc-httpd.tgz /etc/httpd
#tar zcvf etc-initd.tgz /etc/init.d
Now we should point the system to the new Apache HTTP Server binaries.
Open /etc/init.d/httpd for editing and point the httpd and apachectl variables to the new binaries as below:
apachectl=/usr/local/apache2/bin/apachectl
httpd=/usr/local/apache2/bin/httpd
Save the changes. Next, edit the configuration files to enable the necessary modules.
In the file /usr/local/apache2/conf/httpd.conf, uncomment the following lines (line numbers refer to the stock 2.4.10 httpd.conf and may differ in your build):
Line Text
85 LoadModule cache_module modules/mod_cache.so
88 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
114 LoadModule proxy_module modules/mod_proxy.so
117 LoadModule proxy_http_module modules/mod_proxy_http.so
128 LoadModule ssl_module modules/mod_ssl.so
147 LoadModule rewrite_module modules/mod_rewrite.so
480 Include conf/extra/httpd-ssl.conf
Modify the log paths:
265 ErrorLog "/var/log/httpd/error_log"
294 CustomLog "/var/log/httpd/access_log" common
Append to the end of the file an Include for our own configuration file (created in the next section):
Include conf/apex/apex.conf
For the SSL configuration I prefer to keep all global parameters in the standard file and put the virtual host definitions in a separate one.
For the sake of document size I have removed the standard comments from the default httpd-ssl.conf and kept the essentials. Two caveats about the stock settings: SSLCipherSuite HIGH:MEDIUM still admits RC4 (in MEDIUM) and 3DES (in HIGH) on OpenSSL 1.0.1, and without SSLHonorCipherOrder on it is the client, not the server, that picks the cipher suite. Tighten both if your client base allows it.
File /usr/local/apache2/conf/extra/httpd-ssl.conf:
<IfModule ssl_module>
Listen 443
SSLCipherSuite HIGH:MEDIUM
SSLProtocol All -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLCertificateFile "/etc/httpd/conf/server-cert.pem"
SSLCertificateKeyFile "/etc/httpd/conf/server-key.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">SSLOptions +StdEnvVars</FilesMatch>
<Directory "/usr/local/apache2/cgi-bin">SSLOptions +StdEnvVars</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# log format as in the stock httpd-ssl.conf
CustomLog "/usr/local/apache2/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
Configure reverse proxy for Oracle Apex.
We are at the final stage and ready to put the application behind TLS. Let's create a separate configuration file for our APEX application:
#mkdir /usr/local/apache2/conf/apex
#vi /usr/local/apache2/conf/apex/apex.conf
Now create the configuration content as below. Two points matter for a reverse proxy: ProxyRequests must be Off (On would turn the host into an open forward proxy for anyone who can reach port 443), and access control in the <Proxy> block uses the 2.4 Require syntax rather than the 2.2 Order/Allow directives, which only work when mod_access_compat is loaded.
<VirtualHost *:80>
# Send every plain HTTP request to the HTTPS site with a permanent redirect.
# One RewriteRule is enough; the mod_alias Redirect directive does not expand
# %{HTTP_HOST}/%{REQUEST_URI} on this 2.4.10 build and was redundant anyway.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<IfModule ssl_module>
<VirtualHost *:443>
SSLEngine on
DocumentRoot "/usr/local/apache2/htdocs"
ServerName <your.server.name.com>
ServerAdmin <yourmail@server.name.com>
ErrorLog /var/log/httpd/apex-error_log
CustomLog /var/log/httpd/apex-access_log common
# Land on the APEX login page when the site root is requested.
RewriteEngine On
RewriteRule ^/$ /apex/f?p=4500:1000 [R=301,L]
# Reverse proxy only: never set ProxyRequests On on an Internet-facing host.
ProxyRequests Off
<Proxy "*">
Require all granted
</Proxy>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
</IfModule>
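The following shell script is an added example and is not part of the original post. It is a small awk-based static lint for the two files above (httpd-ssl.conf and apex.conf): it flags ProxyRequests On, 2.2-style Order/Allow access control, SSLv2/SSLv3 left enabled, weak cipher groups in SSLCipherSuite, and a missing SSLHonorCipherOrder. Both embedded configs are constructed for the demo; the first reproduces the weak settings discussed above, the second is one hardened form, and its cipher string HIGH:!aNULL:!MD5:!RC4:!3DES is my choice, not the post's. Pipe the real files into lint_httpd_conf before restarting httpd.

```shell
#!/bin/sh
# Added example (not from the original post): static lint for the reverse-proxy
# and TLS settings built above. Both configs below are constructed for the demo.

WEAK_CONF='
SSLCipherSuite HIGH:MEDIUM
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
  SSLEngine on
  ProxyRequests On
  <Proxy *>
    Order allow,deny
    Allow from all
  </Proxy>
  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/
</VirtualHost>
'

# Hardened form: reverse proxy only, 2.4 access control, server-chosen cipher
# order. The cipher string is an assumption of mine, not taken from the post.
HARDENED_CONF='
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
  SSLEngine on
  ProxyRequests Off
  <Proxy "*">
    Require all granted
  </Proxy>
  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/
</VirtualHost>
'

# lint_httpd_conf: reads an Apache config on stdin and prints one FINDING: line
# per problem. Directive names are matched case-insensitively, as httpd does.
lint_httpd_conf() {
    awk '
    function finding(msg) { print "FINDING: line " NR ": " msg }
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }        # drop comments and indentation
    tolower($1) == "proxyrequests" && tolower($2) == "on" {
        finding("ProxyRequests On makes this an open forward proxy; use Off for a reverse proxy")
    }
    tolower($1) == "order" || tolower($1) == "allow" || tolower($1) == "deny" {
        finding("2.2-style access control (" $0 ") needs mod_access_compat; use Require")
    }
    tolower($1) == "sslciphersuite" {
        ciphers_seen = 1
        m = split($2, part, ":")
        for (i = 1; i <= m; i++)               # "!X" removes a group, so skip it
            if (part[i] !~ /^!/ && part[i] ~ /^(MEDIUM|LOW|EXPORT|DEFAULT|ALL)$|RC4|DES|MD5|NULL/)
                finding("weak cipher group " part[i] " in SSLCipherSuite")
    }
    tolower($1) == "sslhonorcipherorder" && tolower($2) == "on" { honor = 1 }
    tolower($1) == "sslprotocol" {
        all = 0; excl3 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "-sslv3") excl3 = 1
            sub(/^\+/, "", t)                     # "+all" and "all" mean the same
            if (t == "all") all = 1
            else if (t == "sslv2" || t == "sslv3") finding("SSLProtocol enables " $i)
        }
        if (all && !excl3) finding("SSLProtocol All without -SSLv3 leaves SSLv3 (POODLE) enabled")
    }
    END {
        if (ciphers_seen && !honor)
            print "FINDING: SSLHonorCipherOrder on is missing: the client picks the cipher suite"
    }
    '
}

# count_findings: same input, prints only the number of findings (0 = clean).
count_findings() {
    lint_httpd_conf | awk '/^FINDING:/ { c++ } END { print c + 0 }'
}

for name in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    echo "== $name: $(printf '%s\n' "$conf" | count_findings) finding(s) =="
    printf '%s\n' "$conf" | lint_httpd_conf
done
```

The weak config produces five findings (the open proxy, two legacy access-control lines, the MEDIUM group and the missing cipher-order directive); the hardened one produces none. The lint is deliberately line-oriented and knows nothing about <IfModule> nesting, so treat it as a pre-restart sanity check, not a substitute for apachectl -t.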
Save the file and start the httpd server:
# service httpd start
Starting httpd: [ OK ]
Let's check the server status:
# /usr/local/apache2/bin/apachectl status
Apache Server Status for localhost (via 127.0.0.1)
Server Version: Apache/2.4.10 (Unix) OpenSSL/1.0.1k
Server MPM: event
Server Built: Jan 18 2015 19:49:52
---------------------------------------------------------------------------
Current Time: Tuesday, 20-Jan-2015 10:00:28 EST
Restart Time: Tuesday, 20-Jan-2015 09:07:43 EST
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 52 minutes 44 seconds
Server load: 0.00 0.00 0.00
Total accesses: 0 - Total Traffic: 0 kB
CPU Usage: u0 s0 cu0 cs0
0 requests/sec - 0 B/second -
1 requests currently being processed, 74 idle workers
+---------------------------------------------------------------------------+
| | Connections | Threads | Async connections |
| PID |-------------------+-------------+---------------------------------|
| | total | accepting | busy | idle | writing | keep-alive | closing ||
|-------+-------+-----------+------+------+---------+------------+---------||
|15639 |0 |yes |0 |25 |0 |0 |0 ||
|-------+-------+-----------+------+------+---------+------------+---------||
|15641 |0 |yes |0 |25 |0 |0 |0 ||
|-------+-------+-----------+------+------+---------+------------+---------||
|15643 |0 |yes |1 |24 |0 |0 |0 ||
|-------+-------+-----------+------+------+---------+------------+---------||
|Sum |0 | |1 |74 |0 |0 |0 ||
+---------------------------------------------------------------------------+
__________________________________________________W_____________
___________.....................................................
................................................................
................................................................
................................................................
................................................................
................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Now we have Apache HTTP Server 2.4 up and running. Let's check application access through SSL.
Restrict access to applications.
To disable or limit access over plain protocols we need to protect the ports at system level with the iptables firewall. First of all, check whether the firewall is enabled on your system. From an X session you can use the command:
# system-config-securitylevel
Or check the iptables service status:
# service iptables status
If the firewall is disabled I recommend enabling it from the security level configuration utility and then modifying /etc/sysconfig/iptables.
It will give you something similar to the rule set below. The three port 8080 lines are the ones we add: they allow the application listener port from localhost and from one trusted address, and reject every other new connection to it.
# Generated by iptables-save v1.2.11 on Tue Jan 20 10:56:55 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s localhost --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s <YOR-IP-ADDRESS> --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport 8080 -j REJECT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jan 20 10:56:55 2015
You may add further permissions and restrictions, but remember that rule order is extremely important: the first matching rule with a terminating target (ACCEPT, REJECT, DROP) decides the packet. That is why the port 8080 REJECT must stay above the -i eth0 -j ACCEPT line. Be aware that this eth0 line accepts every packet arriving on that interface, so the port 80, 443 and 22 rules and the final REJECT below it never see eth0 traffic; unless eth0 really is a trusted network, drop that line so the port-specific rules do the work. If the application can be told to listen on 127.0.0.1 only, do that as well, so that the firewall is not the only thing keeping port 8080 private.
Restart the iptables service with:
# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
#
Check that the new rules are in place:
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:8080
ACCEPT tcp -- <your-ip> 0.0.0.0/0 tcp dpt:8080
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
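Here is an added shell example, not from the original post, that makes the rule-precedence point mechanical. It reads an iptables-save dump and reports every rule that sits below a blanket ACCEPT, DROP or REJECT (a rule whose only condition is the interface) in the same chain, since such rules can never match traffic on that interface. The embedded rule set is constructed from the one above, with 192.0.2.10 standing in for the trusted address; the fixed variant simply drops the -i eth0 -j ACCEPT line. The lo blanket rule is deliberately ignored because trusting loopback is normal.

```shell
#!/bin/sh
# Added example (not from the original post): find iptables rules shadowed by
# an earlier blanket ACCEPT/DROP/REJECT in the same chain. The rule set is
# constructed from the one above; 192.0.2.10 stands in for the trusted address.

RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 127.0.0.1 --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 192.0.2.10 --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport 8080 -j REJECT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Same rule set without the blanket eth0 accept.
FIXED_RULES=$(printf '%s\n' "$RULES" | grep -v -- '-i eth0 -j ACCEPT')

# audit_iptables: reads iptables-save output on stdin and prints one SHADOWED:
# line for every rule that comes after a blanket terminating rule in its chain.
audit_iptables() {
    awk '
    /^-A / {
        chain = $2; iface = ""; target = ""; blanket = 1
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); break }     # rest are target options
            if ($i == "-i" || $i == "-o") { iface = $(i + 1); i++; continue }
            blanket = 0                                      # a real match condition
        }
        if (chain in shadow) {
            print "SHADOWED by [" shadow[chain] "]: " $0
        } else if (blanket && iface != "lo" &&
                   (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
            shadow[chain] = $0                               # first blanket rule wins
        }
    }
    '
}

# count_shadowed: prints the number of shadowed rules (0 = ordering is sane).
count_shadowed() {
    audit_iptables | awk '/^SHADOWED/ { c++ } END { print c + 0 }'
}

echo "original rule set: $(printf '%s\n' "$RULES" | count_shadowed) shadowed rule(s)"
printf '%s\n' "$RULES" | audit_iptables
echo "fixed rule set: $(printf '%s\n' "$FIXED_RULES" | count_shadowed) shadowed rule(s)"
```

On the rule set above this reports ten shadowed rules, everything from the ICMP accept down to the final REJECT, and zero once the eth0 line is gone. Feed it the live ruleset with iptables-save | audit_iptables after every change to /etc/sysconfig/iptables.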
Results
Open your server URL with the /apex path in Chrome (it has the strictest policies and shows the most information about the SSL connection). You should get the Oracle XE login page (screenshot not reproduced here). If you check the protocol and cipher status you will see TLS 1.2 and a strong cipher from OpenSSL 1.0.
As a result we have:
- The application HTTP port (8080) is not reachable from outside the box.
- The server accepts HTTP requests and redirects them to HTTPS.
- The application is available on the HTTPS port.
- Only TLS protocols are offered; SSLv2 and SSLv3 are disabled.
- Only the HIGH and MEDIUM cipher groups are offered. Note that on OpenSSL 1.0.1 MEDIUM still contains RC4 and HIGH still contains 3DES, so tighten SSLCipherSuite if your clients allow it.
Case solved, have fun.