Tweaking Apache for new realities

Just some notes on things to change in the default Apache config beyond what I’ve discussed before on this blog.

1. First, if you’re serving up HTTPS from your Apache server, you’ll want to exclude SSLv3 support.

The default SSLProtocol directive usually looks like this:

SSLProtocol all -SSLv2

To be safe from the POODLE exploit of SSLv3, you’ll want to modify it to look like this:

SSLProtocol all -SSLv2 -SSLv3

See “SSLProtocol Directive” under Apache Module mod_ssl in the Apache 2.2 doc. The Apache 2.4 doc has the new default as

SSLProtocol TLSv1

but I’m more comfortable with the old way of doing things (since it implicitly includes additional support for TLSv1.1 and TLSv1.2 without having to list them explicitly).

The old objection that not all browsers support the newer (TLS) protocols is now considerably outdated, as all current browsers support at least TLSv1.

2. For Apache 2.4.x and beyond, you’ll also want to remove any NameVirtualHost statements, because that directive has been dropped and its presence will only result in ugly and embarrassing error messages. The thinking apparently is that name based virtual hosts have become the standard and there’s no real point to making admins go through explicitly turning on support for them.

3. If you want to support multiple SSL name virtual hosts on the same server, you should add the following directives before your virtual host blocks:

NameVirtualHost *:443
SSLStrictSNIVHostCheck off

The NameVirtualHost directive should be omitted from configurations for Apache 2.4.x and later (see section 2 above).

The SSLStrictSNIVHostCheck directive tells the server to relax the rules for using SNI (Server Name Indication), the magic behind name based virtual hosting, so that it can be used for HTTPS hosting. If it is omitted Apache may throw an error and only serve up the first listed host. Eventually I’d expect this requirement to go away since all modern browsers now support SNI. For now the effect of turning off strict checking will be that the server will route any ancient browser that doesn’t support SNI to the first name based virtual host as the default.

There is a technical discussion covering this in Apache’s wiki entitled SSL with Virtual Hosts Using SNI.
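Putting sections 1 and 3 together, here is a minimal two-host HTTPS configuration, added as an example rather than taken from the post or the Apache docs; the hostnames, document roots and certificate paths are placeholders.

```apache
# Added example: two name-based HTTPS virtual hosts on one address, using the
# SSLProtocol and SNI settings discussed in the post. Hostnames and file paths
# are placeholders, not values from the post.

Listen 443

# Weak default that still allows SSLv3 (POODLE):
#   SSLProtocol all -SSLv2
# Hardened setting from section 1, set once in the server context so every
# virtual host inherits it:
SSLProtocol all -SSLv2 -SSLv3

# Apache 2.2 only; remove this line on 2.4.x or it is logged as an error.
# NameVirtualHost *:443

# Let clients without SNI fall through to the first <VirtualHost> below
# instead of being refused outright.
SSLStrictSNIVHostCheck off

# The first listed host is the default for clients that do not send SNI.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
</VirtualHost>

# Checks to run from a shell after reloading (not part of the config):
#   openssl s_client -connect www.example.org:443 -servername www.example.org
#     confirms SNI routes to the second host's certificate, not the default.
#   openssl s_client -connect www.example.org:443 -ssl3
#     confirms SSLv3 is refused (the -ssl3 option only exists in OpenSSL
#     builds that still include SSLv3 support).
```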

This entry was posted in System Administration, Web.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).