Just some notes on things to change in the default Apache config beyond what I’ve discussed before on this blog.
1. First, if you’re serving up HTTPS from your Apache server, you’ll want to exclude SSLv3 support.
The default SSLProtocol directive usually looks like this:
SSLProtocol all -SSLv2
To be safe from the POODLE exploit of SSLv3, you’ll want to modify it to look like this:
SSLProtocol all -SSLv2 -SSLv3
but I’m more comfortable with the old way of doing things (since it implicitly includes additional support for TLSv1.1 and TLSv1.2 without having to list them explicitly).
The old objection that not all browsers support the newer (TLS) protocols is now considerably outdated, as all current browsers support at least TLSv1.
2. For Apache 2.4.x and beyond, you’ll also want to remove any NameVirtualHost statements, because that directive has been dropped and its presence will only result in ugly and embarrassing error messages. The thinking apparently is that name-based virtual hosts have become the standard, so there’s no real point in making admins explicitly turn on support for them.
3. If you want to support multiple SSL name virtual hosts on the same server, you should add the following directives before your virtual host blocks:
NameVirtualHost *:443
SSLStrictSNIVHostCheck off
The NameVirtualHost directive should be omitted from configurations for Apache 2.4.x and later (see section 2 above).
Setting SSLStrictSNIVHostCheck to off tells the server to relax the rules for SNI (Server Name Indication), the mechanism behind name-based virtual hosting, so that it can be used for HTTPS hosting. If it is omitted, Apache may throw an error and only serve up the first listed host. Eventually I’d expect this requirement to go away, since all modern browsers now support SNI. For now, the effect of turning off strict checking is that the server will route any ancient browser that doesn’t support SNI to the first name-based virtual host as the default.
There is a technical discussion covering this in Apache’s wiki entitled SSL with Virtual Hosts Using SNI.
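To make the three checks above repeatable, here is an added example (my own code, not an Apache tool or anything from the post) that lints an httpd.conf fragment for an SSLProtocol line that still admits SSLv2/SSLv3, a leftover NameVirtualHost on 2.4+, and several *:443 name-based vhosts without SSLStrictSNIVHostCheck off. The function name, the version argument and the sample configuration are all constructed for the example.

```python
import re

# Constructed sample of the pre-hardening configuration the post warns about
SAMPLE_CONF = """\
NameVirtualHost *:443
SSLStrictSNIVHostCheck on
SSLProtocol all -SSLv2
<VirtualHost *:443>
    ServerName a.example
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
</VirtualHost>
"""


def lint_apache_ssl_conf(conf_text, apache_version="2.4"):
    """Return findings for the three points in the post; an empty list means clean.

    Hypothetical checker (not part of Apache): it reads directive lines and
    counts <VirtualHost *:443> blocks in the text it is given, nothing more.
    """
    findings = []
    version = tuple(int(p) for p in apache_version.split("."))
    # Directive lines only: skip blanks, comments and <...> container tags
    directives = [ln.strip() for ln in conf_text.splitlines()
                  if ln.strip() and not ln.strip().startswith(("#", "<"))]
    names = [d.split()[0].lower() for d in directives]

    # 1. SSLProtocol: "all" is only acceptable if SSLv2 and SSLv3 are both excluded
    for d in directives:
        if d.split()[0].lower() == "sslprotocol":
            args = [a.lower() for a in d.split()[1:]]
            if "all" in args:
                for legacy in ("SSLv2", "SSLv3"):
                    if "-" + legacy.lower() not in args:
                        findings.append(f"SSLProtocol still allows {legacy}; add -{legacy}")

    # 2. NameVirtualHost was dropped in 2.4; on 2.4+ it only produces warnings
    if version >= (2, 4) and "namevirtualhost" in names:
        findings.append("NameVirtualHost is obsolete in Apache 2.4+; remove it")

    # 3. Several SSL name-based vhosts need relaxed SNI checking per the post
    ssl_vhosts = len(re.findall(r"<VirtualHost\s+\*:443\s*>", conf_text, re.IGNORECASE))
    strict_off = any(re.fullmatch(r"SSLStrictSNIVHostCheck\s+off", d, re.IGNORECASE)
                     for d in directives)
    if ssl_vhosts > 1 and not strict_off:
        findings.append(f"{ssl_vhosts} *:443 vhosts but SSLStrictSNIVHostCheck off is not set")
    return findings


if __name__ == "__main__":
    for finding in lint_apache_ssl_conf(SAMPLE_CONF):
        print("WARN:", finding)
```

Run it against the fragment you actually ship (for example after concatenating the files pulled in by Include) rather than the sample; the checker does not follow Include directives itself.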