After setting up the SSL certificate, configuring Perfect Forward Secrecy and HSTS for your HTTPS site are incredibly important steps. It can be pretty daunting, however, and adding the wrong settings to your apache2.conf can even completely disable your entire site. Using this guide, you can easily configure these important security settings on Apache.
Perfect Forward Secrecy
PFS basically means that a fresh, ephemeral session key is generated for every connection instead of being derived from the server's long-term private key. If a key becomes compromised, the attacker can only read the traffic of that one session, not past or future sessions.
PFS is a feature provided by the web server and is configured through conf files. Open the Apache configuration file at
/etc/apache2/apache2.conf
with your choice of text editor and navigate to the bottom.
You should have a section with SSL directives. The default on Debian 8 contained these:
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
I commented the second line out and replaced it with these two:
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256"
After saving the conf file, I restarted apache with a
service apache2 restart
and that was that.
HSTS
HSTS stands for HTTP Strict Transport Security, which ensures that clients only interact with the site over HTTPS. It’s a response header set in the virtual host settings of Apache that tells the browser to upgrade any plain HTTP request for that domain to HTTPS and never fall back to an insecure connection.
Putting this into the settings for the default virtual host sounds like the way to go but unfortunately it won’t work. It’s only configurable per domain so you’ll have to go into every virtual host conf file and add it there. Luckily that’s pretty simple; just paste a couple of lines in the correct place and we’re done.
On Debian 8, Apache is configured with a main conf file for the server and the domains/virtual hosts in another directory. Mine had this path:
/etc/apache2/sites-available/mydomain.com.conf
Open the conf file of the virtual host and search for the settings for the secured version of the site, which should be in a section starting with this (the * will probably be an IP address):
<VirtualHost *:443>
On the next line, paste the following lines:
# Guarantee HTTPS for 1 Year including Sub Domains
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
This instructs the browser to only use HTTPS for connections to that domain or subdomains for a year.
A WORD TO THE WISE: if you include subdomains, you will not be able to connect to ANY web server on a subdomain, even if it’s on a remote server. HSTS requires a PROPERLY CONFIGURED CERTIFICATE – not self-signed! – on every subdomain.
So, for instance, you might have your web server on mydomain.com with HSTS set up properly. Then you spin up a VPS VOIP server and set it up as a subdomain, like voip.mydomain.com. If you have a self-signed certificate (or otherwise improperly configured cert) on that remote subdomain server, you will not be able to connect to that server’s web server using HTTPS or HTTP, effectively locking you out of any web interface on the remote server. Ask me how I know!
Even though it’s a remote server, your browser sees the HSTS settings on the main domain and will refuse to allow ANYONE to connect. You won’t even be offered the opportunity to add an exception!
To undo this, simply remove the
includeSubDomains
directive from the above code snippet and restart Apache.
Be aware of this!
With that warning out of the way, go ahead and restart Apache with a
service apache2 restart
and you are done. Bask in the glow of industry standard web security!
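To confirm that both changes above actually took effect (and to avoid the scenario from the intro where a typo in apache2.conf takes the whole site down), here is a small verification script. It is an added example, not part of the original post: it assumes the site listens on port 443 and that curl, openssl and apache2ctl are installed on the machine you run it from; the hostname passed to check_site is yours to fill in.

```shell
#!/bin/sh
# Verification helpers for the PFS and HSTS settings above (added example, not from the post).
# Assumptions: the site listens on 443 and curl/openssl/apache2ctl exist where this runs.

# Validate the config before restarting, so a typo in apache2.conf cannot take the site down.
safe_restart() {
    apache2ctl configtest && service apache2 restart
}

# A cipher gives forward secrecy when key exchange is ephemeral: ECDHE-*/DHE-*
# names under TLS 1.2, and every TLS_* name under TLS 1.3.
is_pfs_cipher() {
    case "$1" in
        ECDHE-*|DHE-*|TLS_*) return 0 ;;
        *) return 1 ;;
    esac
}

# max-age in seconds from an HSTS header value; prints 0 when the value has none.
hsts_max_age() {
    age=$(printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${age:-0}"
}
hsts_includes_subdomains() {
    printf '%s\n' "$1" | grep -qi 'includeSubDomains'
}

# Verdict on an HSTS header value (31536000 s is the one year used in the snippet above).
hsts_verdict() {
    age=$(hsts_max_age "$1")
    if [ "$age" -eq 0 ]; then echo "no HSTS header"
    elif [ "$age" -lt 31536000 ]; then echo "HSTS set but max-age below one year: $age"
    elif hsts_includes_subdomains "$1"; then echo "HSTS ok with includeSubDomains: every subdomain needs a valid certificate"
    else echo "HSTS ok"
    fi
}

# Live checks against a host (these need the network; the offline test does not call them).
negotiated_cipher() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null | sed -n 's/^ *Cipher *: *//p' | head -n 1
}
hsts_header() {
    curl -sI "https://$1/" | tr -d '\r' | grep -i '^strict-transport-security:' | cut -d: -f2- | sed 's/^ *//'
}
check_site() {  # usage: check_site mydomain.com
    c=$(negotiated_cipher "$1")
    if is_pfs_cipher "$c"; then echo "PFS ok: $c"; else echo "PFS missing: ${c:-no TLS handshake}"; fi
    hsts_verdict "$(hsts_header "$1")"
}
```

Run `safe_restart` instead of a bare `service apache2 restart`; `apache2ctl configtest` refuses to proceed on a syntax error, so Apache keeps serving the old configuration.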