themactep

a collection of miscellaneous projects of Paul Philippov

Apache Useful Tips

How to generate a domain key and a certificate request

$ openssl req -new -newkey rsa:2048 -nodes -sha256 \
 -out domain_tld.csr -keyout domain_tld.key \
 -subj "/C=US/ST=State/L=City/O=My Corp/OU=IT/CN=domain.tld/emailAddress=admin@domain.tld"

How to make a bundle from COMODO certificates

$ cat COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt \
  AddTrustExternalCARoot.crt > domain_name.ca-bundle

How to build a chained SSL certificate

$ cat domain_name.crt domain_name.ca-bundle > domain_name_tree.crt

or, in case of a set of separate COMODO certificates:

$ cat domain_name.crt COMODORSADomainValidationSecureServerCA.crt \
  COMODORSAAddTrustCA.crt > domain_name_tree.crt

How to display contents of an SSL certificate

$ openssl x509 -in certificate.pem -text

How to test SNI SSL Certificates

$ openssl s_client -connect domainname.tld:443 -servername domainname.tld

How to secure a web server by obscuring software identity

$ sudo -s
# a2enmod headers
# echo '
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header always unset X-Powered-By
Header always unset X-Runtime
' > /etc/apache2/conf-enabled/security-override.conf
# apache2ctl -k restart
# exit

How to use web fonts from an external domain

$ sudo -s
# echo '
AddType font/ttf .ttf
Header set Access-Control-Allow-Origin "*"
' >> /path/to/website/public/fonts/.htaccess
# exit

How to install a trusted SSL certificate

$ sudo -s
# mv filename.crt /usr/local/share/ca-certificates
# update-ca-certificates
# exit

How to delete a trusted SSL certificate

$ sudo -s
# rm /usr/local/share/ca-certificates/filename.crt
# update-ca-certificates --fresh
# exit

How to have valid HTML5 whilst forcing IE to use the latest rendering engine

$ sudo -s
# echo 'Header set X-UA-Compatible "IE=edge"' >> /etc/apache2/conf-available/headers.conf
# a2enmod headers
# a2enconf headers
# apache2ctl -k restart
# exit

How to block abusive pingdom.com bots

$ GET https://www.pingdom.com/rss/probe_servers.xml | \
awk -F"[><]" '/:ip/ {print $3;}' | \
sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | \
sed "s/^/ALL: /" | \
sudo tee -a /etc/hosts.deny

How to enhance Apache security and reduce server load

Add the following lines to the Apache security config. Adjust as needed.

# OBSCURE SERVER ENVIRONMENT
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header always unset X-Powered-By
Header always unset X-Runtime

# BLOCK EVIL USER-AGENTS
SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent Java keep_out
SetEnvIfNoCase User-Agent Jorgee keep_out
SetEnvIfNoCase User-Agent MaMa keep_out
SetEnvIfNoCase User-Agent Morfeus keep_out
SetEnvIfNoCase User-Agent panscient.com keep_out
SetEnvIfNoCase User-Agent Python-urllib keep_out
SetEnvIfNoCase User-Agent revolt keep_out
SetEnvIfNoCase User-Agent "Toata dragostea mea pentru diavola" keep_out
SetEnvIfNoCase User-Agent "Toata dragostea mea pentru iEdi" keep_out
SetEnvIfNoCase User-Agent ZmEu keep_out

<Directory /var/www/>
  <RequireAny>
    <RequireAll>
      Require all granted
      Require not env keep_out
    </RequireAll>
  </RequireAny>
</Directory>

# BLOCK REQUESTS FROM INTRUDERS
RedirectMatch 403 /\$\&
RedirectMatch 403 /\.(bash|git|hg|log|svn|swp|tar)
RedirectMatch 403 /(=|_mm|cgi|cvs|dbscripts|jsp|rnd|userfiles)
RedirectMatch 403 (https?|mailto)\:
RedirectMatch 403 \.(aspx?|dll|htc|htm|php)(\?|$)
RedirectMatch 403 (?i)/(eweb|cute|f?ck|kind|u)editor
RedirectMatch 403 (?i)/(drupal|forum|horde|joomla|pma|phpmyadmin|round|typo3|web(dav|mail)|wordpress|wp(-admin)?)(/|$)
RedirectMatch 403 (?i)/((change)?log|(dev)?info|documentation|history|install|licen[cs]e|readme|ver(sion)?)(\.txt|$)
RedirectMatch 403 /(HNAP1|w00tw00t|\+\+)

# REDIRECT BROKEN REQUESTS
RedirectMatch 301 /.google-analytics.com/ga.js https://www.google-analytics.com/ga.js
RedirectMatch 301 /__utm.gif https://www.google-analytics.com/__utm.gif
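As an added example (not part of the original tips), this Python script runs the RedirectMatch 403 and User-Agent rules above over constructed sample lines in Apache's combined log format, so you can see what an existing site's traffic would lose before enabling them; it shows, for instance, that the `.php` rule also matches `/wp-login.php`, which is why the list has to be adjusted per site. It relies on RedirectMatch being matched against the decoded URL-path without the query string, and assumes a missing User-Agent header is treated as the empty string.

```python
import re
from urllib.parse import unquote

# RedirectMatch 403 patterns copied from the config above. Apache matches them against the
# decoded URL-path only (no query string); the PCRE syntax used here is also valid Python re.
PATH_RULES = [re.compile(p) for p in (
    r"/\$\&",
    r"/\.(bash|git|hg|log|svn|swp|tar)",
    r"/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|userfiles)",
    r"(https?|mailto)\:",
    r"\.(aspx?|dll|htc|htm|php)(\?|$)",
    r"(?i)/(eweb|cute|f?ck|kind|u)editor",
    r"(?i)/(drupal|forum|horde|joomla|pma|phpmyadmin|round|typo3|web(dav|mail)|wordpress|wp(-admin)?)(/|$)",
    r"(?i)/((change)?log|(dev)?info|documentation|history|install|licen[cs]e|readme|ver(sion)?)(\.txt|$)",
    r"/(HNAP1|w00tw00t|\+\+)",
)]

# SetEnvIfNoCase User-Agent patterns from the same config; NoCase means a case-insensitive search.
# Assumption: a missing User-Agent header is treated as the empty string, which the ^$ rule catches.
UA_RULES = [re.compile(p, re.IGNORECASE) for p in (
    r"^$", "Java", "Jorgee", "MaMa", "Morfeus", "panscient.com", "Python-urllib", "revolt",
    "Toata dragostea mea pentru diavola", "Toata dragostea mea pentru iEdi", "ZmEu",
)]

# Apache "combined" log line: host ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def classify(path, user_agent):
    """Verdict for one request: the 403 path rules first, then the keep_out User-Agent rules."""
    if any(rule.search(path) for rule in PATH_RULES):
        return "blocked-path"
    if any(rule.search(user_agent) for rule in UA_RULES):
        return "blocked-ua"
    return "allowed"

def audit(log_text):
    """Map each parseable combined-log line to (decoded path, verdict); other lines are skipped."""
    matches = (LOG_RE.match(line) for line in log_text.splitlines())
    requests = [(unquote(m.group(3).split("?", 1)[0]), m.group(4)) for m in matches if m]
    return [(path, classify(path, ua)) for path, ua in requests]

# Constructed sample traffic (RFC 5737 addresses), not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.6 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:55:39 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Python-urllib/3.11"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET /blog/?p=12 HTTP/1.1" 200 8000 "-" ""
203.0.113.11 - - [10/Oct/2023:13:55:42 +0000] "GET /%2Egit/HEAD HTTP/1.1" 404 213 "-" "Mozilla/5.0"
"""
```

Feed `audit()` a real access log to measure how much legitimate traffic the rules would reject before enabling them.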

How to force SSL access and secure WordPress installation

<VirtualHost *:80>
  ServerName domain.tld
  ServerAlias www.domain.tld

  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
  ServerName domain.tld
  ServerAlias www.domain.tld
  ServerAdmin admin@domain.tld
  DocumentRoot /path/to/siteroot

  <Directory /path/to/siteroot>
    AllowOverride all
    Require all granted

    <Files "wp-login.php">
      Require all denied
      Require ip <YOUR_STATIC_IP>
    </Files>
  </Directory>

  <Location "/wp-admin/">
    Require all denied
    Require ip <YOUR_STATIC_IP>
  </Location>

  CustomLog /path/to/log/ssl-access.log combined
  CustomLog /path/to/log/ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  ErrorLog /path/to/log/ssl-error.log
  LogLevel warn

  SSLEngine on
  SSLCertificateFile /path/to/ssl/domain_tld_tree.crt
  SSLCertificateKeyFile /path/to/ssl/domain_tld.key
</VirtualHost>