20150108 tweaking apache for new realities - plembo/onemoretech GitHub Wiki

title: Tweaking Apache for new realities
link: https://onemoretech.wordpress.com/2015/01/08/tweaking-apache-for-new-realities/
author: phil2nc
description:
post_id: 9141
created: 2015/01/08 10:27:35
created_gmt: 2015/01/08 15:27:35
comment_status: closed
post_name: tweaking-apache-for-new-realities
status: publish
post_type: post

Tweaking Apache for new realities

(updated 2018/04/20)

Just some notes on things to change in the default Apache config beyond what I've discussed before on this blog.

  1. First, if you're serving up HTTPS from your Apache server, you'll want to exclude both SSLv3 and TLS 1.0 support. The default SSLProtocol directive usually looks like this:

SSLProtocol all -SSLv2

To be safe from the POODLE attack on SSLv3 (and to drop TLS 1.0 at the same time), you'll want to modify it to look like this:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

See "SSLProtocol Directive" under Apache Module mod_ssl in the Apache 2.2 doc.

The Apache 2.4 doc has the new default as

SSLProtocol TLSv1

but I'm more comfortable with the old way of doing things (since it implicitly includes additional support for TLSv1.1 and TLSv1.2 without having to list them explicitly).

The old objection that not all browsers support the newer (TLS) protocols is now considerably outdated, as all current browsers support at least TLSv1.1 and later.

  2. For Apache 2.4.x and beyond, you'll also want to remove any NameVirtualHost statements, because that directive has been dropped and its presence will only result in ugly and embarrassing error messages. The thinking apparently is that name based virtual hosts have become the standard and there's no real point to making admins go through explicitly turning on support for them.

  3. If you want to support multiple SSL name virtual hosts on the same server, you should add the following directives before your virtual host blocks:

NameVirtualHost *:443
SSLStrictSNIVHostCheck off

The NameVirtualHost directive should be omitted from configurations for Apache 2.4.x and later (see section 2 above).

The SSLStrictSNIVHostCheck directive tells the server to relax the rules for using SNI (Server Name Indication), the TLS extension that lets the client name the host it wants before the certificate is chosen and so makes name based virtual hosting work over HTTPS. If it is omitted Apache may throw an error and only serve up the first listed host.

Eventually I'd expect this requirement to go away since all modern browsers currently support SNI. For now the effect of turning off strict checking will be that the server will route any ancient browser that doesn't support SNI to the first name based virtual host as the default. There is a technical discussion covering this in Apache's wiki entitled SSL with Virtual Hosts Using SNI.
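A small linter that checks a config for all three adjustments above (an SSLProtocol line that still admits SSLv2, SSLv3 or TLSv1; a NameVirtualHost line on 2.4; strict SNI checking turned on) is an easy way to confirm the changes before restarting. This is an added example written for this page, not code from the post or from the Apache project; the sample config, the `lint` and `enabled_protocols` helpers, and the assumption that `all` expands to every version listed in `ALL_VERSIONS` are mine.

```python
# Hypothetical linter for the post's three Apache adjustments (not from the post or Apache).
# Versions the post names; a TLS 1.3-capable build would add "TLSv1.3".
ALL_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
WEAK = {"SSLv2", "SSLv3", "TLSv1"}  # the protocols the post excludes
CANON = {v.lower(): v for v in ALL_VERSIONS}

def enabled_protocols(args):
    """SSLProtocol semantics: 'all' = every ALL_VERSIONS entry (assumption), '-X' removes X, '+X'/'X' adds X."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_VERSIONS) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def lint(config_text, apache_version="2.4"):
    """Return (line_number, message) findings, scanning one directive per line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        name = directive.lower()
        if name == "sslprotocol":
            bad = sorted(enabled_protocols(args) & WEAK)
            if bad:
                findings.append((lineno, "SSLProtocol still allows " + ", ".join(bad)))
        elif name == "namevirtualhost" and apache_version.startswith("2.4"):
            findings.append((lineno, "NameVirtualHost is obsolete in 2.4 and only triggers a warning"))
        elif name == "sslstrictsnivhostcheck" and args and args[0].lower() == "on":
            findings.append((lineno, "SSLStrictSNIVHostCheck on rejects clients that do not send SNI"))
    return findings

# Constructed sample (not a real server's config): the first vhost still uses the old 2.2 default.
SAMPLE_CONFIG = """\
NameVirtualHost *:443
SSLStrictSNIVHostCheck off
<VirtualHost *:443>
    ServerName example.test
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:443>
    ServerName other.test
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
```

Passing `apache_version="2.2"` keeps the NameVirtualHost line quiet, since on 2.2 it is still required for name-based SSL hosts.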

Copyright 2004-2019 Phil Lembo