Apache httpd Server Configuration Hardening

Author: Ally

Table of Contents

  1. Deprecated Encryption Protocol & Cipher
  2. Information Disclosure

Some things from a security audit that were brought up and can effect many sites by default.

Deprecated Encryption Protocol & Cipher


nmap --script ssl-enum-ciphers \
    -p 443 \

Alternatively, and more in-depth: https://www.ssllabs.com/ssltest/


Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-09 09:45 BST
Nmap scan report for [redacted]
Host is up (0.023s latency).
Other addresses for [redacted] (not scanned): [redacted]

443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256-draft (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds


The systems support a deprecated TLS encryption protocol and associated cipher.

The cryptographic protocols and ciphers supported by some applications can undermine the secure communication between the server and the client.


The easy way, following https://httpsiseasy.com/

Basically enabling TLS 3, and setting minimum TLS version to TLS 1.2. (TLS 1.3 support is good but not massive).

Go to SSL/TLS -> Edge Certificates

Enable TLS 1.3

Set Minimum TLS 1.2

Now run the script again with these changes:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-09 10:19 BST
Nmap scan report for [redacted]
Host is up (0.019s latency).
Other addresses for [redacted] (not scanned): [redacted]

443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256-draft (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

Information Disclosure


Information about the backend server and associated system is exposed through error disclosure. This may allow an attacker to perform tailored attacks against such components if found vulnerable.


Server responses may reveal information about the version of the backend system components.


Edit the server version value from the response header and create a custom error page, so that should any error occur, the custom page will be displayed rather than the default error messages.


Add to top of a config file, e.g.:


ServerTokens Prod
ServeSignature Off

More info on:

apache2ctl configtest and systemctl reload apache2 if all good.

Adding extra security headers.


sudo a2enmod headers
sudo systemctl restart apache2
sudo apache2ctl configtest

Within the <VirtualHost> directive of a config file, e.g.:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
Header always set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "same-origin"

More info on:

Summary of suggested headers from securityheaders.com:

Verify the results:

$ curl --include --location --head website.com
HTTP/2 200 
date: Tue, 09 Jun 2020 10:05:19 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=[redacted]; expires=Thu, 09-Jul-20 10:05:19 GMT; path=/; domain=[redacted]; HttpOnly; SameSite=Lax
strict-transport-security: max-age=63072000; includeSubdomains;
x-frame-options: deny
x-content-type-options: nosniff
referrer-policy: same-origin
cache-control: no-cache, private
cf-cache-status: DYNAMIC
cf-request-id: [redacted]
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: [redacted]

Harder to see, but can try and come up with some screenshots for this.

Some nmap things that might be interesting.

yq: Command-line YAML/XML processor - jq wrapper for YAML and XML documents

sudo apt install jq
pip3 install yq

nmap -Ox out.xml ..
cat out.xml | xq '.nmaprun.host.ports.port.script'
A nicer, more efficient terminal experience with tmux and tmuxinator.
Integrating Some PHP QA Tools
To bottom
To top
< SM
max-width: 640px