Updating, recompiling, VirtualHost templates, customizations, php safemode … I want to use different ciphers with Apache, using CustomBuild 2.0

With security needs constantly evolving, a good encryption cipher list can change regularly.

Also, the needs of the clients connecting to a given server may differ from box to box, so each case might be different.

To use different ciphers with Apache 2.x and CustomBuild 2.0, use the "custom" folder method to manage your own cipher lists and SSL rules.

Run the following:

cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2/conf/extra
cp configure/ap2/conf/extra/httpd-ssl.conf custom/ap2/conf/extra/httpd-ssl.conf

which then lets you edit:

/usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-ssl.conf

for changes such as:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

SSLHonorCipherOrder On

SSLCompression off

if, for example, you want a more restrictive list of ciphers.
Note: the SSLCipherSuite value is all one long line.

Once you have created the custom httpd-ssl.conf as desired, you can install it with:

cd /usr/local/directadmin/custombuild
./build rewrite_confs
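As an added check (not part of the original article or of CustomBuild), this POSIX shell script audits an httpd-ssl.conf for the four directives shown above: every legacy protocol must be explicitly removed, the weak cipher families must be excluded, cipher order must be honoured and compression must be off. The weak sample config it writes is constructed for the demo; point audit_ssl_conf at the real custom/ap2/conf/extra/httpd-ssl.conf to check your own.

```shell
#!/bin/sh
# Audit an Apache httpd-ssl.conf for the settings discussed above.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_ssl_conf() {
    conf=$1
    findings=0
    # Take the last uncommented occurrence of each directive (the one Apache uses).
    proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' "$conf" | tail -n 1)
    ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$conf" | tail -n 1)
    order=$(sed -n 's/^[[:space:]]*SSLHonorCipherOrder[[:space:]]*//p' "$conf" | tail -n 1)
    comp=$(sed -n 's/^[[:space:]]*SSLCompression[[:space:]]*//p' "$conf" | tail -n 1)

    # Every legacy protocol must be explicitly removed; "all" alone leaves it on.
    for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        case " $proto " in
            *" -$old "*) ;;
            *" all "*|*" +$old "*|*" $old "*)
                echo "SSLProtocol: $old still enabled"; findings=1 ;;
        esac
    done

    # The weak families the list above excludes must appear as !exclusions.
    for weak in aNULL eNULL EXPORT RC4 3DES MD5; do
        case ":$ciphers:" in
            *":!$weak:"*) ;;
            *) echo "SSLCipherSuite: missing !$weak"; findings=1 ;;
        esac
    done

    case "$order" in [Oo][Nn]) ;; *) echo "SSLHonorCipherOrder is not On"; findings=1 ;; esac
    case "$comp" in [Oo][Ff][Ff]) ;; *) echo "SSLCompression is not off"; findings=1 ;; esac
    return $findings
}

# Constructed sample: a default-style config that still allows TLSv1/TLSv1.1,
# excludes too little, has the cipher-order line commented out and compression on.
write_weak_conf() {
    cat > "$1" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# SSLHonorCipherOrder On
SSLCompression on
EOF
}

tmp=$(mktemp)
write_weak_conf "$tmp"
audit_ssl_conf "$tmp" || echo "weak settings found in $tmp"
rm -f "$tmp"
```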

To disable TLSv1.1 and only allow TLSv1.2 and TLSv1.3 on OpenLiteSpeed:

echo '|?SSLPROTOCOL=24|' >> /usr/local/directadmin/data/templates/custom/openlitespeed_vhost.conf.CUSTOM.pre
/usr/local/directadmin/custombuild/build rewrite_confs

Force https using an .htaccess file

If you want to force a given website or path to use https, redirected from http, create an .htaccess file in the DocumentRoot for that domain or hostname and add the following code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This will redirect any non-https connection to https, preserving the same request path and GET variables.

If your site is running through CloudFlare, your https requests may actually reach your server in plaintext (http), which can be confusing.
In that case you might need something like this for the http to https redirect:

RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

where the only usable signal is the X-Forwarded-Proto header, because the %{HTTPS} variable is "off" for requests arriving from the CloudFlare network.


Globally in Apache

If you want this to apply to all domains on your server, follow these instructions:

  1. Create the global file:

    /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.pre

    and insert the code:

    |?SSL_REDIRECT_HOST=www.`DOMAIN`|
    |*if SUB|
    |?SSL_REDIRECT_HOST=`SUB`.`DOMAIN`|
    |*endif|
    |*if SSL_TEMPLATE="1"|
    |?SSL_REDIRECT_HOST=|
    |*endif|

    This sets the host we want to redirect to, and blanks the redirect if it's an SSL VirtualHost.

  2. Next, we want to actually use the variable, so create the file

    /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.post

    and then add code:

    |*if SSL_REDIRECT_HOST!=""|
    Redirect / https://|SSL_REDIRECT_HOST|/
    |*endif|

  3. If you want to disable this for a given domain, go to:

    Admin Level -> Custom Httpd Config -> domain.com

    and in the CUSTOM token textarea, add this text:

    |?SSL_REDIRECT_HOST=|

    which makes the variable blank, so it’s not used.

  4. Lastly, rewrite the configs to use it:

    cd /usr/local/directadmin/custombuild
    ./build rewrite_confs

Nginx

If you're running nginx, go to:

Admin Level -> Custom Httpd Config -> domain.com

and in token |CUSTOM4|, add:

|*if SSL_TEMPLATE="0"|
return 301 https://$host$request_uri;
|*endif|

HSTS

For added security, you can tell all clients to always use https, even if they follow an http link from somewhere. HSTS makes the browser silently change the request to use https without asking, so at no point is http ever used (except on the very first visit, where the browser is given the header; after that it never asks over http again).

To set up HSTS, add this to your public_html/.htaccess file:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

Note: this means clients can no longer connect over http, even if you would prefer them to, so it usually only applies to sites that only ever use https and never want http.
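As an added check, not from the original article, this POSIX shell script verifies a captured response (the status line and headers as printed by `curl -sI`; the demo constructs them inline) against the two behaviours set up in the redirect and HSTS sections above: an http request must be answered with a redirect to an https URL, and an https response must carry Strict-Transport-Security with a max-age. The host www.example.com in the samples is a placeholder.

```shell
#!/bin/sh
# header_value <lowercase-name> <file>: value of that header (last one wins), CR stripped.
# Splits only on the first colon so URLs with ports or query strings stay intact.
header_value() {
    tr -d '\r' < "$2" | awk -v n="$1" '{
        i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == n) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v
        }
    }' | tail -n 1
}

# check_response <http|https> <file>: 0 if the response is what the scheme should get, 1 otherwise.
check_response() {
    scheme=$1
    file=$2
    status=$(head -n 1 "$file" | tr -d '\r' | awk '{print $2}')
    location=$(header_value location "$file")
    hsts=$(header_value strict-transport-security "$file")
    case "$scheme" in
        http)
            # Plain http must be redirected, and only to an https:// URL.
            case "$status" in 301|302|307|308) ;; *) echo "http: expected a redirect, got status $status"; return 1 ;; esac
            case "$location" in https://*) ;; *) echo "http: Location is not https: '$location'"; return 1 ;; esac
            ;;
        https)
            # Over https the HSTS header with a max-age must be present.
            case "$hsts" in *max-age=[0-9]*) ;; *) echo "https: no Strict-Transport-Security max-age header"; return 1 ;; esac
            ;;
        *) echo "unknown scheme '$scheme'"; return 1 ;;
    esac
    return 0
}

# Constructed captures, modelled on the 301 RewriteRule and the HSTS header above.
tmp=$(mktemp)
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/path?x=1\r\n\r\n' > "$tmp"
check_response http "$tmp" && echo "http redirect OK"
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n' > "$tmp"
check_response https "$tmp" && echo "HSTS OK"
rm -f "$tmp"
```

On a live host, feed it the output of `curl -sI http://domain/` and `curl -sI https://domain/`. If the https check fails behind CloudFlare, remember that `env=HTTPS` only fires when `%{HTTPS}` is on, which, as noted above, it is not for requests arriving from the CloudFlare network.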
