Apache 2
Here are the CLI commands to install Apache 2. They also set up the apt package repository that keeps Apache 2 up to date.
How to install Apache 2
# Third-party PPA: add-apt-repository registers an external package source and
# imports its signing key, so Apache packages will come from that publisher
# rather than from the Ubuntu archive alone.
sudo add-apt-repository ppa:ondrej/apache2
# Refresh the package indexes so the new source is visible to apt.
sudo apt update
sudo apt install apache2
Location of the configuration files
# Main server configuration file; the path depends on the distribution family.
sudo vi /etc/apache2/apache2.conf #Debian/Ubuntu systems
sudo vi /etc/httpd/conf/httpd.conf #RHEL/CentOS systems
Security directives to add to the Apache 2 configuration file
# Prod: the Server response header carries only "Apache" (no version, OS or module list).
ServerTokens Prod
# Off: no server version/hostname footer on server-generated pages (errors, listings).
ServerSignature Off
Configuration you need to set in Apache2
Enable SSL on Apache2
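sudo a2enmod ssl
# mod_headers is required for the Header directives (HSTS, Referrer-Policy) in the vhost.
sudo a2enmod headers
# socache_shmcb backs the "shmcb:" providers used by SSLStaplingCache/SSLSessionCache.
# access_compat only supplies the legacy Order/Allow/Deny directives; it can be left
# out when all access control is written with Require.
sudo a2enmod authz_core authz_host access_compat socache_shmcb slotmem_shm socache_dbm
# Fix: the service manager is systemctl ("servicectl" is not a command).
# Validate the configuration first so a typo in the vhost does not take the
# running server down; the restart only runs when configtest succeeds.
sudo apachectl configtest && sudo systemctl restart apache2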
Site configuration file
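<IfModule mod_ssl.c>
# ---- Server-wide TLS settings: apply to every vhost unless a vhost overrides them ----
# OCSP Stapling
SSLCryptoDevice dynamic
# NOTE(review): the stapling/session caches and the mutex are placed under the
# log directory; Apache conventionally keeps them in its runtime directory
# (e.g. /var/run/apache2), which is cleared at boot and is not included in log
# archives. Confirm the directory exists and is writable only by the Apache user.
SSLStaplingCache shmcb:/var/log/apache2/learningwp.scsiraidguru.com/ssl_stapling_cache(128000)
SSLSessionCache shmcb:/var/log/apache2/learningwp.scsiraidguru.com/ssl_scache(512000)
# "file:<dir> ssl-cache": file-based mutex for the ssl-cache lock. The space is
# intentional; it separates the mechanism from the mutex name.
Mutex file:/var/log/apache2/learningwp.scsiraidguru.com/ ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# A builtin passphrase prompt would block a non-interactive (systemd) start if the
# private key were encrypted; it is harmless with an unencrypted key.
SSLPassPhraseDialog builtin
# Plain-HTTP vhost: its only job is a permanent redirect to HTTPS. The HSTS header
# sent by the TLS vhost then keeps returning clients on HTTPS.
<VirtualHost *:80>
ServerName learningwp.scsiraidguru.com
Redirect permanent / https://learningwp.scsiraidguru.com/
</VirtualHost>
<VirtualHost *:443>
ServerName learningwp.scsiraidguru.com
ServerAdmin mike.mckenney@scsiraidguru.com
DocumentRoot /var/www/learningwp.scsiraidguru.com/public_html
SSLEngine On
# Custom DH parameters for the DHE (EDH) suites allowed by SSLCipherSuite below.
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem"
# SSLOCSPEnable governs OCSP checks of *client* certificates; with no SSLVerifyClient
# in this vhost it has no effect. Stapling of this server's own certificate is
# controlled by SSLUseStapling.
SSLOCSPEnable on
SSLUseStapling on
SSLOCSPResponseMaxAge 900
SSLOCSPResponseTimeSkew 300
# Do not forward responder errors to clients; retry the responder after 60 s instead.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
# HSTS for two years including every subdomain. "preload" is a commitment for the
# whole domain that is hard to undo once submitted to the browser preload list.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Legacy header: current browsers largely ignore it and current guidance favours a
# Content-Security-Policy instead; kept here only for older clients.
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "origin"
ErrorLog /var/log/apache2/learningwp.scsiraidguru.com/error.log
CustomLog /var/log/apache2/learningwp.scsiraidguru.com/access.log combined
# NOTE(review): certbot's options file normally sets SSLProtocol/SSLCipherSuite and
# related directives itself. Because it is included at vhost level it takes
# precedence, for this vhost, over the server-wide policy further down. Verify the
# effective policy with a TLS scanner rather than assuming the values below apply.
Include /etc/letsencrypt/options-ssl-apache.conf
# NOTE(review): these paths name patrickmckenneylandscaping.com while ServerName is
# learningwp.scsiraidguru.com. A certificate that does not cover the ServerName fails
# hostname validation in every client; point these at the matching certificate lineage.
SSLCACertificateFile /etc/letsencrypt/live/patrickmckenneylandscaping.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/patrickmckenneylandscaping.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/patrickmckenneylandscaping.com/privkey.pem
</VirtualHost>
## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
SSLProtocol -all +TLSv1.3 +TLSv1.2
Protocols h2 h2c http/1.1 acme-tls/1
#
# NOTE(review): TLS 1.3 (RFC 8446) negotiates only secp256r1/secp384r1/secp521r1,
# x25519 and x448 (plus FFDHE groups). The sect* binary curves listed here are not
# TLS 1.3 groups and are widely unsupported by current browsers, and x25519/secp256r1
# are absent from the list — confirm interoperability before deploying this line.
SSLOpenSSLConfCmd Groups sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:brainpoolP512r1:brainpoolP384r1
# TLS 1.2 suite selection (TLS 1.3 suites are not governed by this string).
# "!RSA" is meant to drop static RSA key exchange (no forward secrecy); OpenSSL's
# alias semantics have varied between versions, so check with `openssl ciphers -v`
# that the ECDHE-RSA suites survive when the certificate is an RSA one.
# The SHA1/SHA256/SHA384 exclusions remove the CBC-HMAC suites, leaving the AEAD ones.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DES:!RC4:!MD5:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
# No TLS compression (CRIME mitigation); no session tickets, so forward secrecy does
# not depend on rotation of the ticket key across restarts.
SSLCompression off
SSLSessionTickets off
## Permission for our DocumentRoot ##
<Directory /var/www/learningwp.scsiraidguru.com/public_html>
# Fix: "Indexes" was removed. With it on, any directory lacking an index file
# returns a listing of its contents to anyone (exposing uploads, backups, plugin
# trees). FollowSymLinks stays because mod_rewrite rules in .htaccess need it, and
# AllowOverride All is what lets those .htaccess files apply.
Options FollowSymLinks
AllowOverride All
</Directory>
</IfModule>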