Tuesday, January 20, 2015

No more poodles! Part II

On previous post I've left you right after Apache HTTP 2.4 installation. We have few steps to complete.

Configure Apache 2.4 


Apache 2.4 has different set of packages and it’s not compatible with some old modules (i.e. mod_perl). Even if we will not use old system configuration it's a good time to make system backup (or take system snapshot).  As minimum make copy of /etc/httpd directory

#tar zcvf etc-httpd.tgz /etc/httpd
#tar zcvf etc-initd.tgz /etc/init.d

Now we should point system to new Apache HTTP server inaries.

Open for edit file /etc/init.d/httpd. Point httpd and apachectl variables to the new binaries as below

apachectl=/usr/local/apache2/bin/apachectl
httpd=/usr/local/apache2/bin/httpd

Save changes.  Now change configuration files to enable necessary modules.

In the file /usr/local/apache2/conf/httpd.conf:

Uncomment 

Line         Text

85  LoadModule cache_module modules/mod_cache.so
88  LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
114 LoadModule proxy_module modules/mod_proxy.so
117 LoadModule proxy_http_module modules/mod_proxy_http.so
128 LoadModule ssl_module modules/mod_ssl.so
147 LoadModule rewrite_module modules/mod_rewrite.so
480 Include conf/extra/httpd-ssl.conf

Modify logs path

265 ErrorLog "/var/log/httpd/error_log"
294 CustomLog "/var/log/httpd/access_log" common

Append to the end (there is should be your configuration file)

480 Include conf/apex/apex.conf

For SSL configuration I prefer to keep all global parameters in standard file and separate virtual host definitions.
In sake of document size I have removed all standard comments from default httpd-ssl.conf and kept essentials.

File  /usr/local/apache2/conf/extra/http-ssl.conf:

<IfModule ssl_module> 
   Listen 443 
   SSLCipherSuite HIGH:MEDIUM 
   SSLProtocol All -SSLv2 -SSLv3 
   SSLPassPhraseDialog  builtin 

   SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)" 
   SSLSessionCacheTimeout  300 

   SSLCertificateFile "/etc/httpd/conf/server-cert.pem" 
   SSLCertificateKeyFile "/etc/httpd/conf/server-key.pem" 

   <FilesMatch "\.(cgi|shtml|phtml|php)$">SSLOptions +StdEnvVars</FilesMatch> 
   <Directory "/usr/local/apache2/cgi-bin">SSLOptions +StdEnvVars</Directory> 

   BrowserMatch "MSIE [2-5]" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0 
    CustomLog "/usr/local/apache2/logs/ssl_request_log" \ 
</IfModule>

Configure reverse proxy for Oracle Apex.

We are on the final stage and ready to seal our system with high-end SSL protection. Let’s create a
separate configuration file for our apex application:

#mkdir /usr/local/apache2/conf/apex
#vi /usr/local/apache2/conf/apex/apex.conf

Now create new content for configuration as below:

<VirtualHost *:80>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
  Redirect permanent / https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<IfModule ssl_module>
 <VirtualHost *:443>
   SSLEngine on 
   DocumentRoot "/usr/local/apache2/htdocs" 
   ServerName <yor.server.name.com> 
   ServerAdmin <yormail@server.name.com> 
   ErrorLog /var/log/httpd/apex-error_log 
   CustomLog /var/log/httpd/apex-access_log common 
   
   RewriteEngine On 
   RewriteRule ^/$ /apex/f?p=4500:1000 [R=301]
   ProxyRequests On 
   <Proxy *> 
     Order allow,deny 
     Allow from all
   </Proxy>
   ProxyPass / http://localhost:8080/
   ProxyPassReverse / http://localhost:8080/
  </VirtualHost>
</IfModule>


Save the results and try to start httpd server.

# service httpd start
Starting httpd:                                            [  OK  ]

Let’s check system status:

# /usr/local/apache2/bin/apachectl status

               Apache Server Status for localhost (via 127.0.0.1)
   Server Version: Apache/2.4.10 (Unix) OpenSSL/1.0.1k
   Server MPM: event
   Server Built: Jan 18 2015 19:49:52
   ---------------------------------------------------------------------------
   Current Time: Tuesday, 20-Jan-2015 10:00:28 EST
   Restart Time: Tuesday, 20-Jan-2015 09:07:43 EST
   Parent Server Config. Generation: 1
   Parent Server MPM Generation: 0
   Server uptime: 52 minutes 44 seconds
   Server load: 0.00 0.00 0.00
   Total accesses: 0 - Total Traffic: 0 kB
   CPU Usage: u0 s0 cu0 cs0
   0 requests/sec - 0 B/second -
   1 requests currently being processed, 74 idle workers
   +---------------------------------------------------------------------------+
   |       |    Connections    |   Threads   |        Async connections        |
   |  PID  |-------------------+-------------+---------------------------------|
   |       | total | accepting | busy | idle | writing | keep-alive | closing ||
   |-------+-------+-----------+------+------+---------+------------+---------||
   |15639  |0      |yes        |0     |25    |0        |0           |0        ||
   |-------+-------+-----------+------+------+---------+------------+---------||
   |15641  |0      |yes        |0     |25    |0        |0           |0        ||
   |-------+-------+-----------+------+------+---------+------------+---------||
   |15643  |0      |yes        |1     |24    |0        |0           |0        ||
   |-------+-------+-----------+------+------+---------+------------+---------||
   |Sum    |0      |           |1     |74    |0        |0           |0        ||
   +---------------------------------------------------------------------------+
 __________________________________________________W_____________
 ___________.....................................................
 ................................................................
 ................................................................
 ................................................................
 ................................................................
 ................

   Scoreboard Key:
   "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
   "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
   "C" Closing connection, "L" Logging, "G" Gracefully finishing,
   "I" Idle cleanup of worker, "." Open slot with no current process
Now we have Apache HTTP Server 2.4 up and running. Let’s check application access through SSL.

Now we have Apache HTTP Server 2.4 up and running. Let’s check application access through SSL.

Restrict access to applications.

To disable or limit access with plain protocols we need to protect ports on system level with iptables
firewall. For the first of all let’s check if firewall enabled on your system. You can do it form X session  with command:

# system-sconfig-securitylevel

Or check service iptables status:

# service iptables status

If firewall is disabled on your system I would recommend enable it from security level configuration utility and the modify /etc/sysconfig/iptables file.

It will give you something similar to rules set below:

# Generated by iptables-save v1.2.11 on Tue Jan 20 10:56:55 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s localhost  --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s <YOR-IP-ADDRESS>  --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW  --dport 8080 -j REJECT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jan 20 10:56:55 2015

You may put additional permissions and restrictions, just remember that rule precedence is extremely important.

Restart iptables service with command:

# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]


Check if our new rules are in place

# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:8080
ACCEPT     tcp  --  <your-ip>            0.0.0.0/0           tcp dpt:8080
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080 reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Results

Open in Chrome browser (it has the most strict policies and provides more information about SSL connection) you server URL with /apex path in it. You should get Oracle XE login page as below:

If we check protocol and cipher status you will see TLS 1.2 and strong ciphers from OpenSSL 1.0
As result we have:


  • Application HTTP port is not available outside of the box.
  • Server accepts HTTP requests and converts it to HTTPS
  • Application available on HTTPS port 
  • Only TLS protocols are available 
  • Only strong cipher suites are available.

Case solved, have fun.
Post a Comment