Securing your Apache 2.x Server

SSL and PCI Compliance

Your SSL configuration should have the following options. SSLv2 is broken and SSLv3 is broken as well (the POODLE attack), and current PCI DSS versions require both to be disabled, so allow only TLS:

# This disables the old, vulnerable SSL versions (SSLv2 and SSLv3) and leaves only TLS:
SSLProtocol all -SSLv2 -SSLv3

# This disables WEAK and MEDIUM strength ciphers, plus RC4, export-grade and anonymous-DH suites
# (the older ALL:!ADH:RC4+RSA:+HIGH:... string still allowed RC4, which is now considered broken):
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW:!MEDIUM

On Apache 2.4 with a recent OpenSSL you can go further and allow only TLS 1.2 and newer, which PCI DSS 3.2 has required since June 2018.

Testing Apache 2.x for SSLv2 Support

From a command prompt, run this command, substituting your domain name and the port you want to check (443 is the default for HTTPS):

openssl s_client -connect YOUR-DOMAIN-NAME-GOES-HERE:THE-PORT-NUMBER-GOES-HERE -ssl2

You should get back something like this:

CONNECTED(00000003)
82841:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s2_pkt.c:428:

If instead the handshake completes (you see the server certificate, a "New, SSLv2, Cipher is ..." line and an SSL-Session block with a negotiated cipher), then you have SSLv2 enabled, which is *bad*. Repeat the test with -ssl3, since SSLv3 must be disabled as well. One caveat: most current OpenSSL builds are compiled without SSLv2 (and often SSLv3) support and will answer "unknown option -ssl2" (newer builds: "s_client: Unknown option: -ssl2") before contacting the server at all. That result says nothing about the server; test from an older OpenSSL build or use a dedicated scanner such as nmap --script ssl-enum-ciphers -p 443 your-host.
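The manual test above covers one protocol on one host. The following script is an added example (not part of the original wiki page) that runs openssl s_client for each legacy protocol version and classifies the result, so the same check can be repeated for SSLv3 and TLS 1.0 and scripted across many hosts. It assumes openssl(1) is on the PATH; the host and port are supplied by the caller, and the sample outputs at the bottom are constructed for offline testing of the classifier (the first one is the failure message quoted above).

```shell
#!/bin/sh
# Added example, not from the original wiki page: probe a server for each
# legacy protocol with openssl s_client and classify the result.
# Assumes openssl(1) is on PATH. Host and port are supplied by the caller.

# classify_handshake OUTPUT
# Takes the combined stdout+stderr of "openssl s_client -<proto>" and prints:
#   unsupported - this openssl build cannot speak the protocol at all, so the
#                 output says nothing about the server (use another scanner)
#   disabled    - the server refused the handshake (what you want for SSLv2/3)
#   ENABLED     - the handshake completed and a cipher was negotiated
#   unknown     - none of the known markers were found; inspect by hand
classify_handshake() {
    case $1 in
        *"nknown option"*)                        echo unsupported ;;
        *"handshake failure"*|*"wrong version number"*|*"alert protocol version"*|*"unsupported protocol"*)
                                                  echo disabled ;;
        *"Cipher is (NONE)"*)                     echo disabled ;;
        *"Cipher is "*)                           echo ENABLED ;;
        *)                                        echo unknown ;;
    esac
}

# probe_protocol HOST PORT PROTO  (PROTO: ssl2, ssl3, tls1, tls1_1 or tls1_2)
probe_protocol() {
    # "echo |" closes stdin so s_client exits once the handshake is decided;
    # "|| true" keeps a refused handshake from aborting scripts run with set -e
    out=$(echo | openssl s_client -connect "$1:$2" "-$3" 2>&1 || true)
    classify_handshake "$out"
}

# scan_host HOST [PORT]: report every protocol; return 1 if SSLv2 or SSLv3 is on
scan_host() {
    host=$1; port=${2:-443}; bad=0
    for proto in ssl2 ssl3 tls1 tls1_1 tls1_2; do
        result=$(probe_protocol "$host" "$port" "$proto")
        printf '%s:%s %-7s %s\n' "$host" "$port" "$proto" "$result"
        case "$proto/$result" in
            ssl2/ENABLED|ssl3/ENABLED) bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample outputs (not captured from a real host) for testing the
# classifier offline. The first is the failure message quoted on this page.
SAMPLE_REFUSED='CONNECTED(00000003)
82841:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5'
SAMPLE_NO_CLIENT_SUPPORT='s_client: Unknown option: -ssl2'

if [ -n "${1:-}" ]; then
    # Real scan, e.g.:  sh probe_ssl.sh www.example.com 443
    scan_host "$1" "${2:-443}"
else
    # No host given: show what the classifier makes of the constructed samples
    for s in "$SAMPLE_REFUSED" "$SAMPLE_ACCEPTED" "$SAMPLE_NO_CLIENT_SUPPORT"; do
        printf 'sample -> %s\n' "$(classify_handshake "$s")"
    done
fi
```

The "unsupported" outcome is the important one in practice: a scanner that reports "disabled" because its own OpenSSL refused the -ssl2 option would give you a false sense of compliance, so the classifier checks for that client-side error before looking at anything the server sent.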

PHP Settings

; This stops the X-Powered-By: PHP header from showing up in outgoing HTTP headers
expose_php = Off

; Don't show errors to the end-user
display_errors = Off
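After changing php.ini and reloading Apache, confirm that the header is really gone. The script below is an added example (not part of the original wiki page) that inspects a raw HTTP response head and reports any X-Powered-By header and any Server header that still carries a version number; the latter is controlled on the Apache side by ServerTokens Prod. It assumes curl(1) is on the PATH; the URL is supplied by the caller, and the two sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original wiki page: verify that the settings
# above took effect by checking the response headers for information leaks.
# Assumes curl(1) is on PATH; the URL is supplied by the caller.

# leaked_headers HEADERS
# Reads a raw HTTP response head and prints every header that gives away
# software details: any X-Powered-By header, or a Server header that still
# carries a version number. Returns 1 if anything leaked, 0 if clean.
leaked_headers() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^x-powered-by:/            { print; found = 1 }
        tolower($0) ~ /^server:.*[0-9]+\.[0-9]+/  { print; found = 1 }
        END { exit(found ? 1 : 0) }'
}

# check_url URL: fetch only the headers (HEAD request) and run the check
check_url() {
    leaked_headers "$(curl -sS -I "$1")"
}

# Constructed sample responses (not captured from a real server):
SAMPLE_LEAKY='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.3.10
Content-Type: text/html'
SAMPLE_CLEAN='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

if [ -n "${1:-}" ]; then
    check_url "$1"      # e.g.  sh check_headers.sh https://www.example.com/
else
    echo "leaky sample:"; leaked_headers "$SAMPLE_LEAKY" || echo "  -> leaks found"
    echo "clean sample:"; leaked_headers "$SAMPLE_CLEAN" && echo "  -> clean"
fi
```

Run it against the site after every configuration change; a non-zero exit status makes it easy to wire into a deployment check.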
sysadmin_apache2.txt · Last modified: 2013/01/21 12:44 (external edit)