Support: Created page with "* Unneeded/unused modules (in httpd.conf) must be disabled. * Modules externally activated by default (ssl/php/perl/python/svn) must be disabled (httpd.conf is modified to use..."

2017-05-10T02:47:47Z

Created page with "* Unneeded/unused modules (in httpd.conf) must be disabled. * Modules externally activated by default (ssl/php/perl/python/svn) must be disabled (httpd.conf is modified to use..."

New page

* Unneeded/unused modules (in httpd.conf) must be disabled.
* Modules externally activated by default (ssl/php/perl/python/svn) must be disabled (httpd.conf is modified to use a conf.d-run directory instead of conf.d).
* Unused features (CGI/SSI/etc) must be disabled.
* Directory listing from / (recursive from / on filesystem, i.e. not confined to document_root) must be disabled.
* Server side TRACE/TRACK must be disabled, to minimize the attack surface of the apache authentication stack.
* Any URL requiring authentication must use https.
* Management/Status/Configuration pages such as; apache-info, apache-status, balancer-manager, jmx-console, web-console, etc. must be disallowed for any externally accessed URL's.
* Name & URL's must be masked so that only the IP info is shown for any externally accessed URL's (see "mask server name & URL's" in "Vhost Example" section under "Apache").
* A CentOS 7 Secure image must be used for web servers or proxy servers.
* The configuration file must utilize the following approved SSL settings:
** SSLProtocol all -SSLv2 -SSLv3
** Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
** Header onsuccess set Strict-Transport-Security "max-age=15768000;includeSubDomains"
** SSLInsecureRenegotiation off
** SSLHonorCipherOrder on
** SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Template:Apache-Policy - Revision history

Support: Created page with "* Unneeded/unused modules (in httpd.conf) must be disabled. * Modules externally activated by default (ssl/php/perl/python/svn) must be disabled (httpd.conf is modified to use..."