Showing posts from September, 2021

Apache HTTPD with mod_ssl: Exploring configuration options

This is yet another blog post related to LPIC-3 Exam 303: Security. Knowing Apache configuration options is an important topic for Security Engineers. The Apache web server often serves web interfaces or acts as a reverse proxy (for example for Splunk or Kibana). TLS configuration is an important step for securing these interfaces from eavesdropping and man-in-the-middle attacks. Let's examine Apache web server configuration with mod_ssl.

TLS configuration

The SSL/TLS configuration file resides under /etc/httpd/conf.d/ssl.conf. The mod_ssl directives SSLCertificateFile and SSLCertificateKeyFile are used to enable HTTPS.

    SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"

Mutual TLS authentication

To enable client authentication with a certificate, we need the following three directives:

- SSLVerifyClient: set to require, so the client has to present a valid certificate
- SSLVerifyDepth: the ma