Apache 2.4

Introduction
This document lists the steps needed to install and configure Apache 2.4 with HTTP/2 support, paying particular attention to security. Similar documents are available for Apache 2.0 and for Apache 2.2. Note: "The Apache HTTP Project developers strongly encourage all users to migrate to Apache stable release 2.4 or at minimum the legacy release 2.2 as quickly as possible."

Downloading the sources
Download the latest available version of the Apache httpd sources from https://httpd.apache.org/download.cgi and any patches for that version from https://archive.apache.org/dist/httpd/patches/.

Version 2.4.20 is used below; at the time of writing no patch is available for it:
    httpd-2.4.20.tar.gz
    httpd-2.4.20.tar.gz.md5

Also download the latest available version of the Apache Portable Runtime sources from https://apr.apache.org/download.cgi.

APR 1.5.2 and APR-util 1.5.4 are used below:
    apr-1.5.2.tar.gz
    apr-1.5.2.tar.gz.md5
    apr-util-1.5.4.tar.gz
    apr-util-1.5.4.tar.gz.md5

To enable HTTP/2 support, download the nghttp2 sources from https://www.nghttp2.org/.

nghttp2 1.9.2 is used below:
    nghttp2-1.9.2.tar.gz

Variables
For convenience, the following steps use these variables:
    APACHE_SEC_DIR="/opt/apache_sec"
    HTTPD_VERSION="httpd-2.4.20"
    APR_VERSION="apr-1.5.2"
    APR_UTIL_VERSION="apr-util-1.5.4"
    NGHTTP2_VERSION="nghttp2-1.9.2"

Conventions
The binaries will be installed under:
    ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}

while conf, htdocs, logs and cgi-bin will live under:
    ${APACHE_SEC_DIR}/httpd/conf
    ${APACHE_SEC_DIR}/httpd/htdocs
    ${APACHE_SEC_DIR}/httpd/logs
    ${APACHE_SEC_DIR}/httpd/cgi-bin

Dedicated filesystem
Where possible, create a dedicated filesystem that holds every file belonging to an Apache installation, so that mount options such as nosuid apply to all of it. A new volume can be added like this:
    lvcreate -L 4G -n apache_lv system
    mkfs.xfs /dev/system/apache_lv
    echo "/dev/system/apache_lv ${APACHE_SEC_DIR} xfs defaults,nosuid 0 0" >> /etc/fstab
    mkdir -p ${APACHE_SEC_DIR}
    mount ${APACHE_SEC_DIR}

Building nghttp2
Unpack the sources:
    tar xfz ${NGHTTP2_VERSION}.tar.gz
    cd ${NGHTTP2_VERSION}

Install the packages needed for the build:
    apt install build-essential pkg-config libssl-dev libxml2-dev libxml2

Use these configure parameters (only the library is needed by httpd):
    ./configure \
        --prefix=${APACHE_SEC_DIR}/bin/${NGHTTP2_VERSION} \
        --enable-lib-only

Build the sources:
    make -j4

Install the binaries:
    make install

Create the symbolic link:
    ln -s ${NGHTTP2_VERSION} ${APACHE_SEC_DIR}/bin/nghttp2

Building Apache httpd
Check with md5sum that the hash of each .tar.gz file matches the one reported in the corresponding .md5 file:
    md5sum ${HTTPD_VERSION}.tar.gz ${APR_VERSION}.tar.gz ${APR_UTIL_VERSION}.tar.gz
    e725c268624737a163dc844e28f720d1  httpd-2.4.20.tar.gz
    98492e965963f852ab29f9e61b2ad700  apr-1.5.2.tar.gz
    866825c04da827c6e5f53daff5569f42  apr-util-1.5.4.tar.gz

    cat ${HTTPD_VERSION}.tar.gz.md5 ${APR_VERSION}.tar.gz.md5 ${APR_UTIL_VERSION}.tar.gz.md5
    e725c268624737a163dc844e28f720d1 *httpd-2.4.20.tar.gz
    98492e965963f852ab29f9e61b2ad700 *apr-1.5.2.tar.gz
    866825c04da827c6e5f53daff5569f42 *apr-util-1.5.4.tar.gz

Unpack the sources and place APR and APR-util inside the httpd tree so they are built together:
    tar xfz ${HTTPD_VERSION}.tar.gz
    tar xfz ${APR_VERSION}.tar.gz
    tar xfz ${APR_UTIL_VERSION}.tar.gz
    mv ${APR_VERSION} ${HTTPD_VERSION}/srclib/apr
    mv ${APR_UTIL_VERSION} ${HTTPD_VERSION}/srclib/apr-util
    cd ${HTTPD_VERSION}/

Apply any patches:
    patch -p0 < patch.diff

Install the packages needed for the build:
    apt install build-essential pkg-config libldap2-dev libpcre3-dev libpcre3 libssl-dev libxml2-dev libxml2

Use these configure parameters (enable cgi and cgid only if they are actually needed; every module left out is one less thing to expose):
    ./configure \
        --prefix=${APACHE_SEC_DIR}/bin/${HTTPD_VERSION} \
        --with-included-apr \
        --with-ldap \
        --with-mpm=event \
        --with-nghttp2=${APACHE_SEC_DIR}/bin/nghttp2 \
        --enable-so \
        --enable-allowmethods \
        --enable-authnz_ldap \
        --enable-cache \
        --enable-cache-disk \
        --enable-deflate \
        --enable-expires \
        --enable-headers \
        --enable-http2 \
        --enable-ldap \
        --enable-logio \
        --enable-proxy \
        --enable-proxy-ajp \
        --enable-proxy-html \
        --enable-proxy-http \
        --enable-proxy-balancer \
        --enable-lbmethod-bybusyness \
        --enable-lbmethod-byrequests \
        --enable-lbmethod-bytraffic \
        --enable-remoteip \
        --enable-reqtimeout \
        --enable-rewrite \
        --enable-ssl \
        --enable-substitute \
        --enable-unique-id \
        --disable-asis \
        --disable-autoindex \
        --disable-negotiation \
        --disable-userdir \
        --disable-cgi \
        --disable-cgid

Build the sources:
    make -j4

Install the binaries:
    make install

Create the symbolic link:
    ln -sf ${HTTPD_VERSION} ${APACHE_SEC_DIR}/bin/httpd

Creating a dedicated user
Each Apache installation should run as its own dedicated user and group. This example uses wwsrun, with a login shell that denies interactive access:
    groupadd -g 108 wws
    useradd -u 130 -g wws -d /home/wwsrun -s /usr/sbin/nologin -c "WWW daemon apache" wwsrun

Once the new group and user have been created, change the user's home directory from /home/wwsrun to /dev/null with the vipw command.

Setting permissions
Create the runtime directories, then make everything root-owned and read-only for everyone else; only htdocs, logs and cgi-bin are made readable by the server's group:
    mkdir -p ${APACHE_SEC_DIR}/httpd/conf/extra
    mkdir -p ${APACHE_SEC_DIR}/httpd/conf/vhosts.d
    mkdir -p ${APACHE_SEC_DIR}/httpd/htdocs
    mkdir -p ${APACHE_SEC_DIR}/httpd/logs
    mkdir -p ${APACHE_SEC_DIR}/httpd/cgi-bin

    chown -R root:root ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION} ${APACHE_SEC_DIR}/httpd
    chmod -R go-w ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION} ${APACHE_SEC_DIR}/httpd
    chmod -R go-rx ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/conf ${APACHE_SEC_DIR}/httpd/conf
    chmod -R o-rx ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/htdocs ${APACHE_SEC_DIR}/httpd/htdocs
    chmod -R o-rx ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/logs ${APACHE_SEC_DIR}/httpd/logs
    chmod -R o-rx ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/cgi-bin ${APACHE_SEC_DIR}/httpd/cgi-bin

    chown -R root:wws ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/htdocs ${APACHE_SEC_DIR}/httpd/htdocs
    chown -R root:wws ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/logs ${APACHE_SEC_DIR}/httpd/logs
    chown -R root:wws ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/cgi-bin ${APACHE_SEC_DIR}/httpd/cgi-bin

    chmod -R g+rx ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/htdocs ${APACHE_SEC_DIR}/httpd/htdocs
    chmod -R g+rx ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/logs ${APACHE_SEC_DIR}/httpd/logs
    chmod -R g+rx ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/cgi-bin ${APACHE_SEC_DIR}/httpd/cgi-bin
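The chown/chmod sequence above is easy to get subtly wrong when it is repeated on another host or after a later deployment. The following POSIX shell function is an added example, not part of the original guide: it audits an httpd directory tree against exactly the policy just applied (everything owned by the given owner, nothing group- or world-writable, conf unreadable by group and others, htdocs/logs/cgi-bin readable only by the server's group). It relies on GNU find's -perm /mode syntax. The demo at the end builds a constructed tree under mktemp, with the current user and group standing in for root and wws.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an httpd tree against the
# permission policy applied above. Requires GNU find (-perm /mode).

# audit_perms <httpd-dir> <owner> <group>
# Prints one line per violation and returns 1 if any were found, 0 otherwise.
audit_perms() {
    root=$1; owner=$2; group=$3
    for d in conf htdocs logs cgi-bin; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; return 1; }
    done
    findings=$(
        # every file and directory must belong to the owner (root in the guide)
        find "$root" ! -user "$owner" | sed "s|^|owner is not $owner: |"
        # nothing may be writable by group or others
        find "$root" -perm /022 | sed 's|^|group- or world-writable: |'
        # conf must be unreadable and unsearchable by group and others (go-rx)
        find "$root/conf" -perm /055 | sed 's|^|conf visible to group/other: |'
        # htdocs, logs, cgi-bin: no access for others, and the group must be
        # the server's group so that only httpd can read them
        find "$root/htdocs" "$root/logs" "$root/cgi-bin" -perm /005 \
            | sed 's|^|world-accessible: |'
        find "$root/htdocs" "$root/logs" "$root/cgi-bin" ! -group "$group" \
            | sed "s|^|group is not $group: |"
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "permissions OK under $root"
    return 0
}

# demo_audit: constructed tree mirroring the guide's layout, with the current
# user/group standing in for root/wws. Returns 0 when the hardened tree passes
# and a world-readable httpd.conf is caught afterwards.
demo_audit() {
    tmp=$(mktemp -d); me=$(id -un); grp=$(id -gn); rc=0
    mkdir -p "$tmp/httpd/conf/extra" "$tmp/httpd/htdocs" "$tmp/httpd/logs" "$tmp/httpd/cgi-bin"
    echo 'ServerTokens Prod' > "$tmp/httpd/conf/httpd.conf"
    echo 'hello' > "$tmp/httpd/htdocs/index.html"
    chgrp -R "$grp" "$tmp/httpd"
    # the same sequence the guide applies
    chmod -R go-w "$tmp/httpd"
    chmod -R go-rx "$tmp/httpd/conf"
    chmod -R o-rx "$tmp/httpd/htdocs" "$tmp/httpd/logs" "$tmp/httpd/cgi-bin"
    chmod -R g+rx "$tmp/httpd/htdocs" "$tmp/httpd/logs" "$tmp/httpd/cgi-bin"
    audit_perms "$tmp/httpd" "$me" "$grp" || rc=1
    # introduce a typical mistake and make sure it is reported
    chmod o+r "$tmp/httpd/conf/httpd.conf"
    if audit_perms "$tmp/httpd" "$me" "$grp" >/dev/null; then rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo_audit
```

On the real installation run it as audit_perms "${APACHE_SEC_DIR}/httpd" root wws, and again against "${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}" if you keep that tree locked down the same way.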

Copying the configuration files
Copy the stock configuration into the runtime tree, so that the installed binaries' conf directory stays pristine for reference:
    cp -p ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/conf/* ${APACHE_SEC_DIR}/httpd/conf/
    cp -p ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/conf/extra/httpd-default.conf ${APACHE_SEC_DIR}/httpd/conf/extra/
    cp -p ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/conf/extra/httpd-info.conf ${APACHE_SEC_DIR}/httpd/conf/extra/
    cp -p ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/conf/extra/httpd-mpm.conf ${APACHE_SEC_DIR}/httpd/conf/extra/
    cp -p ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/conf/extra/httpd-ssl.conf ${APACHE_SEC_DIR}/httpd/conf/extra/
    cp -p ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/conf/extra/proxy-html.conf ${APACHE_SEC_DIR}/httpd/conf/extra/

File httpd-default.conf
In ${APACHE_SEC_DIR}/httpd/conf/extra/httpd-default.conf set the ServerTokens directive to Prod, so the Server header reveals only "Apache" and no version or module details:
    sed -i 's/^ServerTokens Full/ServerTokens Prod/g' ${APACHE_SEC_DIR}/httpd/conf/extra/httpd-default.conf

File httpd-info.conf
In ${APACHE_SEC_DIR}/httpd/conf/extra/httpd-info.conf restrict the Require host directive to localhost, so server-status is reachable only from the machine itself:
    sed -i 's/Require host .example.com/Require host localhost/g' ${APACHE_SEC_DIR}/httpd/conf/extra/httpd-info.conf

Comment out the whole server-info section (from its opening Location tag to the matching closing tag):
    sed -i '/^<Location \/server-info>$/,/^<\/Location>$/s/^/#/g' ${APACHE_SEC_DIR}/httpd/conf/extra/httpd-info.conf

File httpd.conf
In ${APACHE_SEC_DIR}/httpd/conf/httpd.conf rewrite the paths, so that conf, htdocs and logs are read from ${APACHE_SEC_DIR}/httpd while modules are loaded from the installed binaries:
    sed -i "s+${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}+${APACHE_SEC_DIR}/httpd+g" ${APACHE_SEC_DIR}/httpd/conf/httpd.conf
    sed -i "s+_module modules/+_module ${APACHE_SEC_DIR}/bin/httpd/modules/+g" ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Bind the web server to a specific IP address instead of every interface (replace server_IP):
    sed -i 's/^Listen 80/Listen server_IP:80/g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Enable the required modules:
    for MODULE in allowmethods deflate http2 remoteip rewrite slotmem_shm socache_shmcb ssl substitute unique_id
    do
        sed -i "s/^#LoadModule ${MODULE}_module /LoadModule ${MODULE}_module /g" ${APACHE_SEC_DIR}/httpd/conf/httpd.conf
    done

Set the user and group the web server runs as:
    sed -i 's/^User daemon/User wwsrun/g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf
    sed -i 's/^Group daemon/Group wws/g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Set the webmaster's e-mail address:
    sed -i 's/^ServerAdmin you@example.com/ServerAdmin indirizzo_email@example.com/g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Set the Options directive to None (no directory listings, no symlink following):
    sed -i 's/^\s*Options Indexes FollowSymLinks/   Options None/g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Comment out the dir_module section (from its opening IfModule tag to the matching closing tag):
    sed -i '/^<IfModule dir_module>$/,/^<\/IfModule>$/s/^/#/g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Extend the Files directive:
    sed -i 's/^$//g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf
    sed -i 's+^$++g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Set the LogLevel directive to info:
    sed -i 's/^LogLevel warn/LogLevel info/g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Extend the combined LogFormat with the virtual host name (%v), the request's UNIQUE_ID and the time taken to serve it (%D, in microseconds); the UNIQUE_ID is what ties an access-log line to the matching ModSecurity audit record:
    sed -i 's/^\s*LogFormat "%h %l %u %t \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\"" combined/   LogFormat "%v %h %l %u %t \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\" | %{UNIQUE_ID}e | %D" combined/g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf
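The fields appended to the combined format are what make the access log useful during an incident: UNIQUE_ID is the key for correlating a request with its ModSecurity audit entry, and %D lets you spot abnormally slow requests. As an added example that is not part of the original guide, these shell functions read lines written in exactly that format. The sample log lines are constructed and the UNIQUE_ID values are invented; note that the " | " tail is parsed from the right, because Referer and User-Agent are client-controlled and a left-to-right split could be fooled by a header containing " | ".

```shell
#!/bin/sh
# Added example, not from the original guide. Works on lines written with the
# extended "combined" LogFormat configured above:
#   %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" | %{UNIQUE_ID}e | %D
# Fields are taken from the right (NF-1, NF) because the quoted Referer and
# User-Agent come from the client and may themselves contain " | ".

# Constructed sample lines; the UNIQUE_ID values are invented. The last line
# carries a User-Agent that tries to confuse a naive left-to-right parser.
SAMPLE_LOG='example.com 203.0.113.5 - - [10/Jun/2016:12:00:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0" | V1kZ9H8AAQEAAHnO5IEAAAAA | 1532
example.com 203.0.113.5 - - [10/Jun/2016:12:00:02 +0200] "POST /search HTTP/1.1" 200 8803 "https://example.com/" "Mozilla/5.0" | V1kZ9n8AAQEAAHnO5IIAAAAB | 2500000
example.com 198.51.100.7 - - [10/Jun/2016:12:00:05 +0200] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.47.0" | V1kZ-X8AAQEAAHnO5IMAAAAC | 845
example.com 198.51.100.7 - - [10/Jun/2016:12:00:09 +0200] "GET /export?all=1 HTTP/1.1" 500 0 "-" "evil | fake | 1" | V1kaBn8AAQEAAHnO5IQAAAAD | 3100000'

# slow_requests <threshold-microseconds>: reads log lines on stdin and prints
# "UNIQUE_ID duration request-line" for every request slower than the threshold.
slow_requests() {
    awk -F' [|] ' -v t="$1" '
        NF >= 3 && $NF + 0 > t {
            split($1, q, "\"")          # q[2] is the request line (%r)
            printf "%s %sus %s\n", $(NF-1), $NF, q[2]
        }'
}

# request_by_id <UNIQUE_ID>: prints the access-log line for one request id,
# the same id mod_security records in its audit log entry.
request_by_id() {
    awk -F' [|] ' -v id="$1" 'NF >= 3 && $(NF-1) == id'
}

# status_summary: number of requests per HTTP status code; the status is the
# first token after the closing quote of %r.
status_summary() {
    awk -F' [|] ' '{ split($1, q, "\""); split(q[3], s, " "); n[s[1]]++ }
                   END { for (c in n) printf "%s %d\n", c, n[c] }' | sort
}

# count_slow <threshold-microseconds>: how many sample requests exceed it.
count_slow() {
    printf '%s\n' "$SAMPLE_LOG" | slow_requests "$1" | awk 'END { print NR }'
}

# Walk-through on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | slow_requests 1000000
printf '%s\n' "$SAMPLE_LOG" | request_by_id V1kZ-X8AAQEAAHnO5IMAAAAC
printf '%s\n' "$SAMPLE_LOG" | status_summary
```

On a live server the same functions read the real file, e.g. slow_requests 1000000 < ${APACHE_SEC_DIR}/httpd/logs/access_log, and request_by_id takes the id copied from a ModSecurity audit entry.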

Enable the combined CustomLog in place of the common one:
    sed -i 's+^\s*CustomLog "logs/access_log" common+#CustomLog "logs/access_log" common+g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf
    sed -i 's+^\s*#CustomLog "logs/access_log" combined+CustomLog "logs/access_log" combined+g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Include the extra configuration files:
    sed -i 's+^#Include conf/extra/httpd-mpm.conf+Include conf/extra/httpd-mpm.conf+g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf
    sed -i 's+^#Include conf/extra/httpd-info.conf+Include conf/extra/httpd-info.conf+g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf
    sed -i 's+^#Include conf/extra/httpd-default.conf+Include conf/extra/httpd-default.conf+g' ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Enable the HTTP/2 protocol (h2 over TLS, h2c in clear text, with HTTP/1.1 as fallback):
    echo 'Protocols h2 h2c http/1.1' >> ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

Include the additional configuration files:
    echo '
    Include conf/httpd-sec.conf
    Include conf/vhosts.d/*.conf
    ' >> ${APACHE_SEC_DIR}/httpd/conf/httpd.conf

File httpd-sec.conf
Create the new file ${APACHE_SEC_DIR}/httpd/conf/httpd-sec.conf. It disables forward proxying and TRACE, restricts the allowed methods, caps request sizes, and sets the TLS policy (no SSLv2/SSLv3/TLSv1/TLSv1.1, server-chosen AEAD and SHA-2 suites only, no compression, no session tickets):

    echo '
    # When running a reverse proxy only,
    # do not allow forward proxy requests
    ProxyRequests Off

    # Disable TRACE method
    TraceEnable off

    # Restrict HTTP methods
    <Location "/">
        AllowMethods GET POST
    </Location>

    # Limits
    LimitRequestBody    102400
    LimitRequestFields     100
    LimitRequestFieldSize 8190
    LimitRequestLine      8190
    LimitXMLRequestBody  51200

    # SSL
    Listen server_IP:443
    SSLPassPhraseDialog    builtin
    SSLSessionCache        shmcb:logs/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLProtocol            all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder    on
    SSLCompression         off
    SSLSessionTickets      off
    SSLStaplingCache       shmcb:logs/ssl_stapling(128000)
    ' >> ${APACHE_SEC_DIR}/httpd/conf/httpd-sec.conf
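These are the directives that tend to get lost when the file is later edited by hand or regenerated from a template. The following shell function is an added example, not part of the original guide: it lints a configuration file for ServerTokens, TraceEnable, ProxyRequests and the SSL settings above, and exits non-zero if any are missing or weak. The two sample files it writes are constructed. It only understands the subtractive "SSLProtocol all -X" form used in this guide; an allow-list form such as "SSLProtocol TLSv1.2" would be reported as a finding even though it is equally strict.

```shell
#!/bin/sh
# Added example, not from the original guide: lint an httpd configuration
# file for the hardening directives set in httpd-sec.conf / httpd-default.conf.
# Only the "SSLProtocol all -X -Y" form used in the guide is recognised.

# expect <file> <ERE> <description>: finding when no line matches
expect() {
    if ! grep -Eq "$2" "$1"; then echo "MISSING: $3"; return 1; fi
}

# forbid <file> <ERE> <description>: finding when a line matches
forbid() {
    if grep -Eq "$2" "$1"; then echo "WEAK:    $3"; return 1; fi
}

# lint_httpd_conf <file>: prints one line per finding, returns 1 if any.
lint_httpd_conf() {
    conf=$1; problems=0
    forbid "$conf" '^[[:space:]]*ServerTokens[[:space:]]+(Full|OS|Major|Minor|Minimal)' \
        'ServerTokens reveals version information (use Prod)' || problems=$((problems + 1))
    expect "$conf" '^[[:space:]]*TraceEnable[[:space:]]+[Oo]ff' \
        'TraceEnable off' || problems=$((problems + 1))
    expect "$conf" '^[[:space:]]*ProxyRequests[[:space:]]+[Oo]ff' \
        'ProxyRequests Off (no forward proxying)' || problems=$((problems + 1))
    for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        re=$(printf '%s' "$old" | sed 's/\./\\./g')    # escape the dot for grep -E
        expect "$conf" "^[[:space:]]*SSLProtocol.*-${re}([[:space:]]|\$)" \
            "SSLProtocol disables ${old}" || problems=$((problems + 1))
    done
    expect "$conf" '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+[Oo]n' \
        'SSLHonorCipherOrder on' || problems=$((problems + 1))
    expect "$conf" '^[[:space:]]*SSLCompression[[:space:]]+[Oo]ff' \
        'SSLCompression off (TLS compression enables CRIME)' || problems=$((problems + 1))
    expect "$conf" '^[[:space:]]*SSLSessionTickets[[:space:]]+[Oo]ff' \
        'SSLSessionTickets off' || problems=$((problems + 1))
    if [ "$problems" -eq 0 ]; then echo "OK: $conf"; return 0; fi
    echo "$problems finding(s) in $conf"
    return 1
}

# write_sample_confs <dir>: two constructed files, weak.conf (stock-like
# defaults) and hardened.conf (the values from this guide).
write_sample_confs() {
    printf '%s\n' 'ServerTokens Full' 'TraceEnable on' 'SSLProtocol all -SSLv2' \
        'SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES' > "$1/weak.conf"
    printf '%s\n' 'ServerTokens Prod' 'ProxyRequests Off' 'TraceEnable off' \
        'SSLProtocol            all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1' \
        'SSLHonorCipherOrder    on' 'SSLCompression         off' \
        'SSLSessionTickets      off' > "$1/hardened.conf"
}

demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
lint_httpd_conf "$demo_dir/hardened.conf" || echo "unexpected: hardened config failed"
lint_httpd_conf "$demo_dir/weak.conf" || echo "weak config rejected as expected"
rm -rf "$demo_dir"
```

Against the real installation, run it on the concatenation of the files that carry these directives, for example cat ${APACHE_SEC_DIR}/httpd/conf/httpd-sec.conf ${APACHE_SEC_DIR}/httpd/conf/extra/httpd-default.conf > /tmp/all.conf before linting, since each directive may live in a different file.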

Setting permissions
The configuration directory contains the private key paths and ModSecurity rules; keep it readable by root only:
    chmod -R go-rx ${APACHE_SEC_DIR}/httpd/conf

Init.d script
Create the startup file:
    cp -p ${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/bin/apachectl /etc/init.d/apachectl_sec

and adjust a few paths so that it starts the linked binary with the runtime configuration:
    sed -i "s+${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}/bin/httpd+${APACHE_SEC_DIR}/bin/httpd/bin/httpd -f ${APACHE_SEC_DIR}/httpd/conf/httpd.conf+g" /etc/init.d/apachectl_sec
    sed -i "s+${APACHE_SEC_DIR}/bin/${HTTPD_VERSION}+${APACHE_SEC_DIR}/bin/httpd+g" /etc/init.d/apachectl_sec

Create the required symbolic links:
    chkconfig apachectl_sec on

Virtual Host
Create a separate file for each virtual host and save it in the ${APACHE_SEC_DIR}/httpd/conf/vhosts.d directory. The first block serves plain HTTP only to redirect every request to HTTPS; the second serves the site over TLS. Cookies set by the application get the HttpOnly, Secure and SameSite attributes appended with Header edit, which rewrites the existing Set-Cookie headers rather than emitting a new, empty one.

    <VirtualHost server_IP:80>
        ServerName example.com
        ServerAlias www.example.com

        # Document Root
        DocumentRoot "htdocs/example.com"

        # Log
        ErrorLog logs/example.com-error_log
        CustomLog logs/example.com-access_log combined

        # Force the use of HTTPS, preserving the requested path
        RewriteEngine on
        RewriteCond %{HTTPS} !=on
        RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

        # Security Headers
        Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri https://${subdomain}.report-uri.com/r/d/csp/enforce;"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        Header always set Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr *; usb 'none'; vr 'none';"
        Header always set X-Permitted-Cross-Domain-Policies "none"
        Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; SameSite=Strict"
    </VirtualHost>

    <VirtualHost server_IP:443>
        ServerName example.com
        ServerAlias www.example.com

        # Document Root
        DocumentRoot "htdocs/example.com"

        # Log
        ErrorLog logs/example.com-error_log
        CustomLog logs/example.com-access_log combined

        RewriteEngine on

        # SSL
        SSLEngine on
        SSLCertificateFile      /path/to/signed_certificate
        SSLCertificateChainFile /path/to/intermediate_certificate
        SSLCertificateKeyFile   /path/to/private_key
        SSLCACertificateFile    /path/to/all_ca_certs

        # OCSP Stapling
        SSLUseStapling                   on
        SSLStaplingResponderTimeout      5
        SSLStaplingReturnResponderErrors off

        # Security Headers
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
        Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri https://${subdomain}.report-uri.com/r/d/csp/enforce;"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        Header always set Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr *; usb 'none'; vr 'none';"
        Header always set X-Permitted-Cross-Domain-Policies "none"
        Header always set Expect-CT "max-age=0, report-uri=\"https://${subdomain}.report-uri.com/r/d/ct/reportOnly\"" env=HTTPS
        Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure; SameSite=Strict"
    </VirtualHost>

Downloading the ModSecurity sources
Download the latest available version of the ModSecurity sources from https://www.modsecurity.org/download.html.

Version 2.9.1 is used below:
    https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
    https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz.sha256

Download the latest available version of the OWASP Core Rule Set (CRS) from https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project:
    https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Building and configuring
Additional variables:
    MODSEC_VERSION="modsecurity-2.9.1"

Check with sha256sum that the hash of the .tar.gz file matches the one reported in the .sha256 file:
    sha256sum ${MODSEC_VERSION}.tar.gz
    958cc5a7a7430f93fac0fd6f8b9aa92fc1801efce0cda797d6029d44080a9b24  modsecurity-2.9.1.tar.gz

    cat ${MODSEC_VERSION}.tar.gz.sha256
    SHA256(modsecurity-2.9.1.tar.gz)= 958cc5a7a7430f93fac0fd6f8b9aa92fc1801efce0cda797d6029d44080a9b24
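Both checks in this guide, the md5sum comparison for httpd and APR earlier and the sha256sum comparison here, are done by eye, which is exactly where a one-character difference goes unnoticed. The following shell script is an added example, not part of the original guide: it parses the two digest-file formats that appear above (the "hash *file" lines of the .md5 files and the OpenSSL-style "SHA256(file)= hash" line of the .sha256 file), recomputes the digest, and exits non-zero on a mismatch so a build script stops. The sample file and its digest files are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: check a downloaded tarball
# against the digest file published next to it. Handles both formats that
# appear in this guide:
#   md5sum-style   "<hex> *<file>"            (the .md5 files)
#   OpenSSL-style  "SHA256(<file>)= <hex>"    (the .sha256 file)

# expected_digest <digest-file> <tarball-basename>: prints the digest the
# file claims for that tarball (lowercase hex), or nothing if it is absent.
expected_digest() {
    sed -e 's/^[A-Za-z0-9-]*(\(.*\))= *\(.*\)$/\2 \1/' \
        -e 's/ \*/ /' "$1" \
      | awk -v f="$2" '$2 == f { print tolower($1); exit }'
}

# verify_checksum <digest-file> <tarball> <md5|sha256>: 0 on match, 1 otherwise.
verify_checksum() {
    digest_file=$1; tarball=$2; algo=$3
    case "$algo" in
        md5)    actual=$(md5sum "$tarball" | awk '{ print $1 }') ;;
        sha256) actual=$(sha256sum "$tarball" | awk '{ print $1 }') ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    expected=$(expected_digest "$digest_file" "$(basename "$tarball")")
    if [ -z "$expected" ]; then
        echo "FAIL $tarball: no entry in $digest_file" >&2
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK   $tarball ($algo)"
        return 0
    fi
    echo "FAIL $tarball: expected $expected, got $actual" >&2
    return 1
}

# make_sample <dir>: constructed stand-in for a download, a small file plus an
# .md5 and a .sha256 written in the two formats above.
make_sample() {
    printf 'not a real tarball\n' > "$1/sample.tar.gz"
    printf '%s *sample.tar.gz\n' "$(md5sum "$1/sample.tar.gz" | awk '{ print $1 }')" \
        > "$1/sample.tar.gz.md5"
    printf 'SHA256(sample.tar.gz)= %s\n' "$(sha256sum "$1/sample.tar.gz" | awk '{ print $1 }')" \
        > "$1/sample.tar.gz.sha256"
}

# demo_verify: both formats accept the genuine file; after the file is altered
# the md5 check must fail. Returns 0 when the behaviour is as expected.
demo_verify() {
    tmp=$(mktemp -d); rc=0
    make_sample "$tmp"
    verify_checksum "$tmp/sample.tar.gz.md5"    "$tmp/sample.tar.gz" md5    || rc=1
    verify_checksum "$tmp/sample.tar.gz.sha256" "$tmp/sample.tar.gz" sha256 || rc=1
    printf 'tampered\n' >> "$tmp/sample.tar.gz"
    if verify_checksum "$tmp/sample.tar.gz.md5" "$tmp/sample.tar.gz" md5 2>/dev/null; then rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo_verify
```

In the build steps it replaces the manual comparison: verify_checksum ${HTTPD_VERSION}.tar.gz.md5 ${HTTPD_VERSION}.tar.gz md5 || exit 1, and verify_checksum ${MODSEC_VERSION}.tar.gz.sha256 ${MODSEC_VERSION}.tar.gz sha256 || exit 1. A digest file fetched from the same mirror as the tarball only proves the download was not corrupted; it was published by the same party, so for origin assurance prefer the project's signature (.asc) where one is offered.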

Unpack the Core Rule Set into the configuration tree and lock it down like the rest of conf:
    mkdir -p ${APACHE_SEC_DIR}/httpd/conf/crs
    tar xfz SpiderLabs-owasp-modsecurity-crs-*.tar.gz --strip-components=1 -C ${APACHE_SEC_DIR}/httpd/conf/crs
    chown -R root:root ${APACHE_SEC_DIR}/httpd/conf/crs
    chmod -R go-rx ${APACHE_SEC_DIR}/httpd/conf/crs

Unpack the ModSecurity sources:
    tar xfz ${MODSEC_VERSION}.tar.gz
    cd ${MODSEC_VERSION}

Install the packages needed for the build:
    apt install build-essential pkg-config libssl-dev libxml2-dev libxml2 libexpat1-dev \
        libpcre3-dev libpcre3 liblua5.1-0 liblua5.1-0-dev libcurl4-openssl-dev libcurl3

Use these configure parameters, pointing at the apxs, apr and apu of the httpd just built:
    ./configure \
        --prefix=${APACHE_SEC_DIR}/bin/${MODSEC_VERSION} \
        --with-apxs=${APACHE_SEC_DIR}/bin/httpd/bin/apxs \
        --with-apr=${APACHE_SEC_DIR}/bin/httpd/bin \
        --with-apu=${APACHE_SEC_DIR}/bin/httpd/bin \
        --enable-pcre-jit \
        --enable-lua-cache

Build the sources:
    make -j4

Run the test suite:
    make CFLAGS=-DMSC_TEST test

Install the binaries:
    make install

Create the symbolic link:
    ln -s ${MODSEC_VERSION} ${APACHE_SEC_DIR}/bin/modsecurity

Configure ModSecurity. Starting from the recommended configuration, switch the rule engine from DetectionOnly to On (blocking), keep the audit log inside the dedicated logs directory, and turn off the status engine that phones home:
    if [ ! -f "${APACHE_SEC_DIR}/httpd/conf/modsecurity.conf" ]; then
        cp modsecurity.conf-recommended ${APACHE_SEC_DIR}/httpd/conf/modsecurity.conf
        cp unicode.mapping ${APACHE_SEC_DIR}/httpd/conf/
        chown -R root:root ${APACHE_SEC_DIR}/httpd/conf/modsecurity.conf ${APACHE_SEC_DIR}/httpd/conf/unicode.mapping
        chmod -R go-rx ${APACHE_SEC_DIR}/httpd/conf/modsecurity.conf ${APACHE_SEC_DIR}/httpd/conf/unicode.mapping
        sed -i 's/^SecRuleEngine DetectionOnly$/SecRuleEngine On/g' ${APACHE_SEC_DIR}/httpd/conf/modsecurity.conf
        sed -i 's+^SecAuditLog /var/log/modsec_audit.log$+SecAuditLog logs/modsec_audit.log+g' ${APACHE_SEC_DIR}/httpd/conf/modsecurity.conf
        sed -i 's/^SecStatusEngine On$/SecStatusEngine Off/g' ${APACHE_SEC_DIR}/httpd/conf/modsecurity.conf
    fi

Configure the Core Rule Set (CRS):
    if [ ! -f "${APACHE_SEC_DIR}/httpd/conf/crs/modsecurity_crs_10_setup.conf" ]; then
        cp -p ${APACHE_SEC_DIR}/httpd/conf/crs/modsecurity_crs_10_setup.conf.example ${APACHE_SEC_DIR}/httpd/conf/crs/modsecurity_crs_10_setup.conf
    fi

Activate the base rules by linking them into activated_rules (a glob is used rather than parsing ls output):
    for RULE in ${APACHE_SEC_DIR}/httpd/conf/crs/base_rules/*
    do
        ln -sf "$RULE" ${APACHE_SEC_DIR}/httpd/conf/crs/activated_rules/
    done

Load the ModSecurity module in Apache httpd, together with its configuration and the activated rules:
    echo "
    # ModSecurity
    LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so
    LoadFile /usr/lib/x86_64-linux-gnu/liblua5.1.so
    LoadModule security2_module ${APACHE_SEC_DIR}/bin/modsecurity/lib/mod_security2.so
    <IfModule security2_module>
        Include conf/modsecurity.conf

        # Core Rule Set (CRS)
        Include conf/crs/modsecurity_crs_10_setup.conf
        Include conf/crs/activated_rules/*.conf
    </IfModule>
    " >> ${APACHE_SEC_DIR}/httpd/conf/httpd-sec.conf

Useful links

 * Mozilla - SSL Configuration Generator
 * Qualys SSL Labs - SSL Server Test
 * Check HTTP(S) Security Headers
 * Check the Revocation Lists (CRL) and the OCSP status of an (SSL) Certificate
 * HTTP/2 Test