Apache Security Configuration

Security

N2FE runs as an HTTP web application through Apache 2, and Apache can be configured to provide a strong security layer for N2FE.

We recommend applying the following configuration changes to any default Apache 2 installation. These changes are selected to enhance the security layer Apache provides for N2FE.

Apache 2

Version Selection

It is strongly recommended that the latest available version of Apache is used for any web server installation. The version installed should always be at least the latest version available for your OS installation.
It is also strongly recommended that your OS version is actively supported with security updates.

SSL

It is critical that if N2FE is accessed through a publicly accessible web address, it is accessed over HTTPS only. However, HTTPS should be considered even for internal access.

If N2FE is available over the publicly accessible internet, test the TLS/SSL configuration using https://www.ssllabs.com/ssltest/.

Disable insecure TLS/SSL protocols. In the Apache configuration, set SSLProtocol and SSLCipherSuite to a more restricted set of options:

SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5

It is best to disable SSLv2, SSLv3, and TLS 1.0 and have only TLS 1.2 enabled as in the above SSLProtocol configuration. Also, it is best to disable support for RC4 ciphers, as in the above SSLCipherSuite configuration.

Under RedHat Linux, these options are set by default in /etc/httpd/conf.d/ssl.conf.

HTTP Methods

Disable the HTTP TRACE method so that the Apache attack surface is lessened. In the Apache configuration, turn TraceEnable off:

TraceEnable off

Further, disable all HTTP methods not used by N2FE by enabling only POST, GET, PUT and DELETE:

<Location />
    <LimitExcept POST GET PUT DELETE>
        order deny,allow
        deny from all
    </LimitExcept>
</Location>

ETag Generation

Disable inode-based ETag generation in Apache by setting FileETag to use more general information:

FileETag MTime Size

Under RedHat Linux, this option is not set by default, but should be explicitly set, e.g. in /etc/httpd/conf/httpd.conf. Note that versions after v2.3.14 default to the above configuration; however, earlier versions (including the version of Apache on RedHat 6.9) use INode, which is a security vulnerability.

Suppress Server Information

Remove server information from responses by disabling server signatures and ensuring that Apache provides the minimum of information to clients about itself:

ServerSignature Off
ServerTokens Prod

Under RedHat Linux, these options are not set by default, but should be explicitly set, e.g. in /etc/httpd/conf/httpd.conf.

Set Headers

Force MSIE not to sniff the content type by setting the X-Content-Type-Options header for MSIE in Apache. Also ask the web browser not to allow N2FE to be embedded in an iframe by setting X-Frame-Options.

To enforce HTTPS access by web browser clients, use Strict-Transport-Security.

<Location />
        Header set X-Content-Type-Options "nosniff"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set Strict-Transport-Security "max-age=15768000"
</Location>

Setting these options for all URLs is important because N2FE relies on the Jarvis base URL, /jarvis-agent, which should also receive these restrictions.

WebDAV

Disable WebDAV by disabling the DAV modules in Apache:

# LoadModule dav_module modules/mod_dav.so
# LoadModule dav_fs_module modules/mod_dav_fs.so

Under RedHat Linux, these modules are loaded by default and should be disabled in /etc/httpd/conf/httpd.conf.

Set Server Name

Enforce access to N2FE over the correct hostname. This will help avoid DNS rebinding attacks. To enforce access over the correct hostnames, reconfigure Apache, Jarvis and N2FE access to apply only within the appropriate virtual host configuration, and set ServerName and ServerAlias to the appropriate host names.
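The following is an added example (not part of the N2FE documentation or the N2FE project) showing how the directives above fit into a virtual host layout that only serves N2FE for the intended hostnames. It assumes Apache 2.4 syntax (Require instead of Order/Deny, as used on RedHat 7 and later); the hostnames, certificate paths and the /jarvis-agent path are placeholders.

```apache
# Added example, not N2FE's own configuration. Hostnames and certificate
# paths are placeholders; adjust them to your installation.
# ServerTokens Prod is server-config only and must stay in httpd.conf.

# 1. Default (first-listed) vhost. Any request whose Host header matches no
#    ServerName/ServerAlias below lands here, including a DNS-rebinding
#    request carrying an attacker-controlled name; nothing is served.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/n2fe.crt
    SSLCertificateKeyFile /etc/pki/tls/private/n2fe.key
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# 2. The N2FE vhost: only reached when Host is one of these names.
<VirtualHost *:443>
    ServerName  n2fe.example.com
    ServerAlias n2fe.internal.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/n2fe.crt
    SSLCertificateKeyFile /etc/pki/tls/private/n2fe.key
    SSLProtocol -all +TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!MD5

    TraceEnable off
    ServerSignature Off
    FileETag MTime Size

    # Applies to every path, so /jarvis-agent gets the same restrictions.
    <Location />
        <LimitExcept POST GET PUT DELETE>
            Require all denied
        </LimitExcept>
        # "always" also sets the headers on redirects and error responses.
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set Strict-Transport-Security "max-age=15768000"
    </Location>
</VirtualHost>

# 3. Plain HTTP: send clients to HTTPS so the HSTS policy can take effect.
<VirtualHost *:80>
    ServerName n2fe.example.com
    Redirect permanent / https://n2fe.example.com/
</VirtualHost>
```

On Apache 2.2 (RedHat 6.9), replace each "Require all denied" with the "order deny,allow" / "deny from all" pair used earlier on this page.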