install/apache2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

install_httpd-2.4.sh: some security tasks.

Browse Source
This commit is contained in:
Christoph 2020-11-02 23:22:11 +01:00
parent 37a5593edd
commit 94f98c5d24
1 changed files with 153 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

159
install_httpd-2.4.sh
View File

@ -32,8 +32,8 @@ else
_WITH_MOD_PHP=true
fi
#_SSL_Cipher_Suite='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
_SSL_Cipher_Suite='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES'
#_SSL_Cipher_Suite='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!SSLv2:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
_SSL_Cipher_Suite='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!SSLv2:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
_PHP_VERSION=7.1.24
@ -2169,10 +2169,42 @@ fi
## --- SSL
## ---
echononl "\tCreate directory '$PREFIX/conf/ssl'.."
if [[ ! -d "$PREFIX/conf/ssl" ]]; then
echo "" >> ${_logdir}/main.log
echo "## - Create directory '$PREFIX/conf/ssl' .." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "mkdir \"$PREFIX/conf/ssl\"" >> ${_logdir}/main.log 2>&1
mkdir "$PREFIX/conf/ssl" >> ${_logdir}/main.log
if [ "0" = "$?" ];then
echo_ok
else
echo_failed
warn "Creating directory '$PREFIX/conf/ssl' failed"
fi
else
echo_skipped
fi
echo "" >> ${_logdir}/main.log
echo "## - Generate a dhparam.pem file .." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "openssl dhparam -dsaparam -out $PREFIX/conf/ssl/dhparam.pem 4096" >> ${_logdir}/main.log
echononl "\tGenerate a dhparam.pem file.."
openssl dhparam -dsaparam -out $PREFIX/conf/ssl/dhparam.pem 4096 >> ${_logdir}/main.log 2>&1
if [ "0" = "$?" ];then
echo_ok
else
echo_failed
warn " Generating dhparam.pem file '$PREFIX/conf/ssl/dhparam.pem' failed"
fi
## - include httpd-ssl.conf
## -
_file=httpd-ssl.conf
if [ -f ${PREFIX}/${_rel_confextra_path}/${_file} ]; then
echo "" >> ${_logdir}/main.log
echo "## - httpd.conf: include file \"$_file\".." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
@ -2188,6 +2220,17 @@ if [ -f ${PREFIX}/${_rel_confextra_path}/${_file} ]; then
echo_failed
fi
echo "" >> ${_logdir}/main.log
echo "## - Backup file '${PREFIX}/${_rel_confextra_path}/${_file}'.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echononl "\tBackup file '${PREFIX}/${_rel_confextra_path}/${_file}'.."
cp -a "${PREFIX}/${_rel_confextra_path}/${_file}" "${PREFIX}/${_rel_confextra_path}/${_file}.ORIG" >> ${_logdir}/main.log 2>&1
if [ "0" = "$?" ];then
echo_ok
else
echo_failed
fi
#notice=""
## - copy certification files if present..
_failed=false
@ -2296,6 +2339,39 @@ EOF
fi
done
## - Set Diffie Hellman Ephemeral Parameters
## -
echononl "\t$_file: Set Diffie Hellman Ephemeral Parameters.."
if ! grep -q SSLOpenSSLConfCmd ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix 2> /dev/null ; then
if [[ ! -f "${PREFIX}/conf/ssl/dhparam.pem" ]] ; then
echo_skipped
warn "Diffie Hellman Parameter file (${PREFIX}/conf/ssl/dhparam.pem') NOT found!"
else
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set Diffie Hellman Ephemeral Parameters.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
cat <<EOF >> ${_logdir}/main.log
perl -i$_backup_suffix -n -p \\
-e "s&^(#\s*SSL\s+Cipher\s+Suite:.*)&# Diffie Hellman Ephemeral Parameters\n#\nSSLOpenSSLConfCmd DHParameters \"${PREFIX}/conf/ssl/dhparam.pem\"\n\n\1&" \\
${PREFIX}/${_rel_confextra_path}/${_file}
EOF
perl -i$_backup_suffix -n -p \
-e "s&^(#\s*SSL\s+Cipher\s+Suite:.*)&# Diffie Hellman Ephemeral Parameters\n#\nSSLOpenSSLConfCmd DHParameters \"${PREFIX}/conf/ssl/dhparam.pem\"\n\n\1&" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
if grep -q SSLOpenSSLConfCmd ${PREFIX}/${_rel_confextra_path}/${_file} 2> /dev/null ; then
echo_ok
rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
else
echo_failed
fi
else
echo_failed
fi
fi
else
echo_skipped
fi
## - Set SSLCipherSuite
## -
@ -2356,10 +2432,10 @@ EOF
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set SSLProtocol.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*SSLProtocol ).*)$&## \1\n\2ALL -SSLv3 -SSLv2 -TLSv1&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*SSLProtocol ).*)$&## \1\n\2-all +TLSv1.2 +TLSv1.3&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echononl "\t$_file: Set SSLProtocol.."
sed -i$_backup_suffix -r \
-e "s&^(([ ^t]*SSLProtocol ).*)$&## \1\n\2all -SSLv3 -SSLv2 -TLSv1&g" \
-e "s&^(([ ^t]*SSLProtocol ).*)$&## \1\n\2-all +TLSv1.2 +TLSv1.3&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
@ -2374,10 +2450,10 @@ EOF
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set SSLProxyProtocol.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*SSLProxyProtocol ).*)$&## \1\n\2ALL -SSLv3 -SSLv2 -TLSv1&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*SSLProxyProtocol ).*)$&## \1\n\2-all +TLSv1.2 +TLSv1.3&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echononl "\t$_file: Set SSLProxyProtocol.."
sed -i$_backup_suffix -r \
-e "s&^(([ ^t]*SSLProxyProtocol ).*)$&## \1\n\2all -SSLv3 -SSLv2 -TLSv1&g" \
-e "s&^(([ ^t]*SSLProxyProtocol ).*)$&## \1\n\2-all +TLSv1.2 +TLSv1.3&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
@ -2403,6 +2479,33 @@ EOF
echo_failed
fi
## - Set SSLCompression
## -
ssl_compression_comment="# SSLCompression
#
# Note:
# Enabling compression causes security issues in most setups (the so called CRIME attack)."
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set SSLCompression.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
cat <<EOF >> ${_logdir}/main.log
perl -i$_backup_suffix -n -p \\
-e "s&^(\s*SSLHonorCipherOrder\s+.*)&\1\n\n${ssl_compression_comment}\nSSLCompression off&" \\
${PREFIX}/${_rel_confextra_path}/${_file}
EOF
echononl "\t$_file: Set SSLCompression.."
perl -i$_backup_suffix -n -p \
-e "s&^(\s*SSLHonorCipherOrder\s+.*)&\1\n\n${ssl_compression_comment}\nSSLCompression off&" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
else
echo_failed
fi
## - Set ServerName
## -
echo "" >> ${_logdir}/main.log
@ -2548,6 +2651,17 @@ if [ -f ${PREFIX}/${_rel_confextra_path}/${_file} ];then
echo_failed
fi
echo "" >> ${_logdir}/main.log
echo "## - Backup file '${PREFIX}/${_rel_confextra_path}/${_file}'.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echononl "\tBackup file '${PREFIX}/${_rel_confextra_path}/${_file}'.."
cp -a "${PREFIX}/${_rel_confextra_path}/${_file}" "${PREFIX}/${_rel_confextra_path}/${_file}.ORIG" >> ${_logdir}/main.log 2>&1
if [ "0" = "$?" ];then
echo_ok
else
echo_failed
fi
_localhost="127.0.0.0/8"
[ "X" != "X$HTTPD_INFO_ADDRESSES" ] && _localhost="$_localhost $HTTPD_INFO_ADDRESSES"
echo "" >> ${_logdir}/main.log
@ -2623,6 +2737,17 @@ if [ -f ${PREFIX}/${_rel_confextra_path}/${_file} ];then
echo_failed
fi
echo "" >> ${_logdir}/main.log
echo "## - Backup file '${PREFIX}/${_rel_confextra_path}/${_file}'.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echononl "\tBackup file '${PREFIX}/${_rel_confextra_path}/${_file}'.."
cp -a "${PREFIX}/${_rel_confextra_path}/${_file}" "${PREFIX}/${_rel_confextra_path}/${_file}.ORIG" >> ${_logdir}/main.log 2>&1
if [ "0" = "$?" ];then
echo_ok
else
echo_failed
fi
## - Uncomment "LoadModule" for needed additional modules..
## -
for module in mod_mime mod_negotiation ; do
@ -2678,6 +2803,17 @@ if [ -f ${PREFIX}/${_rel_confextra_path}/${_file} ];then
echo_failed
fi
echo "" >> ${_logdir}/main.log
echo "## - Backup file '${PREFIX}/${_rel_confextra_path}/${_file}'.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echononl "\tBackup file '${PREFIX}/${_rel_confextra_path}/${_file}'.."
cp -a "${PREFIX}/${_rel_confextra_path}/${_file}" "${PREFIX}/${_rel_confextra_path}/${_file}.ORIG" >> ${_logdir}/main.log 2>&1
if [ "0" = "$?" ];then
echo_ok
else
echo_failed
fi
## - Uncomment "LoadModule" for needed additional modules..
## -
@ -2740,6 +2876,17 @@ if [ -f ${PREFIX}/${_rel_confextra_path}/${_file} ];then
warn "Including file \"${_file}\" failed.."
fi
echo "" >> ${_logdir}/main.log
echo "## - Backup file '${PREFIX}/${_rel_confextra_path}/${_file}'.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echononl "\tBackup file '${PREFIX}/${_rel_confextra_path}/${_file}'.."
cp -a "${PREFIX}/${_rel_confextra_path}/${_file}" "${PREFIX}/${_rel_confextra_path}/${_file}.ORIG" >> ${_logdir}/main.log 2>&1
if [ "0" = "$?" ];then
echo_ok
else
echo_failed
fi
## - Set MaxConnectionsPerChild
## -