#format wiki
#language en
= httpd Security Tips (CentOS 6, 7, 8) =

 1. Add the following to /etc/httpd/conf/httpd.conf, just before the DocumentRoot directive:

{{{
# Minimize version information in the Server header and on error pages
ServerTokens Prod
ServerSignature Off
# Disable the HTTP TRACE method
TraceEnable Off
# httpoxy: drop the client-supplied Proxy request header (requires mod_headers)
RequestHeader unset Proxy
Header unset X-Powered-By
# Clickjacking
Header append X-FRAME-OPTIONS "SAMEORIGIN"
# XSS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
}}}

 2. For SSLCipherSuite in /etc/httpd/conf.d/ssl.conf, enter your httpd version and openssl version at [[https://mozilla.github.io/server-side-tls/ssl-config-generator/|https://mozilla.github.io/server-side-tls/ssl-config-generator/]] and copy and paste the suggestion it generates. For example, CentOS 8.0.1905 ships

{{{
httpd-2.4.37
openssl-1.1.1
}}}

 Entering these values gives [[https://ssl-config.mozilla.org/#server=apache&server-version=2.4.37&config=intermediate&openssl-version=1.1.1|https://ssl-config.mozilla.org/#server=apache&server-version=2.4.37&config=intermediate&openssl-version=1.1.1]], so put the following into /etc/httpd/conf.d/ssl.conf:

{{{
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
}}}

 3. Software versions shipped alongside httpd

{{{
RHEL5(CentOS5)  httpd-2.2.3   php-5.1.6   perl-5.8   python-2.4.3      mysql-5.0.95
RHEL6(CentOS6)  httpd-2.2.15  php-5.3.3   perl-5.10  python-2.6.6      mysql-5.1.73
RHEL7(CentOS7)  httpd-2.4.6   php-5.4.16  perl-5.16  python-2.7.5      mariadb-5.5.64
RHEL8(CentOS8)  httpd-2.4.37  php-7.2.11  perl-5.26  python-3.6 (2.7)  mariadb-10.3.11
}}}
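To confirm that the step 1 directives are really active in a config file (and not commented out or set to another value), the following audit script can be used. It is an added example, not part of the original page; the function name `audit_httpd_conf` and the sample config are constructed for illustration, and the check also accepts the equivalent `ServerTokens ProductOnly` and `Header always ...` forms.

```shell
#!/bin/sh
# Audit Apache config files for the hardening directives from step 1.
# Prints one line per missing directive and returns the number missing.
audit_httpd_conf() {
    missing=0
    # Drop leading whitespace, then comment lines, so that a commented-out
    # directive is not counted as present.
    active=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$@")
    # Each entry is "label|regex"; read leaves any further '|' in the regex.
    while IFS='|' read -r label regex; do
        # -i: Apache directive and header names are case-insensitive.
        if ! printf '%s\n' "$active" | grep -Eiq "$regex"; then
            echo "MISSING: $label"
            missing=$((missing + 1))
        fi
    done <<'EOF'
ServerTokens Prod|^ServerTokens[[:space:]]+Prod(uctOnly)?[[:space:]]*$
ServerSignature Off|^ServerSignature[[:space:]]+Off[[:space:]]*$
TraceEnable Off|^TraceEnable[[:space:]]+Off[[:space:]]*$
RequestHeader unset Proxy|^RequestHeader[[:space:]]+unset[[:space:]]+Proxy
Header unset X-Powered-By|^Header[[:space:]]+(always[[:space:]]+)?unset[[:space:]]+X-Powered-By
X-Frame-Options|^Header[[:space:]]+(always[[:space:]]+)?(set|append)[[:space:]]+X-Frame-Options
X-XSS-Protection|^Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+X-XSS-Protection
X-Content-Type-Options nosniff|^Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+X-Content-Type-Options[[:space:]]+"?nosniff
EOF
    return "$missing"
}

# Constructed sample: ServerSignature is commented out and TraceEnable is absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerTokens Prod
#ServerSignature Off
RequestHeader unset Proxy
Header unset X-Powered-By
Header append X-FRAME-OPTIONS "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
EOF
audit_httpd_conf "$sample" || echo "$? hardening directive(s) missing"
rm -f "$sample"
```

The script only checks that each directive appears somewhere in the given files; it does not follow Include lines or detect a later override inside a VirtualHost, so run `apachectl -t` and inspect the live response headers as well.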