How to permanently store new ssl config

BottyZ

August 03, 2015 07:19

Hi all, I'm quite unexperienced with apache and whm but I have my first VPS to learn on and I'm trying to add some ssl changes in the http.conf file in order to improve its security (using Qualys SSL Server Test as my testing method). My employer wants to run their website from this VPS and it'll be the only site on here. They have an ecommerce store where they're trying to achieve a basic level of PCI DSS compliance. I've looked around and read up on a number of sites about this and I've seen a number of sources state that adding the following to the http.conf is recommended:

SSLHonorCipherOrder on          # Ciphers specified by the server take precedence
SSLInsecureRenegotiation off    # Mitigates CVE-2009-3555
SSLCompression off              # Mitigates CRIME and BEAST attacks (Apache 2.4 only)

I've tried directly editing the http.conf and following the instructions within the file to see if the edits are preserved on rebuild (/usr/local/cpanel/bin/apache_conf_distiller --update followed by /usr/local/cpanel/bin/build_apache_conf) and unfortunately the edits aren't preserved. Can I add the above code into the pre or post include files? If so, which would be best? Or is there a better way of incorporating these edits? I've seen in the http.conf that you should add the custom directives to respective template files, but which files would the above need to be added to specifically? Any help that can be given would be much appreciated. Thank you. A little further info on the VPS I'm using if you need it: Cent OS 6.6 (64 Bit) XenPV 3CPU 3GB RAM (& 3GB Burst) Apache 2.4.12 EasyApache 3.30.4 CPanel 11.50.0 (Build 29)

Comments

5 comments

ModServ

August 05, 2015 08:53
Hello, You can add the custom configuration in the template provided in this path:
/var/cpanel/templates/apache2
I guess it will be in ssl_vhost.local (I'm not really sure). Regards,
0
BottyZ

August 05, 2015 10:12
Hello, You can add the custom configuration in the template provided in this path:
/var/cpanel/templates/apache2
I guess it will be in ssl_vhost.local (I'm not really sure). Regards,

Hi ModServ, Thanks for the reply, I've checked that directory and its empty. However I'm using apache 2.4.12 and there is a different folder called apache2_4 with a ssl_vhost.default in it, but it contains a lot of if statements and not a lot of anything that I consider replaceable. I can see some of the ssl directives in the main.default file in there though, so I would imagine this to be the file I need to amend? I take it I would add my custom code to this file and then restart apache? Then it would appear in the usual http.conf? I'm reluctant to edit the file before making sure its correct as I don't want to have to rekey my ssl certificate again, which happened twice yesterday whilst working on this (basically told me the certificate was revoked in the browser when apache was restarted). I did add the directives to the pre_main includes file, but I'm not sure if this actually worked as BEAST is still not mitigated server side.
0
cPanelMichael

August 12, 2015 15:43
Hello :) You should be able to add these values to the "Pre Main Include" field in "WHM Home " Service Configuration " Apache Configuration " Include Editor". Does this not correctly configure the values? Thank you.
0
BottyZ

August 14, 2015 09:26
Hello :) You should be able to add these values to the "Pre Main Include" field in "WHM Home " Service Configuration " Apache Configuration " Include Editor". Does this not correctly configure the values? Thank you.

Hi Michael, Unfortunately it didn't seem to work with the includes file.
0
cPanelMichael

August 14, 2015 19:05
Unfortunately it didn't seem to work with the includes file.

Could you elaborate on this? For instance, do the PCI tests still fail or are you simply checking the Apache configuration file and excepting to see the entries? Thank you.
0

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?