@salnz many thanks for this.
I have added Apache and Nginx. Would be great to have a guide to make the server very secure, or to have these security settings in the config by default.
Apache
Under the conf-enabled folder in apache2, in the file security.conf, the first 2 are near the top:
ServerTokens Prod
ServerSignature Off
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Requires Apache >= 2.4.11
SSLSessionTickets Off
Setting this header will prevent MSIE from interpreting files as something
other than what is declared by the content type in the HTTP headers.
Requires mod_headers to be enabled.
Access-Control-Allow-Origin could be a bad idea: any third site, now every site, could create an Ajax request to your website and include anything with it…
Unless you need it (for an app, website, client) I suggest disabling it…
As @eris pointed out, you don't need that setting. I think I had that setting to test a CDN provider but later removed it, as it was better and more secure without it.
You need to change the configs above to match your use / server or VPS requirements. The above is running on Ubuntu 18.04. I also have the latest apache2 installed, not the standard Hestia-installed one.
Just remove these from apache2.conf if you added them:
Header set Access-Control-Allow-Origin "*"
SSLProtocol TLSv1.2
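As an added example (not code from the thread or from Hestia itself), the script below checks a captured HTTP response header block for what the security.conf directives above should produce: no version in Server, HSTS with a max-age of at least one year, X-Frame-Options, X-Content-Type-Options: nosniff, and no wildcard Access-Control-Allow-Origin. It takes the output of `curl -sI https://example.com/` (the hostname is a placeholder); the two header blocks at the bottom are constructed samples, not real captures.

```shell
#!/usr/bin/env bash
# Added example, not from the HestiaCP thread or from Hestia's own code.
# Usage: audit_headers "$(curl -sI https://example.com/)"   (hostname is a placeholder)

# audit_headers HEADERS: print one finding per line; return 1 if any, else 0.
audit_headers() {
    local hdrs findings=0 maxage
    # Normalise once: drop CRs and lowercase, so the patterns below stay simple.
    hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]')

    # ServerTokens Prod leaves just "Server: Apache"; a "/" or a digit means
    # a version or OS detail leaked.
    if printf '%s\n' "$hdrs" | grep -Eq '^server:.*[/0-9]'; then
        echo "Server header leaks version/OS (ServerTokens Prod, ServerSignature Off)"
        findings=1
    fi

    # HSTS must be present and max-age must be at least one year (31536000 s),
    # which is also the minimum the preload list accepts.
    maxage=$(printf '%s\n' "$hdrs" \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p')
    if [ -z "$maxage" ]; then
        echo "Strict-Transport-Security missing"
        findings=1
    elif [ "$maxage" -lt 31536000 ]; then
        echo "Strict-Transport-Security max-age=$maxage is below one year"
        findings=1
    fi

    printf '%s\n' "$hdrs" | grep -Eq '^x-frame-options: *(deny|sameorigin)' \
        || { echo "X-Frame-Options missing (expect DENY or SAMEORIGIN)"; findings=1; }
    printf '%s\n' "$hdrs" | grep -Eq '^x-content-type-options: *nosniff' \
        || { echo "X-Content-Type-Options: nosniff missing"; findings=1; }

    # The thread's own conclusion: a wildcard CORS header should not be the default.
    if printf '%s\n' "$hdrs" | grep -Eq '^access-control-allow-origin: *\*'; then
        echo "Access-Control-Allow-Origin: * lets any origin read your responses"
        findings=1
    fi
    return "$findings"
}

# Constructed sample: a stock Ubuntu Apache plus the CORS line the thread removed.
WEAK_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=UTF-8'

# Constructed sample: what the hardened security.conf above should yield.
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

echo "== constructed weak response =="
audit_headers "$WEAK_HEADERS" || true
echo "== constructed hardened response =="
audit_headers "$HARDENED_HEADERS" && echo "no findings"
```

The check reads only response headers, so it verifies the mod_headers and ServerTokens part of the snippet; the SSLProtocol and cipher lines have to be verified with a TLS scanner against the live port, which this script does not do.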
I will probably open a separate issue on Github to track this one, but just wanted to quickly make a note that HestiaCP’s passwd file for mail accounts (used by Dovecot for IMAP/POP auth and Exim4) uses MD5-CRYPT:
PS: The MD5 vs SHA256 issue would only be of concern in case the HestiaCP server gets hacked, because the salted MD5 can be cracked with tools like “john”.
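As an added example (not from the thread or from Hestia's scripts), the script below walks a passwd file in Dovecot's passwd-file layout (`user:{SCHEME}hash:uid:gid:...`) and lists the accounts still on MD5-CRYPT or anything weaker, so an admin can see which mailboxes need rehashing. The exact layout of Hestia's file is an assumption; SAMPLE_PASSWD is constructed and its hashes are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the HestiaCP thread or from Hestia's own code.
# Assumes Dovecot's passwd-file layout: user:{SCHEME}hash:uid:gid:gecos:home:shell:extra

# hash_scheme LINE: name the password scheme of one passwd-file line.
hash_scheme() {
    local field
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        \{*\}*)        printf '%s\n' "$field" | sed 's/^{\([^}]*\)}.*/\1/' ;;  # explicit {SCHEME} tag
        '$1$'*)        echo MD5-CRYPT ;;     # crypt(3) prefix when no tag is present
        '$2'[aby]'$'*) echo BLF-CRYPT ;;
        '$5$'*)        echo SHA256-CRYPT ;;
        '$6$'*)        echo SHA512-CRYPT ;;
        '')            echo EMPTY ;;
        *)             echo UNKNOWN ;;       # e.g. DES crypt or an untagged plaintext
    esac
}

# weak_accounts PASSWD_TEXT: print "user scheme" for every account not on a
# modern scheme (SHA512-CRYPT, SHA256-CRYPT, BLF-CRYPT, ARGON2I, ARGON2ID).
weak_accounts() {
    local line scheme
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        scheme=$(hash_scheme "$line")
        case "$scheme" in
            SHA512-CRYPT|SHA256-CRYPT|BLF-CRYPT|ARGON2I|ARGON2ID) ;;
            *) printf '%s %s\n' "${line%%:*}" "$scheme" ;;
        esac
    done
}

# Constructed sample in Dovecot passwd-file layout; the hashes are placeholders.
SAMPLE_PASSWD='# user:{SCHEME}hash:uid:gid:gecos:home:shell:extra
alice@example.com:{MD5-CRYPT}$1$Qx7PlaCe$hOlDeRhAsHpLaCeHoLdEr1:1000:1000::/home/vmail/alice::
bob@example.com:{SHA512-CRYPT}$6$rounds=5000$PlaCeHoLdEr$pLaCeHoLdErHaShPlAcEhOlDeR:1000:1000::/home/vmail/bob::
carol@example.com:$1$PlAcEhOl$DeRhAsHpLaCeHoLdErHaSh:1000:1000::/home/vmail/carol::
dave@example.com:{PLAIN}hunter2:1000:1000::/home/vmail/dave::'

echo "accounts not on a modern scheme:"
weak_accounts "$SAMPLE_PASSWD"
# To rehash one, Dovecot's own tool makes a stronger hash:  doveadm pw -s SHA512-CRYPT
```

On a real server, feed the file in with `weak_accounts "$(cat /path/to/passwd)"` as root; the hash field itself is never printed, only the account name and scheme.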
Thank you for this useful information. Since I have been trying several configs, I am possibly finding out a few things, and questions are coming up:
What is the difference between
/etc/apache2/conf.d/ip.conf
and
/etc/apache2/apache.conf
I've been trying to change this file
/etc/apache2/conf.d/ip.conf
and created a backup as ip.conf_backup_original.
However, on the first trial the ip.conf did not work, and therefore I ran sudo cp ip.conf_backup_original ip.conf to get back to normal.
Afterwards I noticed the Apache service was not starting; I ran sudo service apache2 status and noticed the server was trying to start with the backup file.
Why did it not pick the correct file name ip.conf? What triggers this sudden change to ip.conf_backup? The solution was to remove the backup file.
It is the settings for that specific IP: in case you have multiple IP addresses, you can run different "settings" on each IP if you want / demand it. Due to the changes in SSL certificates it is no longer required to have an IP address for each certificate (read a few years ago).
Also to allow flexibility for the user, and why not?
In apache2.conf you see
Include conf.d/
IncludeOptional conf.d/domains/*.conf
This means all files are included in the "apache2" config, even ip.with_non_standard extensions or even Random.string.that.could.be.causing.errors.nothing
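As an added example (not from the thread), the script below reproduces on a scratch directory why ip.conf_backup_original got loaded: per the Apache Include documentation, a directory argument (`Include conf.d/`) reads every file in that directory and its subdirectories, while a wildcard (`IncludeOptional conf.d/domains/*.conf`) matches only the named suffix. It also shows a backup routine that keeps the copy outside the include path. The file and directory names are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the HestiaCP thread or from Hestia's own code.
export LC_ALL=C   # byte-order sorting so comm sees both lists the same way

# included_by_dir DIR: what "Include DIR/" reads (recursive, every regular file).
included_by_dir() {
    find "$1" -type f 2>/dev/null | sort
}

# included_by_glob DIR PATTERN: what "Include DIR/PATTERN" reads (one level only).
included_by_glob() {
    find "$1" -maxdepth 1 -type f -name "$2" 2>/dev/null | sort
}

# stray_includes DIR: files the directory form loads that the two wildcard forms
# Hestia uses (DIR/*.conf and DIR/domains/*.conf) would have skipped.
stray_includes() {
    comm -23 <(included_by_dir "$1") \
             <({ included_by_glob "$1" '*.conf'; included_by_glob "$1/domains" '*.conf'; } | sort)
}

# safe_backup FILE BACKUPDIR: keep the copy outside the include path, timestamped,
# so nothing under conf.d/ can pick it up on the next restart.
safe_backup() {
    mkdir -p "$2"
    cp -p "$1" "$2/$(basename "$1").$(date +%Y%m%d%H%M%S)"
}

# make_demo_tree: scratch replica of conf.d/ with the thread's backup file in it.
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/domains"
    : > "$d/ip.conf"
    : > "$d/ip.conf_backup_original"
    : > "$d/domains/example.com.conf"
    : > "$d/domains/example.com.conf.bak"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
echo "== Include $demo/ reads:";          included_by_dir "$demo"
echo "== Include $demo/*.conf reads:";    included_by_glob "$demo" '*.conf'
echo "== stray files only the directory form picks up:"; stray_includes "$demo"
safe_backup "$demo/ip.conf" "$demo.backups"
echo "== strays after a safe backup (unchanged):";       stray_includes "$demo"
rm -rf "$demo" "$demo.backups"
```

Whatever backup scheme is used, run `apachectl configtest` (or `apache2ctl -t`) before restarting, so a stray file in conf.d/ is reported as a parse error rather than as a service that will not start.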
Good clarification. I have to be cautious with backup files. Any advice on this? How would you handle backup files when experimenting with different configs?