
I've recently migrated an existing Apache2 webserver config from a "traditional" Debian-based Linux machine to an AWS EKS environment using the hub.docker Httpd Docker official image instead.

The primary behaviour of this server is to act as a reverse proxy for several backend HTTP and HTTPS sites, with AWS handling the public-facing HTTPS (inc SSL cert) for the frontend in CloudFront. The internal AWS traffic inbound to the server uses HTTP. The previous config, on Debian, directly handled HTTPS for both inbound and backend traffic in Apache.

I've tried to remove the redundant modules and config from the server, but I'm not sure what parts of the SSL config should be kept. The SSL module is required for the HTTPS backend, but the default .conf file provided in the Docker image includes config for both frontend and backend usage.

My primary concern is whether I should retain the "SSLSessionCache" directive - is this only a benefit from incoming HTTPS, or is it used by the backend HTTPS as well? The Apache documentation describes this as:

This configures the storage type of the global/inter-process SSL Session Cache. This cache is an optional facility which speeds up parallel request processing. For requests to the same server process (via HTTP keep-alive), OpenSSL already caches the SSL session information locally. But because modern clients request inlined images and other data via parallel requests (usually up to four parallel requests are common) those requests are served by different pre-forked server processes. Here an inter-process cache helps to avoid unnecessary session handshakes.

shmcb:/path/to/datafile[(size)]

This makes use of a high-performance cyclic buffer (approx. size bytes in size) inside a shared memory segment in RAM (established via /path/to/datafile) to synchronize the local OpenSSL memory caches of the server processes. This is the recommended session cache. To use this, ensure that mod_socache_shmcb is loaded.

Similar question for "SSLRandomSeed" and "SSLCryptoDevice"?

The two similar config files, for the "ssl" hub.docker default, and the actual deployed server, are below:

Default "httpd-ssl.conf" in Docker image config

Listen 443

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

SSLHonorCipherOrder on 

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>

    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName www.example.com:443
    ServerAdmin [email protected]
    ErrorLog /proc/self/fd/2
    TransferLog /proc/self/fd/1

    SSLEngine on

    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache2/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    CustomLog /proc/self/fd/1 \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Deployed server's "site.conf" included by the main "httpd.conf" file

ServerName example.com:80

## SSLSessionCache         shmcb:/run/httpd/sslcache(512000) - Debian config original
SSLSessionCache         shmcb:/usr/local/apache2/logs/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

SSLHonorCipherOrder on
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

SSLProxyEngine on

SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

## Error pages    
Alias /error/ "/usr/local/apache2/error/"
<Directory "/usr/local/apache2/error">
    AllowOverride None
    Options IncludesNoExec
    Require all granted
</Directory>

ErrorDocument 401 /error/401_unauthorised.html
ErrorDocument 404 /error/404_notfound.html
ErrorDocument 403 /error/403_forbidden.html
ErrorDocument 410 /error/410_gone.html
ErrorDocument 502 /error/502_proxy_bad-gateway.html
ErrorDocument 503 /error/503_proxy_service-unavailable.html
ErrorDocument 504 /error/504_proxy_gateway-timeout.html

ProxyErrorOverride On

## Proxy sections
# exclude local system files from Proxy rules
ProxyPass "/robots.txt"         !
ProxyPass "/sitemap.txt"        !
ProxyPass "/favicon.ico"        !
ProxyPassMatch "^/error/.*$"    !

## blog CMS
ProxyPass        "/blog" https://blog.backend/blog
ProxyPassReverse "/blog" https://blog.backend/blog

<Proxy "balancer://business">
    BalancerMember http://business.backend  hcmethod=HEAD11 hcinterval=5 hcuri=/
    BalancerMember https://static.backend   status=+H
</Proxy>
ProxyPass        "/" "balancer://business/"
ProxyPassReverse "/" "balancer://business/"

I've edited both configs for length and to remove irrelevant code/identifying details (some rewrite/redirect behaviour, ip restrictions, etc).

The current config does work as deployed, but a recent error related to the HTTPS backend has triggered a review of these specific details. It's possible the SSL cache was at fault.

Thanks for your time and input

Comment: You're more likely to receive an answer to this on Server Fault. (Commented Oct 4 at 9:59)
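As an added example (not part of the question or of the httpd image's own config), the fragment below isolates the directives that actually govern httpd's outbound HTTPS connections in a deployment like the one described: CloudFront terminates inbound TLS and reaches the pod over plain HTTP, so the section contains no Listen 443, no SSLEngine on and no server certificate, only the SSLProxy* family. It also turns backend certificate verification on; the posted site.conf sets SSLProxyCheckPeerName and SSLProxyCheckPeerExpire to off, which accepts whatever certificate a backend presents, including an expired one or one issued for a different name. The CA bundle path backend-ca.pem is an assumption.

```apache
# Added example, not the question's config: backend-only TLS for a
# reverse proxy whose inbound side is plain HTTP (TLS ends at CloudFront).
# Every TLS directive here is SSLProxy*, i.e. it applies to the
# connections httpd itself opens to https:// backends.
#
# Assumed path: /usr/local/apache2/conf/backend-ca.pem is a hypothetical
# PEM bundle containing the CA(s) that issued the backend certificates.

ServerName example.com:80

# Outbound TLS policy for backend connections
SSLProxyEngine on
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES

# Verify the backend's certificate chain, then its hostname and validity.
# "require" makes a failed verification return 502 to the client instead
# of silently proxying to an unverified peer.
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCACertificateFile "/usr/local/apache2/conf/backend-ca.pem"
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# Backends exactly as in the question; verification above applies to the
# https:// entries (the blog proxy and the hot-standby balancer member).
ProxyPass        "/blog" https://blog.backend/blog
ProxyPassReverse "/blog" https://blog.backend/blog

<Proxy "balancer://business">
    BalancerMember http://business.backend  hcmethod=HEAD11 hcinterval=5 hcuri=/
    BalancerMember https://static.backend   status=+H
</Proxy>
ProxyPass        "/" "balancer://business/"
ProxyPassReverse "/" "balancer://business/"
```

Before reloading, run `httpd -t` in the container to syntax-check the merged config and `httpd -M` to confirm that ssl_module, proxy_module, proxy_http_module and (for the hcmethod option) proxy_hcheck_module are loaded from the main httpd.conf; the fragment deliberately contains no LoadModule lines. If the SSLSessionCache shmcb line from the posted site.conf is kept, the Apache documentation quoted in the question notes that mod_socache_shmcb must be loaded as well, so that module should appear in the same `httpd -M` listing.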
