Qapache 2.4.27.7110 is on the way...
source patched already for the latest CVE and built...
waiting for php release
2.4.27.7110 - 27 sept 2017
-------------------------
Fix Apache CVE-2017-9798
Fix Apache PR61382 issue
update php core to 7.1.10
User apache
Group everyone
ServerSignature Off
ServerTokens Prod
<Directory "/share/htdocs">
AllowOverride none
Require all denied
</Directory>
<Directory "/share/htdocs/Apache">
AllowOverride none
Require all denied
</Directory>
<Directory "/share/htdocs/cgi-bin">
AllowOverride none
Require all denied
</Directory>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLProxyCipherSuite HIGH:!aNULL:!MD5
<VirtualHost _default_:448>
[...]
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
On the other hand... :? I need to find a solution, I don't much like an Apache running as root. Has anyone already sorted this out?
QoolBox said: On the other hand... :? I need to find a solution, I don't much like an Apache running as root. Has anyone already sorted this out?
Change the user in httpd.conf, that should work, but in my opinion you will then need to do a chown on htdocs afterwards.
Mikiya said: Well, about my problem with changing the user... I couldn't say why, but I reinstalled Nextcloud from scratch under Apache with a restricted user and now it works (only the e-mails fail), so that will do! I'll update my summary of changes just before, for the changes: https://www.forum-nas.fr/viewtopic.php?f=21&t=1677&p=54241#p54241
/opt/qapache/etc
/opt/apache/etc/ssl
Toxic said: I'll give you an example if that's OK...
So in /share/CACHEDEV1_DATA/.qpkg/Qapache/etc you have the main Apache configuration file:
httpd.conf
Most settings are based in there. Stephane's setup is based on HTTP on port 88 and HTTPS on 448. Set up your firewall to accept port 80 and forward it to NAS IP:88, and if you're using HTTPS, open port 443 and forward it to NAS IP:448.
I have two domains set up on my NAS, so we need to set up Virtual Hosts. This file, along with the rest of the configuration files, is in
httpd.conf, and we need to add the httpd-vhosts.conf file to the config. In httpd.conf there is a line:
# Virtual hosts
# Include etc/extra/httpd-vhosts.conf
just uncomment the Include line like so:
# Virtual hosts
Include etc/extra/httpd-vhosts.conf
Each Virtual host can have its own settings based on what you want. httpd.conf is the default setting, but these can be overwritten by entries in httpd-vhosts.conf
Code:
# Virtual Hosts
#
# Required modules: mod_log_config
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:88>
    ServerAdmin site1@email.com
    DocumentRoot "/share/CACHEDEV1_DATA/htdocs/wordpress"
    ServerName site1.org.uk
    ServerAlias www.site1.org.uk
    ErrorLog "/opt/Qapache/var/logs/site1-error_log"
    CustomLog "/opt/Qapache/var/logs/site1-access_log" combined env=!dontlog
</VirtualHost>

<VirtualHost *:88>
    ServerAdmin site2@email.com
    DocumentRoot "/share/CACHEDEV1_DATA/htdocs/weather"
    ServerName site2.org
    ServerAlias www.site2.org
    ErrorLog "var/logs/site2-error_log"
    CustomLog "var/logs/site2-access_log" combined env=!dontlog
</VirtualHost>

<VirtualHost *:88>
    ServerAdmin site3@email.com
    DocumentRoot "/share/CACHEDEV1_DATA/htdocs/zenphoto"
    ServerName zenphoto.site1.org.uk
    ServerAlias zenphoto.site1.org.uk
    ErrorLog "/opt/Qapache/var/logs/zenphoto-error_log"
    CustomLog "/opt/Qapache/var/logs/zenphoto-access_log" combined env=!dontlog
</VirtualHost>

#
# SSL Configuration and stuff
#
Listen 448

<VirtualHost *:448>
    ServerAdmin site1@gmail.com
    DocumentRoot "/share/CACHEDEV1_DATA/htdocs/wordpress"
    ServerName site1.org.uk
    ServerAlias www.site1.org.uk
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/site1/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/privatedm.key
    SSLCertificateChainFile /etc/ssl/certs/site1/ca_bundle.crt
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    ErrorLog "/opt/Qapache/var/logs/site1-error_443_log"
    CustomLog "/opt/Qapache/var/logs/site1-access_443_log" combined env=!dontlog
</VirtualHost>

<VirtualHost *:448>
    ServerAdmin site2@email.com
    DocumentRoot "/share/CACHEDEV1_DATA/htdocs/site2"
    ServerName site2.org
    ServerAlias www.site2.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/site2/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/privatesite2.key
    SSLCertificateChainFile /etc/ssl/certs/site2/ca_bundle.crt
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    ErrorLog "var/logs/site2-error_443_log"
    CustomLog "var/logs/site2-access_443_log" combined env=!dontlog
</VirtualHost>
My SSLCipherSuite is taken from a recommended cipher list to disable anything other than TLS 1.2 (recommended).
SSL v1, v2, v3 and TLS 1.0 are vulnerable. TLS 1.1 has not yet proven insecure (I don't think).
Once you are up and running, check your website:
https://www.ssllabs.com/ssltest/
Also for speed and optimisation use:
https://gtmetrix.com/
Hope that's OK. I tried the Let's Encrypt import on QTS 4.3.2 but it just never works, so I went to https://www.sslforfree.com/ and used their manual certs, which use Let's Encrypt and allow you to download the certs etc. This is a manual process where you have to renew the cert every 90 days. They will email you a week before it is due to run out, but I am sure you can set a calendar event to remind you too.
Give me a shout if you need anything else explained, but the info above should help loads.
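As an added example (not code from this thread or from the Qapache package), here is a small Python lint for the httpd-vhosts.conf layout described above and the SSLProtocol line shown earlier in the thread: it parses each <VirtualHost> block and, for the ones on the HTTPS port 448, checks that SSLEngine is on, that a certificate and key file are set, and that SSLProtocol does not leave SSLv3, TLSv1 or TLSv1.1 enabled. The embedded sample config, hostnames and paths are constructed placeholders, and the function names are my own.

```python
import re
# Constructed sample in the shape of the httpd-vhosts.conf posted above (placeholder names/paths).
SAMPLE_VHOSTS = """
<VirtualHost *:448>
    ServerName site1.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/site1/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/site1.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
<VirtualHost *:448>
    ServerName site2.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/site2/certificate.crt
    SSLProtocol all -SSLv3
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Return [(address, {directive_lower: value})] for each <VirtualHost> block."""
    hosts = []
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name.lower()] = value.strip().strip('"')
        hosts.append((addr.strip(), directives))
    return hosts

def lint_tls_vhost(addr, d, https_port="448"):
    """Findings for an HTTPS-port vhost: SSLEngine on, cert/key set, legacy protocols off."""
    if not addr.endswith(":" + https_port):
        return []  # plain-HTTP vhost (port 88 in this setup): nothing to check here
    findings = []
    if d.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    for key in ("sslcertificatefile", "sslcertificatekeyfile"):
        if key not in d:
            findings.append("missing " + key)
    proto = d.get("sslprotocol")
    if proto is None:
        findings.append("no SSLProtocol here: inherits the global one, check it")
    elif "all" in proto.split():
        for old in ("SSLv3", "TLSv1", "TLSv1.1"):
            if "-" + old not in proto.split():
                findings.append("SSLProtocol still allows " + old)
    return findings
```

Run it over your real file with `for addr, d in parse_vhosts(open(path).read()): print(addr, lint_tls_vhost(addr, d))`; a vhost with no SSLProtocol of its own inherits the global `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` from httpd.conf, which is why the lint only flags it for a manual check.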