SSL:
/etc/apache2/mods-enabled/ssl.conf
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!ADH
Squid
When SSL terminates at a Squid reverse proxy, instead make changes to the squid.conf likeso:
https_port 443 vhost cert=whatever.ssl key=whatever.key cafile=whatever.cer defaultsite=<a href="http://www.examplecom">www.examplecom</a> cipher=DEFAULT:!EXPORT:!LOW options=NO_SSLv2
Other Squid changes:
# PCI Verizon scan results
reply_header_access X-Cache-Lookup deny all
reply_header_access X-Cache deny all
reply_header_access All allow all
via off
httpd_suppress_version_string on
PHP:
/etc/php5/apache2/php.ini
This gets rid of those horrible mountains of 'safe_mode' vulnerabilities reported to exist in versions of PHP 5.2.8 or lower, because it hides the version number. Hiding information like this that is sent back in HTTP headers is a good idea and also something else that the scan complains about.
Kind of a dodgy fix, obviously in a better world we'd be upgrading to newer version of PHP but maybe that isn't an option for whatever reason.
Don't leave any pages that call phpinfo() without checking the requestor's IP too:
if( $_SERVER['REMOTE_ADDR'] == '1.2.3.4' )
{
phpinfo();
}
Apache:
/etc/apache2/apache2.conf
ServerTokens Prod
(hides apache/php/ssl versions in the footer of pages, i.e when you hit a 404, probably headers too)
In any vhost, including the 000-default, prevent TRACE with mod_rewrite
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
The TRACE method is an HTTP command used for debugging purposes. A client sending the TRACE command to a web server will receive an echo of the entire request, including HTTP headers. It is possible for a malicious user to obtain sensitive information from the headers, such as cookies or authentication data.
