Advanced Apache hints

Owned by Christoph Lechleitner
Last updated: 2015-07-04
1 min read

SuPhp claiming about directory ownership of /var/www, /srv/www

To allow recent SuPhp versions keep on working, the directories above the DocumentRoot (i.e. /var, /var/www, /var/www/htdocs) must belong to either to the SuExec user of the VirtualHost or to root. If they belong to i.e. the Apache user (www-data on Debians), SuPhp claims about bad directory ownership.

VirtualHost matching

To check if Apache understands the VirtualHosts as expected:

apache2ctl -t -D DUMP_VHOSTS

Using long non-standard DH groups

This needs Apache 2.4.8 and OpenSSL 1.0.2.

To help fix CVE-2015-4000 or at least reduce the risk:

openssl dhparam -out dhparams.pem 2048
 
# either ...
$EDITOR /etc/apache2/mods-available/ssl.conf
# Long non-trivial DH group against CVE-2015-4000"
SSLOpenSSLConfCmd DHParameters dhparams.pem
 
# ... or ...
cat dhparams.pem >>www.foobar.com.crt
 
apache2ctl configtest && apache2ctl graceful

To test this, from a client machin with OpenSSL 1.0.2 higher (from openssl.org blog logjam-freak-upcoming-changes):

# OpenSSL 1.0.2+
openssl s_client -connect www.clazzes.org:443 -cipher "EDH" | grep "Server Temp Key"