Issue
I'm slowly learning more about Apache HTTPD server, but I'm still mostly a newbie.
Recently, I've been working on tightening up security, by adding headers to a VirtualHost. But, if I have an httpd.conf with (say) 10 VirtualHost definitions, is it necessary to add the same header(s) to all 10 VirtualHost definitions?
Is it possible to have a section of httpd.conf (or a separate .conf file) that will be included in all VirtualHost definitions, without having to individually add the header to each VirtualHost definition?
So, is it possible, instead of doing:
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName www.myorg.com
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName www2.myorg.com
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName www.myorg.com
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
SSLCertificateChainFile /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt
</VirtualHost>
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName www2.myorg.com
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
SSLCertificateChainFile /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt
</VirtualHost>
Is it possible to define a section of httpd.conf (or an include file of httpd.conf), where I can put these headers and other directives once and have them apply to all VirtualHost definitions?
Something like: specific section of httpd.conf:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
And then when I define a VirtualHost, I just do:
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName www.myorg.com
</VirtualHost>
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName www.myorg.com
</VirtualHost>
This way, I can define (and, in the future, change) my security related directives in one place, and not have to make adjustments in 5 or 10 or 20 or more places?
Possible?
Solution
There are a couple options.
Option 1: configuration in the global context (outside any VirtualHost) applies to them all. See https://serverfault.com/questions/834349/does-apache2-have-a-way-of-setting-global-vhosts
Option 2: mod_macro. You can configure macros to simplify the multi-configuration. See https://httpd.apache.org/docs/2.4/en/mod/mod_macro.html
Option 3: dynamic mass VirtualHost configurations. Here you use wildcards. See https://httpd.apache.org/docs/2.4/en/vhosts/mass.html
Answered By - Nic3500
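Options 1 and 2 from the answer above combined into one configuration, as an added example that is not part of the original question or answer. It assumes mod_ssl, mod_headers and mod_macro are loaded; the macro name MyOrgSite and the ServerAdmin address are placeholders, and the certificate paths are the ones from the question.

```apache
# Added example, not from the original post.
# Assumes mod_ssl, mod_headers and mod_macro are loaded and that
# Listen 80 / Listen 443 are already configured elsewhere.

# --- Option 1: global context (outside any <VirtualHost>) ---
# These directives are inherited by every VirtualHost defined below.
# "-SSLv2" is left out: httpd 2.4 no longer supports SSLv2 at all.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

# Browsers ignore HSTS received over plain HTTP, so emit it only on TLS
# requests. The trailing expr= condition needs httpd 2.4.10 or later.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"

# --- Option 2: mod_macro for the per-site boilerplate ---
# "MyOrgSite" is a hypothetical macro name; $host is its only parameter.
<Macro MyOrgSite $host>
    <VirtualHost *:80>
        # Placeholder address: the original is obscured on the page.
        ServerAdmin webmaster@example.invalid
        ServerName $host
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin webmaster@example.invalid
        ServerName $host
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
        SSLCertificateKeyFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
        SSLCertificateChainFile /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt
    </VirtualHost>
</Macro>

# One line per site; each expands to both VirtualHost blocks above.
Use MyOrgSite www.myorg.com
Use MyOrgSite www2.myorg.com

# Drop the macro definition once it is no longer needed.
UndefMacro MyOrgSite
```

Running `httpd -t` checks the syntax after a change, and `httpd -S` lists the VirtualHosts the macro expanded to.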