Using Apache Haus in production environments

Started by carlosdb, April 26, 2021, 12:20:53 PM


carlosdb

Hello community!!

This is my very first post on this forum. I came across this site to figure out what the best option is for a personal project I'm running. My question is whether I can use Apache Haus for an application that is running in production, and whether it comes with enough security configuration applied in order to run my site safely.

I have explored the possibility of using IIS, but I read about performance issues, so it would be nice to know a bit more about your preference for using Apache Haus rather than IIS.

I'm new to this world, so any help will be much appreciated.  :D

Many thanks!

mario

Yes you can use it in production. A lot of people do that, including me.

I only tweak the SSL config and some security headers.

# HSTS: returning clients use HTTPS only for the max-age period
Header always set Strict-Transport-Security "max-age=15553000; preload"

# OCSP stapling plus session/stapling caches (Windows paths)
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData

# TLS 1.2 and 1.3 only, no TLS compression, server picks the cipher
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On

# Separate cipher lists for TLS 1.2 (the "SSL" form) and TLS 1.3
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

# Curves offered for ECDHE key exchange
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1

# Accept HTTP/2 connections directly (no upgrade dance)
H2Direct On

# Restrict signature algorithms to SHA-256/SHA-512 variants
SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256

<IfModule mod_headers.c>
    # Clickjacking protection: only same-origin pages may frame this site
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy XSS filter header; modern browsers ignore it
    Header always set X-XSS-Protection "1; mode=block"
    # Expect-CT is deprecated now that CT is enforced by default
    Header always set Expect-CT "max-age=86400, enforce"
    # Feature-Policy has been superseded by Permissions-Policy
    Header always set Feature-Policy "geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'"
    # CSP: 'unsafe-inline' and 'unsafe-eval' in script-src weaken XSS protection
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' data:; font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    # CORS wildcard: any origin may read responses; fine only for public resources
    Header always set Access-Control-Allow-Origin "*"
    # Stop browsers from MIME-sniffing responses
    Header always set X-Content-Type-Options nosniff
</IfModule>
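A small audit of the response headers this kind of config produces, added here as an example; it is not part of mario's post or the Apache Haus distribution. The header set is constructed from the values in the config above rather than captured from a live server, and the preload check reflects the hstspreload.org submission rules (max-age of at least one year plus includeSubDomains).

```python
"""Audit HTTP response headers against the hardening shown in the post above."""
import re
# Constructed sample: the headers a server using the posted config would send.
# The values are taken from the config above, not captured from a live host.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=15553000; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' data:; "
                               "script-src 'self' 'unsafe-inline' 'unsafe-eval';",
    "Access-Control-Allow-Origin": "*",
}

def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("HSTS missing or without max-age")
    elif "preload" in hsts and (int(age.group(1)) < 31536000
                                or "includesubdomains" not in hsts.lower()):
        # hstspreload.org requires max-age >= 1 year plus includeSubDomains
        findings.append("HSTS preload token set but preload requirements not met")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        scripts = csp_directive(csp, "script-src")
        if scripts is None:  # script-src inherits default-src when absent
            scripts = csp_directive(csp, "default-src") or []
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in scripts:
                findings.append(f"CSP allows {weak} for scripts, weakening XSS protection")
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin * lets any origin read responses")
    return findings
```

Feed it the headers from a real response (for example the dict from `requests.get(url).headers`) to see which of the posted settings are actually reaching the browser and which ones still deserve tightening.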