linux, security, webserver,

Apache2 optimizations

agowa338 agowa338 Dec 22, 2015 · 3 mins read
Share this

To gain a faster page loading, you can enable the client side caching. That means that the browser of the connecting clients is storing the contents of your page until it expires.
Therefore you have to add the following under your virtual host entry (right before </VirtualHost>)

    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault "access plus 10 seconds"
        ExpiresByType text/html "access plus 60 seconds"
        ExpiresByType image/gif "access plus 120 minutes"
        ExpiresByType image/jpeg "access plus 120 minutes"
        ExpiresByType image/png "access plus 120 minutes"
        ExpiresByType text/css "access plus 60 minutes"
        ExpiresByType text/javascript "access plus 60 minutes"
        ExpiresByType application/javascript "access plus 60 minutes"
        ExpiresByType application/x-javascript "access plus 60 minutes"
        ExpiresByType text/xml "access plus 60 minutes"

After that run the following as root:

cd /etc/apache2/mods-enabled
ln -s ../mods-available/expires.load expires.load
ln -s ../mods-available/headers.load headers.load
service apache2 restart

Also if you want to redirect all http traffic to https you should use HTTP Response code 301 instead of 302. This is something that is nearly everywhere you look for http to https redirects missing ("R=301").
To accomplish this you simply have to replace "<VirtualHost *>" at the beginning of your website configuration file (replace server names ;-) ) with:

    # Redirect http://(www.)* to*
    RewriteEngine On
    RewriteCond %{HTTP_HOST}   ^(?:.*)example\.org$ [NC]
    RewriteCond %{SERVER_PORT}   !^443$
    RewriteRule  (.*)$1   [R=301,L]

Also you should use the ServerName attribute and avoid using "" for convenience and later usage.

Configuring https is as simple. First you have to get your certificate use startssl or lets encrypt.
After you have managed to get your certificate for (; don't miss typing the www subdomain ;-) ) place the files in the following directory:

  • The Private key: /etc/ssl/private/
  • The Certificate File: /etc/ssl/certs/
The Intermediate Certificates File (e.g. lets encrypt or
  • /etc/ssl/certs/letsencryptauthorityx1.pem
  • /etc/ssl/certs/

After the files are there you have to add some text to your VirtualHost configuration section

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/
    SSLCertificateKeyFile /etc/ssl/private/
    SSLCertificateChainFile /etc/ssl/certs/
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # Replace Certificate Hashes below
    Header always add Public-Key-Pins "pin-sha256=\"Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=\"; pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\"; max-age=2592000; includeSubdomains"
    Header always add Strict-Transport-Security "max-age=15768000"
    Header always add Content-Security-Policy "default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';font-src 'self' data:;img-src 'self' data:"
    Header always add X-Content-Type-Options "nosniff"
    Header always add X-Frame-Options "sameorigin"
    Header always add X-XSS-Protection "1;mode=block"

As soon as WordPress stops using inline scripts, inline styles, fonts as "data:" urls and also images as "data:" urls, the line:

Header always add Content-Security-Policy "default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';font-src 'self' data:;img-src 'self' data:"
can be changed to the more secure
Header always add Content-Security-Policy "default-src 'self';frame-ancestors 'self'"

Written by agowa338