I've recently migrated an existing Apache2 webserver config from a "traditional" Debian-based linux machine to an AWS EKS environment using the hub.docker Httpd Docker official image instead.
The primary behaviour of this server is to act as a reverse proxy for several backend HTTP and HTTPS sites, with AWS handling the public-facing HTTPS (inc SSL cert) for the frontend in CloudFront. The internal AWS traffic inbound to the server uses HTTP. The previous config, on Debian, directly handled HTTPS for both inbound and backend traffic in Apache.
I've tried to remove the redundant modules and config from the server, but I'm not sure what parts of the SSL config should be kept. The SSL module is required for the HTTPS backend, but the default .conf file provided in the Docker image includes config for both frontend and backend usage.
My primary concern is whether I should retain the "SSLSessionCache" directive - is this only a benefit from incoming HTTPS, or is it used by the backend HTTPS as well? The Apache documentation describes this as:
This configures the storage type of the global/inter-process SSL Session Cache. This cache is an optional facility which speeds up parallel request processing. For requests to the same server process (via HTTP keep-alive), OpenSSL already caches the SSL session information locally. But because modern clients request inlined images and other data via parallel requests (usually up to four parallel requests are common) those requests are served by different pre-forked server processes. Here an inter-process cache helps to avoid unnecessary session handshakes.
shmcb:/path/to/datafile[(size)]
This makes use of a high-performance cyclic buffer (approx. size bytes in size) inside a shared memory segment in RAM (established via /path/to/datafile) to synchronize the local OpenSSL memory caches of the server processes. This is the recommended session cache. To use this, ensure that mod_socache_shmcb is loaded.
Similar question for "SSLRandomSeed" and "SSLCryptoDevice" - do I need to include these for https backends?
The two similar config files, for the "ssl" hub.docker default, and the actual deployed server, are below:
Default "httpd-ssl.conf" in Docker image config
Listen 443 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLHonorCipherOrder on SSLProtocol all -SSLv3 SSLProxyProtocol all -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 <VirtualHost _default_:443> DocumentRoot "/usr/local/apache2/htdocs" ServerName www.example.com:443 ServerAdmin [email protected] ErrorLog /proc/self/fd/2 TransferLog /proc/self/fd/1 SSLEngine on SSLCertificateFile "/usr/local/apache2/conf/server.crt" SSLCertificateKeyFile "/usr/local/apache2/conf/server.key" <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/usr/local/apache2/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog /proc/self/fd/1 \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> Deployed server's "site.conf" included by the main "httpd.conf" file
ServerName example.com:80 ## SSLSessionCache shmcb:/run/httpd/sslcache(512000) - Debian config original SSLSessionCache shmcb:/usr/local/apache2/logs/ssl_scache(512000) SSLSessionCacheTimeout 300 SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin SSLHonorCipherOrder on SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLProxyEngine on SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off ## Error pages Alias /error/ "/usr/local/apache2/error/" <Directory "/usr/local/apache2/error"> AllowOverride None Options IncludesNoExec Require all granted </Directory> ErrorDocument 401 /error/401_unauthorised.html ErrorDocument 404 /error/404_notfound.html ErrorDocument 403 /error/403_forbidden.html ErrorDocument 410 /error/410_gone.html ErrorDocument 502 /error/502_proxy_bad-gateway.html ErrorDocument 503 /error/503_proxy_service-unavailable.html ErrorDocument 504 /error/504_proxy_gateway-timeout.html ProxyErrorOverride On ## Proxy sections # exclude local system files from Proxy rules ProxyPass "/robots.txt" ! ProxyPass "/sitemap.txt" ! ProxyPass "/favicon.ico" ! ProxyPassMatch "^/error/.*$" ! ## blog CMS ProxyPass "/blog" https://blog.backend/blog ProxyPassReverse "/blog" https://blog.backend/blog <Proxy "balancer://business"> BalancerMember http://business.backend hcmethod=HEAD11 hcinterval=5 hcuri=/ BalancerMember https://static.backend status=+H </Proxy> ProxyPass "/" "balancer://business/" ProxyPassReverse "/" "balancer://business/" I've edited both configs for length and to remove irrelevant code/identifying details (some rewrite/redirect behaviour, ip restrictions, etc).
The current config does work as deployed, but a recent error related to the https backend has triggered a review of these specific details; It's possible the SSL cache was at fault.
Thanks for your time and input
