
A Practical Guide to Securing Apache with TLS/SSL on RHEL 9 & CentOS 9
In today’s digital landscape, securing web traffic is no longer optional—it’s an absolute necessity. Encrypting data in transit with TLS (Transport Layer Security) protects user privacy, builds trust, and is a critical factor for search engine rankings. For administrators running Apache on Red Hat Enterprise Linux (RHEL) 9 or CentOS Stream 9, implementing a strong TLS configuration is a fundamental step in hardening your web server.
This guide provides a clear, step-by-step process for configuring secure TLS protocols and ciphers in Apache, moving beyond the default settings to establish a robust and modern security posture.
Prerequisites
Before you begin, ensure you have the following in place:
- A server running RHEL 9 or CentOS Stream 9.
- Root or sudo privileges.
- The Apache web server (httpd) installed and running.
- A valid SSL/TLS certificate for your domain. You can obtain one from a commercial Certificate Authority (CA) or use a free one from Let’s Encrypt.
Step 1: Install mod_ssl
The mod_ssl module is essential for enabling TLS/SSL support in Apache. If it’s not already installed, you can add it with a single command.
sudo dnf install mod_ssl
This command installs the module and creates a default SSL configuration file, which we will modify to improve security. On RHEL 9 that default file points at a self-signed certificate for localhost (generated automatically the first time httpd starts), so the server answers on port 443 right away, but browsers will not trust it until you install your own certificate in Step 3.
Step 2: Locate and Prepare the SSL Configuration File
The primary configuration file for TLS/SSL settings in Apache on RHEL-based systems is located at /etc/httpd/conf.d/ssl.conf. This is the file you will be editing.
Before making any changes, it’s always a wise practice to create a backup.
sudo cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
Now, open the file in your preferred text editor, such as vi or nano:
sudo nano /etc/httpd/conf.d/ssl.conf
Step 3: Configure Your SSL Certificate
Inside the ssl.conf file, you need to point Apache to your certificate and private key files. Find the following directives and update their paths to match the location of your certificate files (on RHEL 9 the conventional locations are /etc/pki/tls/certs for certificates and /etc/pki/tls/private for keys).
- SSLCertificateFile: your domain certificate. Since Apache 2.4.8 this file may also carry the CA’s intermediate certificates, appended after your own certificate, and that single-file layout is the preferred one on RHEL 9.
- SSLCertificateKeyFile: the private key that matches the certificate. If the two do not match, httpd refuses to start and logs an error.
- SSLCertificateChainFile: the intermediate certificates from your CA, which browsers need to build a trust path from your certificate to a root they already trust. This directive is deprecated in favor of appending the chain to SSLCertificateFile, although it is still honored. Do not substitute SSLCACertificateFile here: that directive names the CAs trusted for client certificate authentication (SSLVerifyClient) and has no effect on the chain sent to browsers.
Your configuration should look similar to this:
SSLCertificateFile /path/to/your/domain_name.crt
SSLCertificateKeyFile /path/to/your/private.key
SSLCertificateChainFile /path/to/your/intermediate.crt
Security Tip: Ensure your private key file (private.key) is owned by root and has restrictive permissions, so that only root can read it (chmod 600 /path/to/your/private.key). httpd reads the key as root during startup before handing work to the apache user, so the apache user needs no access to it. SELinux is enforcing on RHEL 9: keep the key under /etc/pki/tls/private, which already carries the cert_t label httpd is allowed to read. If you store it elsewhere, httpd can fail to start with a permission error even though the file mode looks correct; label the directory with semanage fcontext and restorecon (or move the key) rather than disabling SELinux.
Step 4: Harden TLS Protocols and Cipher Suites
This is the most critical step for enhancing security. The default Apache configuration may allow older, vulnerable protocols and ciphers. We will explicitly disable them.
One RHEL 9 specific: the stock ssl.conf ships with SSLProtocol commented out and SSLCipherSuite PROFILE=SYSTEM, which hands protocol and cipher selection to the system-wide crypto policy (update-crypto-policies). The DEFAULT policy on RHEL 9 already refuses TLS 1.0 and 1.1, but it still offers some CBC cipher suites, and an administrator can switch the whole host to LEGACY at any time. Setting the directives explicitly, as below, makes httpd’s behavior independent of that policy (for httpd only; other services keep following it), which is what you want for an internet-facing server.
1. Set Secure Protocols
Locate the SSLProtocol directive. The default setting is often too permissive. You should disable all older protocols like SSLv3, TLSv1.0, and TLSv1.1, which have known vulnerabilities.
Modify the line to allow only TLSv1.2 and TLSv1.3:
# Before
# SSLProtocol all -SSLv3
# After (Recommended)
SSLProtocol -all +TLSv1.2 +TLSv1.3
This configuration explicitly disables everything first (-all) and then enables only the two most secure and modern protocols.
2. Configure Strong Cipher Suites
Next, find the SSLCipherSuite directive. This defines the encryption algorithms the server will offer to clients. A cipher list that still includes static RSA key exchange exposes all past traffic to decryption if the private key ever leaks, and CBC-mode suites have been the root of a series of padding-oracle attacks.
For a modern, secure setup that prioritizes Perfect Forward Secrecy (PFS), replace the existing SSLCipherSuite line with a recommended set of strong ciphers. Every suite below uses an ephemeral key exchange (ECDHE or DHE) and an AEAD cipher (AES-GCM or ChaCha20-Poly1305). The ECDSA variants are only used if your certificate is an ECDSA certificate; with an RSA certificate the *-RSA-* entries are the ones that matter.
Here is a robust configuration for TLSv1.2:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Note: TLSv1.3 has its own set of cipher suites, all of them AEAD with forward secrecy, and they are not selected by this directive. Apache 2.4.36 and later (which includes the httpd shipped with RHEL 9) lets you restrict them with a separate SSLCipherSuite TLSv1.3 line, but the defaults are already strong and there is normally no reason to touch them; the SSLCipherSuite line above therefore affects TLSv1.2 connections only.
You should also decide who chooses among the offered suites. SSLHonorCipherOrder on makes the server’s order win over the client’s preference:
SSLHonorCipherOrder on
With a list made entirely of forward-secret AEAD suites, as above, there is no weak option left for a client to pick, which is why Mozilla’s current intermediate profile leaves this off and lets clients on hardware without AES acceleration (many phones) choose ChaCha20-Poly1305. Keep it on if you want deterministic suite selection for auditing; either setting is safe with this list.
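Before restarting httpd, it is worth asking the same OpenSSL library mod_ssl uses what this string actually expands to, and whether every resulting suite meets the forward-secrecy and AEAD bar set above. The script below is an added example for this article, not code from the original page or from the Apache project; it uses only Python’s standard-library ssl module, and the PERMISSIVE string is a constructed comparison value, not something the article recommends. Run it on the RHEL 9 host itself so the expansion reflects that OpenSSL build and its crypto-policy.

```python
"""Offline audit of an Apache SSLCipherSuite string with the ssl module.

Added example, not the article's or Apache's own code. The expansion is
performed by the local OpenSSL library, the same library mod_ssl links
against, so the result reflects this host's build and crypto-policy.
"""
import ssl

# The hardened cipher string from Step 4.
HARDENED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
# Constructed comparison value: a "strong-looking" string of the kind older
# guides recommended. It still admits static-RSA and CBC suites.
PERMISSIVE = "HIGH:!aNULL:!MD5"

# OpenSSL's names for the key-exchange and authentication types we accept:
# ephemeral (EC)DH for forward secrecy, and certificate-based authentication.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}
CERT_AUTH = {"auth-rsa", "auth-ecdsa"}


def expand_ciphers(spec):
    """Expand `spec` as mod_ssl will and return the TLS 1.2-and-earlier suites
    as the dicts ssl.SSLContext.get_ciphers() yields (name, protocol, kea,
    auth, aead, strength_bits, ...). Raises ssl.SSLError if the string selects
    nothing, which is what a typo in SSLCipherSuite looks like."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    # OpenSSL 1.1.1+ lists the fixed TLS 1.3 suites in every context;
    # SSLCipherSuite does not govern those, so keep them out of the audit.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_string_is_valid(spec):
    """True if OpenSSL can select at least one suite from `spec`."""
    try:
        return len(expand_ciphers(spec)) > 0
    except ssl.SSLError:
        return False


def audit_cipher_string(spec):
    """Return (accepted, rejected): lists of (suite name, detail). A suite is
    accepted only if it is forward secret, certificate-authenticated and AEAD."""
    accepted, rejected = [], []
    for c in expand_ciphers(spec):
        reasons = []
        if c["kea"] not in FORWARD_SECRET_KX:
            reasons.append(f"no forward secrecy ({c['kea']})")
        if c["auth"] not in CERT_AUTH:
            reasons.append(f"not certificate-authenticated ({c['auth']})")
        if not c["aead"]:
            reasons.append("not AEAD (CBC + HMAC)")
        if reasons:
            rejected.append((c["name"], "; ".join(reasons)))
        else:
            accepted.append((c["name"], f"{c['kea']}, {c['auth']}, {c['strength_bits']}-bit"))
    return accepted, rejected


def report(spec):
    """Print the audit for one cipher string; True if nothing was rejected."""
    accepted, rejected = audit_cipher_string(spec)
    print(f"SSLCipherSuite {spec}\n  {len(accepted)} pass, {len(rejected)} fail")
    for name, why in rejected:
        print(f"  FAIL {name}: {why}")
    return not rejected


if __name__ == "__main__":
    report(HARDENED)
    report(PERMISSIVE)
    # A one-character typo selects nothing; catch it here, not at restart time.
    print("typo check:", cipher_string_is_valid("ECDHE-RSA-AES128-GCM-SHA25"))
```

The comparison run is the instructive part: HIGH:!aNULL:!MD5 looks strict but expands to dozens of suites, and the FAIL lines show which of them still use static RSA key exchange or CBC with HMAC. The typo check matters because mod_ssl treats an empty cipher list as a fatal configuration error, so it is cheaper to find here than in a failed restart.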
Step 5: Implement Additional Security Headers
To further harden your server, you can add security headers using Apache’s mod_headers module (loaded by default on RHEL 9 through /etc/httpd/conf.modules.d/00-base.conf). These headers instruct browsers to enforce stricter security policies.
Add the following lines inside your <VirtualHost _default_:443> block in ssl.conf. Use the always condition on each Header line so the headers are also sent on error responses (4xx/5xx), which a plain Header set skips.
- HTTP Strict Transport Security (HSTS): This header tells browsers to only connect to your site using HTTPS for the given number of seconds (two years here). This prevents protocol downgrade attacks and also stops users from clicking through certificate warnings. Only include the preload token if you intend to submit the domain to the browsers’ preload list: once listed, every subdomain must serve valid HTTPS, and removal takes months. Send this header only from the HTTPS virtual host, never from port 80.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
- Content Security Policy (CSP), X-Content-Type-Options, and X-Frame-Options: These headers help prevent cross-site scripting (XSS) and clickjacking attacks.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
# A basic CSP, customize as needed
Header always set Content-Security-Policy "default-src 'self';"
The policy default-src 'self' blocks inline scripts and styles and every third-party resource, so it will break many existing sites. Deploy it first under the Content-Security-Policy-Report-Only header name, fix what the browser console reports, then switch to the enforcing header. If your own pages frame each other, use X-Frame-Options "SAMEORIGIN" (or the CSP frame-ancestors directive) instead of DENY.
Step 6: Validate and Restart Apache
After making these changes, it’s crucial to check your Apache configuration for syntax errors (httpd -t performs the same check):
sudo apachectl configtest
If you see Syntax OK, you are clear to apply the changes by restarting the Apache service. A reload (systemctl reload httpd) is sufficient for configuration and certificate changes and does not drop in-flight connections; a full restart is only required when you change which modules are loaded.
sudo systemctl restart httpd
If firewalld is active, also allow the https service, or the hardened port will be unreachable from outside the host.
Finally, verify your new configuration using an external tool. The Qualys SSL Labs’ SSL Server Test is the industry standard. Simply enter your domain name, and it will provide a detailed report and a security grade from A+ to F. Your goal should be to achieve an A or A+ rating. This test will confirm that you have successfully disabled weak protocols and ciphers and that the full certificate chain is being served. For a quick local check before exposing the host, openssl s_client with -tls1_1 against port 443 should be refused, while -tls1_2 and -tls1_3 should complete the handshake and print the chain.
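As a complement to the external scan, the following script probes a live server for the two things this guide changes: which protocol versions the server will actually negotiate, and whether the HSTS header from Step 5 is sent with a policy of at least one year. It is an added example, not part of the original article or of Apache; it uses only the Python standard library, and the host is whatever you pass on the command line (www.example.com in the usage line is a placeholder). A handshake that succeeds but fails chain validation is reported separately, because that is exactly what a missing intermediate certificate from Step 3 looks like from a browser.

```python
"""Smoke test of a live HTTPS endpoint: accepted TLS versions, chain validity
and HSTS policy. Added example, not the article's own code, and a local
check rather than a replacement for SSL Labs.
Usage: python3 tls_check.py www.example.com [443]
"""
import http.client
import socket
import ssl
import sys

ONE_YEAR = 31536000  # seconds; also the browsers' preload-list minimum
VERSIONS = [("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
            ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)]
# What Step 4's "SSLProtocol -all +TLSv1.2 +TLSv1.3" should produce.
EXPECTED = {"TLSv1.0": False, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": True}


def probe_version(host, port, version, timeout=5.0):
    """Handshake pinned to one protocol version. Returns 'accepted',
    'accepted-chain-invalid' (negotiated, but the chain did not verify: what
    a missing intermediate from Step 3 looks like) or OpenSSL's reason."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "accepted-chain-invalid"
    except ssl.SSLError as exc:
        return exc.reason or str(exc)
    except OSError as exc:
        return f"connect-error: {exc}"


def verdict(label, result):
    """Grade a probe against EXPECTED. NO_PROTOCOLS_AVAILABLE means this
    client's own OpenSSL policy (e.g. RHEL 9 crypto-policies) would not even
    offer the version, so the probe proves nothing about the server."""
    if result == "NO_PROTOCOLS_AVAILABLE" or result.startswith("connect-error"):
        return "inconclusive"
    if result.startswith("accepted") != EXPECTED[label]:
        return "UNEXPECTED"
    return "chain-invalid" if result == "accepted-chain-invalid" else "ok"


def fetch_hsts(host, port):
    """HEAD / over TLS; return the Strict-Transport-Security value or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=5.0,
                                       context=ssl.create_default_context())
    conn.request("HEAD", "/")
    return conn.getresponse().getheader("Strict-Transport-Security")


def parse_hsts(value):
    """Split an HSTS value into {directive (lower-cased): value or None}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def hsts_findings(value):
    """List what is wrong with an HSTS header; [] means it matches Step 5."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(value)
    raw = d.get("max-age")
    if raw is None or not raw.isdigit():
        return ["missing or non-numeric max-age"]
    problems = []
    if int(raw) < ONE_YEAR:
        problems.append(f"max-age {raw} is below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains not set")
    if "preload" in d and problems:
        problems.append("preload asserted but preload-list requirements unmet")
    return problems


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} HOST [PORT]")
        return 2
    host, port = argv[1], int(argv[2]) if len(argv) > 2 else 443
    failed = False
    for label, version in VERSIONS:
        result = probe_version(host, port, version)
        grade = verdict(label, result)
        failed = failed or grade in ("UNEXPECTED", "chain-invalid")
        print(f"{label:8} {result:36} {grade}")
    try:
        findings = hsts_findings(fetch_hsts(host, port))
    except (ssl.SSLError, OSError) as exc:
        findings = [f"could not fetch /: {exc}"]
    print("HSTS    ", "; ".join(findings) or "ok")
    return 1 if failed or findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine other than the server where possible: on a RHEL 9 client the system crypto-policy may refuse to offer TLS 1.0 and 1.1 at all, which the script reports as inconclusive rather than as a pass, because a refusal by your own client says nothing about what the server would accept.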
Source: https://infotechys.com/secure-your-apache-web-server-on-rhel-9/


