How to permanently store new ssl config

Discussion in 'Security' started by BottyZ, Aug 3, 2015.

  1. BottyZ

    BottyZ Member

    Hi all,

    I'm quite inexperienced with apache and whm but I have my first VPS to learn on and I'm trying to add some ssl changes in the http.conf file in order to improve its security (using Qualys SSL Server Test as my testing method). My employer wants to run their website from this VPS and it'll be the only site on here. They have an ecommerce store where they're trying to achieve a basic level of PCI DSS compliance.
    I've looked around and read up on a number of sites about this and I've seen a number of sources state that adding the following to the http.conf is recommended:

    Code:
    # Ciphers specified by the server take precedence
    SSLHonorCipherOrder on
    # Mitigates CVE-2009-3555
    SSLInsecureRenegotiation off
    # Mitigates CRIME and BEAST attacks (Apache 2.4 only)
    SSLCompression off
    I've tried directly editing the http.conf and following the instructions within the file to see if the edits are preserved on rebuild (/usr/local/cpanel/bin/apache_conf_distiller --update followed by /usr/local/cpanel/bin/build_apache_conf) and unfortunately the edits aren't preserved.

    Can I add the above code into the pre or post include files? If so, which would be best? Or is there a better way of incorporating these edits? I've seen in the http.conf that you should add the custom directives to respective template files, but which files would the above need to be added to specifically?

    Any help that can be given would be much appreciated. Thank you.

    A little further info on the VPS I'm using if you need it:
    Cent OS 6.6 (64 Bit)
    XenPV 3CPU 3GB RAM (& 3GB Burst)
    Apache 2.4.12
    EasyApache 3.30.4
    CPanel 11.50.0 (Build 29)
     
  2. ModServ

    ModServ Well-Known Member

    Hello,

    You can add the custom configuration in the template provided in this path:
    Code:
    /var/cpanel/templates/apache2
    I guess it will be in ssl_vhost.local (I'm not really sure).

    Regards,
     
  3. BottyZ

    BottyZ Member

    Hi ModServ,

    Thanks for the reply, I've checked that directory and it's empty. However I'm using apache 2.4.12 and there is a different folder called apache2_4 with a ssl_vhost.default in it, but it contains a lot of if statements and not a lot of anything that I consider replaceable. I can see some of the ssl directives in the main.default file in there though, so I would imagine this to be the file I need to amend?

    I take it I would add my custom code to this file and then restart apache? Then it would appear in the usual http.conf?
    I'm reluctant to edit the file before making sure it's correct as I don't want to have to rekey my ssl certificate again, which happened twice yesterday whilst working on this (basically told me the certificate was revoked in the browser when apache was restarted).

    I did add the directives to the pre_main includes file, but I'm not sure if this actually worked as BEAST is still not mitigated server side.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You should be able to add these values to the "Pre Main Include" field in "WHM Home » Service Configuration » Apache Configuration » Include Editor". Does this not correctly configure the values?

    Thank you.
     
  5. BottyZ

    BottyZ Member

    Hi Michael,

    Unfortunately it didn't seem to work with the includes file.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you elaborate on this? For instance, do the PCI tests still fail or are you simply checking the Apache configuration file and expecting to see the entries?

    Thank you.
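
One way to answer that question from the server side, as an added example that is not part of the thread: a POSIX shell function that reports where the three directives from the first post are set in a config file (global scope or inside a VirtualHost), and flags wrong values, extra text after the value (Apache does not accept a comment on the same line as a directive), and directives never set at global scope. The function name and the sample config are constructed for illustration; pass it whichever config or include file you want to check.

```shell
#!/bin/sh
# Added example: audit a config file for the three directives from the thread.
# Usage: audit_ssl_conf FILE   (returns 0 only if all three are set correctly at global scope)
audit_ssl_conf() {
    awk '
    BEGIN {
        want["sslhonorcipherorder"] = "on"
        want["sslinsecurerenegotiation"] = "off"
        want["sslcompression"] = "off"
        scope = "global"; bad = 0
    }
    /^[ \t]*(#|$)/ { next }                          # skip comment-only and blank lines
    { key = tolower($1) }                            # directive names are case-insensitive
    key ~ /^<virtualhost/ { scope = "vhost:" $2; sub(/>$/, "", scope); next }
    key == "</virtualhost>" { scope = "global"; next }
    (key in want) {
        status = "ok"
        if (tolower($2) != want[key]) status = "wrong-value"
        else if (NF > 2) status = "trailing-text"    # e.g. a "# note" after the value
        printf "line=%d scope=%s %s=%s %s\n", NR, scope, $1, $2, status
        if (status != "ok") bad = 1
        else if (scope == "global") good[key] = 1
    }
    END {
        for (k in want) if (!(k in good)) { print "missing-global " k; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample, not taken from a real server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# global section
SSLHonorCipherOrder on
SSLCompression off   # extra text on a directive line
<VirtualHost 192.0.2.10:443>
    SSLInsecureRenegotiation on
</VirtualHost>
EOF
audit_ssl_conf "$sample" || echo "audit found problems"
rm -f "$sample"
```

Running it against the rebuilt configuration after each rebuild shows whether the include survived and whether a virtual host overrides the global setting; an external scan such as the Qualys test mentioned in the first post remains the check of what clients actually negotiate.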
     