Optimal secure SSL Cipher Configuration for Apache and Nginx

# apache
SSLProtocol all -SSLv2 -SSLv3
# RC4 is broken and is not in the allowed ciphers; 3DES is kept instead for legacy connections and is still somewhat secure
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"

# nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Use one of the two ssl_ciphers lines below. Note that "!3DES" in the first one permanently removes the RSA+3DES suites added earlier in the same string, so only the second line keeps the legacy 3DES fallback described above.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_ciphers "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES";

REFERENCES

http://security.stackexchange.com/questions/51680/optimal-web-server-ssl-cipher-suite-configuration


Improve MAMP local performance and reduce RAM usage

You might have too many httpd processes running on your system during development.

Screenshot (2015-03-03, 3:12:40 PM): httpd processes have taken over the machine.

Objective: reduce the number of spare httpd servers that Apache keeps in memory.

Purpose: since this is for local development, the number of users is unlikely to exceed 256 clients.

Overview:

These are Apache's internal (compiled-in) defaults for the prefork MPM. This section will not exist in your httpd.conf file unless you created it earlier.

<IfModule prefork.c>
StartServers 4
MinSpareServers 3
MaxSpareServers 10
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 10000
</IfModule>

Insert/replace the following in httpd.conf – File->Edit Template->Apache->httpd.conf

<IfModule prefork.c>
StartServers         2
MinSpareServers      1
MaxSpareServers      2
ServerLimit        256
MaxClients         256
MaxRequestsPerChild  10000
</IfModule>

This reduces the number of spare httpd processes held in memory and the number of threads the processor has to schedule, which improves overall system performance and also lowers energy and battery usage.

LAMP Permissions Ubuntu, Debian

First, ensure that your username is a member of the www-data group. If it is not, add it:

sudo adduser user www-data 

Replace user with your username.

After that, change the ownership of /var/www to your username (with www-data as the group):

sudo chown user:www-data -R /var/www 

Next, set the permissions to 755. Setting them to 777 is not recommended, for security reasons:

sudo chmod 0755 -R /var/www
sudo chmod g+s -R /var/www 

Single-line command (for one site folder):

sudo chmod 0755 -R /var/www/html/myfolder && sudo chmod g+s -R /var/www/html/myfolder

Creds: http://askubuntu.com/questions/162866/correct-permissions-for-var-www-and-wordpress

About the g+s (setgid) bit: for executable files, this means that when the file is executed, it runs as the group that owns the file, not as the group of the user executing it. On a directory, it means that files and subdirectories created inside it inherit the directory's group (here www-data) instead of the creating user's primary group, which is why it is applied to /var/www.

This is useful if you want users to be able to assume the permissions of a particular group just for running one command.

It can represent a security risk when the group that owns the file is more privileged than the user's group.

Generally, this is safe to use with Apache, as it lets files in the user's web folder be manipulated by the Apache2 group, which is the intended behaviour. The www-data group used by Apache2 is not considered an elevated group, so it grants no unsafe operations beyond what Apache already performs programmatically.

In other words, the following does not constitute a security risk, because the www folder is already assigned the www-data group:

sudo chmod g+s -R /var/www 
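The chmod steps and the setgid discussion above describe a policy (0755 everywhere, g+s on directories, nothing world-writable, everything in the www-data group) but give no way to check a tree against it. The following is an added example, not code from the page or its sources: a small audit that walks a web root and reports anything that breaks that policy, run here against a throwaway tree it constructs itself. The path names and the "uploads" 777 subtree are constructed for the demo.

```python
import os
import stat
import tempfile

WORLD_WRITABLE = "world-writable (chmod 777 style)"
NO_SETGID = "directory lacks setgid bit (chmod g+s)"
WRONG_GROUP = "not owned by the expected group"

def audit_webroot(root, expected_gid=None):
    """Walk `root` and return (path, problem) pairs for anything breaking the
    policy: no world-writable entries, setgid on every directory, right group."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks are audited where their target lives
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, WORLD_WRITABLE))
            if stat.S_ISDIR(st.st_mode) and not (mode & stat.S_ISGID):
                findings.append((path, NO_SETGID))
            if expected_gid is not None and st.st_gid != expected_gid:
                findings.append((path, WRONG_GROUP))
    return findings

def build_demo_tree():
    """Constructed throwaway web root: one compliant subtree, one 777 subtree."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o2755)                       # 0755 + setgid, as recommended
    good, bad = os.path.join(root, "site"), os.path.join(root, "uploads")
    os.mkdir(good)
    os.chmod(good, 0o2755)
    with open(os.path.join(good, "index.html"), "w") as fh:
        fh.write("<h1>ok</h1>\n")
    os.chmod(os.path.join(good, "index.html"), 0o644)
    os.mkdir(bad)
    os.chmod(bad, 0o777)                         # the chmod 777 anti-pattern
    with open(os.path.join(bad, "notes.txt"), "w") as fh:
        fh.write("scratch\n")
    os.chmod(os.path.join(bad, "notes.txt"), 0o666)
    return root

def demo():
    """Audit the constructed tree; paths are returned relative to its root."""
    root = build_demo_tree()
    findings = audit_webroot(root, expected_gid=os.stat(root).st_gid)
    return [(os.path.relpath(p, root), why) for p, why in findings]
```

On a real host, call audit_webroot("/var/www", grp.getgrnam("www-data").gr_gid) instead of demo(); the constructed tree only exists to show the three kinds of finding.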

Ubuntu Apache2 permissions

First, ensure that your username is a member of the www-data group. If it is not, add it:

sudo adduser yourusername www-data 

Replace yourusername with your username.

After that, change the ownership of /var/www to your username and set group-writable permissions (files 0660, directories 0770). Run this as root, or prefix each command with sudo:

chown -R user:www-data /var/www && find /var/www -type f -exec chmod 0660 {} \; && find /var/www -type d -exec chmod 0770 {} \;