Apache2 – How to pass PCI-DSS compliance scan/test on Apache in 2013

Apache 2.2 up to 2.4 need special configuration to be able to pass a PCI-DSS scan. Below is what you need in 2013 to pass a basic PCI-DSS scan on your webserver. Obviously a properly configured SSL certificate helps too. You also need to configure variables in conf.d/security if you are using Debian or Ubuntu.

[apache]

SSLHonorCipherOrder On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM

SSLCompression Off

[/apache]

[apache]
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is ‘Full’ which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to “EMail” to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature Off
ServerSignature Off

#
# Allow TRACE method
#
# Set to “extended” to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
TraceEnable Off
#TraceEnable On

[/apache]

Published on: 31 May 2013
Posted by: Sami K.