Apache TLS/SSL with SSLFIPS
Feature description
Most DoD use cases will require Apache to run in FIPS mode with TLS/SSL. The image does not ship mod_ssl in /usr/local/apache2/modules.
Currently, the image will not run by default, because it attempts to bind to port 80 rather than 8080. The default httpd.conf does not include the httpd-ssl.conf file from extra/, so even though the README says to run the image with ports 8080 and 8443, neither port is part of the image's configuration by default. This can be corrected by volume-mounting replacement conf files.
Use cases
Running with SSL is a common requirement for Apache. There are CAT 2 STIG findings if the ssl_module is missing: V-214278, V-214230.
Benefits
Provides an image that is able to meet SSL requirements for Apache. Once the SSL and FIPS modules are available in the image, it will largely be the responsibility of the users to make sure they have STIG-compliant configurations.
Requirements
STIG will want the following setting in the SSL conf file: SSLProtocol -ALL +TLSv1.2
To enable FIPS you must have a FIPS-capable OpenSSL (one that supports the FIPS_mode flag) installed on your system; SSLFIPS on fails at startup otherwise.
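The following is an added example, not configuration from the Iron Bank image or from this issue: a minimal httpd.conf that could be volume-mounted over /usr/local/apache2/conf/httpd.conf to address the three points above (unprivileged ports, ssl_module loaded, SSLProtocol -ALL +TLSv1.2 with SSLFIPS on). The module paths follow the standard httpd image layout; the certificate and key file names, the ServerName, and the cipher string are assumptions and must be replaced with values that meet the STIG.

```apache
# Added example httpd.conf override (not the image's own file).
ServerRoot "/usr/local/apache2"

# Bind to the unprivileged ports the README documents instead of 80/443
Listen 8080
Listen 8443

# Minimum module set for a static site plus TLS
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
# mod_ssl.so must exist in modules/ or httpd refuses to start (V-214230 / V-214278)
LoadModule ssl_module modules/mod_ssl.so

User daemon
Group daemon
ErrorLog /proc/self/fd/2
LogLevel warn
TypesConfig conf/mime.types
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
DirectoryIndex index.html

# Global SSL settings. SSLFIPS is server-config only and must come before
# any SSLEngine on; it is only honoured when OpenSSL is FIPS-capable.
SSLFIPS on
SSLProtocol -ALL +TLSv1.2
SSLHonorCipherOrder on
# Assumed cipher string; tighten to the STIG-required list for the deployment.
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:8443>
    # Assumed hostname and file names; mount the real cert/key into conf/
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
</VirtualHost>
```

Before running the container, validate the file with `httpd -t -f /path/to/httpd.conf` and confirm the module is present with `httpd -M | grep ssl_module`; both commands fail loudly when mod_ssl.so is missing, which is the quickest check that the image actually carries the module. With a FIPS-capable OpenSSL, a non-FIPS-approved cipher or a non-FIPS key size is rejected at startup rather than silently negotiated, which is the behaviour SSLFIPS on is meant to provide.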
Links / references
(List of links or references that support this feature)
Definition of Done
- Apache can run TLS/SSL
- Default SSL conf file uses SSLProtocol -ALL +TLSv1.2
- When TLS/SSL is configured, Apache SSLFIPS is on
/cc @ironbank-notifications/feature