How to enable Public Key Pinning Extension for HTTP (HPKP) on Apache2. HPKP tries to detect MITM attacks with valid certificates. The first time a browser visits an HPKP-enabled website, it stores the hash of the public key. For all subsequent TLS connections, the received key is checked against the stored key.
How to enable HPKP on Apache2?
Calculate the sha256 hash for the public key
In this example I’m using the certificate as a base to extract the public key.
$ openssl x509 -in www_rivy_org.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
writing RSA key
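The pin calculation above, generalized in an added example that is not from the original post: `openssl pkey` replaces `openssl rsa` so EC keys work as well, and the pin is placed in a mod_headers directive together with a backup pin, which RFC 7469 requires. The file names, host name, max-age value and function names are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: SPKI pins for HPKP. File names and host name are constructed.
set -euo pipefail

# SHA-256 over the DER SubjectPublicKeyInfo read as PEM on stdin, base64 encoded.
# `openssl pkey` accepts RSA and EC keys and prints no "writing RSA key" line.
spki_pin() {
  openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
}

pin_from_cert() { openssl x509 -in "$1" -pubkey -noout | spki_pin; }
pin_from_key()  { openssl pkey -in "$1" -pubout | spki_pin; }

# Build the mod_headers directive. RFC 7469 requires a backup pin for a key
# that is not in the served chain, so two pins are always emitted.
hpkp_directive() {
  local primary=$1 backup=$2 max_age=$3
  printf 'Header always set Public-Key-Pins "pin-sha256=\\"%s\\"; pin-sha256=\\"%s\\"; max-age=%s"\n' \
    "$primary" "$backup" "$max_age"
}

# Constructed sample input: throwaway site key, self-signed cert, offline backup key.
make_samples() {
  local dir=$1
  openssl genrsa -out "$dir/site.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/site.key" -subj "/CN=pin.example.test" \
    -days 1 -out "$dir/site.crt" 2>/dev/null
  openssl genrsa -out "$dir/backup.key" 2048 2>/dev/null
}

demo() {
  local dir primary backup
  dir=$(mktemp -d)
  make_samples "$dir"
  primary=$(pin_from_cert "$dir/site.crt")
  backup=$(pin_from_key "$dir/backup.key")
  # The pin covers only the public key, so the cert and its private key must agree.
  [ "$primary" = "$(pin_from_key "$dir/site.key")" ] || { echo "pin mismatch" >&2; return 1; }
  hpkp_directive "$primary" "$backup" 5184000   # max-age is a constructed value
  rm -rf "$dir"
}

demo
```

Because the pin depends only on the public key, renewing the certificate with the same key keeps the pin valid, while a key change without a previously published backup pin locks returning browsers out until max-age expires.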
How to start using mod_spdy with Apache 2.4 on Ubuntu 14.04. This previous post explains how to build mod_spdy.
mod_spdy is not available for Apache 2.4.7 on Ubuntu 14.04. You can compile it yourself using this post. Or you can download the compiled files here.
Before we start moving files and reconfiguring apache2, we stop it.
$ sudo service apache2 stop
This howto explains what you should do to build mod_spdy with Apache 2.4 on Ubuntu 14.04 (Trusty Tahr). You can also download mod_spdy for Ubuntu 14.04 on this page.
Preparing the build environment
rivy@buildhost:~/mod-spdy$ sudo apt-get -y install git g++ apache2 libapr1-dev libaprutil1-dev patch binutils make devscripts
Cloning the 2.4.7 branch
It’s important that we specify the correct branch. In the master branch you can find all code that works for Apache 2.4.10. Since Ubuntu 14.04 is still using Apache 2.4.7, make sure to specify that branch.
rivy@buildhost:~/mod-spdy$ git clone -b apache-2.4.7 https://github.com/eousphoros/mod-spdy.git
Once you have downloaded the branch, you should be able to change directory to it.
rivy@buildhost:~/mod-spdy$ cd mod-spdy/src