Update Apache configuration #145

Open: wants to merge 2 commits into base: master
30 changes: 19 additions & 11 deletions src/configuration/Webservers/Apache/default-ssl
@@ -159,23 +159,31 @@
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off

# Add six earth month HSTS header for all users...
# "Intermediate" configuration as defined by the Mozilla Foundation's SSL Configuration Generator
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.6&openssl=1.0.1e&hsts=yes&profile=intermediate
# Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

# "Modern" configuration as defined by the Mozilla Foundation's SSL Configuration Generator
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.18&openssl=1.0.2g&hsts=yes&profile=modern
# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
#SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
#SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# Add six earth month HSTS header for all users.
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# If you want to protect all subdomains, use the following instead.
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
#Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

# HTTP Public Key Pinning (HPKP) for 90 days (60*60*24*90=7776000)
# At least use one Backup-Key and/or add whole CA, think of Cert-Updates!
Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\""

SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'



</VirtualHost>
</IfModule>
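Review bot: `SSLSessionTickets off`, added in this hunk, is only recognised by httpd 2.4.11 and later; on the Apache 2.2.22, 2.4.6, 2.4.7 and 2.4.10 builds this same PR lists under "Tested with Versions", the server refuses to start with an invalid-command error, so either wrap the directive in `<IfVersion >= 2.4.11>` or drop those releases from the tested list. Second, the removed cipher string carried `!3DES`, while the new intermediate `SSLCipherSuite` re-adds `ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA` (64-bit block ciphers, the Sweet32 class); unless the IE 7 / Windows XP clients named in the comment are genuinely required, append `:!3DES` or enable the commented-out modern profile instead. Finally, the `Public-Key-Pins` header is still active with `YOUR_HASH=` and `YOUR.REPORT.URL` placeholders; a config copied as-is sends an HPKP header with placeholder pins, so comment it out by default, as the `includeSubDomains` example above it already is.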
6 changes: 3 additions & 3 deletions src/practical_settings/webserver.tex
@@ -7,18 +7,18 @@ \subsection{Apache}

\subsubsection{Tested with Versions}
\begin{itemize*}
\item Apache 2.2.22, Debian Wheezy with OpenSSL 1.0.1e
\item Apache 2.4.6, Debian Jessie with OpenSSL 1.0.1e
\item Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k
\item Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k
\item Apache 2.4.7, Ubuntu 14.04.2 Trusty with Openssl 1.0.1f
\item Apache 2.4.6, CentOS Linux 7 (Core) with OpenSSL 1.0.1e
\item Apache 2.4.18, Ubuntu 16.04.3 LTS with OpenSSL 1.0.2g
\item Apache 2.4.25, Debian Stretch 9.5 with OpenSSL 1.1.0f
\end{itemize*}

\subsubsection{Settings}
Enabled modules \emph{SSL} and \emph{Headers} are required.

\configfile{default-ssl}{35-35,42-43,52-52,62-62,162-177}{SSL configuration for an Apache vhost}
\configfile{default-ssl}{35-35,42-43,52-52,62-62,162-187}{SSL configuration for an Apache vhost}

\subsubsection{Additional settings}
You might want to redirect everything to \emph{https://} if possible. In Apache
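Review bot: the "Tested with Versions" list now carries `Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k` twice, on two consecutive `\item` lines; one of them should go. The same list keeps the Apache 2.2.22 through 2.4.10 entries although the `default-ssl` change in this PR introduces `SSLSessionTickets`, a directive those releases do not accept, so those entries need a re-test or removal before merging. Minor: the new `\configfile` range `162-187` ends on the blank line after the `Public-Key-Pins` header (`162-186` closes on the last directive), and the Ubuntu 14.04 item still spells it `Openssl` while every other item uses `OpenSSL`.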