From 7df05eacad9b5799e451cc4bfe0adff97755d65e Mon Sep 17 00:00:00 2001 From: TabTwo Date: Sat, 18 Jan 2014 21:50:40 +0100 Subject: [PATCH 1/4] Remove NameVirtualHost for Apache 2.4 The NameVirtualHost directive no longer has any effect, other than to emit a warning. Any address/port combination appearing in multiple virtual hosts is implicitly treated as a name-based virtual host. See http://httpd.apache.org/docs/current/upgrading.html --- configs/apache2.4/https-hsts.conf | 61 +++++++++++++++++++ configs/apache2.4/https-redirect-rewrite.conf | 37 +++++++++++ configs/apache2.4/https-redirect.conf | 23 +++++++ 3 files changed, 121 insertions(+) create mode 100644 configs/apache2.4/https-hsts.conf create mode 100644 configs/apache2.4/https-redirect-rewrite.conf create mode 100644 configs/apache2.4/https-redirect.conf diff --git a/configs/apache2.4/https-hsts.conf b/configs/apache2.4/https-hsts.conf new file mode 100644 index 0000000..f604230 --- /dev/null +++ b/configs/apache2.4/https-hsts.conf 
@@ -0,0 +1,61 @@ +# +# This is an example of a medium security, highly compatible SSLv3 and TLSv1 +# enabled HTTPS server. The server prefers modes that provide perfect forward +# secrecy but does not require it. Anonymous cipher modes are disabled. This +# configuation also includes the HSTS header to ensure that users do not +# accidentally connect to an insecure HTTP service after their first visit. The +# HSTS header is set to expire after six earth months. +# +# Supported Server Cipher(s): +# Accepted SSLv3 256 bits DHE-RSA-AES256-SHA +# Accepted SSLv3 256 bits AES256-SHA +# Accepted SSLv3 128 bits DHE-RSA-AES128-SHA +# Accepted SSLv3 128 bits AES128-SHA +# Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA +# Accepted SSLv3 168 bits DES-CBC3-SHA +# Accepted TLSv1 256 bits DHE-RSA-AES256-SHA +# Accepted TLSv1 256 bits AES256-SHA +# Accepted TLSv1 128 bits DHE-RSA-AES128-SHA +# Accepted TLSv1 128 bits AES128-SHA +# Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA +# Accepted TLSv1 168 bits DES-CBC3-SHA +# +# Prefered Server Cipher(s): +# SSLv3 256 bits DHE-RSA-AES256-SHA +# TLSv1 256 bits DHE-RSA-AES256-SHA +# +# This configuration requires mod_headers, mod_ssl, it binds to TCP port 443, it only +# logs errors, and disables the server signature. +# + + + + ServerAdmin webmaster@example.com + ServerName www.example.com + ServerAlias wiki.example.com example.com + + SSLEngine on + SSLCertificateFile /etc/apache2/ssl/www.example.com.crt + SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key + + SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 + SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH + SSLHonorCipherOrder on + SSLCompression off + + # Add six earth month HSTS header for all users... 
+ Header add Strict-Transport-Security "max-age=15768000" + # If you want to protect all subdomains, use the following header + # Strict-Transport-Security: max-age=15768000 ; includeSubDomains + + DocumentRoot /var/www/https-root/ + + ErrorLog /var/log/apache2/https-error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + ServerSignature Off + + diff --git a/configs/apache2.4/https-redirect-rewrite.conf b/configs/apache2.4/https-redirect-rewrite.conf new file mode 100644 index 0000000..b6731e8 --- /dev/null +++ b/configs/apache2.4/https-redirect-rewrite.conf @@ -0,0 +1,37 @@ +# +# This is an example of how to redirect any normal HTTP connections on port +# 80 of multiple hosts to the same host, keeping the subdomain, path and +# parameters part of the uri but on HTTPS. +# +# It shouldn't be necessary on a new website but is required for a website +# converting from http to https and wanting to keep all previous links +# valid. +# +# Note that mod_rewrite require more computing power than mod_alias and isn't +# always available. But contrary to mod_alias you don't have to create one +# configuration per subdomain. You could use a wilcard ServerName and never +# look at it again in the future knowing that whatever subdomain your user hit +# it will be redirected to https or list all your https-available subdomains +# in the ServerAlias. +# +# This configuration requires mod_rewrite, it only logs errors, and +# disables the server signature. +# + + + + ServerAdmin webmaster@example.com + ServerName example.com + ServerAlias wiki.example.com www.example.com *.users.example.com + + RewriteEngine On + RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=permanent] + + ErrorLog /var/log/apache2/https-redirect-error.log + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + ServerSignature Off + + 
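Review bot: `Header add Strict-Transport-Security "max-age=15768000"` is not sent on locally generated non-2xx responses (errors, redirects), because `Header` without the `always` condition only operates on the success table, and `add` can emit a duplicate header if another layer also sets one; the line should read `Header always set Strict-Transport-Security "max-age=15768000"`. Separately, the "Supported Server Cipher(s)" and "Prefered Server Cipher(s)" comments list DHE-RSA-* suites as accepted and preferred, but the `SSLCipherSuite` string ends in `!EDH`, which excludes every DHE suite, so the comment does not describe what this directive negotiates; either drop the DHE lines from the comment or drop `!EDH`, and note that the comment trim in PATCH 4/4 leaves this mismatch in place as well. The opening comment also calls the file an "SSLv3 and TLSv1" server while the directive already enables TLSv1.1 and TLSv1.2, so the version list in the description should match the `SSLProtocol` line.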
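Review bot: `%{SERVER_NAME}` in the RewriteRule resolves from the request's Host header unless `UseCanonicalName On` is in effect (Apache defaults to Off), so if this vhost is also the one that receives requests for names it does not list — which depends on vhost ordering outside this file — the 301 target becomes whatever host name the client supplied rather than one of the listed domains. The comment says the subdomain must be preserved, so forcing the canonical name is not an option; restricting the redirect to the served domain is: add `RewriteCond %{HTTP_HOST} ^([a-z0-9-]+\.)*example\.com$ [NC]` before the rule and use `https://%{HTTP_HOST}%{REQUEST_URI}` as its target. A one-line comment that the query string is carried over automatically because the substitution contains no `?` would also stop the next reader from appending `%{QUERY_STRING}` by hand.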
diff --git a/configs/apache2.4/https-redirect.conf b/configs/apache2.4/https-redirect.conf new file mode 100644 index 0000000..a8aafde --- /dev/null +++ b/configs/apache2.4/https-redirect.conf @@ -0,0 +1,23 @@ +# +# This is an example of how to redirect any normal HTTP connections on port 80 +# to https://www.example.com/ +# +# This configuration requires mod_redirect, it only logs errors, and disables +# the server signature. +# + + + + ServerAdmin webmaster@example.com + ServerName example.com + ServerAlias wiki.example.com www.example.com + RedirectPermanent / https://www.example.com/ + + ErrorLog /var/log/apache2/https-redirect-error.log + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + ServerSignature Off + + From eca47de61764e50896cafa9547ac2d209e1cc20e Mon Sep 17 00:00:00 2001 From: TabTwo Date: Sat, 18 Jan 2014 22:01:50 +0100 Subject: [PATCH 2/4] Add SSLCertificateChainFile --- configs/apache2.4/https-hsts.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/configs/apache2.4/https-hsts.conf b/configs/apache2.4/https-hsts.conf index f604230..b76a82a 100644 --- a/configs/apache2.4/https-hsts.conf +++ b/configs/apache2.4/https-hsts.conf @@ -37,6 +37,7 @@ SSLEngine on SSLCertificateFile /etc/apache2/ssl/www.example.com.crt SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key + SSLCertificateChainFile /etc/apache2/ssl/cert-bundle.crt SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH From 9f175c436b83de4fdd812ea6a4099d7868b821ee Mon Sep 17 00:00:00 2001 
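Review bot: The header comment states that the configuration requires `mod_redirect`, but `RedirectPermanent` is a mod_alias directive and Apache ships no module of that name, so the comment sends an administrator looking for something that does not exist (the sibling https-redirect-rewrite.conf in this same commit correctly talks about mod_alias). Change it to `# This configuration requires mod_alias, it only logs errors, and disables` with the following line kept as is. It is also worth a short comment that the fixed `https://www.example.com/` target is intentional here, since the rewrite variant next to it derives the target from the request.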
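Review bot: The added `SSLCertificateChainFile /etc/apache2/ssl/cert-bundle.crt` says nothing about what the bundle must contain, and a chain file holding the wrong certificates is the classic case where the server's own browser check passes while other clients fail validation. A comment above it such as `# Intermediate CA certificate(s) only, ordered from the issuer of the server cert upwards; not the root, not the leaf` would do. Apache 2.4.8 and later also deprecate this directive in favour of appending the intermediates to the file given in `SSLCertificateFile`, which is worth noting for readers on those versions.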
From: TabTwo Date: Mon, 20 Jan 2014 21:05:29 +0100 Subject: [PATCH 3/4] Added OSCP-Stapling see http://en.wikipedia.org/wiki/OCSP_stapling --- configs/apache2.4/conf-available/oscp-stapling.conf | 4 ++++ configs/apache2.4/{ => sites-available}/https-hsts.conf | 0 .../{ => sites-available}/https-redirect-rewrite.conf | 0 configs/apache2.4/{ => sites-available}/https-redirect.conf | 0 4 files changed, 4 insertions(+) create mode 100644 configs/apache2.4/conf-available/oscp-stapling.conf rename configs/apache2.4/{ => sites-available}/https-hsts.conf (100%) rename configs/apache2.4/{ => sites-available}/https-redirect-rewrite.conf (100%) rename configs/apache2.4/{ => sites-available}/https-redirect.conf (100%) diff --git a/configs/apache2.4/conf-available/oscp-stapling.conf b/configs/apache2.4/conf-available/oscp-stapling.conf new file mode 100644 index 0000000..c6f2499 --- /dev/null +++ b/configs/apache2.4/conf-available/oscp-stapling.conf @@ -0,0 +1,4 @@ +SSLUseStapling on +SSLStaplingResponderTimeout 5 +SSLStaplingReturnResponderErrors off +SSLStaplingCache shmcb:/var/run/ocsp(128000) \ No newline at end of file diff --git a/configs/apache2.4/https-hsts.conf b/configs/apache2.4/sites-available/https-hsts.conf similarity index 100% rename from configs/apache2.4/https-hsts.conf rename to configs/apache2.4/sites-available/https-hsts.conf diff --git a/configs/apache2.4/https-redirect-rewrite.conf b/configs/apache2.4/sites-available/https-redirect-rewrite.conf similarity index 100% rename from configs/apache2.4/https-redirect-rewrite.conf rename to configs/apache2.4/sites-available/https-redirect-rewrite.conf diff --git a/configs/apache2.4/https-redirect.conf b/configs/apache2.4/sites-available/https-redirect.conf similarity index 100% rename from configs/apache2.4/https-redirect.conf rename to configs/apache2.4/sites-available/https-redirect.conf From 3e734d0a205dded63fa1a09b8f5696025bdb9575 Mon Sep 17 00:00:00 2001 
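Review bot: `SSLStaplingCache shmcb:/var/run/ocsp(128000)` needs mod_socache_shmcb loaded and is only valid in the global server context, and the four-line file records neither, so copying it into a vhost file or running it on a build without that module fails at config test. A header comment should say that the file belongs in the global context (conf-available is the right place), that `shmcb` requires mod_socache_shmcb, and that `SSLStaplingReturnResponderErrors off` is deliberate so responder failures are not relayed to clients. The file is named `oscp-stapling.conf` while the protocol is OCSP (the commit title carries the same transposition); renaming it to `ocsp-stapling.conf` before it is enabled avoids baking the typo into the name administrators have to type. The hunk also marks a missing newline at end of file.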
From: "Ralph J.Mayer" Date: Wed, 22 Jan 2014 12:05:33 +0100 Subject: [PATCH 4/4] Remove SSLv3 Yes, Windows XP is not supported anymore --- configs/apache2.4/sites-available/https-hsts.conf | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/configs/apache2.4/sites-available/https-hsts.conf b/configs/apache2.4/sites-available/https-hsts.conf index b76a82a..a990016 100644 --- a/configs/apache2.4/sites-available/https-hsts.conf +++ b/configs/apache2.4/sites-available/https-hsts.conf @@ -7,12 +7,6 @@ # HSTS header is set to expire after six earth months. # # Supported Server Cipher(s): -# Accepted SSLv3 256 bits DHE-RSA-AES256-SHA -# Accepted SSLv3 256 bits AES256-SHA -# Accepted SSLv3 128 bits DHE-RSA-AES128-SHA -# Accepted SSLv3 128 bits AES128-SHA -# Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA -# Accepted SSLv3 168 bits DES-CBC3-SHA # Accepted TLSv1 256 bits DHE-RSA-AES256-SHA # Accepted TLSv1 256 bits AES256-SHA # Accepted TLSv1 128 bits DHE-RSA-AES128-SHA @@ -21,7 +15,6 @@ # Accepted TLSv1 168 bits DES-CBC3-SHA # # Prefered Server Cipher(s): -# SSLv3 256 bits DHE-RSA-AES256-SHA # TLSv1 256 bits DHE-RSA-AES256-SHA # # This configuration requires mod_headers, mod_ssl, it binds to TCP port 443, it only @@ -39,7 +32,7 @@ SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key SSLCertificateChainFile /etc/apache2/ssl/cert-bundle.crt - SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 + SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH SSLHonorCipherOrder on SSLCompression off