
Apache - HTTP/2 & SSLCipherSuite hardening (TLS, OCSP stapling, security headers, logging)

  # ---- OCSP stapling (httpd 2.3.3 and later). Server context only:
  # ---- SSLStaplingCache is not permitted inside <VirtualHost>.
  SSLUseStapling                   on
  SSLStaplingResponderTimeout      5
  # Keep responder failures server-side: the client then falls back to its own
  # revocation check instead of failing the handshake on a flaky OCSP server.
  SSLStaplingReturnResponderErrors off
  SSLStaplingCache                 shmcb:/var/run/ocsp(128000)

  # ---- TLS protocol and cipher policy.
  # Everything the OpenSSL build offers minus SSLv3 / TLS 1.0 / TLS 1.1,
  # i.e. TLS 1.2 (and TLS 1.3 where the build provides it).
  SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
  # ECDHE only (forward secrecy); AEAD suites (GCM, ChaCha20-Poly1305) first.
  # The four trailing *-SHA384 / *-SHA256 entries are CBC suites kept for
  # older clients -- drop them if you do not need those clients.
  # NOTE: on builds with TLS 1.3 this list does not govern the TLS 1.3 suites
  # (those take a separate "SSLCipherSuite TLSv1.3 ..." line on 2.4.36+).
  SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  # The server, not the client, decides -- suites are tried in the order above.
  SSLHonorCipherOrder on
  # Session tickets encrypted with a never-rotated ticket key undermine forward
  # secrecy; cache-based resumption keeps working (directive needs 2.4.11+).
  SSLSessionTickets   off
  # TLS-level compression is the CRIME vector; keep it off.
  SSLCompression      off

  # ---- HTTP/2
  # h2 (over TLS) and h2c (cleartext) with HTTP/1.1 fallback. mod_http2 must
  # be loaded and needs a threaded MPM (event/worker) -- it is switched off
  # under prefork. Browsers only negotiate h2 via ALPN on TLS, so h2c is only
  # relevant to non-browser clients on :80, which below does nothing but redirect.
  Protocols h2 h2c http/1.1

  # Server push, driven by Link: rel=preload headers emitted by the application.
  # NOTE(review): mainstream browsers have been dropping server-push support;
  # confirm it still pays off before leaving it on.
  H2Push          on
  # Push priority per content type relative to the requesting stream.
  # Lookup is by type, so directive order is irrelevant; "*" is the fallback.
  H2PushPriority  text/css                before
  H2PushPriority  application/javascript  interleaved
  H2PushPriority  image/jpeg              after   32
  H2PushPriority  image/png               after   32
  H2PushPriority  *                       after

  # Plain-HTTP listener whose only job is the 301 to the TLS host.
  # HSTS is deliberately not set here: browsers ignore the header over http://.
  <VirtualHost *:80>
      ServerName  xxx
      ServerAlias www.xxx
      # Same as RedirectPermanent; the request path is preserved
      # (http://xxx/foo -> https://xxx/foo).
      Redirect permanent / https://xxx/
      ServerSignature Off
  </VirtualHost>

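  <VirtualHost *:443>
      # ... ServerName, DocumentRoot, etc. (omitted in the original listing)
      SSLEngine on
      # Leaf certificate followed by the intermediate chain in one PEM file
      # (2.4.8+ reads the chain from here; SSLCertificateChainFile is obsolete).
      SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
      # Private key: keep it readable by root only -- httpd loads it before
      # dropping privileges.
      SSLCertificateKeyFile   /path/to/private/key

      # Client-certificate authentication: the CA bundle alone does NOT demand a
      # client certificate -- uncomment SSLVerifyClient as well.
      #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication
      #SSLVerifyClient         require

      # HSTS (mod_headers required). Only ONE "Header set" per header name:
      # a second "set" silently replaces the first, so the 6-month line that
      # used to precede this one never reached a client and has been dropped.
      # 63072000 s = 2 years, the minimum hstspreload.org accepts.
      # CAUTION: includeSubdomains + preload is a long-lived commitment --
      # every subdomain must be HTTPS-only before submitting, and getting off
      # the preload list takes months.
      Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
      # Clickjacking: SAMEORIGIN lets this site frame its own pages. Tighten to
      # DENY (or CSP frame-ancestors 'none') if nothing legitimately frames them.
      Header always set X-Frame-Options SAMEORIGIN
      # Legacy XSS-auditor switch: current browsers ignore it and current guidance
      # (OWASP) is to send "0" or drop it; a Content-Security-Policy is the real
      # control. Left as in the original for old clients.
      Header always set X-Xss-Protection "1; mode=block"
      # Stop MIME sniffing of scripts/styles served with the wrong Content-Type.
      Header always set X-Content-Type-Options nosniff

      # Optional hardening, left disabled as in the original -- enable after
      # testing. "default-src 'self'" will break inline scripts and styles.
      # Do NOT combine the "append DENY" variant with the "set SAMEORIGIN" line
      # above: "SAMEORIGIN, DENY" is not a valid X-Frame-Options value.
      #Header always set Referrer-Policy strict-origin-when-cross-origin
      #Header always set Referrer-Policy origin
      #Header always set Content-Security-Policy "default-src 'self';"
      #Header always set X-Frame-Options DENY
      #<FilesMatch "\.(php)$">
      #  Header always append X-Frame-Options DENY
      #</FilesMatch>

      # Never serve .htaccess / .htpasswd. 2.4 syntax only: the original's
      # "Satisfy all" is a 2.2 directive that needs mod_access_compat and adds
      # nothing next to "Require all denied".
      <FilesMatch "^\.ht">
          Require all denied
      </FilesMatch>

      RedirectMatch "^/sex/(.*)" "https://contact.echosystem.fr/$1"

      # Custom error page. /error/ must exist and itself answer 200, otherwise
      # httpd logs the nested failure and serves its built-in page instead.
      ErrorDocument 400 /error/
      ErrorDocument 403 /error/
      ErrorDocument 404 /error/

      # Requests to keep out of the access log. Request_URI always starts with
      # "/", so the original "^server-status$" pattern never matched anything.
      SetEnvIf Request_URI "^/server-status$" dontlog
      SetEnvIf Request_URI "^/apc\.php$" dontlog
      #SetEnvIf Request_URI "^/api/v1/$" dontlog
      #SetEnvIf Request_URI "^/rss/i$" dontlog
      # Marker for loopback clients; not referenced in this listing -- presumably
      # used by a directive in the omitted part of the vhost.
      SetEnvIf Remote_Addr "^127\.0\.0\.1$" local_network

      # Log formats, defined before the CustomLog lines that reference them.
      # Debian's apache2.conf already ships these nicknames; the vhost_combined
      # here additionally records %X (connection status when the response ends).
      LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
      LogFormat "%v %h %l %u %t \"%r\" %>s %b %O \"%{Referer}i\" \"%{User-Agent}i\" %X" vhost_combined
      LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "%h %l %u %t \"%r\" %>s %O" common
      LogFormat "%{Referer}i -> %U" referer
      LogFormat "%{User-agent}i" agent

      # LogLevel values, least to most verbose: emerg, alert, crit, error, warn,
      # notice, info, debug.
      LogLevel  notice
      ErrorLog  ${APACHE_LOG_DIR}/error.log
      # env=!dontlog is what makes the SetEnvIf rules above take effect; without
      # it every request was logged. Both files receive the same entries (one
      # per-site file, one aggregate) -- intentional in the original.
      CustomLog ${APACHE_LOG_DIR}/access.xxx.log vhost_combined env=!dontlog
      CustomLog ${APACHE_LOG_DIR}/access.log  vhost_combined env=!dontlog
  </VirtualHost>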

Comments

To check the latest recommended SSLCipherSuite, use the Mozilla SSL Configuration Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/

Erreur32 • 26 Aug 2017, 23:59:56 UTC