start > Apache > Enable SSL
(2019-04-08)
In /etc/conf.d/ssl remove everything in the <VirtualHost _default_:443> definition and replace it with
In each virtual host that is going to be served through HTTPS, add this block:Note:
Problem
I want https enabled on the apache installed in my RedHat flavor distribution.Warning
Note date on this snip -- SSL security options may be out of date!Solution
# yum install mod_ssl
<VirtualHost _default_:443># This should net you an A+ rating on the qualsys siteSSLEngine on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLCertificateFile /etc/ssl/certs/myzone/system.myzone.crt
SSLCertificateKeyFile /etc/ssl/certs/myzone/system.myzone.key
SSLCertificateChainFile /etc/ssl/certs/myzone/system.myzone-intermediate.crt
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff#DocumentRoot "/var/www/html"
ServerName my.fqdn.arpa.nameTransferLog logs/ssl_access_log
LogLevel warn<Files ~ ".(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>BrowserMatch "MSIE [2-5]"
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
</VirtualHost># This should net you an A+ rating on the qualsys siteSSLEngine on SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCertificateFile /etc/ssl/certs/myzone/server.myzone.crt SSLCertificateKeyFile /etc/ssl/certs/myzone/server.myzone.key SSLCertificateChainFile /etc/ssl/certs/myzone/server.myzone-intermediate.crt SSLHonorCipherOrder On Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff
- for the VirtualHost, "server.myzone" should be the same value that the same VirtualHost ServerName parameter is set to
- SNI is enabled automatically; different VirtualHosts do not have to share certificate files
- If you only have one VirtualHost, you can do all your site-specific configuration in the default
no comments |
post comment
Virtual Dave Megaplex:
Home Page- This wiki's start page
- Send Feedback To Dave
Logged in Users: (1)
Recently Changed
Check Internet Service Database Match- Device-Local Certificate Expired
- CLI Policy Lookup
- DH Selection For IPsec VPNs
- Scan For Newly Added Disk
- nmap
- Seconds Since Epoch to Local Time
- Link Monitor
- DH group to OAKLEY_GROUP table
- Fire Eater
- start
- FortiClient Error Codes
- dhparams Generation
- SSL Certificate Bundles
- ufw
- Grow A LVM Partition
- Creating Users
- whoami
- list databases
- 2023
- 2022
- 2019
- 2018
- 2017
- 2011
- 2010
- 2008
- 2001
- 2000
- 1999
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.