(2019-04-08)
Problem
I want HTTPS enabled on the Apache httpd installed on my RedHat-flavor distribution.
Warning
Note date on this snip -- SSL security options may be out of date!
Solution
In /etc/httpd/conf.d/ssl.conf (the mod_ssl config shipped on RedHat-flavor distributions) remove everything in the <VirtualHost _default_:443> definition and replace it with:
<VirtualHost _default_:443>
    # This should net you an A+ rating on the Qualys SSL Labs test
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLCertificateFile /etc/ssl/certs/myzone/system.myzone.crt
    SSLCertificateKeyFile /etc/ssl/certs/myzone/system.myzone.key
    SSLCertificateChainFile /etc/ssl/certs/myzone/system.myzone-intermediate.crt
    SSLHonorCipherOrder On
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff

    #DocumentRoot "/var/www/html"
    ServerName my.fqdn.arpa.name
    TransferLog logs/ssl_access_log
    LogLevel warn

    # Export the SSL_* variables to CGI/PHP scripts (as in the stock ssl.conf)
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
In each virtual host that is going to be served through HTTPS, add this block:
    # This should net you an A+ rating on the Qualys SSL Labs test
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLCertificateFile /etc/ssl/certs/myzone/server.myzone.crt
    SSLCertificateKeyFile /etc/ssl/certs/myzone/server.myzone.key
    SSLCertificateChainFile /etc/ssl/certs/myzone/server.myzone-intermediate.crt
    SSLHonorCipherOrder On
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
Note:
- the certificate that SSLCertificateFile points at ("server.myzone" in the paths above) must be issued for the name that VirtualHost's ServerName is set to, otherwise browsers reject it
- SNI is enabled automatically; different VirtualHosts do not have to share certificate files. A client that sends no SNI is served by the _default_:443 VirtualHost and gets its certificate
- If you only have one VirtualHost, you can do all your site-specific configuration in the _default_:443 block
- the Header directives need mod_headers loaded; if the headers do not show up in responses, check that the module is enabled in /etc/httpd/conf.modules.d/
- SSLCertificateChainFile is obsolete from httpd 2.4.8 onward: SSLCertificateFile then accepts the server certificate followed by the intermediate certificates in one file, and the chain directive only logs a warning
- "preload" in the HSTS header only has an effect once you submit the domain to the browser preload lists, and together with includeSubDomains it commits every subdomain to HTTPS; leave it out until you are sure every subdomain can serve TLS
- SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 leaves TLSv1.2 and, where httpd 2.4.36+ is built against OpenSSL 1.1.1+, TLSv1.3 enabled; older builds negotiate TLSv1.2 only
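After reloading httpd, it is worth confirming from the outside that the VirtualHost really refuses the old protocol versions, negotiates a forward-secret suite and sends the three headers. The script below is an added example for that check, not code from the original page; it assumes openssl and curl are installed on the client and that the argument is the vhost's ServerName (my.fqdn.arpa.name is used as a hypothetical host). The parsing helpers work on the `openssl s_client` summary line and the `curl -sI` header transcript, so they can be exercised without a live server.

```shell
#!/usr/bin/env bash
# Added example: post-deployment check for the HTTPS VirtualHost above.
# Assumes: openssl and curl in PATH; $1 is the vhost ServerName
# (hypothetical example: my.fqdn.arpa.name).

# Did the handshake in an `openssl s_client` transcript succeed?
# Success prints a line like "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384";
# a refused protocol prints "New, (NONE), Cipher is (NONE)".
handshake_ok() {
  case "$1" in
    *"Cipher is (NONE)"*) return 1 ;;
    *"Cipher is "*)       return 0 ;;
    *)                    return 1 ;;
  esac
}

# Pull the negotiated cipher name out of that summary line.
negotiated_cipher() {
  printf '%s\n' "$1" | sed -n 's/^New, [^,]*, Cipher is //p' | head -n 1
}

# The SSLCipherSuite above admits only ECDHE/DHE (forward-secret) suites;
# TLS 1.3 suites (TLS_*) are always forward-secret.
cipher_fs() {
  case "$1" in
    ECDHE-*|DHE-*|TLS_*) return 0 ;;
    *)                   return 1 ;;
  esac
}

# Are the three headers set by the vhost present in a `curl -sI` transcript?
# Header names are matched case-insensitively; CRLF line ends are tolerated.
headers_ok() {
  local hdrs="$1" h
  for h in strict-transport-security x-frame-options x-content-type-options; do
    printf '%s\n' "$hdrs" | grep -qi "^$h:" || return 1
  done
  return 0
}

# One handshake attempt: $1 host, $2 protocol flag (-tls1, -tls1_1, -tls1_2).
probe() {
  openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>/dev/null
}

check_host() {
  local host="$1" proto out cipher rc=0
  # Disabled protocol versions must be refused by the server ...
  for proto in -tls1 -tls1_1; do
    out=$(probe "$host" "$proto")
    if handshake_ok "$out"; then
      echo "FAIL: $proto accepted"; rc=1
    else
      echo "ok:   $proto refused"
    fi
  done
  # ... and TLS 1.2 must succeed with a forward-secret suite.
  out=$(probe "$host" -tls1_2)
  if handshake_ok "$out"; then
    cipher=$(negotiated_cipher "$out")
    if cipher_fs "$cipher"; then
      echo "ok:   TLS 1.2 with $cipher"
    else
      echo "FAIL: non-forward-secret cipher $cipher"; rc=1
    fi
  else
    echo "FAIL: TLS 1.2 refused"; rc=1
  fi
  # The Header directives need mod_headers; this catches it being unloaded.
  if headers_ok "$(curl -sI "https://$host/")"; then
    echo "ok:   security headers present"
  else
    echo "FAIL: HSTS / X-Frame-Options / X-Content-Type-Options missing"; rc=1
  fi
  return $rc
}

if [ -n "${1:-}" ]; then
  check_host "$1"
fi
```

Run `apachectl configtest` and restart httpd first, then `./check-tls.sh my.fqdn.arpa.name`. One caveat: if the client's own OpenSSL refuses to speak TLS 1.0 or 1.1 (recent builds do so at the default security level), the probe reports "refused" regardless of what the server would accept, so run it from a client that still supports those versions or use the Qualys SSL Labs test for that part.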