
ssl.conf

Created by dave. Last edited by dave, 5 years and 7 days ago. Viewed 1,040 times. #1
(2019-03-13)

Sample ssl.conf for Apache 2.4.34 on Fedora 28

Comments and shit stripped out

This config gives me an A from Qualys SSL Labs

Listen 0.0.0.0:443 https
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCertificateFile /etc/ssl/certs/wiki.xdroop.com/wiki.xdroop.com.crt
SSLCertificateKeyFile /etc/ssl/certs/wiki.xdroop.com/wiki.xdroop.com.key
# SSLCertificateChainFile still works in 2.4.34 but has been deprecated since
# 2.4.8; the intermediates can instead be appended to the SSLCertificateFile.
SSLCertificateChainFile /etc/ssl/certs/wiki.xdroop.com/wiki.xdroop.com.ca-bundle
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
# Line continuations and the escaped quotes around %r are part of the
# directives; without the backslashes httpd rejects the file.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
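A scanner grade is only as good as the config it happened to scan, so it is worth being able to lint an ssl.conf offline before deploying it. The script below is an added example (mine, not the page author's and not part of httpd) that parses the TLS-relevant directives and applies the checks the grade above depends on: the effective SSLProtocol set (including the mod_ssl rule that a bare protocol name replaces what came before it), forward secrecy and weak algorithms in SSLCipherSuite, SSLHonorCipherOrder, the HSTS header and max-age, and the deprecated SSLCertificateChainFile. SAMPLE_CONF is a constructed copy of the directives in the VirtualHost above; WEAK_CONF is a hypothetical pre-hardening config for contrast; KNOWN_PROTOCOLS assumes a build without TLSv1.3 (OpenSSL 1.1.0, as on Fedora 28).

```python
"""Lint the TLS-relevant directives of an Apache 2.4 ssl.conf (added example)."""
import re

# Constructed copy of the page's VirtualHost directives, continuation and all.
SAMPLE_CONF = r"""
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLCertificateFile /etc/ssl/certs/wiki.xdroop.com/wiki.xdroop.com.crt
SSLCertificateKeyFile /etc/ssl/certs/wiki.xdroop.com/wiki.xdroop.com.key
SSLCertificateChainFile /etc/ssl/certs/wiki.xdroop.com/wiki.xdroop.com.ca-bundle
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
"""

# Hypothetical pre-hardening config (constructed), kept for contrast.
WEAK_CONF = r"""
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
"""

# Assumption: a 2.4.34 build against OpenSSL 1.1.0, so no TLSv1.3. "All" expands
# to every entry here; 2.4 never speaks SSLv2, and "-SSLv2" is accepted as a no-op.
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts


def parse_directives(text):
    """Yield (name, args), joining backslash-continued lines like httpd's
    config reader and skipping comments and <Section> tags."""
    text = re.sub(r"\\\n\s*", " ", text)
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def effective_protocols(spec, known=KNOWN_PROTOCOLS):
    """Expand an SSLProtocol argument the way mod_ssl does: '+x' adds, '-x'
    removes, 'All' is every known protocol, and a bare name REPLACES the set
    built so far (httpd logs "overrides already set parameter(s)").
    Returns (enabled_set, override_happened)."""
    enabled, overridden = set(), False
    for tok in spec.split():
        op = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        names = set(known) if name.lower() == "all" else {name}
        if op == "-":
            enabled -= names
        elif op == "+":
            enabled |= names
        else:
            overridden = overridden or bool(enabled)
            enabled = names
    return enabled, overridden


def check_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    found, hsts = {}, []
    for name, args in parse_directives(text):
        found.setdefault(name.lower(), []).append(args)
        if name.lower() == "header" and "strict-transport-security" in args.lower():
            hsts.append(args)
    findings = []

    protos, overridden = effective_protocols(found.get("sslprotocol", ["All"])[-1])
    if overridden:
        findings.append("SSLProtocol: bare protocol name overrides earlier tokens; use +/-")
    legacy = protos & LEGACY_PROTOCOLS
    if legacy:
        findings.append("SSLProtocol still enables " + ", ".join(sorted(legacy)))
    if "TLSv1.2" not in protos:
        findings.append("SSLProtocol does not enable TLSv1.2")

    # Every positive cipher-list entry must pin a forward-secret key exchange
    # and must not name an algorithm SSL Labs caps the grade for.
    for entry in found.get("sslciphersuite", [""])[-1].split(":"):
        if not entry or entry[0] in "!-":
            continue
        alg = entry.upper()
        if not any(fs in alg for fs in ("EECDH", "ECDHE", "EDH", "DHE")):
            findings.append("SSLCipherSuite entry %r allows non-forward-secret key exchange" % entry)
        if any(weak in alg for weak in ("RC4", "3DES", "MD5", "NULL", "EXP")):
            findings.append("SSLCipherSuite entry %r includes weak algorithms" % entry)

    if found.get("sslhonorcipherorder", ["off"])[-1].lower() not in ("on", "yes", "true", "1"):
        findings.append("SSLHonorCipherOrder is off; the client picks the cipher")

    if not hsts:
        findings.append("no Strict-Transport-Security header")
    for h in hsts:
        m = re.search(r"max-age=(\d+)", h)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not h.lower().startswith("always "):
            findings.append("HSTS header not set with 'always'; error responses will lack it")

    if "sslcertificatechainfile" in found:
        findings.append("SSLCertificateChainFile is deprecated since 2.4.8; append the chain to SSLCertificateFile")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", SAMPLE_CONF), ("weak config", WEAK_CONF)):
        print(label + ":", check_conf(conf) or "no findings")
```

Run against the page's directives the only finding is the deprecated chain-file directive; the constructed weak config trips the TLSv1/TLSv1.1, forward-secrecy, cipher-order and HSTS checks. The override rule in effective_protocols is the one that bites people writing `SSLProtocol TLSv1.2 TLSv1.3`: only the last name survives.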
This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt