Letsencrypt: Difference between revisions
No edit summary |
No edit summary |
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
/etc/apache2/vhosts.d/01_default_ssl_namebased_vhost.conf | |||
<pre> | |||
<IfDefine SSL> | |||
<IfModule ssl_module> | |||
# see bug #178966 why this is in here | |||
# When we also provide SSL we have to listen to the HTTPS port | |||
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two | |||
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" | |||
Listen 443 | |||
# OCSP stapling | |||
SSLStaplingCache shmcb:/run/ocsp(128000) | |||
</IfModule> | |||
</IfDefine> | |||
</pre> | |||
/etc/apache2/vhosts.d/ssl_security.include | /etc/apache2/vhosts.d/ssl_security.include | ||
| Line 15: | Line 31: | ||
# 180 days | # 180 days | ||
Header always set Strict-Transport-Security "max-age=15552000" | Header always set Strict-Transport-Security "max-age=15552000" | ||
# Content-Security-Policy | |||
Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src * data:; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; font-src 'self' data: https://fonts.gstatic.com; child-src 'self' https://www.youtube.com" | |||
# X-Frame-Options | |||
Header always set X-Frame-Options "SAMEORIGIN" | |||
# X-XSS-Protection | |||
Header always set X-Xss-Protection "1; mode=block" | |||
# X-Content-Type-Options | |||
Header always set X-Content-Type-Options "nosniff" | |||
# Referrer-Policy | |||
Header always set Referrer-Policy "strict-origin-when-cross-origin" | |||
# Expect-CT (30 days) | |||
Header always set Expect-CT "enforce; max-age=2592000" | |||
# Let's Encrypt (webroot) | # Let's Encrypt (webroot) | ||
| Line 22: | Line 56: | ||
</LocationMatch> | </LocationMatch> | ||
</IfModule> | </IfModule> | ||
</pre> | |||
/etc/apache2/vhosts.d/subdomain.example.com | |||
<pre> | |||
[...] | |||
SSLEngine On | |||
SSLCertificateFile /etc/letsencrypt/live/subdomain.example.com/fullchain.pem | |||
SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.example.com/privkey.pem | |||
# SSL security configuration | |||
Include /etc/apache2/vhosts.d/ssl_security.include | |||
</VirtualHost> | |||
</pre> | </pre> | ||
== cronjob (first day every month at 12:00AM) == | == cronjob (first day every month at 12:00AM) == | ||
/etc/cron.d/ | /etc/cron.d/certbot | ||
<pre> | <pre> | ||
MAILTO="mail@example.com" | MAILTO="mail@example.com" | ||
0 0 1 * * | 0 0 1 * * root certbot certonly --email "mail.example.com" --webroot -w /var/www/subdomain.example.com/htdocs -d subdomain.example.com --renew-by-default --noninteractive | ||
0 1 1 * * root /etc/init.d/apache2 reload | |||
0 1 1 * * root /etc/init.d/murmur restart | |||
</pre> | </pre> | ||
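Review bot: The certbot line added on the new side of the cron.d hunk passes `--email "mail.example.com"`, which is a hostname rather than a mailbox, so the ACME account contact used for expiry and incident notices is wrong while MAILTO on the line above correctly uses `mail@example.com`; it should read `--email "mail@example.com"`. The two new `0 1 1 * *` entries reload apache and restart murmur an hour later whether or not issuance succeeded; chaining them onto a successful run (`… --noninteractive && /etc/init.d/apache2 reload && /etc/init.d/murmur restart`) avoids bouncing both services after a failed renewal. `--renew-by-default` is the deprecated spelling of `--force-renewal`, and forcing a fresh certificate once a month instead of running `certbot renew` daily means a single failed run is not retried for thirty days.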
Latest revision as of 10:32, 23 May 2017
/etc/apache2/vhosts.d/01_default_ssl_namebased_vhost.conf
<IfDefine SSL>
<IfModule ssl_module>
# The distribution's default SSL vhost carries the Listen directive rather
# than httpd.conf; see bug #178966 for the history.
# Once SSL is provided the server has to accept connections on the HTTPS port.
# Hosts that serve IPv6 without IPv4-mapped addresses need both
# "Listen [::]:443" and "Listen 0.0.0.0:443" instead of the bare form below.
Listen 443
# Shared-memory cache backing OCSP stapling. SSLUseStapling itself is switched
# on per vhost (ssl_security.include); the cache is server-scoped and must be
# declared exactly once, outside any <VirtualHost>.
SSLStaplingCache shmcb:/run/ocsp(128000)
</IfModule>
</IfDefine>
/etc/apache2/vhosts.d/ssl_security.include
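# TLS protocol and cipher policy
# Based on: https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
# Disable every protocol version below TLS 1.2: SSLv2/SSLv3 are broken and
# TLS 1.0/1.1 are deprecated (RFC 8996). "all" still enables TLS 1.3 on
# builds that support it. ("-SSLv2" is accepted as a no-op by httpd 2.4.)
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Use the server's preference order so the forward-secret AEAD suites win.
SSLHonorCipherOrder on
# ECDHE suites first, DHE (EDH+aRSA) as the fallback. Anonymous and
# unencrypted suites, export grades, 3DES, MD5, RC4, PSK, SRP and DSS are
# excluded. The original list also named "EECDH+aRSA+RC4", which the
# trailing "!RC4" removed anyway; that dead entry is dropped here.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
# OCSP stapling (the shared cache is declared in 01_default_ssl_namebased_vhost.conf)
SSLUseStapling on
# Strict Transport Security (HSTS), 180 days.
# No includeSubDomains/preload: the only vhost shown including this file is a
# single subdomain, and those flags are hard to roll back once browsers have
# cached them. Add them only when every subdomain serves valid HTTPS.
Header always set Strict-Transport-Security "max-age=15552000"
# Content-Security-Policy
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src let an
# injected <script> execute, which removes most of CSP's XSS value, and
# "img-src *" permits any remote image. Tighten per application (hashes or
# nonces for inline scripts) once the site's own JavaScript allows it.
# child-src is superseded by frame-src/worker-src in CSP level 3; browsers
# still honour it as a fallback.
Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src * data:; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; font-src 'self' data: https://fonts.gstatic.com; child-src 'self' https://www.youtube.com"
# Clickjacking: allow framing by the same origin only
# (CSP "frame-ancestors 'self'" is the modern equivalent).
Header always set X-Frame-Options "SAMEORIGIN"
# Legacy browser XSS auditor. Most browsers have removed the filter and the
# current recommendation is "0" (the auditor itself enabled information
# leaks); kept for the few old clients that still honour it.
Header always set X-Xss-Protection "1; mode=block"
# Stop MIME sniffing of scripts/stylesheets served with a wrong Content-Type.
Header always set X-Content-Type-Options "nosniff"
# Full referrer same-origin, origin only cross-origin, nothing on an
# HTTPS -> HTTP downgrade.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Expect-CT (30 days). Deprecated: CT logging has been mandatory for publicly
# trusted certificates since 2018 and browsers no longer act on this header;
# it is harmless to keep.
Header always set Expect-CT "enforce; max-age=2592000"
# Let's Encrypt (webroot)
# The regex is anchored and the dot escaped so it only matches the http-01
# challenge path (the original "/*" matched zero or more slashes anywhere in
# the URL). NOTE(review): the ACME validator does not require a particular
# Content-Type for the token file; this override is a legacy recommendation
# and can be removed if it gets in the way.
# The <IfModule> guard is cosmetic: the Header directives above are not
# guarded, so httpd already refuses to start without mod_headers.
<IfModule mod_headers.c>
<LocationMatch "^/\.well-known/acme-challenge/">
Header set Content-Type "application/jose+json"
</LocationMatch>
</IfModule>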
/etc/apache2/vhosts.d/subdomain.example.com
[...]
SSLEngine On
# fullchain.pem = leaf certificate + intermediates, so no separate
# SSLCertificateChainFile is needed (httpd >= 2.4.8 reads the chain from here).
SSLCertificateFile /etc/letsencrypt/live/subdomain.example.com/fullchain.pem
# live/ holds symlinks into archive/, so these paths stay valid across
# renewals; httpd only picks up a renewed certificate after a reload, which
# the cronjob below performs.
# privkey.pem is root-only as written by certbot; httpd reads it as root
# before dropping privileges, so leave the permissions alone.
# NOTE(review): the cronjob also restarts murmur, presumably to serve the same
# certificate — confirm how murmur gets read access to this key without the
# permissions being loosened for everyone.
SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.example.com/privkey.pem
# SSL security configuration (protocols, ciphers, stapling, security headers)
Include /etc/apache2/vhosts.d/ssl_security.include
</VirtualHost>
cronjob (first day every month at 12:00AM)
/etc/cron.d/certbot
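# Renew the Let's Encrypt certificate for subdomain.example.com on the first
# of every month at 00:00 and reload its consumers only if issuance succeeded.
# cron mails anything certbot prints (errors included) to MAILTO.
MAILTO="mail@example.com"
# Monthly forced renewal keeps the original schedule; a 90-day certificate
# survives two missed runs. NOTE(review): the supported approach is
# "certbot renew" once or twice a day, which renews only when < 30 days remain
# and is retried automatically after a failure — consider switching.
# --force-renewal replaces the deprecated alias --renew-by-default.
# --email is the ACME account contact and must be a mailbox; the previous
# value "mail.example.com" was a hostname.
# The service reloads are chained with && so a failed issuance does not
# blindly bounce apache and murmur an hour later.
# NOTE(review): murmur presumably serves this certificate too and runs as its
# own user; confirm it can read privkey.pem (certbot writes it root-only).
0 0 1 * * root certbot certonly --email "mail@example.com" --webroot -w /var/www/subdomain.example.com/htdocs -d subdomain.example.com --force-renewal --noninteractive && /etc/init.d/apache2 reload && /etc/init.d/murmur restart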