Letsencrypt: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
/etc/apache2/vhosts.d/ssl_security.include | /etc/apache2/vhosts.d/ssl_security.include | ||
<pre> | <pre> | ||
# Forward Secrecy | |||
# Source: https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy | |||
SSLProtocol all -SSLv2 -SSLv3 | |||
SSLHonorCipherOrder on | |||
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" | |||
# OCSP stapling | |||
SSLUseStapling on | |||
# Strict Transport Security (HSTS) | |||
# 180 days | |||
Header always set Strict-Transport-Security "max-age=15552000" | |||
# Let's Encrypt (webroot) | # Let's Encrypt (webroot) | ||
<IfModule mod_headers.c> | <IfModule mod_headers.c> | ||
Revision as of 17:26, 21 April 2016
Webroot
/etc/apache2/vhosts.d/ssl_security.include
# Forward Secrecy
# Source: https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
# OCSP stapling
SSLUseStapling on
# Strict Transport Security (HSTS)
# 180 days
Header always set Strict-Transport-Security "max-age=15552000"
# Let's Encrypt (webroot)
<IfModule mod_headers.c>
<LocationMatch "/.well-known/acme-challenge/*">
Header set Content-Type "application/jose+json"
</LocationMatch>
</IfModule>
cronjob (first day every month at 12:00AM)
/etc/cron.d/letsencrypt
MAILTO="mail@example.com" 0 0 1 * * letsencrypt certonly --webroot -w /var/www/q.deltaquadrant.org/htdocs -d q.deltaquadrant.org --renew-by-default