Configuração Apache
com
ec2-52-67-1-167.sa-east-1.compute.amazonaws.com
52.67.1.167
https://freedns.afraid.org/news/
Permissions (owner and mode)
owner root, mode 644 for the certificate file
owner root, mode 400 for the private key file
~$ openssl version
OpenSSL 1.0.2g 1 Mar 2016
Run Apache from a non-privileged account
By default, Apache2 on Debian runs under the non-privileged account www-data.
To verify it run:
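# Confirm which account the worker processes run as (the parent process normally
# stays root so it can bind ports 80/443; only the workers should show www-data).
ps -ef | grep apache2
# Edit the main configuration as root; the web-server account needs no write access here.
nano /etc/apache2/apache2.conf
# Keep the configuration tree owned by root. The original step handed the whole of
# /etc/apache2 to www-data (chown -R www-data:www-data /etc/apache2), which undoes the
# point of running as a non-privileged account: a compromised worker could then rewrite
# its own configuration, including the certificate and private-key paths it loads.
# root:root with the default modes (directories 755, files 644) is readable by the
# worker and writable only by root; this command does not touch the modes themselves.
chown -R root:root /etc/apache2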
????????
</VirtualHost>
HTTPS porta 443:
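# Self-signed certificate/key pair for testing. The command was split across two lines
# in the notes without a continuation character; as typed, "-out ..." on its own line is
# not a valid command, so the lines are joined here with "\".
# -nodes writes the private key unencrypted, so apply the mode 400 noted above to
# /etc/ssl/private/apache-selfsigned.key right after generation. Browsers will warn on
# this certificate because no CA vouches for it; it is not suitable together with HSTS.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/apache-selfsigned.key \
    -out /etc/ssl/certs/apache-selfsigned.crt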
nano /etc/apache2/conf-available/ssl-params.conf
cd /etc/apache2/
-rw-r--r-- 1 root root 3846 Nov 30 00:27 apache2.conf
drwxr-xr-x 2 root root 4096 Nov 29 23:40 conf-available
drwxr-xr-x 2 root root 4096 Nov 29 23:53 conf-enabled
-rw-r--r-- 1 root root 1782 Mar 19 2016 envvars
-rw-r--r-- 1 root root 31063 Mar 19 2016 magic
drwxr-xr-x 2 root root 12288 Nov 29 22:51 mods-available
drwxr-xr-x 2 root root 4096 Nov 29 23:52 mods-enabled
-rw-r--r-- 1 root root 320 Mar 19 2016 ports.conf
drwxr-xr-x 2 root root 4096 Dec 4 11:59 sites-available
# Enable TLS for this virtual host and point it at the self-signed pair created above.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
# Must stay readable by root only (mode 400, see the permission note above).
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
# Left commented: a self-signed certificate has no intermediate chain to serve.
#SSLCertificateChainFile /path/to/chain.pem
# Export the standard SSL_* environment variables to scripts so they can inspect the
# negotiated protocol and cipher.
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# Workaround for old Internet Explorer (versions 2-6) TLS shutdown bugs; harmless for
# modern clients.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# The matching <VirtualHost *:443> opening line is not part of this excerpt.
</VirtualHost>
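# modern configuration, tweak to your needs
# (Directive names and their values were split onto separate lines and several cipher
# names lost a hyphen when the notes were extracted; they are rejoined here.)
# TLS 1.0 and 1.1 are still enabled by this line; the "modern" profile quoted further
# down disables them (all -SSLv3 -TLSv1 -TLSv1.1). Keep them only if legacy clients
# really have to connect.
SSLProtocol -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
# -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
# Mozilla "modern" list: ECDHE key exchange only (forward secrecy), AEAD suites first.
# The *-ECDSA-* entries need an ECDSA certificate; with the RSA key generated above only
# the ECDHE-RSA-* entries can actually be negotiated.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# Broader alternative kept for reference; it admits DHE and plain RSA (non-forward-secret)
# suites and relies on the "!..." exclusions to drop the weak ones.
#ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 (Mandatory discards)
# Disable TLS session tickets at the OpenSSL level; "SSLSessionTickets off" below is the
# Apache directive for the same thing, so the two are redundant but consistent.
SSLOpenSSLConfCmd Options -SessionTicket
# No step in these notes creates this DH parameter file; it has to exist at this path
# (2048 bits or larger) before the server is restarted, or mod_ssl will refuse the config.
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
#SSLOpenSSLConfCmd ECDHParameters secp384r1
#SSLOpenSSLConfCmd Curves secp521r1:secp384r1:secp256r1:secp256r1:prime256v1:prime192v1
#SSLFIPS on
# The server, not the client, picks the cipher, in the order listed above.
SSLHonorCipherOrder on
# TLS-level compression (CRIME) stays off.
SSLCompression off
SSLSessionTickets off
# HTTP security headers (mod_headers must be enabled)
# HSTS with includeSubDomains and preload: for two years browsers will refuse plain HTTP
# for this host and every subdomain, and will not let the user click through certificate
# errors. With the self-signed certificate configured above this makes the site
# unreachable in browsers, so only send this header once a CA-issued certificate is in use.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# OCSP Stapling, httpd >= 2.3.3
# Stapling only has an effect once the certificate carries an OCSP responder URL; the
# self-signed certificate generated above has none, so these lines are inert until a
# CA-issued certificate is installed.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# Presumably closes an <IfModule mod_ssl.c> at the top of the file, which is not shown
# in this excerpt.
</IfModule>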
# Validate the syntax first: restarting with a broken config leaves the server down.
apache2ctl configtest
# Either service-manager form restarts the daemon; a full restart drops in-flight
# connections (systemctl reload / apache2ctl graceful would not).
systemctl restart apache2
service apache2 restart
# Combined form: the restart only runs if the config test succeeds.
apache2ctl configtest && sudo service apache2 restart
https://mozilla.github.io/server-side-tls/ssl-config-generator/ (Modern)
<VirtualHost *:443>
...
SSLEngine on
# Since Apache 2.4.8 the intermediate CA certificates can be appended to this file,
# which is why no SSLCertificateChainFile appears in this example.
SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
# Readable by root only (mode 400, see the permission note above).
SSLCertificateKeyFile /path/to/private/key
# Uncomment the following directive when using client certificate authentication
#SSLCACertificateFile /path/to/ca_certs_for_client_authentication
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
# This variant has no includeSubDomains or preload, unlike the ssl-params.conf header
# above, so it commits only this host and can be undone by letting max-age expire.
Header always set Strict-Transport-Security "max-age=15768000"
...
</VirtualHost>
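# modern configuration, tweak to your needs
# (Directive names and their values were split onto separate lines and several cipher
# names lost a hyphen when the notes were extracted; they are rejoined here.)
# Only TLS 1.2 is accepted; compare with the ssl-params.conf above, which still allows
# TLS 1.0 and 1.1.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# ECDHE-only suites (forward secrecy). The *-ECDSA-* entries need an ECDSA certificate;
# with the RSA key generated above only the ECDHE-RSA-* entries can be negotiated.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# Server-side cipher preference, no TLS compression, no session tickets.
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
# Needs a certificate with an OCSP responder URL; inert with a self-signed certificate.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)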
https://cipherli.st/
# cipherli.st defaults: ECDHE/DHE key exchange only (forward secrecy), AES-GCM suites
# preferred, then AES-256 CBC suites.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Only SSLv2/SSLv3 are excluded, so TLS 1.0 and 1.1 remain enabled with this line.
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# HSTS for two years including subdomains and the preload list; this commits every
# subdomain to HTTPS and cannot be withdrawn quickly once preloaded.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Refuse to be framed by any site (clickjacking defence).
Header always set X-Frame-Options DENY
# Stop browsers from MIME-sniffing responses away from the declared Content-Type.
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
# A relative cache path is resolved under ServerRoot; confirm that directory exists and
# is writable by the server before relying on it.
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off