Apache Config for SSL from https://mozilla.github.io/server-side-tls/ssl-config-generator/
#apache 2.4.7 | modern profile | OpenSSL 1.0.1f# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
<VirtualHost *:443>
...
SSLEngine on
# Server (leaf) certificate presented to clients.
SSLCertificateFile /path/to/signed_certificate
# Intermediate CA certificate(s), sent so clients can build the chain to a trusted root.
# Later 2.4 releases deprecate this directive in favour of appending the chain to
# the file named by SSLCertificateFile.
SSLCertificateChainFile /path/to/intermediate_certificate
# Private key. Keep it readable only by root (httpd typically loads it at startup,
# before dropping privileges) and outside the DocumentRoot and version control.
SSLCertificateKeyFile /path/to/private/key
# Uncomment the following directive when using client certificate authentication
#SSLCACertificateFile /path/to/ca_certs_for_client_authentication
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
# Browsers that have seen this header refuse plain HTTP for this host until max-age
# expires, so enable it only once HTTPS is known to work for every path on the host.
# Subdomains are not covered, because includeSubDomains is not set.
Header always set Strict-Transport-Security "max-age=15768000"
...
</VirtualHost>
# modern configuration, tweak to your needs
# NOTE(review): this profile was generated for httpd 2.4.7 / OpenSSL 1.0.1f. Regenerate it
# for the versions actually installed instead of carrying the list forward unchanged.
# "all" minus SSLv3, TLSv1 and TLSv1.1 leaves TLSv1.2 plus any newer protocol the
# linked OpenSSL supports.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Forward-secret ECDHE suites only: AEAD suites (GCM, ChaCha20-Poly1305) first, then
# CBC-mode SHA-2 suites as a fallback. Suite names the linked OpenSSL does not know are
# normally skipped, so check the effective list with `openssl ciphers -v '<string>'`.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# The server's preference order decides the suite, not the client's.
SSLHonorCipherOrder on
# TLS-level compression stays off (compression side channels such as CRIME).
SSLCompression off
# OCSP Stapling, only in httpd 2.3.3 and later
# The server fetches the OCSP response from the CA's responder itself, so it needs
# outbound access to that responder.
SSLUseStapling on
# Give up on the responder after 5 seconds.
SSLStaplingResponderTimeout 5
# Only staple responses reporting a "good" certificate status; responder errors are
# not passed on to clients.
SSLStaplingReturnResponderErrors off
# Shared-memory cache for stapled responses. This directive belongs in the global
# server configuration, outside any <VirtualHost>.
SSLStaplingCache shmcb:/var/run/ocsp(128000)
#Have redirect work# Edit the files /etc/apache2/sites-available/000-default.conf and /etc/apache2/sites-available/000-default-le-ssl.conf ###000-default.conf### Add the following:
DocumentRoot /var/www/html
# <serverIpAddress> is a placeholder; replace it with the real value.
ServerName <serverIpAddress>
<Directory /var/www/html>
# AllowOverride All lets any .htaccess file under this directory set every directive
# class .htaccess supports (auth, options, rewrite rules, ...). Anyone who can write
# files under the document root can then change server behaviour. If only rewrite rules
# are needed, a narrower class such as FileInfo is enough.
AllowOverride All
</Directory>
###000-default-le-ssl.conf### Add the following:
DocumentRoot /var/www/html
# NOTE(review): certificates are normally issued for host names, so a ServerName that is
# an IP address will usually not match the certificate served by this vhost; confirm.
ServerName <serverIpAddress>
<Directory /var/www/html>
# AllowOverride All lets any .htaccess file under this directory set every directive
# class .htaccess supports (auth, options, rewrite rules, ...). Anyone who can write
# files under the document root can then change server behaviour. If only rewrite rules
# are needed, a narrower class such as FileInfo is enough.
AllowOverride All
</Directory>
#Enable SSL See note below# from https://wiki.apache.org/httpd/RedirectSSL
# NameVirtualHost is a leftover from httpd 2.2; in 2.4 it has no effect and only
# produces a deprecation warning.
NameVirtualHost *:80
<VirtualHost *:80>
ServerName mysite.example.com
DocumentRoot /usr/local/apache2/htdocs
# Answers every path with a 301 to the fixed HTTPS host name. The target host is
# hard-coded, so it does not depend on the Host header sent by the client.
# The first request still travels over plain HTTP; the redirect only moves the
# client to HTTPS afterwards.
Redirect permanent / https://mysite.example.com/
</VirtualHost>
# _default_ matches any address on port 443 that no other virtual host claims.
<VirtualHost _default_:443>
ServerName mysite.example.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
# etc...
</VirtualHost>
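Note that this doesn't work for form submissions: most clients re-issue a redirected POST as a GET, so the POST data is dropped (and it has already crossed the network unencrypted by the time the redirect is sent). #HTTPS Rewrite# from https://wiki.apache.org/httpd/RewriteHTTPToHTTPS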
RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
# [R] without a status code sends a temporary (302) redirect; [L] stops further rule processing.
# This is still an HTTP redirect, so a POST sent to the http:// URL is not replayed
# with its body, and the original request has already been sent in cleartext.
# NOTE(review): %{SERVER_NAME} can reflect the client-supplied Host header, depending on
# UseCanonicalName and on which virtual host catches the request. Where a catch-all vhost
# serves this rule, consider hard-coding the canonical host name in the target.
#Fix FQDN Error# In /etc/apache2/apache2.conf
Change
#ServerName www.example.com:80
to:
# A global ServerName stops httpd from guessing the host name at startup (the FQDN warning).
# Name-based virtual hosts should still declare their own ServerName.
ServerName 127.0.0.1:80
#Speed Up Apache# https://www.jeffgeerling.com/blog/3-small-tweaks-make-apache-fly
https://www.giftofspeed.com/apache-server/
https://zoompf.com/blog/2013/04/top-5-causes
#Documentation# Apache.org