Difference between revisions of "Template:Securevhost.conf"
m |
(Make sure honor cipher order is enabled, disable earlier versions of TLS and amend permitted cipher suites.) |
||
(3 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
<VirtualHost *:443> | <VirtualHost *:443> | ||
− | ServerName | + | ServerName YOUR-REPOSITORY-DOMAIN:443 |
ErrorLog logs/ssl_error_log | ErrorLog logs/ssl_error_log | ||
Line 8: | Line 8: | ||
LogLevel warn | LogLevel warn | ||
− | + | SSLEngine on | |
− | + | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |
− | + | SSLHonorCipherOrder on | |
− | + | SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 | |
− | SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/ | + | SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt |
− | SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/ | + | SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key |
− | SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/ | + | SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle |
SetEnvIf User-Agent ".*MSIE.*" \ | SetEnvIf User-Agent ".*MSIE.*" \ |
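Review bot: The last four entries of the new `SSLCipherSuite` line (`ECDHE-ECDSA-AES256-SHA384` through `ECDHE-RSA-AES128-SHA256`) are CBC-mode suites, the only non-AEAD entries in the list; if they are kept for older TLS 1.2 clients, a comment above the directive should say so, otherwise they can be dropped. `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` is a deny-list, so what stays enabled depends on the httpd/OpenSSL build; `SSLProtocol -all +TLSv1.2 +TLSv1.3` states the intent directly on builds that support TLS 1.3. The `.key` file now named under `EPRINTS_PATH/archives/REPOID/ssl/` sits inside the repository tree, so the template should presumably carry a comment such as `# key file must not be readable by the account that runs EPrints`. The `SetEnvIf` directive on the hunk's last line continues outside the hunk.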
Latest revision as of 18:00, 16 October 2021
# HTTPS virtual host template for an EPrints repository.
# YOUR-REPOSITORY-DOMAIN, EPRINTS_PATH and REPOID are placeholders that must
# be replaced with site-specific values before the file is used.
<VirtualHost *:443>
  ServerName YOUR-REPOSITORY-DOMAIN:443

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  SSLEngine on

  # Deny-list form: start from "all" and switch off SSLv2, SSLv3, TLS 1.0 and
  # TLS 1.1. What remains (TLS 1.2, plus TLS 1.3 where available) depends on
  # the httpd/OpenSSL build in use.
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

  # Use the server's cipher preference order rather than the client's, so the
  # ordering of the SSLCipherSuite list below is what decides the choice.
  SSLHonorCipherOrder on

  # ECDHE-only list (forward secrecy). The first six suites are AEAD
  # (AES-GCM / ChaCha20-Poly1305); the last four are CBC-mode suites with a
  # SHA-2 MAC, listed last so they are chosen only when no AEAD suite matches.
  # NOTE(review): this list governs TLS 1.2 and below; on httpd builds with
  # TLS 1.3 support, TLS 1.3 suites are configured separately - confirm.
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

  # Server certificate, its private key and the CA chain, all kept under the
  # repository's own ssl/ directory.
  # NOTE(review): the private key sits inside the archive tree; confirm that
  # its file permissions keep it unreadable by the account that runs EPrints
  # and by anything served from the repository.
  # NOTE(review): SSLCertificateChainFile is obsolete from httpd 2.4.8, where
  # the chain can be appended to the SSLCertificateFile instead - confirm the
  # target httpd version.
  SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
  SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
  SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle

  # Legacy workaround for user agents matching "MSIE": no keep-alive, tolerate
  # an unclean SSL shutdown, and fall back to HTTP/1.0 for request and response.
  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  # Per-request TLS log: time, client host, negotiated protocol, negotiated
  # cipher, request line and response size. Useful for checking which
  # protocols and ciphers clients actually use before tightening the lists
  # above.
  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  # Repository-specific SSL configuration for this archive.
  Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf

  # Hand URL translation to the EPrints rewrite handler (mod_perl).
  PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>