Difference between revisions of "Template:Securevhost.conf"

From EPrints Documentation
Jump to: navigation, search
m
(Make sure honor cipger and disabled earlier versions of TLS and amend permitted cipher suites.)
 
(3 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
  <VirtualHost *:443>
 
  <VirtualHost *:443>
 
   
 
   
   ServerName your.dnshostname.org:443
+
   ServerName YOUR-REPOSITORY-DOMAIN:443
 
   
 
   
 
   ErrorLog logs/ssl_error_log
 
   ErrorLog logs/ssl_error_log
Line 8: Line 8:
 
   LogLevel warn
 
   LogLevel warn
 
   
 
   
  SSLEngine on
+
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
+
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder on
+
  SSLHonorCipherOrder on
  SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
+
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 
   
 
   
   SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/your.dnshostname.org.crt
+
   SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
   SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/your.dnshostname.org.key
+
   SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
   SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/your.dnshostname.org.ca-bundle
+
   SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle
 
   
 
   
 
   SetEnvIf User-Agent ".*MSIE.*" \
 
   SetEnvIf User-Agent ".*MSIE.*" \

Latest revision as of 18:00, 16 October 2021

<VirtualHost *:443>

  ServerName YOUR-REPOSITORY-DOMAIN:443

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

 SSLEngine on
 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 SSLHonorCipherOrder on
 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

  SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
  SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
  SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf

  PerlTransHandler +EPrints::Apache::Rewrite

</VirtualHost>