Difference between revisions of "Template:Securevhost.conf"
(Make sure honor cipger and disabled earlier versions of TLS and amend permitted cipher suites.) |
(Added turning off SSLCompression and SSLSessionTickets for better security) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 8: | Line 8: | ||
LogLevel warn | LogLevel warn | ||
| − | + | SSLEngine on | |
| − | + | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |
| − | + | SSLHonorCipherOrder on | |
| − | + | SSLCompression off | |
| + | SSLSessionTickets off | ||
| + | SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 | ||
SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt | SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt | ||
Latest revision as of 15:33, 16 October 2025
<VirtualHost *:443>
ServerName YOUR-REPOSITORY-DOMAIN:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>
