Difference between revisions of "Template:Securevhost.conf"

From EPrints Documentation
Jump to: navigation, search
m
(Added turning off SSLCompression and SSLSessionTickets for better security)
 
(5 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
  <VirtualHost *:443>
 
  <VirtualHost *:443>
 
   
 
   
   ServerName your.dnshostname.org:443
+
   ServerName YOUR-REPOSITORY-DOMAIN:443
 
   
 
   
 
   ErrorLog logs/ssl_error_log
 
   ErrorLog logs/ssl_error_log
Line 9: Line 9:
 
   
 
   
 
   SSLEngine on
 
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
+
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 
   SSLHonorCipherOrder on
 
   SSLHonorCipherOrder on
   SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
+
  SSLCompression off
 +
  SSLSessionTickets off
 +
   SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 
   
 
   
   SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/your.dnshostname.org.crt
+
   SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
   SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/your.dnshostname.org.key
+
   SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
   SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/your.dnshostname.org.ca-bundle
+
   SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle
 
   
 
   
 
   SetEnvIf User-Agent ".*MSIE.*" \
 
   SetEnvIf User-Agent ".*MSIE.*" \

Latest revision as of 15:33, 16 October 2025

<VirtualHost *:443>

  ServerName YOUR-REPOSITORY-DOMAIN:443

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder on
  SSLCompression off
  SSLSessionTickets off
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

  SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
  SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
  SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf

  PerlTransHandler +EPrints::Apache::Rewrite

</VirtualHost>
Retrieved from ‘https://wiki.eprints.org/w/index.php?title=Template:Securevhost.conf&oldid=16983