Difference between revisions of "Template:Securevhost.conf"

(Created page with " <VirtualHost *:443> ServerName your.dnshostname.org:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLPro...")
 
(Make sure honor cipher order is on, disable earlier versions of TLS and amend permitted cipher suites.)
 
(4 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
  <VirtualHost *:443>
 
  <VirtualHost *:443>
 
   
 
   
   ServerName your.dnshostname.org:443
+
   ServerName YOUR-REPOSITORY-DOMAIN:443
 
   
 
   
 
   ErrorLog logs/ssl_error_log
 
   ErrorLog logs/ssl_error_log
Line 8: Line 8:
 
   LogLevel warn
 
   LogLevel warn
 
   
 
   
  SSLEngine on
+
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
+
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder on
+
  SSLHonorCipherOrder on
  SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
+
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 
   
 
   
   SSLCertificateFile /opt/eprints3/archives/REPOID/ssl/your.dnshostname.org.crt
+
   SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
   SSLCertificateKeyFile /opt/eprints3/archives/REPOID/ssl/your.dnshostname.org.key
+
   SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
   SSLCertificateChainFile /opt/eprints3/archives/REPOID/ssl/your.dnshostname.org.ca-bundle
+
   SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle
 
   
 
   
 
   SetEnvIf User-Agent ".*MSIE.*" \
 
   SetEnvIf User-Agent ".*MSIE.*" \
Line 24: Line 24:
 
     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
   
 
   
   Include /opt/eprints3/cfg/apache_ssl/REPOID.conf
+
   Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf
 
   
 
   
 
   PerlTransHandler +EPrints::Apache::Rewrite
 
   PerlTransHandler +EPrints::Apache::Rewrite
 
   
 
   
 
  </VirtualHost>
 
  </VirtualHost>
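Review bot: The new `SSLCipherSuite` line in the "Line 8" hunk still ends with four CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`), which are the weakest entries in an otherwise AEAD-only list and the ones TLS scanners flag; dropping them leaves `SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256`, at the cost of the few TLS 1.2-only clients that lack GCM support. On httpd 2.4.36+ built against OpenSSL 1.1.1 this directive does not govern TLS 1.3 suites and the `all` in the new `SSLProtocol` line already enables TLS 1.3 there, so `SSLProtocol -all +TLSv1.2 +TLSv1.3` is the clearer spelling on such builds, while the subtractive form committed here is the one that stays valid on older 2.4 releases. The same hunk keeps `SSLCertificateChainFile`, which httpd has deprecated since 2.4.8 in favour of appending the intermediates to the `SSLCertificateFile` PEM; a comment such as `# SSLCertificateChainFile is deprecated since httpd 2.4.8; append intermediates to the .crt instead` would spare the next maintainer a surprise. Nothing in the change adds a `Strict-Transport-Security` header, which a TLS-only vhost normally wants once the protocol and cipher work is done.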

Latest revision as of 18:00, 16 October 2021

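<VirtualHost *:443>

  # Must match the subject/SAN of the certificate configured below.
  ServerName YOUR-REPOSITORY-DOMAIN:443

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  SSLEngine on
  # Subtractive form stays valid on every httpd 2.4 release; on 2.4.36+ built
  # against OpenSSL 1.1.1 "all" also covers TLS 1.3, so this yields TLS 1.2+.
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  # Let the server's order win so the AEAD suites below are chosen over
  # whatever a client lists first.
  SSLHonorCipherOrder on
  # ECDHE (forward secrecy) + AEAD suites only. The CBC-mode SHA256/SHA384
  # suites were dropped; re-add them only if a TLS 1.2 client without
  # GCM/ChaCha20 support must be served. On httpd 2.4.36+ this directive does
  # not affect TLS 1.3 suites (those use "SSLCipherSuite TLSv1.3 ...").
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

  # The key file should be readable by root only; httpd loads it before
  # dropping privileges.
  SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
  SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
  # Deprecated since httpd 2.4.8: the intermediates may instead be appended
  # to the .crt file named in SSLCertificateFile above.
  SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle

  # HSTS: tell browsers to reach this host over HTTPS only, for one year.
  # Use a short max-age first until the plain-HTTP vhost is confirmed to
  # redirect everything here; requires mod_headers.
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
  </IfModule>

  # Legacy workaround for SSL bugs in old Internet Explorer releases;
  # harmless today and can be removed.
  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  # Logs the negotiated protocol and cipher per request; check this before
  # tightening the suite list further.
  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  # Per-repository SSL configuration maintained under the EPrints tree.
  Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf

  PerlTransHandler +EPrints::Apache::Rewrite

</VirtualHost>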