HTTPD secure

• https://testbit.eu/apache-sslciphersuite-without-poodle/ [zdroj]
• https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html [zdroj]

/etc/httpd/conf.d/example.com.conf

<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /data/www/example.com/www
  ServerAdmin admin@example.com
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  # Prefer PFS, allow TLS, avoid SSL, for IE8 on XP still allow 3DES
  SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
  SSLCompression Off  
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
  # Header always set X-Frame-Options SAMEORIGIN
  Header always set X-Frame-Options DENY
  SSLCertificateFile /etc/pki/tls/certs/example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
  SSLCACertificateFile /etc/pki/tls/certs/example.com.pem
  ErrorLog logs/example.com-error_log
  CustomLog logs/example.com-access_log common
  <Directory  "/data/www/example.com/www">
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

Mělo by být dosaženo známky bezpečnosti A+.

• https://www.ssllabs.com/ssltest/
• https://testssl.sh/