Friday, March 10, 2017

SSL Configuration for Apache


# Generate a new 2048-bit RSA private key and a certificate signing request (CSR).
# -nodes writes the private key without a passphrase, so keep domainname.key
# readable only by root.
openssl req -new \
    -newkey rsa:2048 -nodes \
    -keyout domainname.key \
    -out domainname.csr

Put the settings below in /etc/apache2/sites-enabled/default_ssl and change them as needed for your site.


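<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    # HTTPS virtual host; the enclosing IfModule means it only applies when
    # mod_ssl is loaded.
    ServerAdmin webmaster@localhost
    ServerName domain.com

    DocumentRoot /home/ubuntu/folder_name

    # AllowOverride All lets .htaccess files under the document root override
    # this configuration; narrow it if the site does not need that.
    <Directory /home/ubuntu/folder_name>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # ErrorLog and CustomLog point at the same file here, so error and access
    # entries are interleaved; use two files if they should be kept apart.
    ErrorLog /var/log/apache2/domainname.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/domainname.log combined

    SSLEngine on

    # Server certificate and its private key. The key file should be readable
    # by root only.
    SSLCertificateFile    /etc/ssl/certs/domainname.com.crt
    SSLCertificateKeyFile /etc/ssl/private/domainname.com.key
    # SSLCertificateChainFile takes a single file: keep only the line that
    # matches the CA that issued your certificate and remove the other.
    # From Apache 2.4.8 on this directive is deprecated; the intermediate
    # certificates can be appended to the SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/gs_intermediate_ca.crt
    SSLCertificateChainFile /etc/ssl/certs/domainname.com.ca-bundle

    # Export the standard SSL environment variables to scripts only, not to
    # every request.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    #   SSL Protocol Adjustments:
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive.
    # [17-9] is a character class (1, 7, 8, 9), so versions starting with 1
    # such as MSIE 10 match as well.
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    ## Protocol and cipher hardening
    # SSLv2 and SSLv3 are disabled. "All" still leaves TLS 1.0 and TLS 1.1
    # enabled; both are deprecated (RFC 8996), so add "-TLSv1 -TLSv1.1" here
    # if your clients allow it.
    SSLProtocol All -SSLv2 -SSLv3
    # Use the server's cipher preference order instead of the client's.
    SSLHonorCipherOrder on
    # Forward-secret (EECDH/EDH) suites first, weak algorithms excluded. Each
    # entry must be separated by ":"; the original list was missing the
    # separator between !DSS and !RC4.
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

</VirtualHost>
</IfModule>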
