802
edits
Changes
Apache 2.4.35 - OpenSSL 1.0.2g (view source)
Revision as of 11:05, 24 September 2019
, 11:05, 24 September 2019no edit summary
Below is an SSL Configuration for an Apache webserver (version 2.4.35) and OpenSSL (version 1.0.2g). This configuration was made with the [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator].
Below is an SSL Configuration for an Apache webserver (version 2.4.35) and OpenSSL (version 1.0.2g). This configuration was made with the [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator].
<pre>
# generated 2019-09-10, https://ssl-config.mozilla.org/#server=apache&server-version=2.4.35&config=intermediate&openssl-version=1.0.2g
# requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
# curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile /path/to/private_key
# enable HTTP/2, if available
Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
</pre>