Template:Securevhost.conf: Difference between revisions
Make sure honor cipger and disabled earlier versions of TLS and amend permitted cipher suites. |
Added turning off SSLCompression and SSLSessionTickets for better security |
||
| (One intermediate revision by the same user not shown) | |||
| Line 8: | Line 8: | ||
LogLevel warn | LogLevel warn | ||
SSLEngine on | |||
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |||
SSLHonorCipherOrder on | |||
SSLCompression off | |||
SSLSessionTickets off | |||
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 | |||
SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt | SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt | ||
Latest revision as of 15:33, 16 October 2025
<VirtualHost *:443>
ServerName YOUR-REPOSITORY-DOMAIN:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>