
Template:Securevhost.conf: Difference between revisions

From EPrints Documentation
Created page with " <VirtualHost *:443> ServerName your.dnshostname.org:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLPro..."
 
Added turning off SSLCompression and SSLSessionTickets for better security
 
(6 intermediate revisions by the same user not shown)
Line 2: Line 2:
  <VirtualHost *:443>
  <VirtualHost *:443>
   
   
   ServerName your.dnshostname.org:443
   ServerName YOUR-REPOSITORY-DOMAIN:443
   
   
   ErrorLog logs/ssl_error_log
   ErrorLog logs/ssl_error_log
Line 9: Line 9:
   
   
   SSLEngine on
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
   SSLHonorCipherOrder on
   SSLHonorCipherOrder on
   SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
  SSLCompression off
  SSLSessionTickets off
   SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
   
   
   SSLCertificateFile /opt/eprints3/archives/REPOID/ssl/your.dnshostname.org.crt
   SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
   SSLCertificateKeyFile /opt/eprints3/archives/REPOID/ssl/your.dnshostname.org.key
   SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
   SSLCertificateChainFile /opt/eprints3/archives/REPOID/ssl/your.dnshostname.org.ca-bundle
   SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle
   
   
   SetEnvIf User-Agent ".*MSIE.*" \
   SetEnvIf User-Agent ".*MSIE.*" \
Line 24: Line 26:
     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   
   
   Include /opt/eprints3/cfg/apache_ssl/REPOID.conf
   Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf
   
   
   PerlTransHandler +EPrints::Apache::Rewrite
   PerlTransHandler +EPrints::Apache::Rewrite
   
   
  </VirtualHost>
  </VirtualHost>
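Review bot: The added `SSLSessionTickets off` line raises the template's minimum Apache version without saying so: the directive exists only in httpd 2.4.11 and later, so an older server will refuse to load the virtual host instead of ignoring the line. A comment above the two new directives would make that explicit, e.g. `# Requires Apache httpd 2.4.11+ (SSLSessionTickets); compression and session tickets are disabled deliberately`. At that version floor the retained `SSLCertificateChainFile` line is already obsolete (since 2.4.8 the intermediates can go in the `SSLCertificateFile` bundle), so it is worth a follow-up edit. No `Strict-Transport-Security` header is set in this block; it may come from the included `REPOID.conf`, which is not visible here.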

Latest revision as of 15:33, 16 October 2025

# HTTPS virtual host template for an EPrints repository.
# Replace the placeholders YOUR-REPOSITORY-DOMAIN, EPRINTS_PATH and REPOID
# with the repository's host name, the EPrints install path and the archive id.
<VirtualHost *:443>

  ServerName YOUR-REPOSITORY-DOMAIN:443

  # Relative log paths are resolved against Apache's ServerRoot.
  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  SSLEngine on
  # Start from every protocol the TLS library offers, then remove SSLv2,
  # SSLv3, TLS 1.0 and TLS 1.1; what remains is TLS 1.2 and newer.
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  # The server's cipher order below wins over the client's preference.
  SSLHonorCipherOrder on
  # TLS-level compression stays off (it leaks plaintext length, cf. CRIME).
  SSLCompression off
  # No RFC 5077 session tickets; resumption then depends on the server-side
  # session cache. This directive needs Apache httpd 2.4.11 or later.
  SSLSessionTickets off
  # Only ECDHE key exchange with AEAD ciphers (AES-GCM, ChaCha20-Poly1305).
  # NOTE(review): this list governs TLS 1.2 suites; TLS 1.3 suites are
  # configured separately and presumably stay at the library defaults - confirm.
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

  # Server certificate, its private key and the intermediate CA bundle.
  # The .key file should be readable only by the account that starts Apache;
  # NOTE(review): check that the archive's ssl/ directory is not readable by
  # other local users or served by the repository itself.
  # NOTE(review): SSLCertificateChainFile is obsolete since httpd 2.4.8; the
  # intermediates can instead be appended to the SSLCertificateFile bundle.
  SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt
  SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key
  SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle

  # For any client whose User-Agent contains "MSIE": no keep-alive, no TLS
  # close_notify on shutdown, and HTTP/1.0 requests and responses.
  # NOTE(review): legacy Internet Explorer workaround; the clients it was
  # written for cannot negotiate TLS 1.2, so it is probably removable - confirm.
  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  # Per-request TLS log: time, client host, negotiated protocol and cipher,
  # request line and response size. Useful for spotting clients on weak suites.
  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  # Repository-specific settings from the EPrints cfg directory. Directives in
  # that file also apply to this virtual host, so review it alongside this one.
  Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf

  # Hands URL translation to EPrints' mod_perl handler (requires mod_perl).
  PerlTransHandler +EPrints::Apache::Rewrite

</VirtualHost>