SSL
For the SSL configuration of the various servers we recommend the
moz://a SSL Configuration Generator.
In addition, we offer the following notes:
- Global SSL settings should be placed in a dedicated file (e.g. /etc/apache2/conf-available/ssl.conf)
- Global security settings (including headers) should be set in a dedicated file (/etc/apache2/conf-available/security.conf)
- Domain-/host-specific settings belong in the respective site config
Examples:
# File: /etc/apache2/conf-available/security.conf
# add or activate the following
# activate with `a2enconf security`
# requires mod_headers (`a2enmod headers`)
# ServerTokens OS / ServerSignature On still reveal the Apache version and OS;
# use "ServerTokens Prod" and "ServerSignature Off" to suppress that disclosure
ServerTokens OS
ServerSignature On
TraceEnable Off
Header always set X-Content-Type-Options nosniff
# Set X-Frame-Options only once: "DENY" forbids framing entirely,
# "sameorigin" allows the site to frame its own pages. A second
# "Header always set" for the same header silently overrides the first.
Header always set X-Frame-Options DENY
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Referrer-Policy "strict-origin"
Header always set Content-Security-Policy "default-src 'self';"
# File: /etc/apache2/conf-available/ssl.conf
# activate with `a2enconf ssl`
# requires mod_ssl and mod_socache_shmcb (for the shmcb stapling cache)
<IfModule mod_ssl.c>
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLCompression off
    SSLUseStapling on
    # SSLStaplingCache must be set in the global context, not inside a VirtualHost
    SSLStaplingCache "shmcb:logs/stapling-cache(32768)"
</IfModule>
# File: /etc/apache2/sites-available/default-ssl-site.conf
# INCOMPLETE!
# enable with `a2ensite default-ssl-site`
# also see moz://a ssl configurator
# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite
<VirtualHost *:80>
    # redirect all plain-HTTP requests to HTTPS
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/signed_cert_and_intermediate_certs
    SSLCertificateKeyFile /path/to/private_key
    # enable HTTP/2, if available
    Protocols h2 http/1.1
</VirtualHost>
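The following script is an added example and not part of the original page or of any project's own tooling. It shows the enable step on a Debian/Ubuntu Apache layout (the a2enmod/a2enconf/a2ensite names used above are assumed) and a check that the response headers configured in security.conf are actually delivered, each exactly once. The header block it checks is either fetched with curl from a host name given as the first argument (a placeholder, not a real host) or, for the constructed sample in the usage note, piped in on stdin.

```shell
#!/bin/sh
# Added example (not from the original page): enable the three config files
# described above and verify the security headers a live server returns.
# Assumptions: Debian/Ubuntu Apache layout, the file names from the page,
# and a host name passed as $1 (placeholder).

# Headers that security.conf above sets with "Header always set".
REQUIRED_HEADERS="X-Content-Type-Options X-Frame-Options Strict-Transport-Security Referrer-Policy Content-Security-Policy"

# enable_config: load the required modules, enable the config files and
# the site, then validate the syntax before reloading. Run on the server.
enable_config() {
    a2enmod headers ssl socache_shmcb rewrite
    a2enconf security ssl
    a2ensite default-ssl-site
    apache2ctl configtest && systemctl reload apache2
}

# check_headers: read an HTTP response header block on stdin and return 0
# only if every required header is present exactly once (a duplicated
# X-Frame-Options, as in the original security.conf draft, is reported).
check_headers() {
    hdrs=$(cat)
    rc=0
    for h in $REQUIRED_HEADERS; do
        # grep -c exits 1 when nothing matches; "|| true" keeps the "0" count
        n=$(printf '%s\n' "$hdrs" | grep -ic "^$h:" || true)
        if [ "$n" -eq 0 ]; then
            echo "MISSING: $h" >&2
            rc=1
        elif [ "$n" -gt 1 ]; then
            echo "DUPLICATE ($n times): $h" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_host: fetch only the headers (HEAD request) from the real server
# and run the check on them. Requires network access to the host.
verify_host() {
    curl -sSI "https://$1/" | check_headers
}

if [ "$#" -gt 0 ]; then
    verify_host "$1"
fi
```

Without network access the check can be fed a captured header block: `printf 'HTTP/2 200\nx-frame-options: DENY\n' | sh -c '. ./check.sh; check_headers'` reports the four headers that are missing and exits non-zero. HTTP/2 lowercases header names, which is why the match is case-insensitive.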