[ADDED] Ability to enable certain security options

Reported by: RickoT
Created: 7 months 17 days ago
Last reply: 7 months 16 days ago

Thank you for the security tip.
Why not, we can do it as an option or enabled by default.


If you are interested, I fine tuned the changes I made to my config files to get an A+ on SSLabs site tester:

Domain level Apache.conf:

# Enforce HSTS (requires mod_headers)
   Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"

# Enable only TLSv1.2
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Use only high grade CipherSuites, disable low grade/vulnerable suites.

These changes disable TLSv1 and TLSv2, as well as configuring Apache to use only high-quality CipherSuites and leaving out suites that have vulnerabilities or are low-encryption.


# Enforce highest key exchange grade
   SSLOpenSSLConfCmd ECDHParameters Automatic
   SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1

I know you said you didn't want to manipulate the original Apache files, but I just wanted to provide this for you.

Update: for the last item (ssl.conf), those 2 lines can be added to the :443 VirtualHost with the same result; modifying the ssl.conf file is not necessary.
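As an added example (not part of this thread or the project), the following Python checker reads Apache directives like the ones posted above, evaluates the SSLProtocol expression the way mod_ssl's "all/-/+" syntax works, and flags weak protocol versions or a missing/short HSTS header. It assumes an Apache 2.4 build on OpenSSL 1.1.1+ (so "all" includes TLSv1.3) and uses a one-year HSTS threshold; the sample configs are constructed from the post.

```python
import re

# Protocols mod_ssl's "all" expands to (TLSv1.3 assumes an OpenSSL 1.1.1+ build).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 31536000  # one year, the minimum the HSTS preload list accepts

def enabled_protocols(sslprotocol_args):
    """Evaluate an SSLProtocol expression such as 'all -SSLv3 -TLSv1'."""
    enabled = set()
    for token in sslprotocol_args.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled

def audit_tls_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings, protocols, hsts = [], None, None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        name, _, args = line.partition(" ")
        if name == "SSLProtocol":
            protocols = enabled_protocols(args)
        elif name == "Header" and "Strict-Transport-Security" in args:
            hsts = args
    if protocols is None:
        findings.append("SSLProtocol not set; the server default applies")
    elif protocols & WEAK_PROTOCOLS:
        findings.append("weak protocols enabled: " + ", ".join(sorted(protocols & WEAK_PROTOCOLS)))
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age missing or below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    return findings

# Constructed samples: the hardened lines from the post and a permissive variant.
HARDENED = ('Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"\n'
            'SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n')
PERMISSIVE = ('SSLProtocol all -SSLv3\n'
              'Header always set Strict-Transport-Security "max-age=300"\n')
```

Note that the posted expression leaves TLSv1.2 and TLSv1.3 enabled on a TLS 1.3-capable build, which is stricter than the "TLSv1.2 only" comment suggests but still what SSL Labs rates well.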

