update ssl settings
author
Ian Kelling
<iank@fsf.org>
Tue, 7 Apr 2020 02:45:27 +0000
(22:45 -0400)
committer
Ian Kelling
<iank@fsf.org>
Tue, 7 Apr 2020 02:45:27 +0000
(22:45 -0400)
web-conf
diff --git
a/web-conf
b/web-conf
index fddb5375b45a53fe0301444234bf79ba764cd772..e682259a053bebbdc5fe3a59a8f14279a3b1a36b 100755
(executable)
--- a/
web-conf
+++ b/
web-conf
@@
-241,26
+241,19
@@
EOF
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLEngine on
# Intermediate configuration, tweak to your needs
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite ECDHE-ECDSA-
CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-SSLHonorCipherOrder o
n
-SSL
Compression
off
+SSLProtocol all -SSLv2 -SSLv3
-TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-
AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder o
ff
+SSL
SessionTickets
off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
-
-#CustomLog /var/log/apache2/access.log vhost_combined
-#LogLevel warn
-#ErrorLog /var/log/apache2/error.log
-
-# Always ensure Cookies have "Secure" set (JAH 2012/1)
-#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
EOF
EOF
- upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+ upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/
_internal/tls_configs/current-
options-ssl-apache.conf
if ! diff -u <(wget -q -O - $upstream) $common_ssl_conf; then
cat <<EOF
WARNING!!!!!!!!!
if ! diff -u <(wget -q -O - $upstream) $common_ssl_conf; then
cat <<EOF
WARNING!!!!!!!!!
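Review bot: The added `SSLSessionTickets off` directive is only recognised by Apache httpd 2.4.11 and later, and nothing visible in this hunk checks the server version before the block is written out, so an older httpd would presumably refuse to load the generated file. The `current-` prefix in the new upstream path suggests certbot keeps a separate variant for older servers, which this script does not appear to select. The same block drops `SSLCompression off`, so protection against compression attacks such as CRIME now rests on the httpd default, which is off in recent 2.4 releases. Because the file is diffed against upstream, I would record both assumptions in a shell comment placed above the heredoc rather than inside it, e.g. `# requires Apache >= 2.4.11 (SSLSessionTickets); relies on httpd's default of SSLCompression off`. The heredoc opens before this hunk and the `cat <<EOF` warning continues past it, so any existing version guard would be outside what is shown here.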