123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 |
- # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
- #
- # This is the Apache server configuration file providing SSL support.
- # It contains the configuration directives to instruct the server how to
- # serve pages over an https connection. For detailed information about these
- # directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
- #
- # Do NOT simply read the instructions in here without understanding
- # what they do. They're here only as hints or reminders. If you are unsure
- # consult the online docs. You have been warned.
- #
- # Required modules: mod_log_config, mod_setenvif, mod_ssl,
- # socache_shmcb_module (for default value of SSLSessionCache)
-
- #
- # Pseudo Random Number Generator (PRNG):
- # Configure one or more sources to seed the PRNG of the SSL library.
- # The seed data should be of good random quality.
- # WARNING! On some platforms /dev/random blocks if not enough entropy
- # is available. This means you then cannot use the /dev/random device
- # because it would lead to very long connection times (as long as
- # it requires to make more entropy available). But usually those
- # platforms additionally provide a /dev/urandom device which doesn't
- # block. So, if available, use this one instead. Read the mod_ssl User
- # Manual for more details.
- #
- #SSLRandomSeed startup file:/dev/random 512
- #SSLRandomSeed startup file:/dev/urandom 512
- #SSLRandomSeed connect file:/dev/random 512
- #SSLRandomSeed connect file:/dev/urandom 512
-
-
- #
- # When we also provide SSL we have to listen to the
- # standard HTTP port (see above) and to the HTTPS port
- #
- Listen 443
-
- ##
- ## SSL Global Context
- ##
- ## All SSL configuration in this context applies both to
- ## the main server and all SSL-enabled virtual hosts.
- ##
-
- # SSL Cipher Suite:
- # List the ciphers that the client is permitted to negotiate,
- # and that httpd will negotiate as the client of a proxied server.
- # See the OpenSSL documentation for a complete list of ciphers, and
- # ensure these follow appropriate best practices for this deployment.
- # httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
- # while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
- SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-
- # By the end of 2016, only TLSv1.2 ciphers should remain in use.
- # Older ciphers should be disallowed as soon as possible, while the
- # kRSA ciphers do not offer forward secrecy. These changes inhibit
- # older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
- # non-browser tooling) from successfully connecting.
- #
- # To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
- # those protocols which do not support forward secrecy, replace
- # the SSLCipherSuite and SSLProxyCipherSuite directives above with
- # the following two directives, as soon as practical.
- # SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
- # SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-
- # User agents such as web browsers are not configured for the user's
- # own preference of either security or performance, therefore this
- # must be the prerogative of the web server administrator who manages
- # cpu load versus confidentiality, so enforce the server's cipher order.
- SSLHonorCipherOrder off
-
- SSLSessionTickets off
-
- # SSL Protocol support:
- # List the protocol versions which clients are allowed to connect with.
- # Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
- # disabled as quickly as practical. By the end of 2016, only the TLSv1.2
- # protocol or later should remain in use.
- SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
- SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
-
- # Pass Phrase Dialog:
- # Configure the pass phrase gathering process.
- # The filtering dialog program (`builtin' is an internal
- # terminal dialog) has to provide the pass phrase on stdout.
- SSLPassPhraseDialog builtin
-
- # Inter-Process Session Cache:
- # Configure the SSL Session Cache: First the mechanism
- # to use and second the expiring timeout (in seconds).
- #SSLSessionCache "dbm:/usr/local/apache2/logs/ssl_scache"
- SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
- SSLSessionCacheTimeout 300
-
- # OCSP Stapling (requires OpenSSL 0.9.8h or later)
- #
- # This feature is disabled by default and requires at least
- # the two directives SSLUseStapling and SSLStaplingCache.
- # Refer to the documentation on OCSP Stapling in the SSL/TLS
- # How-To for more information.
- #
- # Enable stapling for all SSL-enabled servers:
- SSLUseStapling On
-
- # Define a relatively small cache for OCSP Stapling using
- # the same mechanism that is used for the SSL session cache
- # above. If stapling is used with more than a few certificates,
- # the size may need to be increased. (AH01929 will be logged.)
- SSLStaplingCache "shmcb:/usr/local/apache2/logs/ssl_stapling(32768)"
-
- # Seconds before valid OCSP responses are expired from the cache
- SSLStaplingStandardCacheTimeout 3600
-
- # Seconds before invalid OCSP responses are expired from the cache
- SSLStaplingErrorCacheTimeout 600
-
- Protocols h2 h2c http/1.1
-
- ##
- ## SSL Virtual Host Context
- ##
-
- ErrorLog /proc/self/fd/2
- TransferLog /proc/self/fd/1
- ServerAdmin EMAIL
-
- <VirtualHost *:443>
- ServerName admin.FQDN
- Alias /static/ /var/www/html/static/
- <Directory /var/www/html/static>
- Require all granted
- </Directory>
- ProxyPass /static/ !
- ProxyPass / http://backend:8000/
- ProxyPassReverse / http://backend:8000/
- SSLEngine on
- SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
- SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
- Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
- </VirtualHost>
-
- <VirtualHost *:443>
- ServerName api.FQDN
- Alias /static/ /var/www/html/static/
- <Directory /var/www/html/static>
- Require all granted
- </Directory>
- ProxyPass /static/ !
- ProxyPass / http://backend:8000/api/
- ProxyPassReverse / http://backend:8000/api/
- SSLEngine on
- SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
- SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
- Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
- </VirtualHost>
-
- <VirtualHost *:443>
- ServerName FQDN
- ServerAlias www.FQDN
-
- ProxyPass /api/ http://backend:8000/api/
- ProxyPassReverse /api/ http://backend:8000/api/
- ProxyPass / http://frontend/
- ProxyPassReverse / http://frontend/
- SSLEngine on
- SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
- SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
- Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
- </VirtualHost>