# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
# socache_shmcb_module (for default value of SSLSessionCache)
# NOTE(review): the Alias, ProxyPass and Header directives used in the
# virtual hosts further down also need mod_alias, mod_proxy, mod_proxy_http
# and mod_headers, and "Protocols h2" needs mod_http2 — none of those are
# loaded here, so they must come from the main httpd.conf.
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
# NOTE(review): "see above" is inherited from the stock httpd-ssl.conf; no
# "Listen 80" or HTTP->HTTPS redirect appears in this file, so either port 80
# is handled in the main config or it is simply not served. The HSTS headers
# set in the virtual hosts only protect clients that have already completed
# one HTTPS visit.
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate,
# and that httpd will negotiate as the client of a proxied server.
# See the OpenSSL documentation for a complete list of ciphers, and
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
# Every suite below is an AEAD suite (GCM or CHACHA20-POLY1305) keyed via
# ephemeral ECDHE/DHE, i.e. all of them provide forward secrecy; this is the
# Mozilla "intermediate" list from the generator URL at the top of the file.
# NOTE(review): with the OpenSSL 1.1.1 build named in that URL, TLSv1.3 is
# also negotiated, and its suites are not selected by this directive
# (httpd uses a separate "SSLCipherSuite TLSv1.3 ..." form for them).
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Same list for the outbound leg when httpd acts as a TLS client to a proxied
# origin. The ProxyPass targets below are plain http://, so it is currently
# unused but keeps the policy consistent if an https:// backend is added.
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# By the end of 2016, only TLSv1.2 ciphers should remain in use.
# Older ciphers should be disallowed as soon as possible, while the
# kRSA ciphers do not offer forward secrecy. These changes inhibit
# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
# non-browser tooling) from successfully connecting.
#
# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
# those protocols which do not support forward secrecy, replace
# the SSLCipherSuite and SSLProxyCipherSuite directives above with
# the following two directives, as soon as practical.
# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# (The two commented alternatives above are the stock httpd-ssl.conf
# suggestion; the explicit list already in force is stricter than either.)
#
# Server vs. client cipher preference. The stock httpd-ssl.conf text here
# argues for enforcing the server's order; the Mozilla "intermediate" profile
# this file was generated from deliberately turns that OFF instead: since
# every suite in SSLCipherSuite is a forward-secret AEAD suite, letting the
# client pick (e.g. CHACHA20 on hardware without AES acceleration) gives up
# nothing in security. Do not flip this to "on" without also revisiting the
# cipher list order.
SSLHonorCipherOrder off
# Session tickets are disabled by the Mozilla profile. NOTE(review): the
# usual rationale is that httpd does not rotate the ticket-encryption key by
# itself, so a long-lived key would let a later compromise decrypt resumed
# sessions and undo the forward secrecy bought above — confirm against the
# profile notes before re-enabling.
SSLSessionTickets off
# SSL Protocol support:
# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
# Net effect: TLSv1.2 (and TLSv1.3 where the OpenSSL build supports it).
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
# NOTE(review): logs go to /proc/self/fd/* below, which suggests a
# container with no interactive terminal; an encrypted KEY_PATH would then
# make startup hang or fail at the prompt, so the key is presumably
# stored unencrypted and must be protected by file permissions instead.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache "dbm:/usr/local/apache2/logs/ssl_scache"
# Server-side resumption is kept (shared-memory cache, 5 minute lifetime);
# unlike tickets, the secrets never leave the server and expire quickly.
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# OCSP Stapling (requires OpenSSL 0.9.8h or later)
#
# This feature is disabled by default and requires at least
# the two directives SSLUseStapling and SSLStaplingCache.
# Refer to the documentation on OCSP Stapling in the SSL/TLS
# How-To for more information.
#
# Enable stapling for all SSL-enabled servers:
# NOTE(review): stapling needs outbound access from httpd to the CA's OCSP
# responder and a certificate that carries an OCSP URL in its AIA extension;
# a self-signed or internal CRT_PATH certificate will log stapling errors on
# every handshake. If responder outages must not surface to clients, look at
# SSLStaplingReturnResponderErrors.
SSLUseStapling On
# Define a relatively small cache for OCSP Stapling using
# the same mechanism that is used for the SSL session cache
# above. If stapling is used with more than a few certificates,
# the size may need to be increased. (AH01929 will be logged.)
SSLStaplingCache "shmcb:/usr/local/apache2/logs/ssl_stapling(32768)"
# Seconds before valid OCSP responses are expired from the cache
SSLStaplingStandardCacheTimeout 3600
# Seconds before invalid OCSP responses are expired from the cache
SSLStaplingErrorCacheTimeout 600
# HTTP/2 advertised via ALPN on the TLS hosts below. "h2c" (cleartext
# HTTP/2) only matters for non-TLS listeners, of which this file defines
# none, so it is inert here; leaving it out would make the intent clearer.
Protocols h2 h2c http/1.1
##
## SSL Virtual Host Context
##
# Logs are written to the process's own stderr/stdout (container-style).
# These directives sit outside any <VirtualHost>, so they are the
# main-server defaults that every host below inherits.
ErrorLog /proc/self/fd/2
# No LogFormat is defined in this file; the format used depends on what the
# main config declares (NOTE(review): confirm that the chosen format records
# the Host header, otherwise traffic for the three hosts is indistinguishable).
TransferLog /proc/self/fd/1
# EMAIL is a deploy-time placeholder, like FQDN, CRT_PATH and KEY_PATH below.
ServerAdmin EMAIL
# Admin host: static assets from disk, everything else proxied to the backend.
# NOTE(review): this is the first *:443 host in the file, so unless an earlier
# catch-all host exists in the main config it is also the default for any
# connection whose SNI/Host name matches none of the ServerName values —
# an unrecognised hostname would be served by the admin backend. A dedicated
# default host that returns an error is the usual way to avoid that.
<VirtualHost *:443>
# FQDN is a template token substituted at deploy time.
ServerName admin.FQDN
# Static files are served by mod_alias straight from disk. The matching
# "ProxyPass /static/ !" further down must precede the catch-all
# "ProxyPass /" because mod_proxy applies ProxyPass rules in configuration
# order, first match wins.
Alias /static/ /var/www/html/static/
<Directory /var/www/html/static>
# Only access is granted here. NOTE(review): whether a directory listing is
# returned for /static/ itself depends on the Options inherited from the
# main config; add "Options -Indexes" here unless it is already off globally.
Require all granted
</Directory>
ProxyPass /static/ !
# Reverse proxy to the backend service over plain HTTP on the internal
# network. NOTE(review): nothing in this host tells the backend that the
# client connection was HTTPS (no "RequestHeader set X-Forwarded-Proto" and
# no ProxyPreserveHost). If the backend derives redirect URLs, "secure"
# cookie flags or CSRF origin checks from the request, confirm it is
# configured to trust this proxy's forwarded headers, or add them here.
ProxyPass / http://backend:8000/
# Rewrites Location/Content-Location/URI headers in backend responses only;
# bodies and Set-Cookie paths/domains are not touched.
ProxyPassReverse / http://backend:8000/
SSLEngine on
# CRT_PATH / KEY_PATH are deploy-time placeholders; a literal value leaves
# the files missing and mod_ssl refuses to start. The same pair is reused by
# all three hosts, so the certificate must cover every ServerName/ServerAlias
# in this file (admin.FQDN, api.FQDN, FQDN, www.FQDN) via SANs.
SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
# HSTS, two years, applied to subdomains; "always" is meant to attach the
# header to error responses too. The "preload" token signals eligibility for
# browser preload lists, which is effectively irreversible once submitted and
# requires every subdomain of this name to serve valid HTTPS — keep it only if
# that is the intent.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
# API host: same layout as the admin host, but the backend is mounted at its
# /api/ prefix, i.e. https://api.FQDN/foo -> http://backend:8000/api/foo.
<VirtualHost *:443>
# FQDN is a template token substituted at deploy time.
ServerName api.FQDN
# NOTE(review): the static directory is exposed on the API host as well; if
# the API does not serve HTML this Alias/Directory pair (and the matching
# ProxyPass exclusion) can probably be dropped to shrink the surface.
Alias /static/ /var/www/html/static/
<Directory /var/www/html/static>
# Only access is granted; directory listing behaviour depends on inherited
# Options (add "Options -Indexes" unless already disabled globally).
Require all granted
</Directory>
# Must precede the catch-all ProxyPass below (rules match in config order).
ProxyPass /static/ !
# Plain-HTTP reverse proxy with a path prefix. NOTE(review): as in the admin
# host, no X-Forwarded-Proto / ProxyPreserveHost is set, so the backend
# cannot tell this was HTTPS unless it is told to trust the proxy otherwise.
ProxyPass / http://backend:8000/api/
# Strips the /api/ prefix back out of Location-style response headers.
# Cookies that the backend scopes to Path=/api/ are not rewritten by this
# directive (see ProxyPassReverseCookiePath if that becomes a problem).
ProxyPassReverse / http://backend:8000/api/
SSLEngine on
# Same placeholder certificate/key as the other hosts; it must include
# api.FQDN as a SAN.
SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
# HSTS, two years, includeSubDomains + preload (see the admin host for the
# implications of "preload").
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
# Public host: /api/ is routed to the backend, everything else to the
# frontend service. No static Alias here — the frontend serves its own assets.
<VirtualHost *:443>
# FQDN is a template token substituted at deploy time.
ServerName FQDN
ServerAlias www.FQDN
# The /api/ rule must come before the "/" rule: ProxyPass entries are tried
# in configuration order and the first match wins, so reversing them would
# send API traffic to the frontend.
ProxyPass /api/ http://backend:8000/api/
ProxyPassReverse /api/ http://backend:8000/api/
# Catch-all to the frontend over plain HTTP on the internal network.
# NOTE(review): as with the other hosts, no X-Forwarded-Proto /
# ProxyPreserveHost is forwarded; confirm the frontend and backend do not
# need to know the original scheme or Host.
ProxyPass / http://frontend/
ProxyPassReverse / http://frontend/
SSLEngine on
# Same placeholder certificate/key as the other hosts; it must cover both
# FQDN and www.FQDN.
SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
# HSTS, two years, includeSubDomains + preload. On the apex name this pins
# every subdomain (admin., api., www. and any others) to HTTPS, so all of
# them must stay reachable over TLS for the whole max-age.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
  150. </VirtualHost>