Skip to content

Instantly share code, notes, and snippets.

@genio
Last active July 3, 2018 17:27
Show Gist options
  • Save genio/ba1b60b4f74f72896d2c to your computer and use it in GitHub Desktop.
Save genio/ba1b60b4f74f72896d2c to your computer and use it in GitHub Desktop.
apache conf
Listen 443
RewriteEngine on
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# SSLMutex "file:/var/run/ssl_mutex"
# TLSv1.2 only!
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLHonorCipherOrder on
# SSLOpenSSLConfCmd DHParameters "/etc/pki/tls/certs/dhparams.pem"
# Disable TLS Compression
SSLCompression off
# Necessary for Perfect Forward Secrecy (PFS)
SSLSessionTickets off
TraceEnable Off
SSLStrictSNIVHostCheck off
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
RewriteEngine on
# force ssl
RewriteRule ^(/.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com
ServerAlias example.com
RewriteEngine on
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/example_com_dh.crt
SSLCertificateKeyFile /etc/pki/tls/private/example_com.key
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Do not do public key pinning anymore!
# Header always set Public-Key-Pins "pin-sha256=\"<Your Fingerprint here!!>\"; max-age=5184000"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
DocumentRoot "/var/www/html"
<Directory /var/www/html>
...
</Directory>
</VirtualHost>
@genio
Copy link
Author

genio commented Jun 12, 2015

To get your dhparams.pem file, you run one command

openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 2048

You then create a NEW certificate.

# cp /etc/pki/tls/certs/example_com.crt /etc/pki/tls/certs/example_com_dh.crt
# cat /etc/pki/tls/certs/dhparams.pem >> /etc/pki/tls/certs/example_com_dh.crt

Your DH Params key is now catted onto the end of your regular cert for Apache purposes

@genio
Copy link
Author

genio commented Jun 12, 2015

To get your Public Key Pin base-64 encoded fingerprint, use the command below and replace the Public-Key-Pins header info with the output from this command.

openssl rsa -in /etc/pki/tls/private/example_com_no_pass.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment