Last active
July 3, 2018 17:27
apache conf
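Listen 443
RewriteEngine on
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# SSLMutex "file:/var/run/ssl_mutex"
# Protocol allow-list: everything except SSLv2, SSLv3, TLSv1 and TLSv1.1.
# On an OpenSSL build that supports it this also admits TLSv1.3, so the
# effective result is "TLS 1.2 and newer", not strictly TLS 1.2 only.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# ECDHE/DHE-only suites (forward secrecy), AEAD suites (GCM / CHACHA20-POLY1305)
# listed first, CBC suites (-SHA, -SHA256, -SHA384) kept at the tail for older
# clients. Review the tail against current guidance and drop entries once the
# clients that need them are gone.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
# Server-side preference: the ordering above wins over the client's list.
SSLHonorCipherOrder on
# Custom DH parameters for the DHE-* suites (see the note on dhparams.pem below).
# SSLOpenSSLConfCmd DHParameters "/etc/pki/tls/certs/dhparams.pem"
# Disable TLS compression (compression-oracle attacks such as CRIME).
SSLCompression off
# Session tickets are protected by a long-lived server-side key; a later
# compromise of that key would expose recorded sessions, undermining forward
# secrecy. Keeping tickets off avoids that unless ticket keys are rotated.
SSLSessionTickets off
# No TRACE responses (they echo request headers back to the client).
TraceEnable Off
SSLStrictSNIVHostCheck off

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    RewriteEngine on
    # Force HTTPS. The redirect target uses the canonical host name instead of
    # %{HTTP_HOST}: when this vhost is the default one, reflecting the Host
    # header would redirect a request carrying an arbitrary Host to that host.
    RewriteRule ^(/.*)$ https://www.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    RewriteEngine on
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example_com_dh.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example_com.key
    # NOTE(review): SSLCACertificateFile is the trust store used to verify
    # *client* certificates. If DigiCertCA.crt is meant to be the intermediate
    # chain sent to browsers, it belongs in SSLCertificateChainFile (or appended
    # to SSLCertificateFile); confirm the served chain with `openssl s_client`.
    SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt
    # Legacy workaround for old Internet Explorer's broken TLS close-notify
    # handling; the regex matches any User-Agent containing "MSIE".
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # HPKP is deprecated and no longer honoured by major browsers, and a wrong
    # pin locks users out for max-age. Keep it disabled.
    # Header always set Public-Key-Pins "pin-sha256=\"<Your Fingerprint here!!>\"; max-age=5184000"
    # HSTS: 2-year max-age, applies to subdomains, opts in to browser preload
    # lists. Only set here (browsers ignore HSTS received over plain HTTP).
    # "preload" is effectively permanent: every subdomain must serve HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    DocumentRoot "/var/www/html"
    <Directory /var/www/html>
        ...
    </Directory>
</VirtualHost>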
To get the base64-encoded fingerprint for a Public-Key-Pins header, run the command below and put its output into the Public-Key-Pins header value.
openssl rsa -in /etc/pki/tls/private/example_com_no_pass.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
To get your dhparams.pem file, you run one command
You then create a NEW certificate.
The DH parameters are then appended (catted) onto the end of your regular certificate file, which is the file Apache reads.