apache cheat sheet
==========================================================================================================
#apache 2.4.10 on windows server 2012 data center.
#\apache\conf\extra\httpd-ssl
#The -ALL option disables all SSL/TLS protocols initially.
#The +TLSv1.2 and +TLSv1.3 options then selectively enable the TLS 1.2 and TLS 1.3 protocols.
#Note: mod_ssl accepts the TLSv1.3 keyword only when it is built against OpenSSL 1.1.1 or later.
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
#This form lists TLS 1.2 and TLS 1.3 without + or - prefixes.
#SSLProtocol does not express a preference: versions the line does not enable are disabled.
#A name without a prefix replaces what the line has set so far instead of adding to it,
#so this line ends up with TLS 1.3 only. Prefer the explicit +/- forms.
SSLProtocol TLSv1.2 TLSv1.3
#To disable TLS 1.0 and TLS 1.1, modify the SSLProtocol directive.
#You can either use the - syntax to exclude specific versions or use the + syntax to explicitly include versions.
SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
#restart the Apache service (cmd)
net stop httpd & net start httpd
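An added example, not part of the original cheat sheet and not mod_ssl's own code: a small Python model of how an SSLProtocol line is evaluated token by token, run over the three lines above plus one constructed legacy line. The function name, the KNOWN and WEAK lists, and the treatment of "all" as every version in KNOWN are assumptions made for the example.

```python
# Added example: a model of mod_ssl's token-by-token SSLProtocol evaluation.
# Assumed rules: start from an empty set, "+X" adds, "-X" removes, and a bare
# "X" replaces the set built so far. "all" is taken as every entry in KNOWN.
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}


def effective_protocols(directive):
    """Return (enabled protocols in version order, findings) for one line."""
    keyword, *tokens = directive.split()
    if keyword.lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: " + directive)
    by_name = {name.lower(): name for name in KNOWN}
    enabled, findings = set(), []
    for token in tokens:
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            chosen = set(KNOWN)
        elif name in by_name:
            chosen = {by_name[name]}
        else:
            raise ValueError("unknown protocol: " + token)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            # A bare name overrides everything set earlier on the line.
            if enabled:
                findings.append(f"bare '{token}' replaces {sorted(enabled)}")
            enabled = chosen
    for name in sorted(enabled & WEAK):
        findings.append(f"{name} is enabled")
    return sorted(enabled, key=KNOWN.index), findings


if __name__ == "__main__":
    # The three lines from the cheat sheet, plus a constructed legacy line.
    for line in ("SSLProtocol -ALL +TLSv1.2 +TLSv1.3",
                 "SSLProtocol TLSv1.2 TLSv1.3",
                 "SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3",
                 "SSLProtocol all -SSLv3"):
        print(line, "->", *effective_protocols(line))
```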
==========================================================================================================
#apache 2.4.10 on windows server 2012 data center.
#\apache\conf\extra\httpd-ssl
# fix RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
==========================================================================================================
#apache 2.4.10 on windows server 2012 data center.
#\apache\conf\extra\httpd-ssl
#LOGJAM (CVE-2015-4000), experimental VULNERABLE (NOT ok): common prime: RFC2409/Oakley Group 2 (1024 bits)
Custom DH parameters and an EC curve name for ephemeral keys, can also be added to end of the first file configured using SSLCertificateFile. | |
This is supported in version 2.4.7 or later. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. | |
The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, | |
as they are applied independently of the authentication algorithm type. | |
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html | |
\apache\bin>openssl dhparam -out \tmp\dhparams.pem 2048 | |
WARNING: can't open config file: c:/openssl-1.0.1i-win32/ssl/openssl.cnf | |
Loading 'screen' into random state - done | |
Generating DH parameters, 2048 bit long safe prime, generator 2 | |
This is going to take a long time | |
open dhparams.pem with notepad and copy its contents
open this file with notepad and add them to the end of it
\apache\conf\ssl.crt
restart apache
services.msc
==========================================================================================================