Apache2: SSL / HTTPS Settings

17 December 2016 / apache2

Info: This post is older than 2 years! Displayed information may be outdated!

Set up SSL settings that are as robust as possible in an Apache vhost.

You can quickly check your own SSL setup online at Qualys SSL Labs. A+ is the best score.

Non-SSL Vhost

# redirect http to https
<IfModule mod_rewrite.c>
      RewriteEngine On

      RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</IfModule>

SSL Vhost

# redirect non-www to www
<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# add this at the end of your ssl-config, before the closing </VirtualHost>
    # "All" minus SSLv2/SSLv3 leaves TLS 1.0 and later enabled
    SSLProtocol All -SSLv2 -SSLv3
    # prefer the server's cipher order over the client's
    SSLHonorCipherOrder On
    SSLCompression off
    # HSTS for 15768000 seconds (half a year); Header requires mod_headers
    Header add Strict-Transport-Security "max-age=15768000"

    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
</VirtualHost>

Source: Applied Crypto Hardening (PDF) at bettercrypto.org
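
The following added example (not from the original post or from bettercrypto.org) expands the SSLCipherSuite string above with the local OpenSSL through Python's ssl module, checks that none of the families excluded with "!" appear, and marks the suites without forward secrecy. The result depends on the OpenSSL build Python is linked against, which may differ from the one Apache uses; the function names are chosen for this example.

```python
import ssl

# SSLCipherSuite value copied from the vhost configuration above.
CIPHER_STRING = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:"
    "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Name fragments of suites the string removes with "!". OpenSSL names 3DES
# suites DES-CBC3-*, so that fragment stands in for "!3DES".
EXCLUDED = ("NULL", "RC4", "DES-CBC3", "MD5", "EXP", "PSK", "DSS", "SEED", "ECDSA")


def expand(cipher_string):
    """Return (name, protocol) for each suite the local OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately in OpenSSL, so set_ciphers()
    # does not remove them and they show up in the list as well.
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def has_forward_secrecy(name):
    """TLS 1.3 (TLS_*) and (EC)DHE suites are forward secret; plain RSA key exchange is not."""
    return name.startswith(("TLS_", "ECDHE-", "DHE-"))


def audit(cipher_string):
    """Expand the string and report leaked exclusions and non-forward-secret fallbacks."""
    suites = expand(cipher_string)
    names = [name for name, _ in suites]
    return {
        "suites": suites,
        "excluded_present": [n for n in names if any(x in n for x in EXCLUDED)],
        "no_forward_secrecy": [n for n in names if not has_forward_secrecy(n)],
    }


if __name__ == "__main__":
    report = audit(CIPHER_STRING)
    for name, protocol in report["suites"]:
        flag = "" if has_forward_secrecy(name) else "  <- no forward secrecy"
        print(f"{protocol:8} {name}{flag}")
    print("excluded suites still present:", report["excluded_present"] or "none")
```

The suites flagged as lacking forward secrecy come from the four explicit names at the end of the string, which act as a fallback for clients that support neither DHE nor ECDHE.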