#
# This is an example of a medium security, highly compatible TLSv1
# enabled HTTPS server. The server prefers modes that provide perfect forward
# secrecy but does not require it. Anonymous cipher modes are disabled. This
# configuration also includes the HSTS header to ensure that users do not
# accidentally connect to an insecure HTTP service after their first visit. The
# HSTS header is set to expire after six earth months.
#
# Supported Server Cipher(s):
# Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
# Accepted TLSv1 256 bits AES256-SHA
# Accepted TLSv1 256 bits CAMELLIA256-SHA
# Accepted TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
# Accepted TLSv1 168 bits DES-CBC3-SHA
# Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
# Accepted TLSv1 128 bits AES128-SHA
# Accepted TLSv1 128 bits CAMELLIA128-SHA
#
# Preferred Server Cipher(s):
# TLSv1 256 bits ECDHE-RSA-AES256-SHA
#
# This configuration requires mod_headers and mod_ssl, binds to TCP port 443,
# only logs errors, and disables the server signature.
#
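# NameVirtualHost is only needed on Apache 2.2. Apache 2.4 ignores it and logs
# a deprecation warning, so the line can be dropped there.
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
    ServerAdmin webmaster@example.com
    ServerName www.example.com
    ServerAlias wiki.example.com example.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www.example.com.crt
    # Keep the private key readable by root only; anyone who can read it can
    # impersonate this host.
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key

    # "All -SSLv2 -SSLv3" removes the SSL protocols but leaves TLSv1.0 and
    # TLSv1.1 enabled wherever the linked OpenSSL still offers them. That is the
    # compatibility trade-off this example makes. If no legacy clients need to
    # connect, use the stricter line below instead.
    SSLProtocol All -SSLv2 -SSLv3
    # SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # ECDHE suites come first so forward secrecy is preferred; HIGH then admits
    # the remaining strong suites as a non-forward-secret fallback. !aNULL drops
    # anonymous suites, !EDH drops finite-field DHE, !RC4 and !MD5 drop those
    # primitives. On older OpenSSL builds HIGH still includes 3DES (see
    # DES-CBC3-SHA in the accepted-cipher list in the file header); append
    # ":!3DES" if no client depends on it.
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
    # Use the server's preference order above rather than the client's.
    SSLHonorCipherOrder on
    # TLS-level compression leaks plaintext length (CRIME); keep it off.
    SSLCompression off

    # Add six earth month HSTS header for all users...
    # "always" also emits the header on error responses, and "set" replaces any
    # existing value instead of appending a duplicate header as "add" would.
    # Browsers ignore HSTS received over plain HTTP, so the port 80 virtual host
    # should do nothing but redirect to https://.
    Header always set Strict-Transport-Security "max-age=15768000"
    # If you want to protect all subdomains, use the following header instead.
    # Enable it only once every subdomain serves valid HTTPS; otherwise those
    # hosts become unreachable for returning visitors until max-age expires.
    # Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

    DocumentRoot /var/www/https-root/

    # No CustomLog is configured, so this virtual host writes an error log only.
    ErrorLog /var/log/apache2/https-error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    # Removes the version footer from server-generated pages. The Server
    # response header is controlled separately by ServerTokens in the main
    # server configuration.
    ServerSignature Off
</VirtualHost>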