lamp: enhance SSL security (chacha cypher), and OCSP stapling

nextcloud · Feb 18, 2018 · 8546ea6 · 8546ea6
1 parent f8381f4
commit 8546ea6
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/lamp.sh b/lamp.sh
@@ -53,16 +53,26 @@ install()
   cat >/etc/apache2/conf-available/http2.conf <<EOF
 Protocols h2 h2c http/1.1
 
+# HTTP2 configuration
 H2Push          on
 H2PushPriority  *                       after
 H2PushPriority  text/css                before
 H2PushPriority  image/jpeg              after   32
 H2PushPriority  image/png               after   32
 H2PushPriority  application/javascript  interleaved
 
+# SSL/TLS Configuration
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
-SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
+SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLCompression          off
+SSLSessionTickets       on
+
+# OCSP Stapling
+SSLUseStapling          on
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache        shmcb:/var/run/ocsp(128000)
 EOF
 
     cat >> /etc/apache2/apache2.conf <<EOF