
User:Grin/Secure https servers

From Wikitech

Running a secure HTTPS / TLS server is not an obvious task nowadays, since there have been several attacks on the security frameworks used in web server software and TLS implementations. This page tries to offer simple, easy-to-use config fragments for several web servers. The fragments should raise a Qualysⓡ SSL Labs test result from low quality to A or A+, depending on the quality of the TLS certificate.

general info

These configs are mostly based on the excellent and well-maintained page by Hynek Schlawack: Hardening Your Web Server’s SSL Ciphers, and the nicely done but somewhat outdated Raymee: Strong SSL Security on Apache2.

For a more in-depth guideline see the excellent SSL-and-TLS-Deployment-Best-Practices from Qualys.

There are numerous config examples on the web, such as:

Some settings cannot be generalised; you are advised to personalise these before applying them:

server software config

apache

Snippet security.conf:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# older apache may not support EECDH, or EDH, try:
#SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder On
SSLSessionTickets Off
# a2enmod headers
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
# apache >= 2.4
SSLCompression off
# for older apache, in vhosts
# <Location /> SetEnv no-gzip </Location>
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# (see also https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)
# apache >= 2.4.8
# $ openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
# SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Use as:

<VirtualHost 10.11.12.13:443>
 ...
 SSLEngine on
 SSLCertificateFile ...
 SSLCertificateKeyFile ...
 Include .../security.conf
 ...
</VirtualHost>
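To see what the cipher strings in the Apache snippet above actually expand to on your OpenSSL build, and to confirm that the `!aNULL:!MD5:!DSS` exclusions and the forward-secrecy-first ordering really hold, here is an added Python check. It is not code from the original page; it uses only the standard-library ssl module, covers both the primary string and the fallback suggested for older Apache builds, and the names `expand_ciphers` and `audit` are chosen for this example.

```python
import ssl

# Cipher strings copied from the Apache snippet above: the primary one and the
# fallback for older Apache builds that lack the EECDH/EDH keywords.
APACHE_CIPHERS = ("EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:"
                  "EECDH+AES128:EDH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")
OLD_APACHE_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:"
                      "ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")


def expand_ciphers(cipher_string):
    """Return the TLS <= 1.2 suite names the local OpenSSL resolves the string to,
    in server preference order (the order SSLHonorCipherOrder enforces).
    OpenSSL >= 1.1.1 lists its TLS 1.3 suites regardless of this string,
    so they are filtered out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Check the expansion for what the '!' exclusions and the ordering promise:
    no anonymous key exchange, no MD5 MAC, no DSS auth, forward secrecy first."""
    try:
        suites = expand_ciphers(cipher_string)
    except ssl.SSLError:
        return {"count": 0, "first": None, "forward_secrecy_first": False,
                "problems": ["cipher string matches no cipher suite"]}
    problems = []
    for name in suites:
        # OpenSSL names anonymous suites ADH-*/AECDH-*; MD5 and DSS suites
        # carry those tokens in their names.
        if name.startswith(("ADH-", "AECDH-")):
            problems.append(f"{name}: anonymous key exchange (no server auth)")
        if "MD5" in name:
            problems.append(f"{name}: MD5 MAC")
        if "DSS" in name:
            problems.append(f"{name}: DSS authentication")
    first = suites[0] if suites else None
    return {
        "count": len(suites),
        "first": first,
        # ECDHE-*/DHE-* suites give forward secrecy; static-RSA suites (AES*-...) do not
        "forward_secrecy_first": bool(first) and first.startswith(("ECDHE-", "DHE-")),
        "problems": problems,
    }


if __name__ == "__main__":
    for label, s in (("apache", APACHE_CIPHERS), ("older apache", OLD_APACHE_CIPHERS)):
        r = audit(s)
        print(f"{label}: {r['count']} suites, first {r['first']}, "
              f"forward secrecy first: {r['forward_secrecy_first']}, "
              f"problems: {r['problems']}")
```

Run it on the machine that will serve the site: the expansion depends on the OpenSSL that Apache is linked against, so a string that looks fine elsewhere may resolve differently (or to nothing) there.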

lighttpd

ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!MD5:!DSS"
ssl.use-compression = "disable"
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options" => "SAMEORIGIN",
    "X-Content-Type-Options" => "nosniff"
)
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
ssl.ec-curve = "secp384r1"

nginx

Snippet security.conf:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!MD5:!DSS;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 # takes a looong time
ssl_dhparam /etc/ssl/certs/dhparam.pem;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";

ssl_stapling on;
ssl_stapling_verify on;
#resolver <put_your_dns1_ip_here> <put_your_dns2_ip_here> valid=300s;
resolver_timeout 5s;

Usage:

server {
 listen www.example.org:443 ssl;
 ...
 gzip off;
 ssl_certificate ... ;
 ssl_certificate_key ...;
 include .../security.conf;
 location / {
 ...
 }
}
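Before handing the result to SSL Labs it helps to check the snippet itself for the properties it is meant to have. The following is an added Python linter, not part of the original page: a minimal parser for the `directive args;` lines used above, the page's nginx fragment copied inline as its constructed input, a parser for the Strict-Transport-Security value (RFC 6797 directive names are case-insensitive, so the snippet's `includeSubdomains` spelling is fine), and checks for the points the fragments make (no SSLv2/SSLv3, server cipher order honoured, a dhparam file, OCSP stapling, an HSTS max-age of at least the one year the preload list requires). `parse_nginx`, `parse_hsts` and `lint` are names chosen for this example.

```python
import re

# The page's nginx snippet, copied inline as constructed input for the linter.
NGINX_SNIPPET = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!MD5:!DSS;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 # takes a looong time
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
ssl_stapling on;
ssl_stapling_verify on;
#resolver <put_your_dns1_ip_here> <put_your_dns2_ip_here> valid=300s;
resolver_timeout 5s;
"""

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_nginx(text):
    """Map each directive name to the list of its argument lists (a directive such
    as add_header may repeat). Handles only the simple 'name args;' lines used in
    the snippet: '#' starts a comment, double quotes group one argument."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        tokens = re.findall(r'"([^"]*)"|(\S+)', line[:-1])
        args = [quoted or bare for quoted, bare in tokens]
        directives.setdefault(args[0], []).append(args[1:])
    return directives


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (directive names are
    case-insensitive per RFC 6797)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def lint(text):
    """Return a list of findings; an empty list means the snippet has every
    property the page's fragments aim at."""
    d = parse_nginx(text)
    findings = []
    protos = d.get("ssl_protocols", [[]])[0]
    for weak in ("SSLv2", "SSLv3"):
        if weak in protos:
            findings.append(f"ssl_protocols enables {weak}")
    if "TLSv1.2" not in protos:
        findings.append("ssl_protocols does not enable TLSv1.2")
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if "ssl_dhparam" not in d:
        findings.append("no ssl_dhparam file (generate one with openssl dhparam)")
    if d.get("ssl_stapling", [["off"]])[0] != ["on"]:
        findings.append("ssl_stapling is not on")
    headers = {a[0].lower(): a[1] for a in d.get("add_header", []) if len(a) >= 2}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        h = parse_hsts(hsts)
        if h["max_age"] is None or h["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
        if h["preload"] and not h["include_subdomains"]:
            findings.append("HSTS preload requires includeSubDomains")
    if "nosniff" not in headers.get("x-content-type-options", "").lower():
        findings.append("no X-Content-Type-Options: nosniff header")
    return findings


if __name__ == "__main__":
    for finding in lint(NGINX_SNIPPET) or ["OK: no findings"]:
        print(finding)
```

The linter only reads the snippet; it says nothing about the certificate, the key size or the live handshake, which is what the SSL Labs test adds on top. Note that the parser is deliberately small and does not handle nested blocks or `#` inside quoted values.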