Last active
December 20, 2015 14:08
-
-
Save azet/6143635 to your computer and use it in GitHub Desktop.
Perfect Forward Secrecy/TLS Setup with Apache 2.4 / OpenSSL 1.0.1e on Debian Wheezy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### _/IMPORTANT NOTE_/ | |
| ### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| ### i really prefer ruby, python, C, sh, pgsql or whatever. but this was done for a DIY project, so | |
| ### please do not flame on the mariadb and php5 installation, thats not whats important here anyways. | |
| ### | |
| ### if i forgot someting, please drop me a line instantly via: Mail: azet@azet.org (GPG prefered) or | |
| ### via XMPP (OTR prefered): azet@jabber.ccc.de - see also: www.azet.org / https://twitter.com/a_z_e_t | |
| ### | |
| ### as always, of course: this is public domain knowledge. no warranties. | |
| ### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| > uname -a ; lsb_release -a | |
| Linux bakunin 3.3.8-gcg-201305291443 #1 SMP Wed May 29 14:49:59 PDT 2013 x86_64 GNU/Linux | |
| No LSB modules are available. | |
| Distributor ID: Debian | |
| Description: Debian GNU/Linux 7.1 (wheezy) | |
| Release: 7.1 | |
| Codename: wheezy | |
| > sudo su | |
| $ apt-get update ; apt-get upgrade | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| ##+ add sources for mariadb and apache2.4 + | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| $ cat /etc/apt/sources.list | |
| deb http://http.debian.net/debian wheezy main | |
| deb-src http://http.debian.net/debian wheezy main | |
| deb http://security.debian.org/ wheezy/updates main | |
| deb-src http://security.debian.org/ wheezy/updates main | |
| deb http://http.debian.net/debian jessie main | |
| deb-src http://http.debian.net/debian jessie main | |
| # MariaDB 10.0 repository list - created 2013-08-02 20:48 UTC | |
| # http://mariadb.org/mariadb/repositories/ | |
| deb http://mirror3.layerjet.com/mariadb/repo/10.0/debian wheezy main | |
| deb-src http://mirror3.layerjet.com/mariadb/repo/10.0/debian wheezy main | |
| $ apt-get update | |
| $ apt-get install apache2 | |
| $ apt-get install php5-dev php5 php5-mysql php-apc | |
| $ apt-get install mariadb-server | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| ##+ Self Signed for now. Get a proper StartSSL CA! + | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| $ cd /etc/apache2 | |
| $ mkdir ssl ; cd ssl/ | |
| $ openssl genrsa -des3 -passout pass:x -out server.pass.key 8192 | |
| $ openssl rsa -passin pass:x -in server.pass.key -out server.key | |
| $ rm server.pass.key | |
| $ openssl req -new -key server.key -out server.csr | |
| $ openssl x509 -req -days 1024 -in server.csr -signkey server.key -out server.crt | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| ##+ enable mod_ssl, mod_headers, mod_rewrite, mpm already active per default + | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| $ a2enmod ssl | |
| $ a2enmod headers | |
| $ a2enmod rewrite | |
| $ pwd | |
| /etc/apache2/sites-enabled | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| ##+ redirect http(tcp:80) to https(tcp:443) + | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| $ cat 000-default.conf | |
| <VirtualHost *:80> | |
| ServerAdmin webmaster@localhost | |
| DocumentRoot /var/www | |
| ErrorLog ${APACHE_LOG_DIR}/error.log | |
| CustomLog ${APACHE_LOG_DIR}/access.log combined | |
| RewriteEngine On | |
| RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=permanent] | |
| </VirtualHost> | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| ##+ Configure Apache 2.4/ossl1.0.1e for PFS, exclude obsolete ciphers. try to be compatible. + | |
| ##++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |
| $ cat /etc/apache2/sites-enabled/000-ssl.conf | |
| <VirtualHost *:443> | |
| SSLEngine on | |
| SSLCertificateFile /etc/apache2/ssl/server.crt | |
| SSLCertificateKeyFile /etc/apache2/ssl/server.key | |
| SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 | |
| SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH | |
| #old: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH | |
| SSLHonorCipherOrder on | |
| SSLCompression off | |
| # Add six earth month HSTS header for all users... | |
| Header add Strict-Transport-Security "max-age=15768000" | |
| # If you want to protect all subdomains, use the following header | |
| # Strict-Transport-Security: max-age=15768000 ; includeSubDomains | |
| DocumentRoot /var/www/ | |
| ErrorLog /var/log/apache2/https-error.log | |
| # Possible values include: debug, info, notice, warn, error, crit, | |
| # alert, emerg. | |
| LogLevel warn | |
| ServerSignature Off | |
| </VirtualHost> | |
| $ service apache2 start | |
| #EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment