Forked from rietta/perfect_forward_security_apache.conf
Created
April 8, 2014 03:49
-
-
Save brandondees/10088663 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # SSL Configuration | |
| # | |
| # This is a strong configuration that will get an A+ on the SSL Labs test as of | |
| # April 5, 2014. | |
| # | |
| # To test your SSL setup against the best standards, see: | |
| # https://www.ssllabs.com/ssltest/ | |
| # | |
| SSLEngine on | |
| SSLProtocol all -SSLv2 -SSLv3 | |
| SSLCompression off | |
| SSLHonorCipherOrder on | |
| SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" | |
| # Be sure that /etc/apache2/certificates/ is chmod 700 and the key files are chmod 600, owned by root. | |
| SSLCertificateFile /etc/apache2/certificates/server.crt | |
| SSLCertificateKeyFile /etc/apache2/certificates/server.key | |
| ## | |
| # Never connect to non-SSL for 186 | |
| # https://www.owasp.org/index.php/HTTP_Strict_Transport_Security | |
| # Uncomment to enable SSL only, neccessary to get the A+ grade from SSL Labs' test. | |
| # Header set Strict-Transport-Security "max-age=16070400; includeSubDomains" | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment