Apache : Secure configuration
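# Hardened Apache 2.4 HTTPS virtual host. Requires mod_ssl and mod_headers (a2enmod ssl headers).

# Hide the Apache version/OS footer on server-generated error pages
ServerSignature Off
# Send only "Server: Apache"; the product name itself cannot be removed with core directives
ServerTokens Prod

# --- Server-config-only directives ---------------------------------------------------------
# SSLSessionCache and SSLStaplingCache are "server config" context only: placed inside
# <VirtualHost> Apache refuses to start ("... not allowed here"), so they live at top level.
# Paths use the same Debian-style envvars as ${APACHE_LOG_DIR} below; adjust on other layouts.
# Server-side TLS session cache (resumption without stateless tickets)
SSLSessionCache "shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)"
# Cache for stapled OCSP responses; SSLUseStapling in the vhost fails without it
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName mywebserver.domain.net
    DocumentRoot /var/www/web

    # Debian's default apache2.conf grants "Options Indexes FollowSymLinks" on /var/www, which
    # would expose directory listings of the document root; turn listings off here.
    # NOTE(review): consider "AllowOverride None" as well unless the app relies on .htaccess.
    <Directory /var/www/web>
        Options -Indexes
    </Directory>

    SSLEngine on
    # server.pem should hold the leaf certificate followed by its intermediate chain
    # (SSLCertificateChainFile is deprecated since 2.4.8; the chain goes in the cert file)
    SSLCertificateFile /etc/apache2/ssl/server.pem
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # NOTE(review): SSLCACertificateFile is the trust store for *client* certificates (SSLVerifyClient);
    # it does not send the intermediate chain to browsers. Keep it only if client-cert auth is used.
    SSLCACertificateFile /etc/apache2/ssl/ca.pem

    # Leaves TLS 1.2 and, where the build supports it, TLS 1.3
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Mozilla "intermediate" list for TLS <= 1.2: AEAD suites with (EC)DHE key exchange only.
    # https://ssl-config.mozilla.org/#server=apache
    # TLS 1.3 suites are not governed by this line (Apache >= 2.4.36 / OpenSSL >= 1.1.1 negotiate
    # them separately; all of them are AEAD with forward secrecy).
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    # Every suite above already uses ephemeral (EC)DH, so forward secrecy does not depend on ordering.
    # Server-preferred ordering only enforces the order above over the client's own preference.
    SSLHonorCipherOrder on
    # Apache never rotates its session-ticket key while running, so stateless tickets would let one
    # long-lived key decrypt every resumed session; rely on the server-side cache instead
    SSLSessionTickets off
    # Lifetime (seconds) of entries in the server-side session cache
    SSLSessionCacheTimeout 300

    # OCSP stapling: needs the top-level SSLStaplingCache and outbound access to the CA's OCSP responder
    SSLUseStapling on
    # Do not staple responder errors to clients; let them fall back to their own revocation check
    SSLStaplingReturnResponderErrors off
    # Custom group for the DHE-* suites; generate with >= 2048 bits (openssl dhparam -out dhparam.pem 2048)
    # or use Mozilla's published ffdhe2048 group
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

    # Security headers. "always" also attaches them to 4xx/5xx responses; plain "Header set"
    # only covers successful responses, so HSTS/CSP would be missing on error pages.
    ## X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"
    ## Content-Security-Policy: clickjacking protection only. This does not restrict scripts,
    ## styles or connections — extend with default-src/script-src tailored to the application.
    Header always set Content-Security-Policy "frame-ancestors 'self';"
    ## Fallback for browsers that predate CSP frame-ancestors
    Header always set X-Frame-Options "SAMEORIGIN"
    ## Strict Transport Security (HSTS), one year. "preload" is effectively irreversible once
    ## submitted to hstspreload.org and requires a :80 vhost redirecting to HTTPS plus every
    ## subdomain being HTTPS-only — confirm both before deploying with this value.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"

    # Log
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>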