Nicolas Béguier nbeguier

## default.vcl
vcl 4.0;
import directors;
import dynamic;

# Probe for sharding node
probe health_check_probe {
  .url = "/health";
  .interval = 5s;
  .timeout = 1s;
  .window = 5;

## apache2.conf
# No display of server version on error pages
ServerSignature Off

# Only return Apache in server header
ServerTokens Prod

## apache2.conf
# Force HTTPs connexion max age to 180 days
## Strict Transport Security (HSTS): Yes
Header set Strict-Transport-Security "max-age=15552001; includeSubdomains; preload"

## apache2.conf
# Protection of local data
<Location />
  AllowOverride None
  Options None
</Location>

## apache2.conf
# Server leaks inodes via ETags: No
FileETag None
Header unset ETag
# Anti-clickjacking X-Frame-Options header
<filesMatch "\.(php)$">
 Header always append X-Frame-Options DENY
</filesMatch>

## apache2.conf
# POODLE protection
## Remove SSLv3 and SSLv2
SSLProtocol all -SSLv3 -SSLv2

## apache2.conf
# Best ratio Security/Accessibility
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED"

# Secure
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM AES256+EECDH AES256+EDH"

# Global
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM AES256+EECDH ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 AES256+EDH ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA DES-CBC3-SHA HIGH !aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4"

## apache2.conf
# BEAST protection
## Remove TLSv1.0
SSLProtocol all -TLSv1 -SSLv3 -SSLv2


# BEAST protection, NO RC4 protection
## Allow TLSv1.0 and force RC4
SSLProtocol all -SSLv3 -SSLv2
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !SEED RC4"

## apache2.conf
# LOGJAM protection
## All TLS accepted, EECDH/EDH key exchange ciphers, force cipher order and use of 4096-bits group DH
SSLProtocol all -SSLv3 -SSLv2
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED"
SSLHonorCipherOrder on
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

## apache2.conf
# CRIME protection
## Disable SSL compression
SSLCompression off
	vcl 4.0;
	import directors;
	import dynamic;

	# Probe for sharding node
	probe health_check_probe {
	.url = "/health";
	.interval = 5s;
	.timeout = 1s;
	.window = 5;
	# No display of server version on error pages
	ServerSignature Off

	# Only return Apache in server header
	ServerTokens Prod
	# Force HTTPs connexion max age to 180 days
	## Strict Transport Security (HSTS): Yes
	Header set Strict-Transport-Security "max-age=15552001; includeSubdomains; preload"
	# Protection of local data
	<Location />
	AllowOverride None
	Options None
	</Location>
	# Server leaks inodes via ETags: No
	FileETag None
	Header unset ETag
	# Anti-clickjacking X-Frame-Options header
	<filesMatch "\.(php)$">
	Header always append X-Frame-Options DENY
	</filesMatch>
	# POODLE protection
	## Remove SSLv3 and SSLv2
	SSLProtocol all -SSLv3 -SSLv2
	# Best ratio Security/Accessibility
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED"

	# Secure
	SSLCipherSuite "EECDH+AESGCM EDH+AESGCM AES256+EECDH AES256+EDH"

	# Global
	SSLCipherSuite "EECDH+AESGCM EDH+AESGCM AES256+EECDH ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 AES256+EDH ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA DES-CBC3-SHA HIGH !aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4"
	# BEAST protection
	## Remove TLSv1.0
	SSLProtocol all -TLSv1 -SSLv3 -SSLv2


	# BEAST protection, NO RC4 protection
	## Allow TLSv1.0 and force RC4
	SSLProtocol all -SSLv3 -SSLv2
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !SEED RC4"
	# LOGJAM protection
	## All TLS accepted, EECDH/EDH key exchange ciphers, force cipher order and use of 4096-bits group DH
	SSLProtocol all -SSLv3 -SSLv2
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED"
	SSLHonorCipherOrder on
	SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
	# CRIME protection
	## Disable SSL compression
	SSLCompression off