vcl 4.0;
import directors;
import dynamic;
# Probe for sharding node
probe health_check_probe {
    .url = "/health";
    .interval = 5s;
    .timeout = 1s;
    .window = 5;
}
# No display of server version on error pages
ServerSignature Off
# Only return "Apache" in the Server header
ServerTokens Prod
# Force HTTPS connections, max age 180 days
## Strict Transport Security (HSTS): Yes
Header set Strict-Transport-Security "max-age=15552001; includeSubdomains; preload"
# Protection of local data
<Location />
    AllowOverride None
    Options None
</Location>
# Server leaks inodes via ETags: No
FileETag None
Header unset ETag
# Anti-clickjacking X-Frame-Options header
<FilesMatch "\.(php)$">
    Header always append X-Frame-Options DENY
</FilesMatch>
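The snippets above (ServerTokens Prod, the HSTS header, FileETag None with Header unset ETag, and X-Frame-Options) each change one response header. The following Python audit, added here and not part of the gist, parses a raw HTTP/1.x response and checks that those headers come out as intended. The response it inspects is constructed by hand, not captured from a server; the 180-day floor is the snippet's own max-age, and the one-year floor for `preload` is the hstspreload.org submission requirement.

```python
"""Audit the response headers the Apache snippets above are meant to produce.
Added example, not part of the gist; SAMPLE_RESPONSE is constructed by hand."""
import re
from typing import Dict, List

SIX_MONTHS = 15552000          # 180 days in seconds, the snippet's own target
PRELOAD_MIN_AGE = 31536000     # hstspreload.org requires at least one year

# Constructed sample: what a server configured with the snippets should send.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=15552001; includeSubdomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response into a multi-map
    keyed by lower-cased header name (header names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value. RFC 6797: directive names are
    case-insensitive (so 'includeSubdomains' is accepted), max-age is mandatory."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())   # value may be quoted
            if m:
                out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def audit(raw: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: List[str] = []

    # ServerTokens Prod: only the product name, no version or module list.
    server = h.get("server", [""])[0]
    if server != "Apache":
        findings.append(f"Server header leaks details: {server!r}")

    # FileETag None / Header unset ETag: no inode-derived ETag should be sent.
    if "etag" in h:
        findings.append("ETag header present")

    # X-Frame-Options must be exactly DENY or SAMEORIGIN; a comma-joined list
    # produced by 'Header append' on an existing header is not a valid value.
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif any(v not in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.append(f"X-Frame-Options has unexpected value(s): {xfo}")

    # HSTS: present, at least 180 days, and long enough for preload if claimed.
    hsts_values = h.get("strict-transport-security", [])
    if not hsts_values:
        findings.append("Strict-Transport-Security missing")
    else:
        hsts = parse_hsts(hsts_values[0])
        if hsts["max_age"] is None:
            findings.append("HSTS max-age missing")
        elif hsts["max_age"] < SIX_MONTHS:
            findings.append(f"HSTS max-age {hsts['max_age']} is under 180 days")
        if hsts["preload"] and (hsts["max_age"] or 0) < PRELOAD_MIN_AGE:
            findings.append("HSTS preload set but max-age is below the one-year preload minimum")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE) or ["all checks passed"]:
        print(finding)
```

Run against the constructed response, the audit accepts the Server, ETag and X-Frame-Options results and raises one finding on the HSTS snippet as written: max-age=15552001 is about 180 days, but the preload list only accepts submissions with a max-age of at least one year, so either drop `preload` or raise max-age to 31536000. The `Header always append X-Frame-Options DENY` line is also worth a second look: `append` merges with any value already present into a comma-separated list, and a list such as `DENY, SAMEORIGIN` is not a valid X-Frame-Options value, whereas `Header always set` replaces it.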
# POODLE protection
## Remove SSLv3 and SSLv2
SSLProtocol all -SSLv3 -SSLv2
# Best ratio Security/Accessibility
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED"
# Secure
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM AES256+EECDH AES256+EDH"
# Global
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM AES256+EECDH ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 AES256+EDH ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA DES-CBC3-SHA HIGH !aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4"
# BEAST protection
## Remove TLSv1.0
SSLProtocol all -TLSv1 -SSLv3 -SSLv2
# BEAST protection, NO RC4 protection
## Allow TLSv1.0 and force RC4
SSLProtocol all -SSLv3 -SSLv2
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !SEED RC4"
# LOGJAM protection
## All TLS accepted, EECDH/EDH key exchange ciphers, force cipher order and use of a 4096-bit DH group
SSLProtocol all -SSLv3 -SSLv2
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED"
SSLHonorCipherOrder on
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
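The cipher strings in the "Best ratio", "Secure", "Global", BEAST and LOGJAM snippets above all rely on OpenSSL cipher-list syntax, where a `!` token kills a property for the whole string while explicit suite names and bare keywords enable it, so whether a weak primitive can still be negotiated depends on the interplay of both. The Python linter below, added here and not part of the gist, applies just enough of that syntax to answer one question per string: which weak primitives are enabled by some token and not killed by a `!` token. It covers keyword tokens (with `+` meaning AND) and explicit suite names such as `ECDHE-RSA-DES-CBC3-SHA`; it deliberately ignores `-` removals and `@` ordering directives, and it does not model strength groups like LOW or MEDIUM, so it is a static sanity check, not a replacement for `openssl ciphers -v`. The five strings it is run over are copied from the snippets above.

```python
"""Static lint of Apache SSLCipherSuite strings in OpenSSL cipher-list syntax.
Added example, not part of the gist. Tokens are separated by ':' or ' ';
'!' kills a property for the whole list, '-' removes (re-addable, ignored
here), '@...' only orders, and '+' inside a token ANDs its properties."""
from typing import Set

# Weak keywords, upper-cased; aliases are folded by canon().
WEAK_KEYWORDS = {"RC4", "3DES", "DES", "MD5", "ANULL", "ENULL", "NULL",
                 "EXP", "EXPORT", "LOW", "SEED"}
ALIASES = {"EXPORT": "EXP", "NULL": "ENULL"}

# Cipher strings copied from the snippets above.
BEST_RATIO = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
              "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES "
              "!MD5 !EXP !PSK !SRP !DSS !RC4 !SEED")
SECURE = "EECDH+AESGCM EDH+AESGCM AES256+EECDH AES256+EDH"
GLOBAL = ("EECDH+AESGCM EDH+AESGCM AES256+EECDH ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 "
          "AES256+EDH ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 "
          "DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 "
          "ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA "
          "DHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA AES256-GCM-SHA384 "
          "AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA DES-CBC3-SHA HIGH "
          "!aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4")
BEAST_RC4 = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
             "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL "
             "!LOW !3DES !MD5 !EXP !PSK !SRP !DSS !SEED RC4")
LOGJAM = BEST_RATIO   # the LOGJAM snippet reuses the "Best ratio" string


def canon(keyword: str) -> str:
    """Fold keyword aliases so '!EXPORT' kills what 'EXP-...' enables."""
    return ALIASES.get(keyword, keyword)


def weak_in_token(token: str) -> Set[str]:
    """Weak primitives that one enabling token can select."""
    found: Set[str] = set()
    t = token.lstrip("+").upper()
    if "-" in t:
        # Explicit suite name, e.g. ECDHE-RSA-DES-CBC3-SHA or EXP-RC4-MD5.
        parts = t.split("-")
        if "DES" in parts:
            found.add("3DES" if "CBC3" in parts else "DES")   # DES-CBC3 is triple DES
        for kw in ("RC4", "MD5", "NULL", "SEED", "EXP"):
            if kw in parts:
                found.add(canon(kw))
        if parts[0] in ("ADH", "AECDH"):                      # anonymous key exchange
            found.add("ANULL")
    else:
        # Keyword token; '+' ANDs properties, so any weak member makes it weak.
        for part in t.split("+"):
            if part in WEAK_KEYWORDS:
                found.add(canon(part))
    return found


def weak_selectable(cipher_string: str) -> Set[str]:
    """Weak primitives enabled by some token and not killed by any '!' token."""
    killed: Set[str] = set()
    enabled: Set[str] = set()
    for tok in cipher_string.replace(":", " ").split():
        if tok.startswith(("@", "-")):
            continue                      # ordering directive / non-permanent removal
        if tok.startswith("!"):
            killed.update(canon(p) for p in tok[1:].upper().split("+"))
        else:
            enabled |= weak_in_token(tok)
    return {kw for kw in enabled if kw not in killed}


if __name__ == "__main__":
    for name, cs in [("Best ratio", BEST_RATIO), ("Secure", SECURE), ("Global", GLOBAL),
                     ("BEAST/RC4", BEAST_RC4), ("LOGJAM", LOGJAM)]:
        print(f"{name:<11} weak selectable: {sorted(weak_selectable(cs)) or 'none'}")
```

Run over the page's own strings, the linter reports nothing for "Best ratio", "Secure" and LOGJAM, `3DES` for "Global" (the `!DES` kill removes single DES only, while the three `DES-CBC3-SHA` suites stay explicitly enabled), and `RC4` for the BEAST variant that lists `EECDH+aRSA+RC4` and `RC4` without a `!RC4`. Those two results match what the comments say the strings trade away for compatibility; the point of the check is that such trade-offs are visible in review rather than discovered later.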
# CRIME protection
## Disable SSL compression
SSLCompression off