Created
September 11, 2020 08:11
-
-
Save subfission/050864c22c3ea6043986bfb1be1237f3 to your computer and use it in GitHub Desktop.
Example OSCP Stapling for Apache
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 2020-09-11 | |
| # Mozilla Guideline v5.6, Apache 2.4.41, OpenSSL 1.1.1d, intermediate configuration | |
| # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6 | |
| # this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers | |
| <VirtualHost *:80> | |
| RewriteEngine On | |
| RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L] | |
| </VirtualHost> | |
| <VirtualHost *:443> | |
| SSLEngine on | |
| # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams | |
| SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams | |
| SSLCertificateKeyFile /path/to/private_key | |
| # enable HTTP/2, if available | |
| Protocols h2 http/1.1 | |
| # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) | |
| Header always set Strict-Transport-Security "max-age=63072000" | |
| </VirtualHost> | |
| # intermediate configuration | |
| SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | |
| SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |
| SSLHonorCipherOrder off | |
| SSLSessionTickets off | |
| SSLUseStapling On | |
| SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment