From b5c93a893a07f20f5322a95a64073f167d9dbb9a Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 10 Jun 2010 03:52:26 +0200 Subject: adjust sslciphersuite to new recommendations --- files/include.d/CentOS/ssl_defaults.inc | 3 ++- files/include.d/Debian/ssl_defaults.inc | 1 + files/include.d/OpenBSD/ssl_defaults.inc | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-) (limited to 'files/include.d') diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index 5cc663f..04d3077 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -16,7 +16,8 @@ SSLProtocol all -SSLv2 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH # Server Certificate: diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc index e69de29..3889cff 100644 --- a/files/include.d/Debian/ssl_defaults.inc +++ b/files/include.d/Debian/ssl_defaults.inc @@ -0,0 +1 @@ +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc index e7d2c36..91b14e0 100644 --- a/files/include.d/OpenBSD/ssl_defaults.inc +++ b/files/include.d/OpenBSD/ssl_defaults.inc @@ -1,4 +1,5 @@ SSLEngine on -SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH SSLCertificateFile /etc/ssl/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key -- cgit v1.2.3 From 3223bb26521cd7aed97c3d5bd7df73269991639d Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 12 Dec 2010 18:51:48 +0100 Subject: update to latest secure ssl directives --- files/include.d/CentOS/ssl_defaults.inc | 6 ++++-- files/include.d/Debian/ssl_defaults.inc | 4 +++- files/include.d/OpenBSD/ssl_defaults.inc | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) (limited to 'files/include.d') diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index 04d3077..b57cbb9 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -11,14 +11,16 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +#SSLProtocol all -SSLv2 +SSLProtocol -all +SSLv3 +TLSv1 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH +SSLHonorCipherOrder on # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc index 3889cff..949fe58 100644 --- a/files/include.d/Debian/ssl_defaults.inc +++ b/files/include.d/Debian/ssl_defaults.inc @@ -1 +1,3 @@ -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH +SSLProtocol -all +SSLv3 +TLSv1 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH +SSLHonorCipherOrder on diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc index 91b14e0..67cf36f 100644 --- a/files/include.d/OpenBSD/ssl_defaults.inc +++ b/files/include.d/OpenBSD/ssl_defaults.inc @@ -1,5 +1,5 @@ SSLEngine on #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH SSLCertificateFile /etc/ssl/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key -- cgit v1.2.3 From a371c169c45dbd14ad3c465f8b7314b14c4ed8cb Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 22 Feb 2011 22:59:51 +0100 Subject: add STS header in default ssl config --- files/include.d/CentOS/ssl_defaults.inc | 3 +++ files/include.d/Debian/ssl_defaults.inc | 3 +++ 2 files changed, 6 insertions(+) (limited to 'files/include.d') diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index b57cbb9..c1ef0be 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -142,3 +142,6 @@ SetEnvIf User-Agent ".*MSIE.*" \ # compact non-error SSL logfile on a virtual host basis. CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +# set STS Header +Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc index 949fe58..d1ec68d 100644 --- a/files/include.d/Debian/ssl_defaults.inc +++ b/files/include.d/Debian/ssl_defaults.inc @@ -1,3 +1,6 @@ SSLProtocol -all +SSLv3 +TLSv1 SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH SSLHonorCipherOrder on + +# set STS Header +Header add Strict-Transport-Security "max-age=15768000" -- cgit v1.2.3 From 5a93a0363e9f967550d4a4267113e2b0714c06c2 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 18 Mar 2011 10:23:04 +0100 Subject: we don't need these logfiles in the include --- files/include.d/CentOS/ssl_defaults.inc | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'files/include.d') diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index c1ef0be..7735ebb 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -1,9 +1,3 @@ -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog logs/ssl_error_log -TransferLog logs/ssl_access_log -LogLevel warn - # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on @@ -137,11 +131,5 @@ SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - # set STS Header Header add Strict-Transport-Security "max-age=15768000" -- cgit v1.2.3 From 2fa748dcc92e34b13bd4b6f7e452ef89b29490c4 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 19:22:40 +0200 Subject: introduce a new template style, less duplicated things, more handy options --- files/include.d/silverstripe.inc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 files/include.d/silverstripe.inc (limited to 'files/include.d') diff --git a/files/include.d/silverstripe.inc b/files/include.d/silverstripe.inc new file mode 100644 index 0000000..40c44e4 --- /dev/null +++ b/files/include.d/silverstripe.inc @@ -0,0 +1,17 @@ +# silverstripe .htaccess + + Order deny,allow + Deny from all + #Allow from 127.0.0.1 + + + + RewriteEngine On + #RewriteBase / + + RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$) + + RewriteCond %{REQUEST_URI} ^(.*)$ + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L] + -- cgit v1.2.3