author | Dan Goodliffe <dan@randomdan.homeip.net> | 2019-04-19 13:27:30 +0100 |
committer | Dan Goodliffe <dan@randomdan.homeip.net> | 2019-04-19 13:27:30 +0100 |
commit | 967c99ee0985aa4f26370029a251b74b1bf60e0c (patch) | |
tree | 2711ad0ff7cd4092ffb547b3581136404f639635 /etc | |
parent | Add spamassasin local.cf (diff) | |
download | config-967c99ee0985aa4f26370029a251b74b1bf60e0c.tar.bz2 config-967c99ee0985aa4f26370029a251b74b1bf60e0c.tar.xz config-967c99ee0985aa4f26370029a251b74b1bf60e0c.zip |
Qualys SSL Labs A+ rating
Recommended ciphers, stapling, hsts age, sticky HA sessions
Diffstat (limited to 'etc')
-rw-r--r-- | etc/apache/httpd.conf | 11 | ||||
-rw-r--r-- | etc/haproxy.cfg | 6 |
2 files changed, 15 insertions, 2 deletions
diff --git a/etc/apache/httpd.conf b/etc/apache/httpd.conf
index 578db68..4884193 100644
--- a/etc/apache/httpd.conf
+++ b/etc/apache/httpd.conf
@@ -90,6 +90,13 @@ HostnameLookups Off
 FcgidMaxRequestsPerProcess 100
 FcgidMinProcessesPerClass 1
 SSLSessionCache shmcb:/run/apache2/
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder on
+SSLCompression off
+SSLSessionTickets off
+SSLUseStapling on
+SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
 AddType application/x-httpd-php .php
 AddType text/xsl .xsl
@@ -162,7 +169,7 @@ AddHandler markdown .md
 SSLCertificateFile /etc/letsencrypt/live/gentoobrowse.randomdan.homeip.net/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/gentoobrowse.randomdan.homeip.net/privkey.pem
 SSLCertificateChainFile /etc/letsencrypt/live/gentoobrowse.randomdan.homeip.net/chain.pem
- Header always set Strict-Transport-Security "max-age=864000; includeSubDomains"
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
 </VirtualHost>
 <VirtualHost *:11443>
 ServerName git.randomdan.homeip.net
@@ -170,5 +177,5 @@ AddHandler markdown .md
 SSLCertificateFile /etc/letsencrypt/live/git.randomdan.homeip.net/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/git.randomdan.homeip.net/privkey.pem
 SSLCertificateChainFile /etc/letsencrypt/live/git.randomdan.homeip.net/chain.pem
- Header always set Strict-Transport-Security "max-age=864000; includeSubDomains"
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
 </VirtualHost>
diff --git a/etc/haproxy.cfg b/etc/haproxy.cfg
index a14c916..43ef958 100644
--- a/etc/haproxy.cfg
+++ b/etc/haproxy.cfg
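Review bot: The new `SSLStaplingCache shmcb:/tmp/stapling_cache(128000)` places the OCSP cache in world-writable /tmp while the existing `SSLSessionCache` three lines above already lives under /run/apache2/; keeping both in the runtime directory avoids tmp-cleaner and symlink surprises: `SSLStaplingCache shmcb:/run/apache2/stapling_cache(128000)`. Stapling is switched on with mod_ssl's defaults, which pass OCSP responder errors through to clients and can turn a responder outage into failed handshakes, so pair `SSLUseStapling on` with `SSLStaplingReturnResponderErrors off` and `SSLStaplingResponderTimeout 5`. The cipher list still ends with four CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`); with TLS 1.0/1.1 already disabled they only serve clients without AEAD support, and dropping them removes the CBC/Lucky-13 class entirely — a judgement call that depends on the client base. Note also that `SSLCipherSuite` does not govern TLS 1.3 suites if the OpenSSL build offers them, so the list above only constrains TLS 1.2.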
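Review bot: Raising `Strict-Transport-Security` to `max-age=31536000; includeSubDomains` is a one-year, effectively irreversible commitment for every browser that receives it, so before deploying confirm that every host under gentoobrowse.randomdan.homeip.net (if any exist) is served with a valid certificate — a plain-HTTP or mis-certificated subdomain will hard-fail for a year instead of warning. Because the header is emitted with `always` it is also attached to 4xx/5xx responses, which is the intended HSTS behaviour but deserves a comment above the line, e.g. `# HSTS: 1 year; includeSubDomains is irreversible for clients — keep every subdomain on valid TLS`. The identical line is duplicated in the git vhost hunk below; a shared `Include` snippet would keep the two values from drifting again.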
@@ -20,6 +20,10 @@ mailers smtp
 mailer defiant defiant:25
 mailer firebrand firebrand:25
+peers randomlan
+ peer defiant defiant:1024
+ peer firebrand firebrand:1024
+
 # HTTP
 listen http
 description Apache HTTP
@@ -33,6 +37,8 @@ listen https
 description Apache HTTPS
 bind *:443
 mode tcp
+ stick-table type ip size 20k peers randomlan
+ stick on src
 server defiant defiant:11443 send-proxy-v2 observe layer4 check
 server firebrand firebrand:11443 send-proxy-v2 observe layer4 check |
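Review bot: The new `peers randomlan` section replicates stick-table state over TCP port 1024 with no authentication or encryption — the HAProxy peers protocol has neither — so any host that can reach defiant:1024 or firebrand:1024 can inject or read stickiness entries; make sure that port is firewalled to the two nodes or bound to the LAN address only (e.g. `peer defiant <lan-ip>:1024`) rather than listening on every interface. Each peer name must also match the node's own hostname (or the `-L` name passed to haproxy) for it to identify itself in the section; the names here look like hostnames, but that is inferred from the `mailer` lines, not shown. A one-line comment such as `# stick-table replication between the two LB nodes; port 1024 must stay LAN-only` would record the assumption.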
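Review bot: `stick-table type ip size 20k peers randomlan` declares no `expire`, so entries are only evicted when the table fills and a client stays pinned to whichever backend it first hit indefinitely, including one learned while the other node was down; add an expiry matching the Apache session lifetime, e.g. `stick-table type ip size 20k expire 30m peers randomlan`. Since the listener is `mode tcp`, `src` is the client IP, so every client behind a single NAT lands on the same backend — acceptable for a two-node pair, but worth a comment beside `stick on src`. If `bind *:443` is ever widened to IPv6 (`bind :::443`), `type ip` stores only IPv4 addresses and the stick rule would stop matching those clients; `type ipv6` stores both.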