Compilenix's Blog - My "secure" Apache (2.4) config snippet


My "secure" Apache (2.4) config snippet: a plain-HTTP virtual host plus a TLS virtual host with a restricted protocol/cipher set, OCSP stapling, HSTS and related security headers.


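<VirtualHost *:80>
	DocumentRoot /var/www/
	ServerName example.com

	ErrorLog /var/log/apache/error_example.com.log

	# The plain-HTTP vhost exists only to move clients onto TLS. Browsers
	# ignore Strict-Transport-Security received over an insecure transport
	# (RFC 6797, section 8.1), and the same goes for Public-Key-Pins, so
	# emitting those headers here achieves nothing; the original snippet
	# served the site over HTTP with no redirect at all. "Redirect" (mod_alias)
	# matches the "/" prefix and appends the rest of the path and query
	# string, so /foo?x=1 becomes https://example.com/foo?x=1.
	# NOTE(review): this assumes the :443 vhost is actually loaded (mod_ssl
	# present); if it is not, every request 301s into a closed port.
	Redirect permanent "/" "https://example.com/"

	# "Header always" (mod_headers) also applies to the 301 above.
	# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
	Header always set X-Frame-Options "SAMEORIGIN"
	# https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
	# Stops browsers MIME-sniffing responses; there is no reason to leave
	# this commented out.
	Header always set X-Content-Type-Options "nosniff"
</VirtualHost>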

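<IfModule mod_ssl.c>
	# OCSP stapling cache, shared by all workers (must sit outside the vhost).
	# NOTE(review): the path is only a name for the shared-memory segment,
	# but /tmp is world-writable; the Apache docs use a ServerRoot-relative
	# location such as logs/ssl_stapling — consider moving it.
	SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
	<VirtualHost *:443>
		DocumentRoot /var/www/
		ServerName example.com

		ErrorLog /var/log/apache/error_example.com.log

		SSLEngine on
		SSLCertificateFile /etc/ssl/apache2/example.com.crt
		SSLCertificateKeyFile /etc/ssl/apache2/example.com.key

		# TLS 1.0 and 1.1 are deprecated (RFC 8996); the original
		# "all -SSLv3" still offered both. Remove "-TLSv1 -TLSv1.1" only if
		# you must support clients that speak nothing newer.
		SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
		# Preference order: AEAD (GCM) suites, then SHA-2 CBC, then SHA-1 CBC
		# for older clients. Anonymous, NULL, export, DES/3DES, RC4, MD5 and
		# PSK suites are excluded. The two trailing ECDHE-RSA-AES*-CBC-SHA
		# entries of the original were dropped: they are not OpenSSL suite
		# names as listed by "openssl ciphers -v" (unknown names are silently
		# ignored) and the canonical ECDHE-RSA-AES256-SHA / ECDHE-RSA-AES128-SHA
		# entries are already present, so the offered set is unchanged.
		# NOTE(review): the DHE-* suites use the server's DH parameters; with
		# the old 1024-bit default they are weak. Confirm the group size
		# (SSLOpenSSLConfCmd DHParameters, or params appended to the
		# certificate file on 2.4.7+).
		SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
		# Server, not client, picks from the list above.
		SSLHonorCipherOrder on
		# TLS-level compression leaks plaintext (CRIME); keep it off.
		SSLCompression off
		# OCSP stapling: the server fetches the OCSP response (issuer taken
		# from SSLCACertificateFile) so clients need no revocation lookup.
		# Responder errors are swallowed rather than stapled, so a flaky OCSP
		# responder cannot make clients fail the handshake.
		SSLUseStapling on
		SSLCACertificateFile /etc/ssl/apache2/example.com_CA.crt
		SSLStaplingResponderTimeout 5
		SSLStaplingReturnResponderErrors off
		# NOTE(review): on Apache 2.4.11+ also consider "SSLSessionTickets off";
		# a long-lived ticket key undermines the forward secrecy the
		# (EC)DHE suites above are meant to provide.

		# HSTS, 180 days. Without "includeSubDomains" (and a max-age of at
		# least one year) the site is not eligible for the browser preload
		# list; add the flag only once every subdomain is reachable over TLS,
		# since it is enforced for max-age after the first visit.
		Header always set Strict-Transport-Security "max-age=15552000"

		# HPKP (Public-Key-Pins) is disabled here on purpose: no major browser
		# enforces it any more (removed from Chrome and Firefox), and a wrong
		# pin set locks users out for the whole max-age with no server-side
		# recovery. If you still deploy it somewhere, RFC 7469 requires a
		# backup pin for a key that is NOT in the served chain — both pins
		# below are labelled example.com_CA.crt, so one of them is unclear —
		# and "preload" is not an HPKP directive (it is silently ignored).
		# Kept only as a record of how the pins were generated.
		# create using: openssl x509 -noout -in example.com_CA.crt -pubkey | openssl asn1parse -noout -inform pem -out tmp.key; openssl dgst -sha256 -binary tmp.key | openssl enc -base64
		# example.com_CA.crt
		# reIKrQPC+mmj+0OSUhJW0gQmUxXSm2O3N3bhso/ENzs=
		# example.com_CA.crt
		# m7bewwT8Jlkt3bTr5dQAdZbVprj4FWAZ6Czi41APvzw=
		# Header always set Public-Key-Pins-Report-Only "pin-sha256=\"reIKrQPC+mmj+0OSUhJW0gQmUxXSm2O3N3bhso/ENzs=\"; pin-sha256=\"m7bewwT8Jlkt3bTr5dQAdZbVprj4FWAZ6Czi41APvzw=\"; max-age=15552000; includeSubDomains; preload"
		# Header always set Public-Key-Pins "pin-sha256=\"reIKrQPC+mmj+0OSUhJW0gQmUxXSm2O3N3bhso/ENzs=\"; pin-sha256=\"m7bewwT8Jlkt3bTr5dQAdZbVprj4FWAZ6Czi41APvzw=\"; max-age=15552000; includeSubDomains; preload"

		# "Header always" (mod_headers) applies to error responses as well.
		# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
		Header always set X-Frame-Options "SAMEORIGIN"
		# https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
		# Stops browsers MIME-sniffing responses; there is no reason to leave
		# this commented out.
		Header always set X-Content-Type-Options "nosniff"
	</VirtualHost>
</IfModule>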