Letsencrypt


/etc/apache2/vhosts.d/01_default_ssl_namebased_vhost.conf

<IfDefine SSL>
<IfModule ssl_module>
# see bug #178966 why this is in here

# When we also provide SSL we have to listen to the HTTPS port
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
Listen 443

# OCSP stapling
# The stapling cache is a server-wide setting (not valid inside a vhost), so it
# is defined once here; the individual TLS vhosts enable stapling with
# "SSLUseStapling on" (see ssl_security.include). 128000 bytes of shared memory
# is plenty for a handful of certificates.
SSLStaplingCache shmcb:/run/ocsp(128000)

</IfModule>
</IfDefine>

/etc/apache2/vhosts.d/ssl_security.include

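# Forward Secrecy
# Source: https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
# TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 and newer are left
# enabled. Remove the two "-TLSv1*" entries only if legacy clients must still
# be able to connect.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
# The "EECDH+aRSA+RC4" entry from the Qualys list has been dropped: the trailing
# "!RC4" removed those suites anyway, so the effective cipher list is unchanged.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

# OCSP stapling
# Per-vhost switch; the shared cache is defined server-wide in
# 01_default_ssl_namebased_vhost.conf.
SSLUseStapling on

# Strict Transport Security (HSTS)
# 180 days. Without "includeSubDomains" the policy covers this exact host only;
# add it (and optionally "preload") only once every subdomain serves HTTPS.
Header always set Strict-Transport-Security "max-age=15552000"

# Content-Security-Policy
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src let injected
# inline scripts execute, which removes most of the XSS protection CSP offers.
# The allow-list (Google Fonts, YouTube) is also site-specific for a shared
# include; consider moving it into the vhost that needs it and tightening it.
Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src * data:; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; font-src 'self' data: https://fonts.gstatic.com; child-src 'self' https://www.youtube.com"

# X-Frame-Options
# The CSP above sets no "frame-ancestors", so this header is what prevents
# the site from being framed by other origins (clickjacking).
Header always set X-Frame-Options "SAMEORIGIN"

# X-XSS-Protection
# NOTE(review): legacy header; most current browsers ignore it and rely on CSP
# instead. Harmless to keep for older clients.
Header always set X-Xss-Protection "1; mode=block"

# X-Content-Type-Options
# Stops browsers from MIME-sniffing a response away from its declared type.
Header always set X-Content-Type-Options "nosniff"

# Referrer-Policy
# Full referrer for same-origin requests, origin only when crossing origins,
# nothing when downgrading to HTTP.
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Expect-CT (30 days)
# NOTE(review): Expect-CT has since been deprecated (CT checking is on by
# default in current browsers); confirm it is still wanted before keeping it.
Header always set Expect-CT "enforce; max-age=2592000"

# Let's Encrypt (webroot)
# The match is now anchored and the dot escaped: the previous pattern
# "/.well-known/acme-challenge/*" matched any path merely containing that
# substring, with "." standing for any character.
# The Header directives above are intentionally left outside any IfModule so
# that a missing mod_headers fails at startup instead of silently dropping the
# security headers; the guard here only wraps the non-security ACME tweak.
# NOTE(review): RFC 8555 says the ACME server should ignore Content-Type on
# challenge responses, so this directive is optional.
<IfModule mod_headers.c>
  <LocationMatch "^/\.well-known/acme-challenge/">
    Header set Content-Type "application/jose+json"
  </LocationMatch>
</IfModule>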

/etc/apache2/vhosts.d/subdomain.example.com

[...]
    SSLEngine On
    # fullchain.pem holds the leaf certificate followed by the intermediates,
    # so no separate SSLCertificateChainFile is needed. The live/ paths are
    # certbot's stable symlinks into archive/; Apache only re-reads them on
    # reload, which is why /etc/cron.d/certbot reloads it after renewing.
    SSLCertificateFile /etc/letsencrypt/live/subdomain.example.com/fullchain.pem
    # Private key; presumably root-only as certbot creates it, which is fine for
    # Apache (it reads the key while still running as root) — verify for any
    # other service that shares this key.
    SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.example.com/privkey.pem

    # SSL security configuration
    # Shared protocol, cipher and response-header hardening; kept in an include
    # so every TLS vhost gets identical settings.
    Include /etc/apache2/vhosts.d/ssl_security.include

</VirtualHost>

cron job (runs on the first day of every month at 12:00 AM)

/etc/cron.d/certbot

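MAILTO="mail@example.com"
# Forced renewal on the 1st of every month at 00:00. All output, including
# errors, is mailed to MAILTO so a failed renewal is noticed; certificates are
# valid for 90 days, so one missed month still leaves time for a manual retry.
# --renew-by-default is the older spelling of --force-renewal. Running
# "certbot renew" more often (it only renews near expiry) is the usual
# alternative to forcing a new certificate every month.
# --email must be a real address (used for expiry notices); it previously
# read "mail.example.com", which is not one.
0 0 1 * * root certbot certonly --email "mail@example.com" --webroot -w /var/www/subdomain.example.com/htdocs -d subdomain.example.com --renew-by-default --noninteractive
# Reload/restart an hour later so both services pick up the renewed files.
# NOTE(review): these run even when certbot failed; a certbot --deploy-hook
# would tie them to a successful renewal instead.
0 1 1 * * root /etc/init.d/apache2 reload
0 1 1 * * root /etc/init.d/murmur restart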