Request: Recommended Server Configurations


#1

Reposting this as it was never addressed and now locked:

It would be great if the .org, docs, or this site kept an (updated) recommended configuration file for various web servers (e.g. which protocols/etc should be enabled). This could probably mirror what certbot is automating, but surfacing it in a way that people using ‘certonly’ or those interested in the configuration specifics can reference.


#2

If certbot already does this, interested parties should just look at the source or documentation there.

Tracking identical data in multiple places rarely works long-term.


#3

That requires someone to have a working knowledge of Python, which certbot is written in and which is not guaranteed for the target audience of end-users.

A large number of posts in this forum, and on StackOverflow, have to do with people asking for information like this.

The information could be centrally tracked/managed (within certbot, elsewhere?) and exposed in a readable format to end-users as part of build scripts.


#4

Configuration at this level is often specialized to the environment. I don’t see that Let’s Encrypt could provide a solid job at this type of thing.

I personally recommend looking at https://mozilla.github.io/server-side-tls/ssl-config-generator/ if you want a good starting point for best-practice configuration of encryption ciphers, protocols, etc.

If you’re using IIS, I personally recommend using https://www.nartac.com/Products/IISCrypto/ for configuration there.


#5

Let’s Encrypt could do a stellar job at this, as they already do. certbot does this for the automatic installs (via apache/nginx).

I’m talking about printing what the plugin does (i.e. recommended) into the docs.


#6

Based on the code, it looks like they’re using the “intermediate” configuration from the Mozilla config generator for Apache HTTPd.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.