Vhost configuration


#1

I’m setting up my multi-domain VDS vhost
(Apache 2.2, OpenSSL 1.0f)
and I’m a bit lost on some parameters:

  • SSLProtocol
  • SSLCipherSuite
  • SSLHonorCipherOrder
  • SSLCompression
  • SSLSessionTickets
  • SSLCACertificatePath
  • SSLCACertificateFile
  • SSLCARevocationPath
  • SSLCARevocationFile
  • SSLVerifyClient
  • SSLVerifyDepth

Could anyone help me?

I checked on https://mozilla.github.io/server-side-tls/ssl-config-generator/ but I’m not sure.

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

#SSLCACertificatePath "/usr/local/apache2/conf/ssl.crt"
#SSLCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle.crt"

#SSLCARevocationPath "/usr/local/apache2/conf/ssl.crl"
#SSLCARevocationFile "/usr/local/apache2/conf/ssl.crl/ca-bundle.crl"

#SSLVerifyClient require
#SSLVerifyDepth  10

Detailed configuration


  • Ubuntu 14.04
  • Apache 2.2, compiled
  • OpenSSL 1.0f
  • 7 domains / 7 Let’s Encrypt certificates
  • 1 - webroot
  • 1 - domain

#2

That’s a very broad question. I myself am inclined to say “no”, because I’m not seeing a lot of effort from your side to get to the bottom of this. Also, in combination with your other thread, I’m not sure if you’re the right person to set up these kinds of websites at the moment, because of a lack of knowledge. I would suggest first you read a lot of information about how TLS (SSL is the old name for the current TLS standard(s)) actually works before we can even start to help you. You need to UNDERSTAND what you’re doing. We can hold your hand and tell you what to do (i.e.: give you a fish, so you can eat for one day), but it’s far wiser for you to educate yourself, perhaps with a little aid from sites like this community (i.e.: learn how to fish, so you can eat for the rest of your life).


#3

I do not use Apache anymore, but this is more like how your conf file should look for a vhost. As @Osiris said, you must understand what you are doing and why; copy-and-paste learning can get you into trouble if you are not sure what you are copying and pasting and what it does. But here’s a sample config from when I last used Apache some 9 months ago.

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/mysite/
    ServerName mysite.com
    ServerAlias www.mysite.com
    ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
    # CustomLog needs a log format (or a nickname such as "combined") as its second argument
    CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
    <Directory "/var/www/mysite/">
        Options +Includes
        Options +FollowSymLinks -Indexes
        # ....... OTHER STUFF HERE
    </Directory>
    # Certificate, private key and chain as written out by the Let's Encrypt client
    SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
    # Protocol and cipher settings (SSLProtocol, SSLCipherSuite, ...) come from this included file
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
</VirtualHost>
</IfModule>
# Plain-HTTP vhost: redirect every request to the canonical https:// name
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
    CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
    # The END flag exists only from Apache 2.4; on 2.2 use L instead
    RewriteRule (.*) https://mysite.com%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

#4

As the others have said, it’s important to understand what you’re doing, as the wrong settings can prevent your server from functioning until fixed or leave you with a very insecure configuration. If you’re unsure, always keep a backup of the contents for the files you’re editing.

That said, some of the settings are okay to copy and paste if you use a good source. In general, you don’t need to worry about the revocation, verify and a few other configuration parameters as they apply to client-supplied certificates or other specialized configurations.

The config generator you linked is a good source for many of the settings; just make sure you put the right versions in the form so you’re getting settings that will work with your configuration. Unless you know viewers are going to use very old browsers or strictly new ones, the “intermediate” settings are your best option.


#5

Sorry if I gave you the impression I wasn’t looking to understand and wasn’t trying to do it by myself.

In fact, that’s what I came here for: to understand the parameters.

So I will tell you what I understood and hope you can correct me if I’m wrong.

SSLProtocol
defines the protocol
–> SSLProtocol all -SSLv2 -SSLv3 -TLSv1

SSLCipherSuite
if I understood correctly, this is defined by my OpenSSL version, currently 1.0.1f,
so
–> SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder
must follow the server’s order
–> on

SSLCompression
–> off
!!! Enabling compression causes a security issue (CRIME attack).

SSLSessionTickets
–> off
Using them without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.

#############################################
To be removed, as those parameters are used when we know the clients, as on an intranet:
SSLCACertificatePath, SSLCACertificateFile, SSLCARevocationPath, SSLCARevocationFile, SSLVerifyClient, SSLVerifyDepth

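As an added example (not code from the thread), a small Python audit that reads a vhost fragment and checks it against the values settled on above: SSLv2/SSLv3 disabled, SSLHonorCipherOrder on, SSLCompression and SSLSessionTickets off, and client-certificate directives present without SSLVerifyClient enabling verification. The sample vhost and the audit logic are constructed for this illustration.

```python
# Constructed sample vhost (not from the thread); SSLProtocol, SSLCompression and SSLVerifyDepth are left in states the audit should flag.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName mysite.example
    SSLProtocol all -SSLv2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!DSS
    SSLHonorCipherOrder on
    SSLCompression on
    SSLSessionTickets off
    #SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
"""
# Values the thread settles on for the three on/off directives.
EXPECTED = {"SSLHonorCipherOrder": "on", "SSLCompression": "off", "SSLSessionTickets": "off"}
# Directives that only matter when the server verifies client certificates.
CLIENT_CERT_DIRECTIVES = {"SSLCACertificatePath", "SSLCACertificateFile",
                          "SSLCARevocationPath", "SSLCARevocationFile", "SSLVerifyDepth"}

def parse_directives(text):
    """Map directive name -> value for active lines; comments and tags are skipped."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)  # directive names assumed in canonical spelling
        found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit_vhost(text):
    """Return a sorted list of findings for the directives discussed above."""
    d = parse_directives(text)
    findings = []
    tokens = d.get("SSLProtocol", "all").split()  # Apache's default is 'all'
    for legacy in ("SSLv2", "SSLv3"):
        if "-" + legacy not in tokens and ("all" in tokens or legacy in tokens):
            findings.append(f"SSLProtocol still allows {legacy}")
    for name, want in EXPECTED.items():
        got = d.get(name)
        if got is None:
            findings.append(f"{name} not set (expected {want})")
        elif got.lower() != want:
            findings.append(f"{name} is {got} (expected {want})")
    # Client-cert directives are dead weight unless SSLVerifyClient enables verification.
    if d.get("SSLVerifyClient", "none").lower() == "none":
        for name in sorted(CLIENT_CERT_DIRECTIVES & set(d)):
            findings.append(f"{name} set but SSLVerifyClient is not enabled")
    return sorted(findings)
```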
