apache: Just use Mozilla recommended settings
Removed all RedHat default settings and just added Mozilla recommended modern settings.
This commit is contained in:
parent
affeddd2cc
commit
bace8a39b4
2 changed files with 6 additions and 41 deletions
|
@ -7,40 +7,10 @@
|
||||||
|
|
||||||
Listen 443
|
Listen 443
|
||||||
|
|
||||||
# Pass Phrase Dialog:
|
# Use Mozilla recommended modern ciphers
|
||||||
# Configure the pass phrase gathering process.
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
|
||||||
# The filtering dialog program (`builtin' is a internal
|
SSLHonorCipherOrder off
|
||||||
# terminal dialog) has to provide the pass phrase on stdout.
|
SSLSessionTickets off
|
||||||
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
|
|
||||||
|
|
||||||
# Inter-Process Session Cache:
|
SSLUseStapling On
|
||||||
# Configure the SSL Session Cache: First the mechanism
|
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
|
||||||
# to use and second the expiring timeout (in seconds).
|
|
||||||
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
|
|
||||||
SSLSessionCacheTimeout 300
|
|
||||||
|
|
||||||
# Pseudo Random Number Generator (PRNG):
|
|
||||||
# Configure one or more sources to seed the PRNG of the
|
|
||||||
# SSL library. The seed data should be of good random quality.
|
|
||||||
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
|
||||||
# is available. This means you then cannot use the /dev/random device
|
|
||||||
# because it would lead to very long connection times (as long as
|
|
||||||
# it requires to make more entropy available). But usually those
|
|
||||||
# platforms additionally provide a /dev/urandom device which doesn't
|
|
||||||
# block. So, if available, use this one instead. Read the mod_ssl User
|
|
||||||
# Manual for more details.
|
|
||||||
SSLRandomSeed startup file:/dev/urandom 256
|
|
||||||
SSLRandomSeed connect builtin
|
|
||||||
#SSLRandomSeed startup file:/dev/random 512
|
|
||||||
#SSLRandomSeed connect file:/dev/random 512
|
|
||||||
#SSLRandomSeed connect file:/dev/urandom 512
|
|
||||||
|
|
||||||
#
|
|
||||||
# Use "SSLCryptoDevice" to enable any supported hardware
|
|
||||||
# accelerators. Use "openssl engine -v" to list supported
|
|
||||||
# engine names. NOTE: If you enable an accelerator and the
|
|
||||||
# server does not start, consult the error logs and ensure
|
|
||||||
# your accelerator is functioning properly.
|
|
||||||
#
|
|
||||||
SSLCryptoDevice builtin
|
|
||||||
#SSLCryptoDevice ubsec
|
|
||||||
|
|
|
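Review bot: dropping `SSLSessionCache shmcb:/run/httpd/sslcache(512000)` and `SSLSessionCacheTimeout 300` in this hunk while keeping `SSLSessionTickets off` leaves the server with no TLS session resumption at all: with tickets disabled, mod_ssl can only resume from the server-side session cache, and with no `SSLSessionCache` directive every reconnecting client pays a full handshake (mod_ssl also logs a startup warning that no session cache is configured). The Mozilla generator output is meant to be combined with the distribution's base ssl.conf, not to replace it, so keep those two lines; the right-hand side keeps a cache for stapling (`SSLStaplingCache`) but not for sessions. Two smaller points in the same hunk: the comment `# Use Mozilla recommended modern ciphers` sits above a directive that restricts protocols, not ciphers, and `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2` is TLS 1.3 only, so say "modern profile" and record that clients without TLS 1.3 will be refused; and removing `SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog` is only safe if none of the keys referenced by `SSLCertificateKeyFile` are passphrase-protected, because the builtin dialog would block a non-interactive service start.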
@ -3,12 +3,7 @@
|
||||||
DocumentRoot /srv/web/{{ inventory_hostname }}
|
DocumentRoot /srv/web/{{ inventory_hostname }}
|
||||||
|
|
||||||
Protocols h2 http/1.1
|
Protocols h2 http/1.1
|
||||||
|
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
|
||||||
SSLCipherSuite {{ tls_ciphers }}
|
|
||||||
SSLHonorCipherOrder off
|
|
||||||
SSLSessionTickets off
|
|
||||||
|
|
||||||
# Server certificates
|
# Server certificates
|
||||||
SSLCertificateKeyFile {{ tls_private }}/{{ inventory_hostname }}.key
|
SSLCertificateKeyFile {{ tls_private }}/{{ inventory_hostname }}.key
|
||||||
|
|
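Review bot: with `SSLCipherSuite {{ tls_ciphers }}` removed from this template, the `tls_ciphers` variable is dead in the role; delete it from the defaults/vars where it is defined so nobody later assumes it still controls the cipher list. Note also the behaviour change this hunk introduces: the deleted per-vhost `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` still allowed TLS 1.2, and since a vhost-level `SSLProtocol` overrides the server-level one, removing it means the global TLS 1.3-only setting now applies to this host. Any other vhost template in the repo that still carries its own `SSLProtocol` or `SSLCipherSuite` will keep overriding the new global config, so they need the same cleanup; after deploying, `openssl s_client -connect <host>:443 -tls1_2` should fail against every vhost, which is the quick check that nothing is still overriding it.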