
Re: Securing apache



On 4/21/2014 1:25 PM, Jochen Spieker <ml@well-adjusted.de> wrote:
I use these settings and receive good results:

SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3

Thanks Jochen,

One thing that has always confused me about apache config is where to put things like this - and especially in debian (I'm still learning my way around)...

The apache docs say to put this in httpd.conf - but debian doesn't use it, and apache2.conf doesn't show anything like these parameters either?

Do I need to put this in both:

/etc/apache2/sites-available/default-ssl
and
/etc/apache2/sites-available/myhost.conf

or just in default-ssl?

Thanks again, and sorry for the noob questions...

AFAICT, it is not possible to be both resistant to BEAST attacks and
have Perfect Forward Secrecy at the same time with wheezy's Apache. But
since BEAST may be (and usually is) mitigated on the client side, I
prefer PFS.

Enable 'Strict-Transport-Security'

I didn't know this one. You can add this line to any VirtualHost with a
hostname that you only want to be accessed with SSL:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Do not use it if some parts of your site should be accessible without
SSL.

Enable 'SPDY'

This is an extension to HTTP developed by Google. Some of its ideas will
find their way into the next version of HTTP (2.0). You don't strictly
need it and it does not improve security except by making SSL mandatory.

J.
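An added example (not part of the original thread or of Debian's shipped configuration) showing where the SSL* directives and the Strict-Transport-Security header quoted above fit in Debian's split Apache layout. It assumes the standard Debian file names from the thread (/etc/apache2/mods-available/ssl.conf for server-wide SSL defaults, /etc/apache2/sites-available/default-ssl and myhost.conf for per-host settings); the hostname, certificate paths and site name are placeholders.

```apache
# Added example, not Debian's or the poster's own config.
# Debian's apache2.conf does not carry these directives itself: it includes
# mods-enabled/*.conf and sites-enabled/, so settings live in those files.
#
# 1. Enable the modules once (mod_ssl provides the SSL* directives,
#    mod_headers provides "Header"):
#      a2enmod ssl headers
#
# 2. Server-wide defaults: /etc/apache2/mods-available/ssl.conf
#    (mods-enabled/ssl.conf is a symlink to it). Directives here apply to
#    every SSL virtual host unless a VirtualHost overrides them, so the
#    cipher settings do not need to be repeated in each site file.
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
</IfModule>

# 3. Per-host settings: /etc/apache2/sites-available/default-ssl
#    (or myhost.conf). Only a host that must be reached exclusively over
#    SSL gets the HSTS header; a VirtualHost that also serves plain HTTP
#    content must not send it.
<VirtualHost *:443>
    ServerName myhost.example                      # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/myhost.pem     # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/myhost.key
    # "always" sends the header on error responses too, not only on 2xx/3xx,
    # so a client cannot observe a response without the HSTS policy.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

# 4. Activate the site, check the syntax, then reload:
#      a2ensite default-ssl && apache2ctl configtest && service apache2 reload
```

SSLCipherSuite and SSLProtocol are valid in both the server config and a VirtualHost, so putting them in ssl.conf once and overriding only where a host needs something different avoids drift between default-ssl and myhost.conf. The Header line belongs with the VirtualHost because the decision to enforce SSL is per-hostname.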
