Re: Securing apache
On 4/21/2014 1:25 PM, Jochen Spieker <email@example.com> wrote:
I use these settings and receive good results:
SSLProtocol all -SSLv2 -SSLv3
One thing that has always confused me about apache config is where to
put things like this - and especially in debian (I'm still learning my
The apache docs say to put this in httpd.conf - but debian doesn't use
it, and apache2.conf doesn't show anything like these parameters either?
Do I need to put this in both:
or just in default-ssl?
Thanks again, and sorry for the noob questions...
AFAICT, it is not possible to be both resistant to BEAST attacks and
have Perfect Forward Secrecy at the same time with wheezy's Apache. But
since BEAST may be (and usually is) mitigated on the client side, I
I didn't know this one. You can add this line to any VirtualHost with a
hostname that you only want to be accessed with SSL:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Do not use it if some parts of your site should be accessible without
This is an extension to HTTP developed by Google. Some of its ideas will
find their way into the next version of HTTP (2.0). You don't strictly
need it and it does not improve security except by making SSL mandatory.
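For readers with the same "where does this go" question, here is an added example of how the two directives discussed in this thread fit into a Debian-style HTTPS virtual host; it is not configuration posted by anyone in the thread. It assumes the Debian layout (a site file under /etc/apache2/sites-available/, enabled with a2ensite), that mod_ssl and mod_headers are enabled (a2enmod ssl; a2enmod headers), and placeholder certificate paths and hostname that you would replace with your own. The Strict-Transport-Security header belongs only in the SSL virtual host: browsers ignore it when it arrives over plain HTTP, so adding it to the port-80 site changes nothing.

```apache
# /etc/apache2/sites-available/default-ssl  (example layout, not from the thread)
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.org          # placeholder hostname

    SSLEngine on
    # Placeholder certificate paths; use your own files here.
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # Protocol setting from the thread: disable SSLv2 and SSLv3,
    # leaving TLS versions enabled.
    SSLProtocol all -SSLv2 -SSLv3

    # HSTS header from the thread. Only meaningful on the HTTPS host;
    # requires mod_headers (a2enmod headers). Do not add this if any
    # part of the site (or a subdomain, given includeSubDomains) must
    # remain reachable over plain HTTP.
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    DocumentRoot /var/www
</VirtualHost>
</IfModule>
```

After editing, run `apache2ctl configtest` to catch syntax errors (for example an unknown `Header` directive means mod_headers is not enabled), then reload Apache. The SSLProtocol line can also be placed in the global SSL configuration (/etc/apache2/mods-available/ssl.conf on Debian) so that every SSL virtual host inherits it.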