Securing your web
Let’s Encrypt + StartSSL + HTTPS by Default + Get “A” from Qualys SSL Server Test

Kitt Tientanopajai, D.Eng.
Director
Bureau of Information Technology
Khon Kaen University

Documents
● These slides are available at https://goo.gl/ePcB6M
● Scripts for this workshop are available at https://goo.gl/DXw9SY

Workshop Requirements
● A Linux box on which you want to enable SSL
● Root access to your Linux box.
● A fully-qualified domain name (FQDN) that points to your Linux box.
● MS Windows/IIS users will also benefit from this workshop.

Topics
● Introduction
● Get certificates for free
  ⚪ StartSSL
  ⚪ Let’s Encrypt
● Basic HTTPS Configurations
  ⚪ Apache HTTPD Server
  ⚪ nginx
  ⚪ Lighttpd
● HTTPS by default
● Get “A” from Qualys SSL Test

Introduction

How HTTPS works
[Diagram; labels: Browser, Built-in CA Cert, Server, Certificate, Public, Private, CA, Private]

Getting certificates for free

Self-Signed Certificate
● You can always create a certificate signed by yourself, or your own CA.
● No browser will trust your certificates unless you
  ⚪ Install the root certificate
  ⚪ Manually trust the certificate
● Not recommended
  ⚪ You can get ones signed by a trusted CA for free.

StartSSL
● Provides free certificates (class 1) signed by a trusted CA.
● Visit https://www.startssl.com
  ⚪ Sign up for an account
  ⚪ Domain validation
    ◾ By e-mail to hostmaster, postmaster, or webmaster
  ⚪ Web server SSL/TLS certificate
● Generate a private key
  $ openssl genrsa -out privkey.pem 4096
● Generate the CSR
  $ openssl req -new -nodes -key privkey.pem -out domain.csr
● Submit the CSR to StartSSL
● Download the certificate

Basic HTTPS configuration

Generic Method
● Get a certificate for your domain
  ⚪ Preferably, signed by a trusted CA
● Upload the certificate and the private key to the server.
● Permission
  ⚪ root 644 for certificate file
  ⚪ root 400 for private key file
● Configure your HTTP server
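
Added example, not part of the original slides: a Python check for the permission rule above. It reports a file whose mode grants bits beyond 644 (certificate) or 400 (private key), or whose owner is not the expected uid; the function names, the demo file names and their placeholder contents are assumptions made for this illustration.

```python
import os
import stat
import tempfile

# Maximum permission bits from the slide: certificate 644, private key 400.
LIMITS = {"certificate": 0o644, "private key": 0o400}

def audit_tls_file_modes(cert_path, key_path, expected_uid=0):
    """Return findings for files that grant extra bits or have the wrong owner."""
    findings = []
    for label, path in (("certificate", cert_path), ("private key", key_path)):
        st = os.stat(path)  # follows symlinks, so a linked file is judged by its target
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~LIMITS[label]
        if extra:
            findings.append(
                f"{label}: mode {mode:04o} exceeds {LIMITS[label]:04o} (extra bits {extra:04o})")
        if st.st_uid != expected_uid:
            findings.append(f"{label}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings

def demo():
    """Constructed files in a temp dir: a key left world-readable, then corrected."""
    uid = os.getuid()  # the demo files belong to the current user, not root
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "privkey.pem")
        for path in (cert, key):
            with open(path, "w") as f:
                f.write("placeholder, not real PEM data\n")
        os.chmod(cert, 0o644)
        os.chmod(key, 0o644)  # the mistake: key readable by group and others
        before = audit_tls_file_modes(cert, key, expected_uid=uid)
        os.chmod(key, 0o400)  # the slide's setting
        after = audit_tls_file_modes(cert, key, expected_uid=uid)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```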

Apache HTTP Server
<VirtualHost *:443>
    SSLEngine on
    ...
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    SSLCertificateChainFile /path/to/chain.pem
    ...
</VirtualHost>

nginx
server {
    listen 443 ssl;
    ...
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ...
}

Lighttpd
$SERVER["socket"] == "0.0.0.0:443" {
    ...
    ssl.engine = "enable"
    ssl.pemfile = "/path/to/key+cert.pem"
    ssl.ca-file = "/path/to/ca+chain.pem"
    ...
}

HTTPS by default

Generic Method
● Rewrite/redirect HTTP to HTTPS
● Preferably
  ⚪ All HTTP traffic must be rewritten/redirected to HTTPS
  ⚪ Do this as early as possible
  ⚪ Always use https:// in your HTML code
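
Added example, not from the original slides: a scanner for the last point above, listing the http:// references through which a page loads subresources or submits forms (navigation links in <a href> are left out). The tag/attribute table, the function names and the sample page are constructed for this illustration.

```python
from html.parser import HTMLParser

# Attributes through which a page loads a subresource or submits form data.
URL_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "embed": ("src",), "object": ("data",),
    "form": ("action",),
}

class InsecureRefFinder(HTMLParser):
    """Collect (line, tag, attribute, url) for every plain-http reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in URL_ATTRS.get(tag, ()):
                continue
            if name == "srcset":  # comma-separated "url descriptor" candidates
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_insecure_refs(html_text):
    finder = InsecureRefFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page, imagined as served from https://host.domain.tld/
SAMPLE = """<!doctype html>
<html><head>
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href="https://host.domain.tld/site.css">
</head><body>
<img src="//static.example.com/logo.png">
<img srcset="http://img.example.com/a.png 1x, https://img.example.com/b.png 2x">
<form action="HTTP://host.domain.tld/login" method="post"></form>
<a href="http://example.org/">external link</a>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_refs(SAMPLE):
        print(f"line {line}: <{tag} {attr}> refers to {url}")
```

The protocol-relative //static.example.com reference is not reported because it inherits the scheme of the page that includes it.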

Apache HTTP Server
<VirtualHost *:80>
    RewriteEngine on
    # "=" directly in front of the name makes this an exact string comparison
    RewriteCond %{SERVER_NAME} =host.domain.tld
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

nginx
server {
    listen 80;
    server_name host.domain.tld;
    return 301 https://$server_name$request_uri;
}

Lighttpd
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        # %0 is the host matched by the enclosing condition, $0 the matched URL
        url.redirect = (".*" => "https://%0$0")
    }
}

Let’s Encrypt
● Let’s Encrypt is a certification authority (CA)
  ⚪ Specifically designed to be a ubiquitous and long-term solution to secure electronic transactions on the web.
● Trusted/supported by modern browsers
  ⚪ Google Chrome
  ⚪ Firefox
  ⚪ Safari
  ⚪ Internet Explorer / Edge
● Backed by top organizations
  ⚪ Internet Security Research Group (ISRG)
  ⚪ Electronic Frontier Foundation (EFF)
  ⚪ Internet Society (ISOC)
● IETF accepted the Let’s Encrypt protocol (ACME) and published an I-D. ACME will be an open standard when its status changes to RFC.
● Visit https://letsencrypt.org
● ACME client source code is free (as in free speech)
  ⚪ Automated tools
    ◾ Domain validation
    ◾ Certificate issuance
    ◾ Certificate revocation
    ◾ Configure your web servers
● Let’s Encrypt certificates are free (as in free beer)
  ⚪ Rate limits https://letsencrypt.org/docs/rate-limits/

ACME Client
● Official client: letsencrypt or certbot
  ⚪ From distro’s repository
    ◾ letsencrypt
    ◾ certbot
  ⚪ From eff.org
    # wget https://dl.eff.org/certbot-auto
    # chmod 755 certbot-auto
● certbot will automatically install required packages from the distro’s repository.
  ⚪ Let’s run
    # ./certbot-auto --help

ACME Domain Validation

ACME Certificate Issuance

ACME Certificate Revocation

Let’s Encrypt Certificates
● All Let’s Encrypt certificates expire 90 days after they are issued.
  ⚪ Limit damage from key compromise and mis-issuance.
  ⚪ Encourage automation, which is absolutely essential for ease-of-use.
● Let’s Encrypt allows you to renew certificates 30 days before they expire.

Let’s Encrypt with Apache HTTP
● Simply run
  # ./certbot-auto
● Enter the FQDN of your web site
● Enter your email
  ⚪ It can save your life later.
● Read the Terms of Service
  ⚪ Agree or Cancel
● Choose required or optional
  ⚪ Easy = Optional
  ⚪ Secure = Required - redirect HTTP to HTTPS
● Choose “OK” .. Congrats, it’s done!
  ⚪ No need to understand how X.509 works
  ⚪ No need to manually generate a private key and a CSR
  ⚪ No need to configure your web server(s)
  ⚪ No need to pay for certificates :)

Let’s Encrypt with nginx (and the others)
● Right now, the plugin for nginx is experimental, but you can ask certbot to just issue and install the certificate on your Linux box:
  # ./certbot-auto certonly --standalone
● certbot will run its own temporary web server to automate the process instead of using Apache.
● Enter the FQDN of your web site
  ⚪ If you are running nginx (or another web server), you have to stop it while Let’s Encrypt verifies your domain.
● Done. Your certificate and key will be issued and saved in
  /etc/letsencrypt/live/<hostname>/fullchain.pem
  /etc/letsencrypt/live/<hostname>/privkey.pem
● Edit the nginx configuration to enable SSL/TLS
  ⚪ Point ssl_certificate to the fullchain.pem file
  ⚪ Point ssl_certificate_key to the privkey.pem file
  ⚪ Start/restart nginx.

Certificate Renewal
● Simply run
  # ./certbot-auto renew
● You can use cron to automate the renewal process, via either /etc/cron.daily or /etc/cron.weekly

#!/bin/sh
# Stop nginx so that certbot's standalone web server can answer the validation.
service nginx stop
/path/to/certbot-auto renew --standalone
LE_STATUS=$?
# Start nginx again whether or not the renewal succeeded.
service nginx start
if [ "$LE_STATUS" != 0 ]; then
    echo "Automated renewal failed:"
    exit 1
fi

Get “A” from Qualys SSL Labs Test

Qualys SSL Labs Test
● First, let’s try to see your current rating.
● Visit https://www.ssllabs.com/ssltest/

How to get “A”
● Update/upgrade your server
● Enable only TLS, and disable all SSL
● Use only strong ciphers
● Use strong Diffie-Hellman parameter for key exchange
● Disable SSL compression
● Use Online Certificate Status Protocol (OCSP)
● Use HTTP Strict Transport Security (HSTS)

Get “A” for Apache
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Get “A” for nginx
listen 443 ssl spdy;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_dhparam /path/to/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
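
Added example, not from the original slides or from nginx: a small auditor that reads an nginx configuration and reports which items of the “How to get A” checklist are not met by its directives. The function names, the weak-cipher marker list and the WEAK_CONF sample are assumptions made for this illustration; SLIDE_CONF repeats the TLS directives from the nginx slide.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")  # assumed weak-cipher markers

def parse_directives(conf_text):
    """Map directive name -> list of argument lists; quoted values may span lines."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # strip comments
    directives, current = {}, []
    for tok in re.findall(r'"[^"]*"|[^\s;{}"]+|[;{}]', text):
        if tok not in (";", "{", "}"):
            current.append(tok)
        elif current:
            args = [t.strip('"') for t in current[1:]]
            directives.setdefault(current[0], []).append(args)
            current = []
    return directives

def audit_nginx_tls(conf_text):
    """Return findings for the checklist items that map onto nginx directives."""
    d = parse_directives(conf_text)
    first = {name: args[0] for name, args in d.items()}  # first occurrence of each
    findings = []
    for name in ("ssl_protocols", "ssl_ciphers", "ssl_dhparam"):
        if not first.get(name):
            findings.append(name + " is not set")
    weak_protocols = sorted(set(first.get("ssl_protocols", [])) & WEAK_PROTOCOLS)
    if weak_protocols:
        findings.append("SSL enabled: " + ",".join(weak_protocols))
    suites = [s for s in ":".join(first.get("ssl_ciphers", [])).split(":") if s]
    weak = [s for s in suites if s[0] not in "!-" and any(m in s.upper() for m in WEAK_MARKERS)]
    if weak:
        findings.append("weak cipher entries: " + ",".join(weak))
    for name in ("ssl_prefer_server_ciphers", "ssl_stapling"):
        if first.get(name) != ["on"]:
            findings.append(name + " is not on")
    hsts = [a[1] for a in d.get("add_header", [])
            if len(a) > 1 and a[0].lower() == "strict-transport-security"]
    age = re.search(r"max-age\s*=\s*(\d+)", hsts[0]) if hsts else None
    if not age or int(age.group(1)) == 0:
        findings.append("HSTS header missing or max-age is 0")
    return findings

# Constructed weak sample, then the TLS directives from the nginx slide.
WEAK_CONF = "server { listen 443 ssl; ssl_protocols SSLv3 TLSv1; ssl_ciphers HIGH:RC4-SHA:!aNULL; }"
SLIDE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_dhparam /path/to/dhparam.pem;
ssl_stapling on;
add_header Strict-Transport-Security "max-age=31536000;
    includeSubDomains" always;
"""

if __name__ == "__main__":
    print(audit_nginx_tls(WEAK_CONF), audit_nginx_tls(SLIDE_CONF), sep="\n")
```

SSL compression is not checked because the nginx slide sets no directive for it.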

Get “A” for Lighttpd
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.honor-cipher-order = "enable"
ssl.dh-file = "/path/to/dhparam.pem"
ssl.use-compression = "disable"
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=31536000; includeSubdomains"
)

Q & A
Kitt Tientanopajai, D.Eng.
Director
Bureau of Information Technology
Khon Kaen University