Apache HTTP Server
Anton Kokarev, 2019-09-08 23:04:48

How to configure HTTPS on Apache/2.4.41 (FreeBSD) for an A+ grade?

I am looking for a working config for the Apache24 web server that gets an A+ result in the Qualys test.

Setup:

- OS: FreeBSD 12.0-RELEASE with all updates as of 8 September 2019;
- Apache/2.4.41 (installed from ports with the pkg utility) with the OpenSSL/1.1.1a module;
- Modules mod-php73-7.3.8, python27-2.7.16_1, python36-3.6.9, wget-1.20.3, curl-7.65.1, mysql80-8.0.16 and others, all at their latest versions.

It is desirable that it works in conjunction with Let's Encrypt and the certbot utility.
Preferably with support for virtual hosts.


4 answer(s)
Andrey Barbolin, 2019-09-09
@dronmaxman

Here is my config showing A+. I also have mail auto-configuration, so autodiscover has been added.
Debian v9
apache2 v2.4.25
PHP v7.3.5

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName domain.ua
    ServerAlias www.domain.ua
    DocumentRoot /var/www/domain/domain.ua
    ErrorLog /var/www/log/apache2/domain_ua_error.log
    CustomLog /var/www/log/apache2/domain_ua_access.log combined

    # Mail autodiscover: a RewriteRule is silently ignored unless the engine is enabled
    RewriteEngine on
    RewriteRule ^(.*)/autodiscover/autodiscover.xml https://mail.domain.ua/autodiscover/autodiscover.xml
    Redirect /Autodiscover/Autodiscover.xml https://mail.domain.ua/autodiscover/autodiscover.xml
    Redirect /autodiscover/autodiscover.xml https://mail.domain.ua/autodiscover/autodiscover.xml
    Redirect /AutoDiscover/AutoDiscover.xml https://mail.domain.ua/autodiscover/autodiscover.xml

    <Directory /var/www/domain/domain.ua>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        # Order/Allow are 2.2-style (need mod_access_compat); Require is the 2.4 form
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride All
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard-dv-domain-ua.cer
    SSLCertificateKeyFile /etc/ssl/private/wildcard-dv-domain-ua-private.key
    SSLCACertificateFile /etc/ssl/certs/star_domain_ua.ca-bundle
    SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
    # Server picks the suite, in the order listed below
    SSLHonorCipherOrder on
    # The trailing !RC4 removes the RC4 entries listed earlier in the string
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLStrictSNIVHostCheck Off
    SSLCompression off
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride All
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
</IfModule>

xmoonlight, 2019-09-08
@xmoonlight

Let's think "soberly": what did you do to meet the requirements?

athacker, 2019-09-09
@athacker

Qualys, by the way, gives a report that points out every flaw keeping the grade from going higher. Read it and fix them. What problems does it list?

Viktor Taran, 2019-09-09
@shambler81

ssl_dhparam
Don't forget to mark the question as resolved ;)
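The asker's own setup (Apache24 port on FreeBSD, certbot, name-based virtual hosts) and the last two answers (read what the Qualys report flags; set DH parameters) can be put together in one script. This is an added example and not code from the thread or from any of the answerers: it prints a hardened `<VirtualHost>` for that setup and runs a small lint over an Apache SSL config that reports the settings an SSL Labs report usually complains about. The paths `/usr/local/etc/letsencrypt` (certbot from ports), `/usr/local/etc/apache24` (Apache24 port) and the name `example.org` are assumptions, and the function names `hardened_vhost`, `audit_tls_conf`, `weak_sample` and `finding_count` are mine; the "weak" config is constructed, modelled on the one posted above, not a copy of it.

```shell
#!/bin/sh
# Added example, not from the thread: a hardened Apache 2.4 TLS vhost for a
# FreeBSD/certbot setup, plus a lint that reports the settings an SSL Labs
# report usually flags. Assumed (FreeBSD port layout): certbot keeps its
# certificates under /usr/local/etc/letsencrypt and the Apache24 port keeps
# its config under /usr/local/etc/apache24; example.org is a placeholder.
set -u

# Print a hardened TLS vhost. Needs mod_ssl, mod_headers and an Apache built
# against OpenSSL 1.1.1 (for TLSv1.3). Create the DH group once with:
#   openssl dhparam -out /usr/local/etc/apache24/dhparam.pem 2048
hardened_vhost() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    DocumentRoot /usr/local/www/example.org
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/example.org/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example.org/privkey.pem
    # TLS 1.2 and 1.3 only: SSL Labs grades down servers that still accept 1.0/1.1
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLCompression off
    SSLSessionTickets off
    # Explicit 2048-bit DH group for the DHE suites (Apache's counterpart of nginx ssl_dhparam)
    SSLOpenSSLConfCmd DHParameters "/usr/local/etc/apache24/dhparam.pem"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
EOF
}

# Report weak TLS settings in an Apache config file, one finding per line.
# Comment lines are ignored. Always returns 0; callers count the output lines.
audit_tls_conf() {
    f="$1"
    # Directive lines only, leading whitespace stripped
    d=$(grep -vE '^[[:space:]]*#' "$f" | sed 's/^[[:space:]]*//')
    printf '%s\n' "$d" | grep -Ei '^SSLProtocol' \
        | grep -Eiq '[[:space:]]([+]?all|[+]TLSv1([.]1)?)([[:space:]]|$)' \
        && echo "SSLProtocol still enables TLS 1.0 and/or 1.1"
    # RC4 listed as a positive entry and never removed with !RC4
    printf '%s\n' "$d" | grep -Ei '^SSLCipherSuite' | grep -E 'RC4' | grep -vq '!RC4' \
        && echo "SSLCipherSuite lists RC4 without excluding it (!RC4)"
    printf '%s\n' "$d" | grep -Eiq '^SSLCompression[[:space:]]+on' \
        && echo "SSLCompression on (TLS compression, CRIME); set it off"
    printf '%s\n' "$d" | grep -Eiq '^SSLHonorCipherOrder[[:space:]]+on' \
        || echo "SSLHonorCipherOrder is not on"
    printf '%s\n' "$d" | grep -q 'Strict-Transport-Security' \
        || echo "no HSTS header (Header always set Strict-Transport-Security ...)"
    printf '%s\n' "$d" | grep -Eiq '^SSLOpenSSLConfCmd[[:space:]]+DHParameters' \
        || echo "no explicit DH parameters (SSLOpenSSLConfCmd DHParameters)"
    # The same SSL directive repeated verbatim, as in the config posted above
    printf '%s\n' "$d" | grep -E '^SSL' | sort | uniq -d | sed 's/^/duplicate directive: /'
    return 0
}

# Constructed sample modelled on the posted config (not a copy of it)
weak_sample() {
    cat <<'EOF'
SSLEngine on
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+RC4 !aNULL !MD5"
SSLHonorCipherOrder on
SSLHonorCipherOrder on
SSLCompression on
EOF
}

# Number of findings for a config file (plain integer on stdout)
finding_count() {
    audit_tls_conf "$1" | grep -c . || true
}

# Usage: sh tls_audit.sh /usr/local/etc/apache24/extra/httpd-ssl.conf
if [ $# -gt 0 ]; then
    audit_tls_conf "$1"
fi
```

Run it against the vhost file the Qualys report was generated for; each line it prints is one item the report will list. `ssl_dhparam` is the nginx directive; in Apache the same thing is `SSLOpenSSLConfCmd DHParameters`, available from httpd 2.4.8 with OpenSSL 1.0.2 or later, and the lint flags its absence. The hardened vhost above produces no findings, and the constructed weak sample produces six (old protocol versions, RC4, compression, no HSTS, no DH group, a duplicated directive).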
