nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-04-29 10:10:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

apache: Setup Mozilla recommended configuration

Browse Source 
- TLS configuration as recommended by Mozilla's SSL Configuration Generator with
'Intermediate' configuration. See:
https://wiki.mozilla.org/Security/Server_Side_TLS

- Disable ciphers that are weak or without forward secrecy.

- Allow client to choose ciphers as they will know best if they have support for
hardware-accelerated AES.

- TLS session tickets (RFC 5077) require restarting web server with an
appropriate frequency. See:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets

- Send OCSP responses to the client and reduce their round trips.

- No need to increment apache app version number as it has already been
incremented in this release cycle for enabling HTTP/2 module.

Tests:

- FreedomBox interface is reachable with the changes.

- ssllabs.com gives an A+ rating on a server with these changes.

  - All ciphers are shown as secure.

  - Forward Secrecy rating is ROBUST.

  - OCSP stapling shows as enabled.

  - Client support seems to match the expected after dropping <= TLS1.1.

  - Session resumption with tickets shows as disabled.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit is contained in:
Sunil Mohan Adapa 2021-09-02 16:45:53 -07:00 committed by James Valleroy
parent 857ab0afe1
commit ae541ca752
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
2 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
actions/apache
View File

@ -129,6 +129,10 @@ def subcommand_setup(arguments):
# Enable HTTP/2 protocol # Enable HTTP/2 protocol
webserver.enable('http2', kind='module') webserver.enable('http2', kind='module')
# Enable shared object cache needed for OSCP stapling. Needed by
# mod_ssl.
webserver.enable('socache_shmcb', kind='module')
# switch to mod_ssl from mod_gnutls # switch to mod_ssl from mod_gnutls
webserver.disable('gnutls', kind='module') webserver.disable('gnutls', kind='module')
webserver.enable('ssl', kind='module') webserver.enable('ssl', kind='module')

33
data/etc/apache2/conf-available/freedombox.conf
View File

@ -1,3 +1,36 @@
## SPDX-License-Identifier: AGPL-3.0-or-later
##
## DO NOT EDIT. If you do, FreedomBox will not automatically upgrade.
##
## Apache configuration managed by FreedomBox. If customization is needed,
## create a new configuration file with higher priority and override directives.
##
##
## TLS configuration as recommended by Mozilla's SSL Configuration Generator
## with 'Intermediate' configuration. See:
## https://wiki.mozilla.org/Security/Server_Side_TLS
##
<IfModule mod_ssl.c>
# Disable ciphers that are weak or without forward secrecy.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Allow client to choose ciphers as they will know best if they have support
# for hardware-accelerated AES.
SSLHonorCipherOrder off
# TLS session tickets (RFC 5077) require restarting web server with an
# appropriate frequency. See:
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
SSLSessionTickets off
# Send OCSP responses to the client and reduce their round trips.
<IfModule mod_socache_shmcb.c>
SSLUseStapling On
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
</IfModule>
</IfModule>
## ##
## Enable HSTS, even for subdomains. ## Enable HSTS, even for subdomains.
## ##