]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - config/httpd/vhosts.d/ipfire-interface-ssl.conf
projects / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
disable SSL compression and session tickets in Apache
[ipfire-2.x.git] / config / httpd / vhosts.d / ipfire-interface-ssl.conf
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index e9ad26a9661b243e37a618620535402b9a19bfd7..dacf6a005f87f0c250bb388d05796011de7ed062 100644 (file)
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -9,10 +9,14 @@
     TransferLog /var/log/httpd/access_log
     SSLEngine on
     SSLProtocol all -SSLv2 -SSLv3
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
     SSLHonorCipherOrder on
+    SSLCompression off
+    SSLSessionTickets off
     SSLCertificateFile /etc/httpd/server.crt
     SSLCertificateKeyFile /etc/httpd/server.key
+    SSLCertificateFile /etc/httpd/server-ecdsa.crt
+    SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
@@ -23,7 +27,10 @@
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+        <RequireAll>
+            Require user admin
+            Require ssl
+        </RequireAll>
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
@@ -32,7 +39,10 @@
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+        <RequireAll>
+            Require user admin
+            Require ssl
+        </RequireAll>
         <Files chpasswd.cgi>
             Require all granted
         </Files>
@@ -74,6 +84,9 @@
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+        <RequireAll>
+            Require user admin
+            Require ssl
+        </RequireAll>
     </Directory>
 </VirtualHost>
IPFire 2.x development tree