Différences

Ci-dessous, les différences entre deux révisions de la page.

--- guide:installation_serveur_2020 [2020/09/12 14:11] – alban
+++ guide:installation_serveur_2020 [2022/08/11 14:39] (Version actuelle) – [Backup duplicity] alban
@@ Ligne 7: / Ligne 7: @@
 ====== Installation de wallabag ======
-<note important>Au 08/2020 wallabag n'est pas compatible PHP 7.4 (je crois sur wallabag 2.3 et il faut attendre la 2.4.</note>
 Un petit bug qui traine : [[https://github.com/wallabag/wallabag/issues/2768|https://github.com/wallabag/wallabag/issues/2768]]
@@ Ligne 51: / Ligne 49: @@
 Header set X-Frame-Options: "sameorigin"
-# HSTS
-Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 </code>
@@ Ligne 64: / Ligne 59: @@
 <code>
-''openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096''
+openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
 </code>
@@ Ligne 71: / Ligne 66: @@
 <code>
-''cat /etc/letsencrypt/live/alban.montaigu.io/cert.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
+cat /etc/letsencrypt/live/alban.montaigu.io/cert.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
-''
 </code>
-Aussi a voir ca : [[https://community.letsencrypt.org/t/how-to-get-100-on-ssllabs-com-with-nginx/114196|https://community.letsencrypt.org/t/how-to-get-100-on-ssllabs-com-with-nginx/114196]]
+Aussi a voir ca :
-[[https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033|https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033]]
+  * [[https://community.letsencrypt.org/t/how-to-get-100-on-ssllabs-com-with-nginx/114196|https://community.letsencrypt.org/t/how-to-get-100-on-ssllabs-com-with-nginx/114196]]
+  * [[https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033|https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033]]
+  * [[https://serverfault.com/questions/877774/trying-to-get-100-in-ssllabs-com-key-exchange/877784|https://serverfault.com/questions/877774/trying-to-get-100-in-ssllabs-com-key-exchange/877784]]
+  * [[https://itigloo.com/2017/02/21/how-to-get-an-a-rating-with-100-score-on-the-ssllabs-test-with-apache/|https://itigloo.com/2017/02/21/how-to-get-an-a-rating-with-100-score-on-the-ssllabs-test-with-apache/]]
+  * [[https://security.stackexchange.com/questions/166484/how-to-disable-cbc-mode-ciphers|https://security.stackexchange.com/questions/166484/how-to-disable-cbc-mode-ciphers]]
+  * [[https://wiki.csnu.org/index.php/S%C3%A9curisation_SSL_/_TLS_de_apache|https://wiki.csnu.org/index.php/S%C3%A9curisation_SSL_/_TLS_de_apache]]
-https://serverfault.com/questions/877774/trying-to-get-100-in-ssllabs-com-key-exchange/877784
+Pas mal mas de weak et une compatibilité générale pas trop moche :
+<code>
+SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384
+# HSTS Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+</code>
+La référence : [[https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6|https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6]]
+Le fichier complet (avec quelques specificités moches dues au template ispconfig):
+<file>
+        <IfModule mod_ssl.c>
+        SSLEngine on
+        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+        SSLOpenSSLConfCmd ECDHParameters secp384r1
+        SSLOpenSSLConfCmd Curves secp521r1:secp384r1
+        SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
+        SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        SSLHonorCipherOrder off
+        SSLCompression      off
+        SSLSessionTickets   off
+        SSLCertificateFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.crt
+        SSLCertificateKeyFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.key
+        SSLUseStapling on
+        SSLStaplingResponderTimeout 5
+        SSLStaplingReturnResponderErrors off
+        # Enhance header configuration
+        <IfModule mod_headers.c>
+        Header always set Content-Security-Policy "upgrade-insecure-requests;"
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        # Rewrite any session cookies to make them more secure
+        # Make ALL cookies created by this server are HttpOnly and Secure Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
+        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+        </IfModule>
+</file>
+<file>
+<IfModule mod_ssl.c>
+        SSLStaplingCache shmcb:/var/run/ocsp(128000)
+</IfModule>
+</file>
+Intéressant a voir en spécifique ISPCONFIG : [[https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5368|https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5368]]
+Pour permettre l'utilisation de certificats sur plusieurs domaines avec nameservers
+<code>
+SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1
+</code>
+<note important>La partie **X25519**  est particulièrement importante sinon les autres sous domaines ne fonctionneront pas.</note>
+======= Post configuration =======
+===== Changer la timezone =====
+<code>
+dpkg-reconfigure tzdata
+</code>
+====== Backup duplicity ======
+<code>
+# backup on dedibackup
+sudo FTP_PASSWORD=XXX PASSPHRASE=XXX duplicity --full-if-older-than 1M /var/www ftp://sd-154040@dedibackup-dc3.online.net/
+# remove older than 6M
+sudo FTP_PASSWORD=XXX PASSPHRASE=XXX duplicity remove-older-than 6M ftp://sd-154040@dedibackup-dc3.online.net/
+# Healthcheck.io silent version (no stdout/stderr output unless curl hits an error):
+curl -fsS -m 10 --retry 5 -o /dev/null https://hc-ping.com/986ba863-a707-4b0b-bb79-35a42e4b9f72
+</code>