Différences

Ci-dessous, les différences entre deux révisions de la page.

--- guide:installation_serveur_2020 [2020/09/12 20:56] – alban
+++ guide:installation_serveur_2020 [2022/08/11 14:39] (Version actuelle) – [Backup duplicity] alban
@@ Ligne 7: / Ligne 7: @@
 ====== Installation de wallabag ======
-<note important>Au 08/2020 wallabag n'est pas compatible PHP 7.4 (je crois sur wallabag 2.3 et il faut attendre la 2.4.</note>
 Un petit bug qui traine : [[https://github.com/wallabag/wallabag/issues/2768|https://github.com/wallabag/wallabag/issues/2768]]
@@ Ligne 79: / Ligne 77: @@
   * [[https://itigloo.com/2017/02/21/how-to-get-an-a-rating-with-100-score-on-the-ssllabs-test-with-apache/|https://itigloo.com/2017/02/21/how-to-get-an-a-rating-with-100-score-on-the-ssllabs-test-with-apache/]]
   * [[https://security.stackexchange.com/questions/166484/how-to-disable-cbc-mode-ciphers|https://security.stackexchange.com/questions/166484/how-to-disable-cbc-mode-ciphers]]
+  * [[https://wiki.csnu.org/index.php/S%C3%A9curisation_SSL_/_TLS_de_apache|https://wiki.csnu.org/index.php/S%C3%A9curisation_SSL_/_TLS_de_apache]]
 Pas mal mas de weak et une compatibilité générale pas trop moche :
@@ Ligne 92: / Ligne 91: @@
 Le fichier complet (avec quelques specificités moches dues au template ispconfig):
 <file>
-		<IfModule mod_ssl.c>
-		SSLEngine on
-		SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-		SSLOpenSSLConfCmd ECDHParameters secp384r1
-		SSLOpenSSLConfCmd Curves secp521r1:secp384r1
-		SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
-		SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-		SSLHonorCipherOrder off
-		SSLCompression      off
-		SSLSessionTickets   off
-		SSLCertificateFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.crt
-		SSLCertificateKeyFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.key
-		SSLUseStapling on
-		SSLStaplingResponderTimeout 5
-		SSLStaplingReturnResponderErrors off
-		# Enhance header configuration
+        <IfModule mod_ssl.c>
-		<IfModule mod_headers.c>
+        SSLEngine on
-		Header always set Content-Security-Policy "upgrade-insecure-requests;"
+        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-		Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        SSLOpenSSLConfCmd ECDHParameters secp384r1
-		# Rewrite any session cookies to make them more secure
+        SSLOpenSSLConfCmd Curves secp521r1:secp384r1
-		# Make ALL cookies created by this server are HttpOnly and Secure Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
+        SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
-		Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+        SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-		</IfModule>
+        SSLHonorCipherOrder off
+        SSLCompression      off
+        SSLSessionTickets   off
+        SSLCertificateFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.crt
+        SSLCertificateKeyFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.key
+        SSLUseStapling on
+        SSLStaplingResponderTimeout 5
+        SSLStaplingReturnResponderErrors off
+        # Enhance header configuration
+        <IfModule mod_headers.c>
+        Header always set Content-Security-Policy "upgrade-insecure-requests;"
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        # Rewrite any session cookies to make them more secure
+        # Make ALL cookies created by this server are HttpOnly and Secure Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
+        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+        </IfModule>
 </file>
@@ Ligne 135: / Ligne 134: @@
         SSLStaplingCache shmcb:/var/run/ocsp(128000)
 </IfModule>
 </file>
-Intéressant a voir en spécifique ISPCONFIG : https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5368
+Intéressant a voir en spécifique ISPCONFIG : [[https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5368|https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5368]]
+Pour permettre l'utilisation de certificats sur plusieurs domaines avec nameservers
+<code>
+SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1
+</code>
+<note important>La partie **X25519**  est particulièrement importante sinon les autres sous domaines ne fonctionneront pas.</note>
+======= Post configuration =======
+===== Changer la timezone =====
+<code>
+dpkg-reconfigure tzdata
+</code>
+====== Backup duplicity ======
+<code>
+# backup on dedibackup
+sudo FTP_PASSWORD=XXX PASSPHRASE=XXX duplicity --full-if-older-than 1M /var/www ftp://sd-154040@dedibackup-dc3.online.net/
+# remove older than 6M
+sudo FTP_PASSWORD=XXX PASSPHRASE=XXX duplicity remove-older-than 6M ftp://sd-154040@dedibackup-dc3.online.net/
+# Healthcheck.io silent version (no stdout/stderr output unless curl hits an error):
+curl -fsS -m 10 --retry 5 -o /dev/null https://hc-ping.com/986ba863-a707-4b0b-bb79-35a42e4b9f72
+</code>