Liste des plugins:
Un petit bug qui traine : https://github.com/wallabag/wallabag/issues/2768
Et la solution
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
Hardening de base : https://wiki.debian.org/Apache/Hardening
Evaluation de base : https://www.ssllabs.com/ssltest/analyze.html?d=alban.montaigu.io&s=163.172.180.167
La partie hardening TLS : https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off
Activation DNS CAA : https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum
Autre tuto intéressant : https://community.bitnami.com/t/howto-a-on-all-tests-at-ssllabs-com-with-apache-2-4-xx/67885 mais a priori trop violent pour les vieux matériels
Activation hsts aussi : https://www.justegeek.fr/activer-len-tete-hsts-sur-apache-pour-proteger-son-site-web/?cn-reloaded=1
nano /etc/apache2/conf-enabled/security.com ServerTokens Prod ServerSignature Off Header set X-Content-Type-Options: "nosniff" Header set X-Frame-Options: "sameorigin"
Aller plus loin dans les resultats SSLabs : https://community.bitnami.com/t/howto-a-on-all-tests-at-ssllabs-com-with-apache-2-4-xx/67885
Une piste pour améliorer la compliance : https://developer.mozilla.org/fr/docs/Web/Security/Public_Key_Pinning
Une autre poste encore : https://gist.github.com/GAS85/42a5469b32659a0aecc60fa2d4990308
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Pinning : https://gist.github.com/GAS85/a668b941f84c621a15ff581ae968e4cb
cat /etc/letsencrypt/live/alban.montaigu.io/cert.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
Aussi a voir ca :
Pas mal mas de weak et une compatibilité générale pas trop moche :
SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384 # HSTS Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
La référence : https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
Le fichier complet (avec quelques specificités moches dues au template ispconfig):
<IfModule mod_ssl.c> SSLEngine on SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLOpenSSLConfCmd ECDHParameters secp384r1 SSLOpenSSLConfCmd Curves secp521r1:secp384r1 SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 SSLHonorCipherOrder off SSLCompression off SSLSessionTickets off SSLCertificateFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.crt SSLCertificateKeyFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.key SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off # Enhance header configuration <IfModule mod_headers.c> Header always set Content-Security-Policy "upgrade-insecure-requests;" Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Rewrite any session cookies to make them more secure # Make ALL cookies created by this server are HttpOnly and Secure Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure" Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure </IfModule>
<IfModule mod_ssl.c> SSLStaplingCache shmcb:/var/run/ocsp(128000) </IfModule>
Intéressant a voir en spécifique ISPCONFIG : https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5368
Pour permettre l'utilisation de certificats sur plusieurs domaines avec nameservers
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1
dpkg-reconfigure tzdata
# backup on dedibackup sudo FTP_PASSWORD=XXX PASSPHRASE=XXX duplicity --full-if-older-than 1M /var/www ftp://sd-154040@dedibackup-dc3.online.net/ # remove older than 6M sudo FTP_PASSWORD=XXX PASSPHRASE=XXX duplicity remove-older-than 6M ftp://sd-154040@dedibackup-dc3.online.net/ # Healthcheck.io silent version (no stdout/stderr output unless curl hits an error): curl -fsS -m 10 --retry 5 -o /dev/null https://hc-ping.com/986ba863-a707-4b0b-bb79-35a42e4b9f72