jsj
jsj-installtools
Changes of Revision 124
jsj-installtools.changes
Changed
@@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Tue Sep 16 11:54:28 UTC 2025 - Stefan Botter <obs@botter.cc> + +- modified templates for apache ssl hosts and ssl proxy hosts + according to local wishes, ssl configuration according to actual + mozilla suggestions + +------------------------------------------------------------------- Sat Aug 23 08:07:46 UTC 2025 - Stefan Botter <obs@botter.cc> - CreateConfig: negate check for LOC
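Review bot: The new changelog entry only mentions the SSL host and SSL proxy host templates, but this revision also shrinks the OCSP stapling cache in 000-ssl-stapling.conf, makes the HTTP to HTTPS redirect permanent (R=301), and switches the proxy template to ProxyPreserveHost On. Each of these changes runtime behaviour for hosts generated from the templates, so list them as separate bullet items. Also name the Mozilla profile the templates default to (intermediate), so the entry is still meaningful after the generator's recommendations move on.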
000-ssl-stapling.conf
Changed
@@ -1,6 +1,6 @@ <IfDefine SSL> <IfDefine !NOSSL> SSLUseStapling on - SSLStaplingCache "shmcb:logs/stapling-cache(150000)" + SSLStaplingCache "shmcb:logs/stapling-cache(32768)" </IfDefine> </IfDefine>
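Review bot: The SSLStaplingCache size drops from 150000 to 32768 bytes with no comment in the file and no mention in the changelog, so a later reader cannot tell whether the smaller value is deliberate. If it was taken from the Mozilla generator referenced in the vhost templates, add a one-line comment saying so above the directive. Because this file is global rather than per vhost, also note that the cache is shared by all SSL vhosts on the server, so hosts serving many certificates can check that stapled responses still fit.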
vhost-ssl-proxy.conf
Changed
@@ -10,8 +10,8 @@ <ifmodule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} off - RewriteCond %{REQUEST_URI} !^/\.well\-known/ - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} L,R,NE + RewriteCond %{REQUEST_URI} !^/\.well\-known/acme-challenge/ + RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} R=301,QSA,L </ifmodule> <Directory "/srv/www/HOSTNAME/htdocs"> Options -Indexes -FollowSymLinks @@ -28,10 +28,22 @@ CustomLog /var/log/apache2/HOSTNAME-access_log combined CustomLog /var/log/apache2/ssl_request_log ssl_combined SSLEngine on - SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLHonorCipherOrder on SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem" + SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1 + + ### SSL configuration https://ssl-config.mozilla.org/: + ### choose! + ### next 3 lines Mozilla configuration intermediate + SSLProtocol -all +TLSv1.2 +TLSv1.3 + SSLHonorCipherOrder on + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 + ### next 2 lines Mozilla configuration modern + #SSLProtocol -all +TLSv1.3 + #SSLHonorCipherOrder off + ### end: SSL configuration + + # enable HTTP/2, if available + Protocols h2 http/1.1 <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options SAMEORIGIN @@ -45,7 +57,6 @@ SSLCertificateKeyFile /etc/apache2/ssl.key/HOSTNAME.DOMAINNAME.key <IfModule mod_proxy.c> - ProxyPreserveHost Off SSLProxyEngine On SSLProxyVerify none SSLProxyCheckPeerCN off 
@@ -59,9 +70,10 @@ </Proxy> ProxyPass / https://PROXYDESTHN.PROXYDESTDN/ ProxyPassReverse / https://PROXYDESTHN.PROXYDESTDN/ - Header set Host PROXYDESTHN.PROXYDESTDN - RequestHeader set Host PROXYDESTHN.PROXYDESTDN - RequestHeader set Origin https://PROXYDESTHN.PROXYDESTDN + ProxyPreserveHost On + #Header set Host PROXYDESTHN.PROXYDESTDN + #RequestHeader set Host PROXYDESTHN.PROXYDESTDN + #RequestHeader set Origin https://PROXYDESTHN.PROXYDESTDN Header unset Referer RequestHeader unset Referer </IfModule>
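Review bot: In the redirect hunk (@@ -10,8 +10,8 @@) the NE flag was dropped and QSA added, which is not an equivalent swap. QSA only has an effect when the substitution itself carries a query string, and "https://%{HTTP_HOST}%{REQUEST_URI}" does not, so the original query string is passed through either way. Without NE, mod_rewrite escapes special characters from the already-decoded %{REQUEST_URI} in the Location header, so paths containing characters such as "%" or "#" can redirect to a different URL than requested. Suggest keeping NE, i.e. "R=301,NE,L", and confirm the flags are enclosed in square brackets in the file, since the line as shown here has none.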
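Review bot: In the TLS hunk (@@ -28,10 +28,22 @@) this template sets "SSLHonorCipherOrder on" inside the intermediate block, while the same block in vhost-ssl.conf from this revision uses "SSLHonorCipherOrder off". The changelog says both templates follow the Mozilla suggestions, so one of the two is wrong; pick one value and make both templates agree. The "choose!" instruction also leaves a trap: switching to the modern profile by uncommenting its two lines without commenting out the three intermediate ones gives two SSLProtocol and two SSLHonorCipherOrder directives in the same vhost, so state in the comment that the intermediate lines must be commented out first.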
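Review bot: In the last proxy hunk (@@ -59,9 +70,10 @@), together with the removal of "ProxyPreserveHost Off" in the hunk before it, the backend now receives the client's Host header instead of PROXYDESTHN.PROXYDESTDN, and the Origin rewrite is disabled. That changes which backend vhost answers and how the backend evaluates Origin-based checks, yet the three directives are left commented out with no explanation. Either delete them or add a comment stating when they should be re-enabled, and document that the backend must serve the front-end hostname. The unchanged context still shows "SSLProxyVerify none" and "SSLProxyCheckPeerCN off", so the proxy does not authenticate the HTTPS backend; since this block is being reworked anyway, consider making verification the template default with an opt-out.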
vhost-ssl.conf
Changed
@@ -10,8 +10,8 @@ <ifmodule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} off - RewriteCond %{REQUEST_URI} !^/\.well\-known/ - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} L,R,NE + RewriteCond %{REQUEST_URI} !^/\.well\-known/acme-challenge/ + RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} R=301,QSA,L </ifmodule> <Directory "/srv/www/HOSTNAME/htdocs"> Options -Indexes -FollowSymLinks @@ -28,10 +28,22 @@ CustomLog /var/log/apache2/HOSTNAME-access_log combined CustomLog /var/log/apache2/ssl_request_log ssl_combined SSLEngine on - SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLHonorCipherOrder on SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem" + SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1 + SSLHonorCipherOrder off + + ### SSL configuration https://ssl-config.mozilla.org/: + ### choose! + ### next 2 lines Mozilla configuration intermediate + SSLProtocol -all +TLSv1.2 +TLSv1.3 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 + ### next 2 lines Mozilla configuration modern + #SSLProtocol -all +TLSv1.3 + #SSLHonorCipherOrder off + ### end: SSL configuration + + # enable HTTP/2, if available + Protocols h2 http/1.1 <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options SAMEORIGIN
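Review bot: In the redirect hunk (@@ -10,8 +10,8 @@) the exemption is narrowed from "^/\.well\-known/" to "^/\.well\-known/acme-challenge/" in the same change that makes the redirect permanent with R=301. Any other plain-HTTP client of a /.well-known/ path on hosts generated from this template is now redirected, and because browsers and some clients cache a 301, the narrowing is hard to undo for clients that have already seen it. If only ACME HTTP-01 validation needs plain HTTP, say so in a comment above the RewriteCond; otherwise consider rolling out with a temporary redirect first. The backslash before the hyphen in "well\-known" is unnecessary and can be dropped.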
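Review bot: In the TLS hunk (@@ -28,10 +28,22 @@) "SSLHonorCipherOrder off" is set above the "choose!" block and then repeated as a commented-out line in the modern section, so the modern profile's "next 2 lines" contains a directive that is already active. Drop the commented duplicate and label the modern section as a single line, or move SSLHonorCipherOrder back inside both profiles as vhost-ssl-proxy.conf does, so that the two templates share one layout. The comment should also say that the intermediate SSLProtocol line has to be commented out when the modern one is enabled.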