Cipherli.st - Chiffrements forts pour Apache, nginx et Lighttpd
Attention:
Ces exemples sont destinés aux Administrateurs/Ingénieurs systèmes qui l'ont déjà fait, comme exemple facilement copiable, pas pour les débutants qui n'ont aucune idée de ce que cela signifie.
Les paramètres sont très sécurisés, mais si vous ne savez pas ce que vous faites, votre site Web et vos sous-domaines pourraient être indisponibles pendant très longtemps (voir HSTS).
Recherchez ce que vous faites et pensez avant d'agir.
Autres suggestions
- certificats sha256
- Clé privée 4096 bits
- > 2048 DH Taille de la Pool Size - # openssl dhparam -out dhparams.pem 4096</bootnote>
Apache
Rationale and tutorial on Strong SSL Security on Apache
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM # Requires Apache 2.4.36 & OpenSSL 1.1.1 SSLProtocol -all +TLSv1.3 +TLSv1.2 SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1 # Older versions # SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder On Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff # Requires Apache >= 2.4 SSLCompression off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires Apache >= 2.4.11 SSLSessionTickets Off
Nginx
Rationale and tutorial on Strong SSL Security on Apache
ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2 ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096 ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver $DNS-IP-1 $DNS-IP-2 valid=300s; resolver_timeout 5s; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block";
Lighttpd
Rationale and tutorial on Strong SSL Security on Apache
ssl.honor-cipher-order = "enable" ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM" ssl.use-compression = "disable" ssl.dh-file = "/etc/lighttpd/dhparam.pem" # openssl dhparam -out /etc/lighttpd/dhparam.pem 4096 setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload", "X-Frame-Options" => "DENY", "X-Content-Type-Options" => "nosniff" ) ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable" ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1, -SSLv3") # v1.4.48 or up ssl.ec-curve = "secp384r1"