Browse Source
Merge pull request #292 from SuperTux88/fix-ssl-conf
Refactor ssl.conf for debiantags/v1.1.0
N
4 years ago
1 changed files with 16 additions and 9 deletions
+ 16
- 9
apache/files/Debian/ssl.conf.jinja
View File
| @@ -39,7 +39,7 @@ | |||
| SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase | |||
| # Inter-Process Session Cache: | |||
| # Configure the SSL Session Cache: First the mechanism | |||
| # Configure the SSL Session Cache: First the mechanism | |||
| # to use and second the expiring timeout (in seconds). | |||
| # (The mechanism dbm has known memory leaks and should not be used). | |||
| #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache | |||
| @@ -48,7 +48,7 @@ | |||
| # Semaphore: | |||
| # Configure the path to the mutual exclusion semaphore the | |||
| # SSL engine uses internally for inter-process synchronization. | |||
| # SSL engine uses internally for inter-process synchronization. | |||
| # (Disabled by default, the global Mutex directive consolidates by default | |||
| # this) | |||
| #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache | |||
| @@ -59,7 +59,7 @@ | |||
| # ciphers(1) man page from the openssl package for list of all available | |||
| # options. | |||
| # Enable only secure ciphers: | |||
| {# default from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 #} | |||
| {#- default from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 #} | |||
| SSLCipherSuite {{ salt['pillar.get']('apache:ssl:SSLCipherSuite', 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS') }} | |||
| # SSL server cipher order preference: | |||
| @@ -84,18 +84,25 @@ | |||
| # Default: Off | |||
| #SSLStrictSNIVHostCheck On | |||
| {% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') %} | |||
| {% if use_stapling == 'On' %} | |||
| {% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') -%} | |||
| {% if use_stapling == 'On' -%} | |||
| # Stapling configuration | |||
| # Default: Off | |||
| # | |||
| # See https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html for more details | |||
| # Defaults values taken from https://mozilla.github.io/server-side-tls/ssl-config-generator/ | |||
| SSLUseStapling {{ use_stapling }} | |||
| SSLStaplingResponderTimeout {{ salt['pillar.get']('SSLStaplingResponderTimeout', '5') }} | |||
| SSLStaplingReturnResponderErrors {{ salt['pillar.get']('SSLStaplingReturnResponderErrors', 'Off') }} | |||
| SSLStaplingCache {{ salt['pillar.get']('SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }} | |||
| {% endif %} | |||
| SSLStaplingResponderTimeout {{ salt['pillar.get']('apache:ssl:SSLStaplingResponderTimeout', '5') }} | |||
| SSLStaplingReturnResponderErrors {{ salt['pillar.get']('apache:ssl:SSLStaplingReturnResponderErrors', 'Off') }} | |||
| SSLStaplingCache {{ salt['pillar.get']('apache:ssl:SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }} | |||
| {%- endif %} | |||
| {% set ssl_session_ticket = salt['pillar.get']('apache:ssl:SSLSessionTickets') -%} | |||
| {% if ssl_session_ticket -%} | |||
| # Enable or disable use of TLS session tickets | |||
| # Default: On | |||
| SSLSessionTickets {{ ssl_session_ticket }} | |||
| {%- endif %} | |||
| </IfModule> | |||
| # vim: syntax=apache ts=4 sw=4 sts=4 sr noet | |||
Loading…