waja revised this gist 11 years ago. Go to revision
1 file changed, 15 insertions
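--- a/ssl_strong.conf
+++ b/ssl_strong.conf
@@ -0,0 +1,15 @@
+# this is a nginx config snippet, put me into /etc/nginx/conf.d
+ssl_ciphers "AES256+EECDH:AES256+EDH";
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+resolver_timeout 5s;
+# for checking that service
+testssl.sh --poodle <vHost> | grep POODLE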
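Review bot: Line 15 of ssl_strong.conf is not commented out, so nginx rejects the whole configuration with an unknown-directive error the moment this snippet lands in conf.d; prefix it with `#` (`# testssl.sh --poodle <vHost> | grep POODLE`) or move it to a README, and make clear that `$DNS-IP-1`/`$DNS-IP-2` on line 12 are placeholders that must be replaced before the file is loaded. The `add_header` lines on 7-9 are inherited only by `server`/`location` blocks that define no `add_header` of their own, so any vhost that sets even one header silently loses HSTS and the X-* headers; a comment saying so, or moving them into the vhosts, would prevent that surprise. TLSv1 and TLSv1.1 are deprecated by RFC 8996; on a current nginx/OpenSSL line 3 should read `ssl_protocols TLSv1.2 TLSv1.3;`. Because `AES256+EDH` enables DHE suites, pair it with an `ssl_dhparam` pointing at a 2048-bit or larger group, since nginx releases before 1.11 otherwise use a 1024-bit built-in group.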
waja revised this gist 11 years ago. Go to revision
1 file changed, 26 insertions
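--- a/fix_apache2_strong.sh
+++ b/fix_apache2_strong.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##' | tail -1 )" = "apache2" ]; then
+if ! [ -f /etc/apache2/conf.d/x_strong_cipherlist.conf ]; then
+cat <<EOF >> /etc/apache2/conf.d/x_strong_cipherlist.conf
+<IfModule mod_ssl.c>
+SSLCipherSuite AES256+EECDH:AES256+EDH
+SSLProtocol All -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+<IfVersion >= 2.4>
+SSLCompression off # Requires Apache >= 2.4
+SSLUseStapling on # Requires Apache >= 2.4
+SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires >= Apache 2.4
+</IfVersion>
+</IfModule>
+<IfModule mod_headers.c>
+Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+Header always set X-Frame-Options DENY
+Header always set X-Content-Type-Options nosniff
+</IfModule>
+EOF
+/etc/init.d/apache2 restart
+fi
+fi
+exit 0
+# for checking that service
+testssl.sh --poodle <vHost> | grep POODLE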
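Review bot: The three directives inside `<IfVersion >= 2.4>` (lines 10-12) carry trailing `# Requires ...` comments, but Apache httpd does not support inline comments, so on 2.4 the generated file fails with an error like "SSLCompression takes one argument" and the unconditional restart on line 21 then takes the running server down; put each comment on its own line above the directive. Guard the restart with a syntax check, `apache2ctl configtest && /etc/init.d/apache2 restart`, so a bad snippet is reported instead of applied. `<IfVersion>` is itself only understood when mod_version is loaded, which on Apache 2.2 (the 2.2-style conf.d path this script writes to) is not guaranteed; wrap it in `<IfModule mod_version.c>` or the 2.2 hosts will fail the same way. The `netstat | grep 'apache2'` test on line 2 matches any socket line containing that string and depends on netstat being installed; `pgrep -x apache2 >/dev/null` expresses the intent directly. Line 26 is unreachable after `exit 0` and should be a comment so it is not mistaken for part of the script.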
waja revised this gist 11 years ago. Go to revision
1 file changed, 2 insertions, 2 deletions
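--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-#if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
-if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
+#if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##' | tail -1 )" = "apache2" ]; then
+if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##' | tail -1 )" = "apache2" ]; then
 if ! [ -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>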
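Review bot: The `tail -1` added on line 3 only hides the multi-line output: `netstat -tapn | grep 'apache2'` prints one line per apache2 socket, and keeping the last one still says nothing about whether HTTPS is served, so the SSLv3-disabling snippet is written to hosts that serve only port 80 and is skipped whenever the last matching line happens to belong to a different process whose name contains that string. A direct check such as `pgrep -x apache2 >/dev/null`, or `apache2ctl -M 2>/dev/null | grep -q ssl_module` to test for mod_ssl, would make the intent explicit and drop the netstat dependency. Line 2 keeps a commented-out copy of the same test and is updated in lock-step with it; remove it rather than carry it through every revision. The heredoc and the closing `fi`s continue outside this hunk.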
waja revised this gist 11 years ago. Go to revision
1 file changed, 2 insertions, 2 deletions
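--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-#if [ "$(netstat -tapn | grep ':443' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
-if [ "$(netstat -tapn | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
+#if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
+if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
 if ! [ -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>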
waja revised this gist 11 years ago. Go to revision
1 file changed, 2 insertions, 1 deletion
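--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
-if [ "$(netstat -tapn | grep ':443' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
+#if [ "$(netstat -tapn | grep ':443' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
+if [ "$(netstat -tapn | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
 if ! [ -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>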
waja revised this gist 11 years ago. Go to revision
1 file changed, 1 insertion, 1 deletion
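--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 if [ "$(netstat -tapn | grep ':443' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
-if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
+if ! [ -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>
 SSLProtocol all -SSLv2 -SSLv3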
waja revised this gist 11 years ago. Go to revision
1 file changed, 1 insertion, 1 deletion
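--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-if [ "$(netstat -tapn | grep ":443" | awk {'print $7'} | sed "s#^[0-9]*/##")" == "apache2" ]; then
+if [ "$(netstat -tapn | grep ':443' | awk {'print $7'} | sed 's#^[0-9]*/##')" = "apache2" ]; then
 if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>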
waja revised this gist 11 years ago. Go to revision
1 file changed, 1 insertion, 1 deletion
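--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-if [ "$(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##")" == "apache2" ]; then
+if [ "$(netstat -tapn | grep ":443" | awk {'print $7'} | sed "s#^[0-9]*/##")" == "apache2" ]; then
 if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>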
waja revised this gist 11 years ago. Go to revision
1 file changed, 1 insertion, 1 deletion
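--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-if [ $(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##") == "apache2" ]; then
+if [ "$(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##")" == "apache2" ]; then
 if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>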
waja revised this gist 11 years ago. Go to revision
1 file changed, 1 insertion, 1 deletion
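--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-if [ $(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##") = "apache2" ]; then
+if [ $(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##") == "apache2" ]; then
 if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>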