Patrick Oberdorf · 6203cf35
--- a/templates/default/vHost.conf.erb

+ 15

− 2
+++ b/templates/default/vHost.conf.erb

+ 15

− 2
 @@ -138,6 +138,20 @@
 				downgrade-1.0 force-response-1.0
 		# MSIE 7 and newer should be able to use keepalive
 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+		## Secure SSL config. See: https://bettercrypto.org/static/applied-crypto-hardening.pdf
+
+		SSLProtocol All -SSLv2 -SSLv3
+		SSLHonorCipherOrder On
+		SSLCompression off
+		# Add six earth month HSTS header for all users...
+		# ATTENTION! Needs header module enabled.
+		 Header always set Strict-Transport-Security "max-age=15768000"
+		# If you want to protect all subdomains, use the following header
+		# ALL subdomains HAVE TO support HTTPS if you use this!
+		# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
+		SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:$
+
 	</VirtualHost>
 </IfModule>

 @@ -161,4 +175,4 @@

  CustomLog /var/log/apache2/access.log combined
  ServerSignature On
-</VirtualHost>
 \ No newline at end of file
+</VirtualHost>