Details
-
Improvement
-
Resolution: Fixed
-
Minor
Description
If the environment variable
SELF_SIGNED_CERT='true'
is passed in, then copy a file to /etc/httpd/conf.d/ssl-enabled.conf
with the following contents:
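# ssl-enabled.conf: HTTPS listener for httpd, installed when SELF_SIGNED_CERT='true'.
# The stray "|" table separators from the issue page are removed; left in place
# they would be parsed as extra directive arguments.

# Disable SSLv3, TLS 1.0 and TLS 1.1. What remains is TLS 1.2 plus TLS 1.3 where
# the httpd/OpenSSL build supports it.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# ECDHE key exchange only, so every suite in the list provides forward secrecy.
# The first six entries are AEAD suites (AES-GCM, ChaCha20-Poly1305); the last
# four (…-SHA384 / …-SHA256) are CBC-mode suites.
# NOTE(review): consider dropping the four CBC suites if no client needs them.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

# Use the server's suite ordering rather than the client's.
SSLHonorCipherOrder on

# No TLS-level compression (avoids compression side channels such as CRIME).
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
# NOTE(review): this file is used with a self-signed certificate, which normally
# has no issuer certificate or OCSP responder URL. Stapling then cannot succeed
# and httpd is expected to log stapling errors at startup. Confirm whether these
# four directives belong in the self-signed variant.
SSLUseStapling on

# Give up on the OCSP responder after 5 seconds.
SSLStaplingResponderTimeout 5

# Do not forward failed or error OCSP responses to clients.
SSLStaplingReturnResponderErrors off

# Shared-memory stapling cache; it has to be declared at server level, outside
# any <VirtualHost>.
SSLStaplingCache shmcb:/var/run/ocsp(128000)

# NOTE(review): httpd fails to bind if another file in conf.d also declares
# "Listen 443". Verify against the rest of the installed configuration.
Listen 443 https

<VirtualHost *:443>
    # Send requests for the bare root to the application path. [R] without a
    # status code issues a 302 redirect.
    RewriteEngine on
    RewriteRule "^/$" "/grouper/" [R]

    SSLEngine on

    #SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt

    SSLCertificateFile /etc/pki/tls/certs/localhost.crt

    # NOTE(review): the ticket does not show how this key pair is created. If it
    # is baked into the image rather than generated at first start, every
    # deployment shares the same private key. Confirm, and keep the key file
    # readable by root only.
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    # Browsers ignore this header on a connection with certificate errors, so it
    # has no effect while the self-signed certificate is untrusted. Once a client
    # trusts the certificate, that hostname is pinned to HTTPS for six months.
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>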