Apache Pre VirtualHost Include and SSL Cipher Suite cPanel Config
Just being nice today...
I found the following configuration very helpful in providing solid security on cPanel servers.
Scored an A+ on SSL Server Test at SSL Server Test (Powered by Qualys SSL Labs).
No weak Cipher Suites at all.
Everyone is welcome to use what I have and even improve it; please post your improvements in this thread. Thank you.
SSL Cipher Suite
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
Apache Pre VirtualHost Include
# Enable SSLUseStapling
SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLHonorCipherOrder On
SSLCompression off
# Enable HTTP Strict Transport Security
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable HTTP Secure Cookie
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# DISABLE CACHING
Header set Cache-Control "max-age=0, private, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
# Enable GZIP Compression.
SetOutputFilter DEFLATE
# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won't work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Don't compress images
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
I hope this helps you all out.
Hello, Thank you for the contribution. SSL Ciphers for Apache can be modified in "WHM Home » Service Configuration » Apache Configuration" under the Global Configuration. Documentation for this feature is available here: Apache Configuration - Documentation - cPanel Documentation
Thank you again vlee! This suite looks good! I just need to figure out how to change the sort order so all 256 are preferred over 128.
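The reordering asked about in the reply above, as an added example that is not part of the thread: a Python sketch that takes the cipher string from the first post and moves AES-256 ahead of AES-128 inside each key-exchange/authentication/mode group, keeping the groups in the order they were posted. The function names and the grouping rule are assumptions of this example; with SSLHonorCipherOrder On, the resulting order is the one the server prefers.

```python
import re

# Cipher string from the first post, split across lines only for readability.
POSTED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
)

# Matches only explicit suite names of the form used in POSTED.
SUITE_RE = re.compile(
    r"^(ECDHE|DHE)-(ECDSA|RSA)-AES(128|256)(-GCM)?-SHA(?:256|384)?$"
)

def parse(name):
    """Split one suite name into its group (kx, auth, mode) and AES key size."""
    m = SUITE_RE.match(name)
    if m is None:
        # Selector syntax such as EECDH+AES128 is deliberately not handled.
        raise ValueError(f"unrecognised suite name: {name!r}")
    kx, auth, bits, gcm = m.groups()
    mode = "GCM" if gcm else "CBC"
    return {"name": name, "group": (kx, auth, mode), "bits": int(bits)}

def prefer_256(cipher_string):
    """Return the same suites with AES-256 first inside each group."""
    suites = [parse(n) for n in cipher_string.split(":") if n]
    rank = {}
    for s in suites:
        # Groups keep the position of their first appearance in the input.
        rank.setdefault(s["group"], len(rank))
    # list.sort is stable, so equal-size suites keep their posted order.
    suites.sort(key=lambda s: (rank[s["group"]], -s["bits"]))
    return ":".join(s["name"] for s in suites)

def cbc_suites(cipher_string):
    """List the suites that use CBC mode rather than GCM."""
    names = [n for n in cipher_string.split(":") if n]
    return [n for n in names if parse(n)["group"][2] == "CBC"]

if __name__ == "__main__":
    print(prefer_256(POSTED))
```

The output can be expanded with `openssl ciphers -v '<string>'` on the server to confirm every suite is available in its OpenSSL build before the string is saved in WHM.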
Updated SSL Ciphers for Apache
EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA