install_httpd-2.4.sh: change some SSL default settings.

Christoph 2023-05-01 14:24:52 +02:00
parent 34113e3e61
commit e40efbe0d4


@ -39,12 +39,6 @@ else
_PHP_VERSION=7.4.33
fi
#_SSL_Cipher_Suite='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256'
# see: https://ssl-config.mozilla.org
#
_SSL_Cipher_Suite='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
## - Determin IP-Adresses
## -
@ -109,6 +103,19 @@ DIRECTORY_INDEX="index.html index.htm index.php"
MUTEX_DIR="${APACHE_LOG_DIR}/ssl_mutex"
#_SSL_Cipher_Suite='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256'
# see: https://ssl-config.mozilla.org
#
_SSL_Cipher_Suite='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
_SSL_HONOR_CIPHER_ORDER="off"
_SSL_COMPRESSION="off"
_SSL_SESSION_TICKETS="off"
_SSL_USE_STAPLING="on"
_SSL_STAPLING_CACHE="shmcb:${APACHE_LOG_DIR}/ssl_stapling(32768)"
_BASE_WEBSPACE_DIR="/var/www"
#_GLOBAL_DOC_ROOT="${_BASE_WEBSPACE_DIR}/default"
#_SUEXEC_DOC_ROOT=$_BASE_WEBSPACE_DIR
@ -2454,22 +2461,22 @@ EOF
echo_skipped
fi
# ## - Set SSLCipherSuite
# ## -
# echo "" >> ${_logdir}/main.log
# echo "## - $_file: Set SSLCipherSuite.." >> ${_logdir}/main.log
# echo "## -" >> ${_logdir}/main.log
# echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*SSLCipherSuite ).*)$&## \1\n\2${_SSL_Cipher_Suite}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
# echononl "\t$_file: Set SSLCipherSuite.."
# sed -i$_backup_suffix -r \
# -e "s&^(([ ^t]*SSLCipherSuite ).*)$&## \1\n\2${_SSL_Cipher_Suite}&g" \
# ${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
# if [ "0" = $? ]; then
# echo_ok
# rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
# else
# echo_failed
# fi
## - Set SSLCipherSuite
## -
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set SSLCipherSuite.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*SSLCipherSuite ).*)$&## \1\n\2${_SSL_Cipher_Suite}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echononl "\t$_file: Set SSLCipherSuite.."
sed -i$_backup_suffix -r \
-e "s&^(([ ^t]*SSLCipherSuite ).*)$&## \1\n\2${_SSL_Cipher_Suite}&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
else
echo_failed
fi
## - Set SSLCertificateFile
@ -2490,22 +2497,22 @@ EOF
fi
# ## - Set SSLProxyCipherSuite
# ## -
# echo "" >> ${_logdir}/main.log
# echo "## - $_file: Set SSLProxyCipherSuite.." >> ${_logdir}/main.log
# echo "## -" >> ${_logdir}/main.log
# echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*SSLProxyCipherSuite ).*)$&## \1\n\2${_SSL_Cipher_Suite}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
# echononl "\t$_file: Set SSLProxyCipherSuite.."
# sed -i$_backup_suffix -r \
# -e "s&^(([ ^t]*SSLProxyCipherSuite ).*)$&## \1\n\2${_SSL_Cipher_Suite}&g" \
# ${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
# if [ "0" = $? ]; then
# echo_ok
# rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
# else
# echo_failed
# fi
## - Set SSLProxyCipherSuite
## -
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set SSLProxyCipherSuite.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*SSLProxyCipherSuite ).*)$&## \1\n\2${_SSL_Cipher_Suite}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echononl "\t$_file: Set SSLProxyCipherSuite.."
sed -i$_backup_suffix -r \
-e "s&^(([ ^t]*SSLProxyCipherSuite ).*)$&## \1\n\2${_SSL_Cipher_Suite}&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
else
echo_failed
fi
## - Set SSLProtocol
@ -2545,13 +2552,16 @@ EOF
## - Set SSLHonorCipherOrder
## -
_key="SSLHonorCipherOrder"
_val="${_SSL_HONOR_CIPHER_ORDER}"
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set SSLHonorCipherOrder.." >> ${_logdir}/main.log
echo "## - $_file: Set ${_key}.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*#*[ ^t]*SSLHonorCipherOrder ).*)$&##\1\nSSLHonorCipherOrder on&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echononl "\t$_file: Set SSLHonorCipherOrder.."
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*#*[ ^t]*${_key} ).*)$&##\1\n${_key} ${_val}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echononl "\t$_file: Set ${_key}.."
sed -i$_backup_suffix -r \
-e "s&^(([ ^t]*#*[ ^t]*SSLHonorCipherOrder ).*)$&##\1\nSSLHonorCipherOrder on&g" \
-e "s&^(([ ^t]*#*[ ^t]*${_key} ).*)$&##\1\n${_key} ${_val}&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
@ -2560,24 +2570,101 @@ EOF
echo_failed
fi
## - Set SSLUseStapling
## -
_key="SSLUseStapling"
_val="${_SSL_USE_STAPLING}"
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set ${_key}.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*#*[ ^t]*${_key} ).*)$&##\1\n${_key} ${_val}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echononl "\t$_file: Set ${_key}.."
sed -i$_backup_suffix -r \
-e "s&^(([ ^t]*#*[ ^t]*${_key} ).*)$&##\1\n${_key} ${_val}&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
else
echo_failed
fi
## - Set SSLUseStapling
## -
_key="SSLStaplingCache"
_val="${_SSL_STAPLING_CACHE}"
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set ${_key}.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*#*[ ^t]*${_key} ).*)$&##\1\n${_key} ${_val}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
echononl "\t$_file: Set ${_key}.."
sed -i$_backup_suffix -r \
-e "s&^(([ ^t]*#*[ ^t]*${_key} ).*)$&##\1\n${_key} ${_val}&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
else
echo_failed
fi
## - Set SSLSessionTickets
## -
_key="SSLSessionTickets"
_val="${_SSL_SESSION_TICKETS}"
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set ${_key}.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
echononl "\t$_file: Set ${_key}.."
if $(grep -i -q -E "^\s*#?\s*${_key}" ${PREFIX}/${_rel_confextra_path}/${_file} 2>> ${_logdir}/main.log) ; then
echo "sed -i$_backup_suffix -r -e \"s&^(([ ^t]*#*[ ^t]*${_key} ).*)$&##\1\n${_key} ${_val}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
sed -i$_backup_suffix -r \
-e "s&^(([ ^t]*#*[ ^t]*${_key} ).*)$&##\1\n${_key} ${_val}&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
else
echo_failed
fi
else
echo "sed -i$_backup_suffix -r -e \"s&^([ ^t]*#*[ ^t]*SSLHonorCipherOrder.*)&\1\n${_key} ${_val}&g\" ${PREFIX}/${_rel_confextra_path}/${_file}" >> ${_logdir}/main.log
sed -i$_backup_suffix -r \
-e "s&^([ ^t]*SSLHonorCipherOrder .*)$&\1\n${_key} ${_val}&g" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
rm ${PREFIX}/${_rel_confextra_path}/${_file}$_backup_suffix
else
echo_failed
fi
fi
## - Set SSLCompression
## -
_key="SSLCompression"
_val="${_SSL_COMPRESSION}"
ssl_compression_comment="# SSLCompression
#
# Note:
# Enabling compression causes security issues in most setups (the so called CRIME attack)."
echo "" >> ${_logdir}/main.log
echo "## - $_file: Set SSLCompression.." >> ${_logdir}/main.log
echo "## - $_file: Set ${_key}.." >> ${_logdir}/main.log
echo "## -" >> ${_logdir}/main.log
cat <<EOF >> ${_logdir}/main.log
perl -i$_backup_suffix -n -p \\
-e "s&^(\s*SSLHonorCipherOrder\s+.*)&\1\n\n${ssl_compression_comment}\nSSLCompression off&" \\
-e "s&^(\s*${_key}Order\s+.*)&\1\n\n${ssl_compression_comment}\n${_key} ${_val}&" \\
${PREFIX}/${_rel_confextra_path}/${_file}
EOF
echononl "\t$_file: Set SSLCompression.."
echononl "\t$_file: Set ${_key}.."
perl -i$_backup_suffix -n -p \
-e "s&^(\s*SSLHonorCipherOrder\s+.*)&\1\n\n${ssl_compression_comment}\nSSLCompression off&" \
-e "s&^(\s*SSLHonorCipherOrder\s+.*)&\1\n\n${ssl_compression_comment}\n${_key} ${_val}&" \
${PREFIX}/${_rel_confextra_path}/${_file} >> ${_logdir}/main.log 2>&1
if [ "0" = $? ]; then
echo_ok
@ -4030,8 +4117,11 @@ $_vhost_default_80
RewriteEngine On
RewriteCond %{HTTP_HOST} ^autoconfig\. [NC]
RewriteRule ^/(.*) http://autoconfig.${_DOMAIN}.${_TLD}/\$1 [L,R=301,NE]
#RewriteCond %{HTTP_HOST} !^autoconfig\. [NC]
#RewriteRule ^/(.*) http://www.${_DOMAIN}.${_TLD} [L,R=301,NE]
RewriteCond %{HTTP_HOST} !^autoconfig\. [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
DocumentRoot "$GLOBAL_DOC_ROOT"
@ -4141,9 +4231,10 @@ $_vhost_default_443
SSLEngine on
## - don't support weak ciphers
SSLHonorCipherOrder On
SSLHonorCipherOrder Off
SSLSessionTickets Off
SSLCompression Off
SSLProtocol ALL -SSLv2 -SSLv3
SSLProtocol ALL -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateFile /usr/local/apache2/conf/server-bundle.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
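Review bot: In the new SSLUseStapling, SSLStaplingCache, SSLSessionTickets and SSLCompression blocks of the `@ -2560,24 +2570,101 @@` hunk, `echo_ok` is printed whenever sed or perl exits 0, which they do even when no line matched, so a directive missing from `${_file}` is silently left unset while the run reports success (an `SSLUseStapling on` that lands without a `SSLStaplingCache` line would, as far as I recall, only surface later as an httpd start failure); the enclosing per-file block starts and ends outside the hunk. Before reporting success, confirm that an active directive line now exists, e.g. `if [ "0" = $? ] && grep -q -E "^[[:space:]]*${_key}[[:space:]]" "${PREFIX}/${_rel_confextra_path}/${_file}"; then`. The commands written to main.log also drift from what runs: the SSLCompression heredoc logs `-e "s&^(\s*${_key}Order\s+.*)&…"`, which expands to `SSLCompressionOrder`, while the executed perl matches `SSLHonorCipherOrder`, and the SSLSessionTickets fallback logs a pattern containing `#*` that the executed sed does not use — since main.log is the audit trail of what was applied to the TLS config, echo the same string that is executed. The heading `## - Set SSLUseStapling` above `_key="SSLStaplingCache"` should read `## - Set SSLStaplingCache`. `if $(grep -i -q -E …)` only works because bash takes the exit status of the substitution for an empty command; write it as `if grep -i -q -E "^\s*#?\s*${_key}" "${PREFIX}/${_rel_confextra_path}/${_file}" 2>> "${_logdir}/main.log"; then`.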