# Instructions to run (on Linux) to reproduce test results:
#
# 1) copy civetweb executable here (examples/https directory)
# 2) sudo ./civetweb
#
# Instructions to adapt to your own server:
#
# 1) generate your own server cert
# 2) generate at least one backup server cert
#    If you want a self-signed cert, you can use the script
#    in resources/cert for both steps
# 3) copy the content of the *.pin files into the Public-Key-Pins
#    header config (the base64 encoded certificate hash)
# 4) set the document root, and all other required http server settings
# 5) Run the tests from the three websites below. They will also tell you
#    which clients are compatible with your settings. The settings
#    here are very strict and lock out most older clients/browsers.
#    You will find some hints for fine tuning there as well.
# 6) If you know all your clients, and give them client certificates in
#    advance, you can significantly improve security by setting
#    "ssl_verify_peer" to "yes" and specifying a client cert (directory)
#    using "ssl_ca_file/path". This will lock out all clients without a
#    proper certificate. Don't use it for your public home page, but
#    consider it for your private remote access server.
# 7) run civetweb, like above - or better create your own start script
# You are welcome to share your thoughts and experience on GitHub
# (or Google groups) - see README.md in CivetWeb main directory

# Don't run as super user, switch back to a regular user
run_as_user user

# The standard HTTP port 80 should redirect to the standard HTTPS port 443
listening_ports 80r,443s

# Don't forget to set the document root and domain
#document_root tdb
#authentication_domain mydomain.com

# Set the server certificate
ssl_certificate ../../resources/cert/server.pem

# Require a client cert for your private server (see above)
#ssl_verify_peer yes
#ssl_ca_file ../../resources/cert/client.pem

# Enforce TLS 1.2 and some strong cipher(s)
ssl_protocol_version 4
ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS

# Tell all browsers to access this site only via HTTPS for the next 180 days
strict_transport_security_max_age 15552000

# Set some HTTP security headers, see https://securityheaders.io
additional_header Content-Security-Policy: script-src 'self'
additional_header X-Frame-Options: SAMEORIGIN
additional_header X-Xss-Protection: 1; mode=block
additional_header X-Content-Type-Options: nosniff
additional_header Referrer-Policy: same-origin
additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000
#additional_header Expect-CT: max-age=86400,report-uri="https://mydomain.com/report"


# Ratings from 2017-09-03 (tests performed later may require more
# strict security settings)
#
# Headers rated A+ from https://securityheaders.io/
#
# SSL rated B from https://www.htbridge.com/ssl when using a self-signed
# certificate, but no other weaknesses for modern browsers.
# The site notes that some older TLS versions and some weaker ciphers are not
# supported (but that's accessibility, not security).
#
# HTTPS rated A+ from https://www.htbridge.com/websec/ when using a self-signed
# certificate, generated with make_certs.sh in resources/cert/
# and adding the server.pin and server_bkup.pin content into the
# Public-Key-Pins header above.
#
# A rating of "T / If trust issues are ignored: A" (ignoring self-signed cert)
# from https://www.ssllabs.com/ssltest/, https://www.qualys.com/forms/freescan/
# (Note: this test runs with the reverse DNS name, while all others use the
# IP address).
#
# Note: These settings are very strict and prevent some older but still common
# versions of major browsers from accessing this site. The test web sites will
# give you an overview. Test before you use these settings.
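The settings above can be checked mechanically before they go live. The following Python linter is an added example, not part of CivetWeb: it parses the `civetweb.conf` syntax shown in this file (`option value` lines, `#` comments, repeated `additional_header` lines) and reports deviations from the hardening points the comments document: a TLS port plus an HTTP redirect in `listening_ports`, `ssl_protocol_version 4` (TLS 1.2 or newer), a cipher list that excludes anonymous suites, an HSTS max-age at least as long as the 180 days used here, the `nosniff`, `X-Frame-Options` and `script-src` headers, and a Public-Key-Pins header with at least two well-formed pins and a max-age. `SAMPLE_CONF` is a constructed copy of the settings on this page; the thresholds and finding texts are this example's own choices.

```python
"""Lint the security-relevant options of a civetweb.conf (added example, not CivetWeb code)."""
import base64
import binascii
import re

# Constructed sample: a copy of the settings from the config above.
SAMPLE_CONF = """\
# comment lines and blank lines are ignored
listening_ports 80r,443s
ssl_protocol_version 4
ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS
strict_transport_security_max_age 15552000
additional_header Content-Security-Policy: script-src 'self'
additional_header X-Frame-Options: SAMEORIGIN
additional_header X-Xss-Protection: 1; mode=block
additional_header X-Content-Type-Options: nosniff
additional_header Referrer-Policy: same-origin
additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000
"""

PIN_RE = re.compile(r'pin-sha256="([^"]*)"')


def parse_conf(text):
    """Return (options, headers): options is {name: value}; headers is a list of
    (header_name, header_value) from every additional_header line."""
    options, headers = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "additional_header":
            name, _, hval = value.partition(":")
            headers.append((name.strip(), hval.strip()))
        else:
            options[key] = value
    return options, headers


def valid_pins(hpkp_value):
    """Pins whose base64 decodes to exactly 32 bytes, i.e. a SHA-256 digest."""
    good = []
    for b64 in PIN_RE.findall(hpkp_value):
        try:
            digest = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(digest) == 32:
            good.append(b64)
    return good


def lint(conf_text, min_hsts_age=15552000):
    """Return a list of findings; an empty list means every check here passed."""
    options, headers = parse_conf(conf_text)
    hdr = {name.lower(): value for name, value in headers}
    findings = []

    # listening_ports: 's' suffix = TLS, 'r' suffix = redirect, bare number = plain HTTP
    ports = [p.strip().rsplit(":", 1)[-1] for p in options.get("listening_ports", "").split(",")]
    if not any(p.endswith("s") for p in ports):
        findings.append("TLS: no TLS ('s') port in listening_ports")
    for p in ports:
        if p.isdigit():
            findings.append(f"TLS: plain HTTP port {p} served without redirect ('r' suffix)")

    if int(options.get("ssl_protocol_version", "0") or 0) < 4:
        findings.append("TLS: ssl_protocol_version below 4 permits protocols older than TLS 1.2")
    if "!aNULL" not in options.get("ssl_cipher_list", ""):
        findings.append("TLS: ssl_cipher_list does not exclude anonymous (aNULL) suites")
    if int(options.get("strict_transport_security_max_age", "0") or 0) < min_hsts_age:
        findings.append(f"HSTS: max-age below {min_hsts_age} seconds")

    if hdr.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("Headers: X-Content-Type-Options is not 'nosniff'")
    if hdr.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("Headers: X-Frame-Options missing or not DENY/SAMEORIGIN")

    csp = hdr.get("content-security-policy", "")
    if "script-src" not in csp:
        findings.append("CSP: no script-src directive")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP: script-src permits 'unsafe-inline'")

    hpkp = hdr.get("public-key-pins")
    if hpkp is not None:                      # header is optional; if present it must be usable
        if len(valid_pins(hpkp)) < 2:
            findings.append("HPKP: fewer than two well-formed pins (a backup pin is required)")
        if "max-age=" not in hpkp:
            findings.append("HPKP: missing max-age directive")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in lint(text) or ["no findings"]:
        print(finding)
```

Run it as `python lint_civetweb.py civetweb.conf` (file name is the example's own) to check a real config; with no argument it checks the embedded sample, which produces no findings.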
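Step 3 of the instructions copies the content of the `.pin` files into the Public-Key-Pins header. What such a pin contains, per RFC 7469, is the base64 encoding of the SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo (the public key, not the whole certificate). The Python below is an added example, not CivetWeb's `make_certs.sh`: it locates that field with a minimal DER walker and produces the `pin-sha256` value for a PEM certificate such as `server.pem`. The `SAMPLE_*` certificate skeleton is constructed here only to exercise the walker and is not a valid, signed certificate. Note that current major browsers no longer enforce Public-Key-Pins, so the header is mainly of historical interest; the derivation is still the one the `.pin` files encode.

```python
"""Compute an HPKP pin-sha256 value from a PEM certificate (added example, not CivetWeb code).

pin = base64(SHA-256(DER SubjectPublicKeyInfo)), so the only parsing needed is
walking the X.509 structure far enough to find the subjectPublicKeyInfo field.
"""
import base64
import hashlib
import re


def der_tlv(tag, content):
    """Encode one DER element (used here only to construct the sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + content


def _read_tlv(buf, pos):
    """Decode the element at pos; return (tag, element_start, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    vstart = pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[vstart:vstart + n], "big")
        vstart += n
    return tag, pos, vstart, vstart + length


def _children(buf, vstart, vend):
    """List the elements contained in a constructed value such as a SEQUENCE."""
    out, pos = [], vstart
    while pos < vend:
        elem = _read_tlv(buf, pos)
        out.append(elem)
        pos = elem[3]
    return out


def spki_der(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, _, cert_vstart, cert_vend = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    tbs = _children(cert_der, cert_vstart, cert_vend)[0]       # tbsCertificate
    fields = _children(cert_der, tbs[2], tbs[3])
    if fields[0][0] == 0xA0:            # optional explicit [0] version (present in v3 certs)
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, _, end = fields[5]
    return cert_der[start:end]


def pem_to_der(pem_text):
    """Extract and decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def pin_sha256(pem_text):
    """The value that belongs in pin-sha256="..." for this certificate."""
    digest = hashlib.sha256(spki_der(pem_to_der(pem_text))).digest()
    return base64.b64encode(digest).decode("ascii")


# --- Constructed sample certificate skeleton (not a real certificate) ----------
SAMPLE_SPKI = der_tlv(0x30,
    der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der_tlv(0x05, b""))  # rsaEncryption, NULL
    + der_tlv(0x03, b"\x00" + b"\x11" * 270))   # BIT STRING > 127 bytes, so long-form lengths are exercised
SAMPLE_TBS = der_tlv(0x30,
    der_tlv(0xA0, der_tlv(0x02, b"\x02"))        # [0] version: v3
    + der_tlv(0x02, b"\x01")                     # serialNumber
    + der_tlv(0x30, b"")                         # signature algorithm (empty placeholder)
    + der_tlv(0x30, b"")                         # issuer (empty placeholder)
    + der_tlv(0x30, b"")                         # validity (empty placeholder)
    + der_tlv(0x30, b"")                         # subject (empty placeholder)
    + SAMPLE_SPKI)
SAMPLE_CERT_DER = der_tlv(0x30, SAMPLE_TBS + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(re.findall(".{1,64}", base64.b64encode(SAMPLE_CERT_DER).decode("ascii")))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print('pin-sha256="%s"' % pin_sha256(pem))
```

Running it against a real `server.pem` gives the same string that `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` prints, which is the usual shell recipe for the same digest; the backup certificate's pin is derived the same way and both go into the header.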