[ceph.git] / ceph / src / civetweb / examples / https / civetweb.conf

# Instructions to run (on Linux) to reproduce test results:
# 
# 1) copy civetweb executable here (examples/https directory)
# 2) sudo ./civetweb
#
# Instructions to adapt to your own server:
#
# 1) generate your own server cert
# 2) generate at least one backup server cert
#    in case you want a self signed cert, you can use the script
#    in resources/cert for both steps
# 3) copy the content of the *.pin files into the Public-Key-Pins
#    header config (the base64 encoded certificate hash)
# 4) set the document root, and all other required http server settings
# 5) Run the tests from the three websites below. They will tell you
#    also what clients are compatible with your settings. The settings
#    here are very strict and lock out most older clients/browsers.
#    You will find some hints for fine tuning there as well.
# 6) If you know all your clients, and give them client certificates in
#    advance, you can significantly improve security by setting
#    "ssl_verify_peer" to "yes" and specifying a client cert (directory)
#    using "ssl_ca_file/path". This will lock out all clients without a
#    proper certificate. Don't use it for your public home page, but
#    consider it for your private remote access server.
# 7) run civetweb, like above - or better create your own start script
# You are welcome to share your thoughts and experience on GitHub 
# (or Google groups) - see README.md in CivetWeb main directory

# Don't run as super user, switch back to a regular user
run_as_user user

# The standard HTTP port 80 should redirect to the standard HTTPS port 443
listening_ports 80r,443s

# Don't forget to set the document root and domain
#document_root tdb
#authentication_domain mydomain.com

# Set the a certificate
ssl_certificate ../../resources/cert/server.pem

# Require a client cert for your private server (see above)
#ssl_verify_peer yes
#ssl_ca_file ../../resources/cert/client.pem

# Enforce TLS1.2 and some strong cipher(s)
ssl_protocol_version 4
ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS

# Tell all browsers to access this site only as HTTPS for the next 180 days
strict_transport_security_max_age 15552000                                  

# Set some HTTP security header, see https://securityheaders.io
additional_header Content-Security-Policy: script-src 'self'
additional_header X-Frame-Options: SAMEORIGIN
additional_header X-Xss-Protection: 1; mode=block
additional_header X-Content-Type-Options: nosniff
additional_header Referrer-Policy: same-origin
additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000
#additional_header Expect-CT: max-age=86400,report-uri="https://mydomain.com/report"


# Ratings from 2017-09-03 (tests performed later may require more
# strict security settings)
#
# Headers rated A+ from https://securityheaders.io/
#
# SSL rated B from https://www.htbridge.com/ssl when using a self signed
# certificate, but no other weaknesses for modern browsers.
# Site remarks some older TLS versions and some weaker ciphers are not
# supported (but that's accessibility, not security).
#
# HTTPS rated A+ from https://www.htbridge.com/websec/ when using a self
# signed certificate, generated with make_certs.sh in resources/cert/
# and adding the server.pin and server_bkup.pin content into the
# Public-Key-Pins header above.
#
# A rating of "T / If trust issues are ignored: A" (ignoring self-signed cert)
# from https://www.ssllabs.com/ssltest/, https://www.qualys.com/forms/freescan/
# (Note: this test is runs with reverse DNS name, while all others use the
# IP address).
#
# Note: This settings are very strict and prevent some older but still common
# versions of major browsers to access this site. The test web sites will give
# you an overview. Test, before you use this settings.
Commit	Line	Data
11fdf7f2 TL	1	# Instructions to run (on Linux) to reproduce test results:
	2	#
	3	# 1) copy civetweb executable here (examples/https directory)
	4	# 2) sudo ./civetweb
	5	#
	6	# Instructions to adapt to your own server:
	7	#
	8	# 1) generate your own server cert
	9	# 2) generate at least one backup server cert
	10	# in case you want a self signed cert, you can use the script
	11	# in resources/cert for both steps
	12	# 3) copy the content of the *.pin files into the Public-Key-Pins
	13	# header config (the base64 encoded certificate hash)
	14	# 4) set the document root, and all other required http server settings
	15	# 5) Run the tests from the three websites below. They will tell you
	16	# also what clients are compatible with your settings. The settings
	17	# here are very strict and lock out most older clients/browsers.
	18	# You will find some hints for fine tuning there as well.
	19	# 6) If you know all your clients, and give them client certificates in
	20	# advance, you can significantly improve security by setting
	21	# "ssl_verify_peer" to "yes" and specifying a client cert (directory)
	22	# using "ssl_ca_file/path". This will lock out all clients without a
	23	# proper certificate. Don't use it for your public home page, but
	24	# consider it for your private remote access server.
	25	# 7) run civetweb, like above - or better create your own start script
	26	# You are welcome to share your thoughts and experience on GitHub
	27	# (or Google groups) - see README.md in CivetWeb main directory
	28
	29	# Don't run as super user, switch back to a regular user
	30	run_as_user user
	31
	32	# The standard HTTP port 80 should redirect to the standard HTTPS port 443
	33	listening_ports 80r,443s
	34
	35	# Don't forget to set the document root and domain
	36	#document_root tdb
	37	#authentication_domain mydomain.com
	38
	39	# Set the a certificate
	40	ssl_certificate ../../resources/cert/server.pem
	41
	42	# Require a client cert for your private server (see above)
	43	#ssl_verify_peer yes
	44	#ssl_ca_file ../../resources/cert/client.pem
	45
	46	# Enforce TLS1.2 and some strong cipher(s)
	47	ssl_protocol_version 4
	48	ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS
	49
	50	# Tell all browsers to access this site only as HTTPS for the next 180 days
	51	strict_transport_security_max_age 15552000
	52
	53	# Set some HTTP security header, see https://securityheaders.io
	54	additional_header Content-Security-Policy: script-src 'self'
	55	additional_header X-Frame-Options: SAMEORIGIN
	56	additional_header X-Xss-Protection: 1; mode=block
	57	additional_header X-Content-Type-Options: nosniff
	58	additional_header Referrer-Policy: same-origin
	59	additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000
	60	#additional_header Expect-CT: max-age=86400,report-uri="https://mydomain.com/report"
	61
	62
	63	# Ratings from 2017-09-03 (tests performed later may require more
	64	# strict security settings)
65	#
66	# Headers rated A+ from https://securityheaders.io/
67	#
68	# SSL rated B from https://www.htbridge.com/ssl when using a self signed
69	# certificate, but no other weaknesses for modern browsers.
70	# Site remarks some older TLS versions and some weaker ciphers are not
71	# supported (but that's accessibility, not security).
72	#
73	# HTTPS rated A+ from https://www.htbridge.com/websec/ when using a self
74	# signed certificate, generated with make_certs.sh in resources/cert/
75	# and adding the server.pin and server_bkup.pin content into the
76	# Public-Key-Pins header above.
77	#
78	# A rating of "T / If trust issues are ignored: A" (ignoring self-signed cert)
79	# from https://www.ssllabs.com/ssltest/, https://www.qualys.com/forms/freescan/
80	# (Note: this test is runs with reverse DNS name, while all others use the
81	# IP address).
82	#
83	# Note: This settings are very strict and prevent some older but still common
84	# versions of major browsers to access this site. The test web sites will give
85	# you an overview. Test, before you use this settings.
86