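# TLS virtual-host settings for irclogs.gnunet.org: static-asset cache
# lifetimes, logging, a reverse proxy to a local uwsgi backend, the TLS
# protocol and cipher policy, and browser security headers.
# NOTE(review): the enclosing container lines (<VirtualHost>, any <IfModule>)
# are not visible in this excerpt; the directives are reproduced flat.
# NOTE(review): ServerTokens is only accepted in server-config context.
# Confirm this line sits outside the virtual host.
ServerTokens Prod
ServerAdmin webmaster@gnunet.org
ServerName "irclogs.gnunet.org"
ServerSignature Off

KeepAlive On
KeepAliveTimeout 30
MaxKeepAliveRequests 1000

# Cache lifetimes: long for images, one week for scripts and styles,
# one minute for HTML.
ExpiresActive On
ExpiresDefault "access plus 5 minutes"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType text/css "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType text/html "access plus 1 minute"
Header unset Cache-Control
Header unset ETag
FileETag None

ErrorLog /var/log/apache2/gnunet-irclogs-ssl_error.log
# Was "debug". Debug-level logging is very verbose and is meant for
# troubleshooting only; raise it temporarily (per module if needed) rather
# than leaving it on permanently.
LogLevel warn
CustomLog /var/log/apache2/gnunet-irclogs-ssl_access.log combined

# All requests are handed to the uwsgi application on the loopback interface.
ProxyPass / uwsgi://127.0.0.1:7000/

# Enable/Disable SSL for this virtual host.
SSLEngine on
# TLS-level compression stays off (CRIME).
SSLCompression off
# Was "-ALL +TLSv1.2 +TLSv1.1 +TLSv1". TLS 1.0 and 1.1 are deprecated
# (RFC 8996); this form keeps TLS 1.2 and also TLS 1.3 where the build has it.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On

# "always" attaches the headers to error responses generated by Apache too;
# "set" rather than "add" avoids emitting a header twice if a directive is
# repeated in another context.
# NOTE(review): HSTS preload lists are submitted for the registrable domain
# and expect a max-age of at least one year; "preload" on this host name with
# max-age=15768000 probably has no effect. Confirm intent.
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
# NOTE(review): X-XSS-Protection is a legacy header that current browsers
# ignore; the Content-Security-Policy below is the control that matters.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src remove most of
# the XSS protection a CSP provides; tighten once the application's inline
# scripts are moved out or given nonces/hashes.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://irclogs.gnunet.org; frame-ancestors 'self'"

# Superseded: a later SSLCipherSuite in the same context replaces an earlier
# one, so this list never took effect. Kept commented out for reference.
# SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL
# Effective cipher list (unchanged).
# NOTE(review): it still admits static-RSA key exchange (the AES128-SHA style
# entries and the "AES" / "CAMELLIA" catch-alls), which has no forward
# secrecy, and CBC suites; consider trimming to ECDHE/DHE AEAD suites once
# client compatibility has been checked.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#:!EDH

# Custom Diffie-Hellman parameters for the DHE suites.
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"

# SSLCertificateKeyFile /etc/ssl/private/gnunet.org.key
SSLCertificateKeyFile /etc/letsencrypt/live/v10.gnunet.org/privkey.pem
# NOTE(review): SSLCertificateChainFile is deprecated since httpd 2.4.8 (the
# release that introduced SSLOpenSSLConfCmd, used above); the documented
# replacement is to point SSLCertificateFile at fullchain.pem and drop the
# chain directive. Left unchanged here.
SSLCertificateChainFile /etc/letsencrypt/live/v10.gnunet.org/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/v10.gnunet.org/cert.pem
# SSLCertificateFile /etc/ssl/certs/gnunet.org.cert
# SSLCertificateChainFile /etc/ssl/private/cachain.csr

SSLOptions +StrictRequire

# Legacy workaround for old Internet Explorer TLS behaviour.
BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0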