X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/d7897a0aa9147b2cea021cf478461ae9df12277c..94d510fe3242731a3a91e5f68eba46d596865657:/cookbooks/apache/templates/default/ssl.erb?ds=sidebyside diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb index 8035d4289..ccfef6048 100644 --- a/cookbooks/apache/templates/default/ssl.erb +++ b/cookbooks/apache/templates/default/ssl.erb @@ -1,8 +1,20 @@ # DO NOT EDIT - This file is being maintained by Chef +SSLProtocol All -SSLv2 -SSLv3 + SSLHonorCipherOrder On -SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM +SSLCipherSuite <%= node[:ssl][:openssl_ciphers] %> + +SSLUseStapling On +SSLStaplingResponderTimeout 5 +SSLStaplingErrorCacheTimeout 60 +SSLStaplingReturnResponderErrors off +SSLStaplingFakeTryLater off +SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000) -SSLCertificateFile /etc/ssl/certs/<%= @certiifcate %>.pem -SSLCertificateKeyFile /etc/ssl/private/<%= @certiifcate %>.key -SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem +Header always set Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" "expr=%{HTTPS} == 'on'" +<% if node[:ssl][:ct_report_uri] -%> +Header always set Expect-CT "max-age=0, report-uri=\"<%= node[:ssl][:ct_report_uri] %>\"" "expr=%{HTTPS} == 'on'" +<% else -%> +Header always set Expect-CT "max-age=0" "expr=%{HTTPS} == 'on'" +<% end -%>