4c7c98ab90
The last update was 2016, and it's time to drop TLSv1 and TLSv1.1 as the
base configuration recommended by Mozilla.
https://wiki.mozilla.org/Security/Server_Side_TLS
This is equivalent to a charm-helper's change:
27d6ceb385
Closes-Bug: #1886630
Change-Id: Ia8cb1ad7417014fbc20178ccc598117c97a34188
37 lines
1.4 KiB
Plaintext
37 lines
1.4 KiB
Plaintext
{% if endpoints -%}
|
|
{% for ext_port in ext_ports -%}
|
|
Listen {{ ext_port }}
|
|
{% endfor -%}
|
|
{% for address, endpoint, ext, int in endpoints -%}
|
|
<VirtualHost {{ address }}:{{ ext }}>
|
|
ServerName {{ endpoint }}
|
|
SSLEngine on
|
|
|
|
# This section is based on Mozilla's recommendation
|
|
# as the "intermediate" profile as of July 7th, 2020.
|
|
# https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
SSLHonorCipherOrder off
|
|
|
|
SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
|
|
# See LP 1484489 - this is to support <= 2.4.7 and >= 2.4.8
|
|
SSLCertificateChainFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
|
|
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
|
|
ProxyPass / http://localhost:{{ int }}/
|
|
ProxyPassReverse / http://localhost:{{ int }}/
|
|
ProxyPreserveHost on
|
|
RequestHeader set X-Forwarded-Proto "https"
|
|
IncludeOptional /etc/apache2/mellon*/sp-location*.conf
|
|
</VirtualHost>
|
|
{% endfor -%}
|
|
<Proxy *>
|
|
Order deny,allow
|
|
Allow from all
|
|
</Proxy>
|
|
<Location />
|
|
Order allow,deny
|
|
Allow from all
|
|
</Location>
|
|
{% endif -%}
|