lighttpd sample conf security enhancement

2014-10-16 22:52:28 +02:00 · 2014-10-16 22:52:28 +02:00 · 1ee2b631db
commit 1ee2b631db
parent d4abc91d1f
1 changed files with 5 additions and 0 deletions
--- a/doc/install/sample-lighttpd.conf
+++ b/doc/install/sample-lighttpd.conf
@ -67,6 +67,11 @@ $SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.ca-file = "/etc/lighttpd/certs/ca-certs.crt" #adjust to your needs
  ssl.pemfile = "/etc/lighttpd/certs/red-ssl.crt" #adjust to your needs
+
+  ssl.use-compression = "disable"
+  ssl.use-sslv2 = "disable"
+  ssl.use-sslv3 = "disable"
+  ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 }

 ### RISTRICT ACCESS TO DIRECTORYS AND FILES