Installation de dokuwiki
Liste des plugins:
- Pour le wysiwg Prosemirror à évaluer.
- Ou encore CGK editor
Installation de wallabag
Un petit bug qui traîne : https://github.com/wallabag/wallabag/issues/2768
Et la solution
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
Hardening TLS Apache2
Hardening de base : https://wiki.debian.org/Apache/Hardening
Évaluation de base : https://www.ssllabs.com/ssltest/analyze.html?d=alban.montaigu.io&s=163.172.180.167
La partie hardening TLS : https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
Activation DNS CAA : https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum
Autre tuto intéressant : https://community.bitnami.com/t/howto-a-on-all-tests-at-ssllabs-com-with-apache-2-4-xx/67885 mais à priori trop violent pour les vieux matériels
Activation HSTS aussi : https://www.justegeek.fr/activer-len-tete-hsts-sur-apache-pour-proteger-son-site-web/?cn-reloaded=1
nano /etc/apache2/conf-enabled/security.com
ServerTokens Prod
ServerSignature Off
Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"
Aller plus loin dans les résultats SSLabs : https://community.bitnami.com/t/howto-a-on-all-tests-at-ssllabs-com-with-apache-2-4-xx/67885
Une piste pour améliorer la compliance : https://developer.mozilla.org/fr/docs/Web/Security/Public_Key_Pinning
Une autre piste encore : https://gist.github.com/GAS85/42a5469b32659a0aecc60fa2d4990308
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Pinning : https://gist.github.com/GAS85/a668b941f84c621a15ff581ae968e4cb
cat /etc/letsencrypt/live/alban.montaigu.io/cert.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
Aussi à voir ça :
- https://community.letsencrypt.org/t/how-to-get-100-on-ssllabs-com-with-nginx/114196
- https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033
- https://serverfault.com/questions/877774/trying-to-get-100-in-ssllabs-com-key-exchange/877784
- https://itigloo.com/2017/02/21/how-to-get-an-a-rating-with-100-score-on-the-ssllabs-test-with-apache/
- https://security.stackexchange.com/questions/166484/how-to-disable-cbc-mode-ciphers
- https://wiki.csnu.org/index.php/S%C3%A9curisation_SSL_/_TLS_de_apache
Pas mal mais de weak et une compatibilité générale pas trop moche :
SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384
# HSTS Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
La référence : https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
Le fichier complet (avec quelques spécificités moches dues au template ispconfig):
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLCertificateFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.crt
SSLCertificateKeyFile /var/www/clients/client1/web2/ssl/alban.montaigu.io-le.key
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# Enhance header configuration
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Rewrite any session cookies to make them more secure
# Make ALL cookies created by this server are HttpOnly and Secure Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule><IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>Intéressant à voir en spécifique ISPCONFIG : https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5368
Pour permettre l’utilisation de certificats sur plusieurs domaines avec nameservers
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1
Important : La partie X25519 est particulièrement importante sinon les autres sous domaines ne fonctionneront pas.
Post configuration
Changer la timezone
dpkg-reconfigure tzdataBackup duplicity
# backup on dedibackup
sudo FTP_PASSWORD=XXX PASSPHRASE=XXX duplicity --full-if-older-than 1M /var/www ftp://sd-154040@dedibackup-dc3.online.net/
# remove older than 6M
sudo FTP_PASSWORD=XXX PASSPHRASE=XXX duplicity remove-older-than 6M ftp://sd-154040@dedibackup-dc3.online.net/
# Healthcheck.io silent version (no stdout/stderr output unless curl hits an error):
curl -fsS -m 10 --retry 5 -o /dev/null https://hc-ping.com/986ba863-a707-4b0b-bb79-35a42e4b9f72