Web server
This article presents example configuration settings for the Apache2 and Nginx web servers, as the most commonly used settings for Passwork installations.

Apache2

Apache2 virtual host configuration file:

```apache
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/passwork/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/passwork/privkey.pem
    SSLCertificateChainFile /etc/ssl/passwork/chain.pem
    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:\
ECDHE-RSA-AES128-GCM-SHA256"
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    DocumentRoot /var/www/public
    <Directory /var/www/public>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    <FilesMatch \.php$>
        # deb
        #SetHandler "proxy:unix:/run/php/php8.3-fpm.sock|fcgi://localhost/"
        # rpm
        #SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
```

Part of the Apache2 SSL module configuration file:

```apache
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache "shmcb:/var/run/apache2/stapling_cache(128000)"
```

SSLCipherSuite — allows only secure and up-to-date cipher suites.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 — allows only secure TLS versions (1.2 and 1.3) and disables outdated/vulnerable ones (SSLv2, SSLv3, TLS 1.0/1.1).

SSLHonorCipherOrder on — enforces the server's cipher suite priority over the client's to enhance connection security.

SSLSessionCache "shmcb:/var/run/apache2/ssl_scache(512000)" — enables TLS session caching with shmcb (shared memory cache), which speeds up reconnections and reduces server load. Cache size: 512 KB.

SSLSessionCacheTimeout 300 — sets the TLS session cache lifetime (in seconds).

SSL stapling (OCSP stapling) — the mechanism in which the server retrieves the TLS certificate status from the certificate authority (CA) and includes it in the TLS session. This improves connection speed, reduces load on the CA, and enhances client privacy. OCSP stapling should only be enabled if your Passwork instance can access public DNS servers.

SSLUseStapling on — enables OCSP stapling. The server itself provides the current certificate status, speeding up verification and improving client privacy.

SSLStaplingResponderTimeout 5 — sets the maximum time to wait for a DNS response. If no response is received within 5 seconds, the request fails.

SSLStaplingReturnResponderErrors off — allows the connection even if the OCSP server doesn't respond, improving resilience in unstable networks.

SSLStaplingCache "shmcb:/var/run/apache2/stapling_cache(128000)" — OCSP response cache in shared memory (128 KB), reducing the frequency of requests to the certificate authority (CA).

SSLSessionTickets off — by default, session tickets are enabled, as they help speed up TLS connection establishment by reusing parameters from previous sessions and reducing server load. Disabling this will affect only TLS 1.2 connections; TLS 1.3 session tickets are managed by OpenSSL and cannot be disabled via Apache.

Nginx

Part of the Nginx configuration file:

```nginx
listen 443 ssl default_server;
ssl_certificate /server/ssl/fullchain.pem;
ssl_certificate_key /server/ssl/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:\
ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
resolver 77.88.8.8 185.222.222.222 valid=300s;
resolver_timeout 5s;
```

ssl_protocols TLSv1.2 TLSv1.3; — restricts the allowed TLS versions to secure ones only, disabling legacy and vulnerable protocols like TLS 1.0/1.1.

ssl_ciphers — allows only secure and up-to-date cipher suites.

ssl_prefer_server_ciphers on; — enforces the server's cipher suite priority over the client's to enhance connection security.

ssl_session_cache shared:SSL:50m; — enables TLS session caching between connections (up to 50 MB), speeding up reconnections and reducing load.

ssl_session_timeout 1d; — sets the TTL for cached sessions. The client can reuse a TLS session for up to 24 hours if the cache is not cleared.

SSL stapling (OCSP stapling) — the mechanism in which the server retrieves the TLS certificate status from the certificate authority (CA) and includes it in the TLS session. This improves connection speed, reduces load on the CA, and enhances client privacy. OCSP stapling should only be enabled if your Passwork instance can access public DNS servers.

ssl_stapling on; — enables OCSP stapling. The server itself provides the current certificate status, speeding up verification and improving client privacy.

ssl_stapling_verify on; — forces the server to verify the OCSP response against the CA certificate to prevent passing an invalid or forged status.

resolver 1.1.1.1 8.8.8.8 valid=300s; — specifies the DNS servers used for resolving domain names (e.g. for OCSP checks); responses are cached for 5 minutes. This example uses Cloudflare (1.1.1.1) and Google DNS (8.8.8.8).

resolver_timeout 5s; — sets the maximum time to wait for a DNS response. If no response is received within 5 seconds, the request fails.

ssl_session_tickets off; — disables TLS session tickets. By default, session tickets are enabled, as they help speed up TLS connection establishment by reusing parameters from previous sessions and reducing server load. However, they should only be disabled when all of the following are true: your Passwork runs on multiple servers; a single wildcard certificate is used across all instances; servers are distributed across different data centers, and there is no centralized TLS session key management.
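As an added example (not part of this article or of Passwork's own tooling), the following script lints an Nginx TLS fragment against the settings explained above: legacy protocol versions, cipher suites outside the listed set, server cipher preference, and stapling enabled without verification or a resolver. The function names `parse_directives` and `check_nginx_tls` and the two sample blocks are constructed for this example.

```python
import re

# Cipher suites the article allows (taken from its ssl_ciphers line).
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(config: str) -> dict:
    """Map 'name value;' statements to {name: value}; comments, braces and quotes are dropped."""
    text = re.sub(r"[{}]", ";", re.sub(r"#[^\n]*", "", config))
    directives = {}
    for stmt in text.split(";"):
        parts = stmt.split(None, 1)
        if parts:
            directives[parts[0]] = parts[1].strip().strip("'\"") if len(parts) > 1 else ""
    return directives


def check_nginx_tls(config: str) -> list:
    """Return findings against the article's policy; an empty list means the block complies."""
    d = parse_directives(config)
    findings = []
    legacy = set(d.get("ssl_protocols", "").split()) & LEGACY_PROTOCOLS
    if legacy:
        findings.append(f"legacy protocols enabled: {sorted(legacy)}")
    ciphers = set(d.get("ssl_ciphers", "").split(":")) - {""}
    if not ciphers or ciphers - ALLOWED_CIPHERS:
        findings.append(f"cipher suites outside the allowed list: {sorted(ciphers - ALLOWED_CIPHERS)}")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    if d.get("ssl_stapling") == "on":  # stapling needs verification and a resolver for OCSP lookups
        if d.get("ssl_stapling_verify") != "on":
            findings.append("ssl_stapling on without ssl_stapling_verify on")
        if "resolver" not in d:
            findings.append("ssl_stapling on but no resolver configured for OCSP lookups")
    return findings


# Constructed sample blocks: one weak, one matching the article's recommended settings.
WEAK = """ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA';
ssl_prefer_server_ciphers off;
ssl_stapling on;"""
HARDENED = """listen 443 ssl default_server;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;"""

if __name__ == "__main__":
    for name, block in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_nginx_tls(block) or "OK")
```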