# redirect to https #Redirect / https://www.example.com/ # set high encryption # # check it with: nmap --script ssl-enum-ciphers -p 443 localhost # # or test beforehand with: openssl ciphers -v 'HIGH:!MEDIUM:!aNULL:!eNULL' # # CBC ciphers are obsolete (and implementation maybe incorrect), therefore # remove: # -ECDHE-RSA-AES256-SHA384:-ECDHE-RSA-CAMELLIA256-SHA384: # -DHE-RSA-AES128-SHA256:-DHE-RSA-AES256-SHA256: # -DHE-RSA-CAMELLIA128-SHA256:-DHE-RSA-CAMELLIA256-SHA256: # -ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-CAMELLIA128-SHA256 SSLCipherSuite HIGH:!MEDIUM:!aNULL:!eNULL:!TLSv1:!SHA1:!RSA:!MD5:!RC4:-ECDHE-RSA-AES256-SHA384:-ECDHE-RSA-CAMELLIA256-SHA384:-DHE-RSA-AES128-SHA256:-DHE-RSA-AES256-SHA256:-DHE-RSA-CAMELLIA128-SHA256:-DHE-RSA-CAMELLIA256-SHA256:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-CAMELLIA128-SHA256 SSLProtocol all -TLSv1 -TLSv1.1 # SSLCompression on ServerAdmin webmaster@localhost #ServerName www.example.com DocumentRoot /var/www/gitolite Options None AllowOverride none Order allow,deny Allow from all SuexecUserGroup git git ScriptAlias /www/ /var/www/bin/gitolite_web_interface.py AuthType Basic AuthName "gitolite access is required" Require valid-user AuthUserFile /etc/apache2/gitolite.passwd SuexecUserGroup git git ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/ AuthType Basic AuthName "gitolite access is required" Require valid-user AuthUserFile /etc/apache2/gitolite.passwd DAVLockDB /var/www/DAVLock Order Allow,Deny Allow from all Dav On AuthType Basic AuthName "gitolite access is required" AuthUserFile /etc/apache2/gitolite.passwd Options +Indexes Require valid-user AllowOverride AuthConfig Require all denied Options +Indexes # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/ssl/certs/gitolite.crt SSLCertificateKeyFile /etc/ssl/private/gitolite.key