summaryrefslogtreecommitdiffstats
path: root/src/civetweb/examples/https/civetweb.conf
diff options
context:
space:
mode:
Diffstat (limited to 'src/civetweb/examples/https/civetweb.conf')
-rw-r--r--src/civetweb/examples/https/civetweb.conf86
1 files changed, 86 insertions, 0 deletions
diff --git a/src/civetweb/examples/https/civetweb.conf b/src/civetweb/examples/https/civetweb.conf
new file mode 100644
index 00000000..cd10edda
--- /dev/null
+++ b/src/civetweb/examples/https/civetweb.conf
@@ -0,0 +1,86 @@
+# Instructions to run (on Linux) to reproduce test results:
+#
+# 1) copy civetweb executable here (examples/https directory)
+# 2) sudo ./civetweb
+#
+# Instructions to adapt to your own server:
+#
+# 1) generate your own server cert
+# 2) generate at least one backup server cert
+# in case you want a self signed cert, you can use the script
+# in resources/cert for both steps
+# 3) copy the content of the *.pin files into the Public-Key-Pins
+# header config (the base64 encoded certificate hash)
+# 4) set the document root, and all other required http server settings
+# 5) Run the tests from the three websites below. They will tell you
+# also what clients are compatible with your settings. The settings
+# here are very strict and lock out most older clients/browsers.
+# You will find some hints for fine tuning there as well.
+# 6) If you know all your clients, and give them client certificates in
+# advance, you can significantly improve security by setting
+# "ssl_verify_peer" to "yes" and specifying a client cert (directory)
+# using "ssl_ca_file/path". This will lock out all clients without a
+# proper certificate. Don't use it for your public home page, but
+# consider it for your private remote access server.
+# 7) run civetweb, like above - or better create your own start script
+# You are welcome to share your thoughts and experience on GitHub
+# (or Google groups) - see README.md in CivetWeb main directory
+
+# Don't run as super user, switch back to a regular user
+run_as_user user
+
+# The standard HTTP port 80 should redirect to the standard HTTPS port 443
+listening_ports 80r,443s
+
+# Don't forget to set the document root and domain
+#document_root tdb
+#authentication_domain mydomain.com
+
+# Set the a certificate
+ssl_certificate ../../resources/cert/server.pem
+
+# Require a client cert for your private server (see above)
+#ssl_verify_peer yes
+#ssl_ca_file ../../resources/cert/client.pem
+
+# Enforce TLS1.2 and some strong cipher(s)
+ssl_protocol_version 4
+ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS
+
+# Tell all browsers to access this site only as HTTPS for the next 180 days
+strict_transport_security_max_age 15552000
+
+# Set some HTTP security header, see https://securityheaders.io
+additional_header Content-Security-Policy: script-src 'self'
+additional_header X-Frame-Options: SAMEORIGIN
+additional_header X-Xss-Protection: 1; mode=block
+additional_header X-Content-Type-Options: nosniff
+additional_header Referrer-Policy: same-origin
+additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000
+#additional_header Expect-CT: max-age=86400,report-uri="https://mydomain.com/report"
+
+
+# Ratings from 2017-09-03 (tests performed later may require more
+# strict security settings)
+#
+# Headers rated A+ from https://securityheaders.io/
+#
+# SSL rated B from https://www.htbridge.com/ssl when using a self signed
+# certificate, but no other weaknesses for modern browsers.
+# Site remarks some older TLS versions and some weaker ciphers are not
+# supported (but that's accessibility, not security).
+#
+# HTTPS rated A+ from https://www.htbridge.com/websec/ when using a self
+# signed certificate, generated with make_certs.sh in resources/cert/
+# and adding the server.pin and server_bkup.pin content into the
+# Public-Key-Pins header above.
+#
+# A rating of "T / If trust issues are ignored: A" (ignoring self-signed cert)
+# from https://www.ssllabs.com/ssltest/, https://www.qualys.com/forms/freescan/
+# (Note: this test is runs with reverse DNS name, while all others use the
+# IP address).
+#
+# Note: This settings are very strict and prevent some older but still common
+# versions of major browsers to access this site. The test web sites will give
+# you an overview. Test, before you use this settings.
+