# Instructions to run (on Linux) to reproduce test results: # # 1) copy civetweb executable here (examples/https directory) # 2) sudo ./civetweb # # Instructions to adapt to your own server: # # 1) generate your own server cert # 2) generate at least one backup server cert # in case you want a self signed cert, you can use the script # in resources/cert for both steps # 3) copy the content of the *.pin files into the Public-Key-Pins # header config (the base64 encoded certificate hash) # 4) set the document root, and all other required http server settings # 5) Run the tests from the three websites below. They will tell you # also what clients are compatible with your settings. The settings # here are very strict and lock out most older clients/browsers. # You will find some hints for fine tuning there as well. # 6) If you know all your clients, and give them client certificates in # advance, you can significantly improve security by setting # "ssl_verify_peer" to "yes" and specifying a client cert (directory) # using "ssl_ca_file/path". This will lock out all clients without a # proper certificate. Don't use it for your public home page, but # consider it for your private remote access server. # 7) run civetweb, like above - or better create your own start script # You are welcome to share your thoughts and experience on GitHub # (or Google groups) - see README.md in CivetWeb main directory # Don't run as super user, switch back to a regular user run_as_user user # The standard HTTP port 80 should redirect to the standard HTTPS port 443 listening_ports 80r,443s # Don't forget to set the document root and domain #document_root tdb #authentication_domain mydomain.com # Set the a certificate ssl_certificate ../../resources/cert/server.pem # Require a client cert for your private server (see above) #ssl_verify_peer yes #ssl_ca_file ../../resources/cert/client.pem # Enforce TLS1.2 and some strong cipher(s) ssl_protocol_version 4 ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS # Tell all browsers to access this site only as HTTPS for the next 180 days strict_transport_security_max_age 15552000 # Set some HTTP security header, see https://securityheaders.io additional_header Content-Security-Policy: script-src 'self' additional_header X-Frame-Options: SAMEORIGIN additional_header X-Xss-Protection: 1; mode=block additional_header X-Content-Type-Options: nosniff additional_header Referrer-Policy: same-origin additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000 #additional_header Expect-CT: max-age=86400,report-uri="https://mydomain.com/report" # Ratings from 2017-09-03 (tests performed later may require more # strict security settings) # # Headers rated A+ from https://securityheaders.io/ # # SSL rated B from https://www.htbridge.com/ssl when using a self signed # certificate, but no other weaknesses for modern browsers. # Site remarks some older TLS versions and some weaker ciphers are not # supported (but that's accessibility, not security). # # HTTPS rated A+ from https://www.htbridge.com/websec/ when using a self # signed certificate, generated with make_certs.sh in resources/cert/ # and adding the server.pin and server_bkup.pin content into the # Public-Key-Pins header above. # # A rating of "T / If trust issues are ignored: A" (ignoring self-signed cert) # from https://www.ssllabs.com/ssltest/, https://www.qualys.com/forms/freescan/ # (Note: this test is runs with reverse DNS name, while all others use the # IP address). # # Note: This settings are very strict and prevent some older but still common # versions of major browsers to access this site. The test web sites will give # you an overview. Test, before you use this settings.