Diffstat (limited to 'src/civetweb/examples/https')
-rw-r--r--  src/civetweb/examples/https/README.md      15
-rw-r--r--  src/civetweb/examples/https/civetweb.conf  86
2 files changed, 101 insertions, 0 deletions
diff --git a/src/civetweb/examples/https/README.md b/src/civetweb/examples/https/README.md new file mode 100644 index 000000000..7b18b4724 --- /dev/null +++ b/src/civetweb/examples/https/README.md @@ -0,0 +1,15 @@ +HTTPS Server configuration example +==== + +This directory contains an example [`civetweb.conf`](civetweb.conf) configuration file for a secure HTTPS server. You can run a HTTPS server without most of the options there - only `ssl_certificate` and one port (e.g., `443s`) in `listening_ports` is required. The default settings will work, but not comply with up to date security standards. It is somewhat debatable what "up to date security" means - you can use the following web sites to run tests: + +- https://securityheaders.io +- https://www.htbridge.com/ssl +- https://www.htbridge.com/websec +- https://www.ssllabs.com/ssltest/analyze.html / https://www.qualys.com/forms/freescan/ +- probably there are some more ... let me know! + +Instructions to run the test and to adapt the configuration can be found [`civetweb.conf`](civetweb.conf). You can test this configuration directly with the standalone server, or you can take the settings and add it into your embedding code. + +Note: I do not take any warranty or liability for this configuration, or for the content of any linked web site. + diff --git a/src/civetweb/examples/https/civetweb.conf b/src/civetweb/examples/https/civetweb.conf new file mode 100644 index 000000000..cd10eddab --- /dev/null +++ b/src/civetweb/examples/https/civetweb.conf 
@@ -0,0 +1,86 @@ +# Instructions to run (on Linux) to reproduce test results: +# +# 1) copy civetweb executable here (examples/https directory) +# 2) sudo ./civetweb +# +# Instructions to adapt to your own server: +# +# 1) generate your own server cert +# 2) generate at least one backup server cert +# in case you want a self signed cert, you can use the script +# in resources/cert for both steps +# 3) copy the content of the *.pin files into the Public-Key-Pins +# header config (the base64 encoded certificate hash) +# 4) set the document root, and all other required http server settings +# 5) Run the tests from the three websites below. They will tell you +# also what clients are compatible with your settings. The settings +# here are very strict and lock out most older clients/browsers. +# You will find some hints for fine tuning there as well. +# 6) If you know all your clients, and give them client certificates in +# advance, you can significantly improve security by setting +# "ssl_verify_peer" to "yes" and specifying a client cert (directory) +# using "ssl_ca_file/path". This will lock out all clients without a +# proper certificate. Don't use it for your public home page, but +# consider it for your private remote access server. 
+# 7) run civetweb, like above - or better create your own start script +# You are welcome to share your thoughts and experience on GitHub +# (or Google groups) - see README.md in CivetWeb main directory + +# Don't run as super user, switch back to a regular user +run_as_user user + +# The standard HTTP port 80 should redirect to the standard HTTPS port 443 +listening_ports 80r,443s + +# Don't forget to set the document root and domain +#document_root tdb +#authentication_domain mydomain.com + +# Set the a certificate +ssl_certificate ../../resources/cert/server.pem + +# Require a client cert for your private server (see above) +#ssl_verify_peer yes +#ssl_ca_file ../../resources/cert/client.pem + +# Enforce TLS1.2 and some strong cipher(s) +ssl_protocol_version 4 +ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS + +# Tell all browsers to access this site only as HTTPS for the next 180 days +strict_transport_security_max_age 15552000 + +# Set some HTTP security header, see https://securityheaders.io +additional_header Content-Security-Policy: script-src 'self' +additional_header X-Frame-Options: SAMEORIGIN +additional_header X-Xss-Protection: 1; mode=block +additional_header X-Content-Type-Options: nosniff +additional_header Referrer-Policy: same-origin +additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000 +#additional_header Expect-CT: max-age=86400,report-uri="https://mydomain.com/report" + + +# Ratings from 2017-09-03 (tests performed later may require more +# strict security settings) +# +# Headers rated A+ from https://securityheaders.io/ +# +# SSL rated B from https://www.htbridge.com/ssl when using a self signed +# certificate, but no other weaknesses for modern browsers. +# Site remarks some older TLS versions and some weaker ciphers are not +# supported (but that's accessibility, not security). 
+# +# HTTPS rated A+ from https://www.htbridge.com/websec/ when using a self +# signed certificate, generated with make_certs.sh in resources/cert/ +# and adding the server.pin and server_bkup.pin content into the +# Public-Key-Pins header above. +# +# A rating of "T / If trust issues are ignored: A" (ignoring self-signed cert) +# from https://www.ssllabs.com/ssltest/, https://www.qualys.com/forms/freescan/ +# (Note: this test is runs with reverse DNS name, while all others use the +# IP address). +# +# Note: This settings are very strict and prevent some older but still common +# versions of major browsers to access this site. The test web sites will give +# you an overview. Test, before you use this settings. + |
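Review bot: In the README hunk, the sentence "Instructions to run the test and to adapt the configuration can be found [civetweb.conf](civetweb.conf)." is missing a preposition and should read "can be found in"; two lines earlier, "You can run a HTTPS server" should be "an HTTPS server", and "only `ssl_certificate` and one port (e.g., `443s`) in `listening_ports` is required" should be "are required". It would also help readers if the README stated when the scanner ratings recorded at the bottom of civetweb.conf were taken (the conf file says 2017-09-03), since the linked test sites tighten their criteria over time and the conf file itself warns that later tests may require stricter settings.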
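Review bot: The `additional_header Content-Security-Policy: script-src 'self'` line in the civetweb.conf hunk only constrains scripts; with no `default-src` directive, stylesheets, frames, plugins and other resource types stay unrestricted, so the policy is weaker than the A+ headers rating suggests. Consider `additional_header Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'` (adjusted to the site's real resources) so the fallback applies to every fetch type. Two further points in the same hunk: the `Public-Key-Pins` line ships with `max-age=7776000` (90 days) and the pins of the example certificate in `resources/cert`; the adaptation steps tell the reader to copy their own `*.pin` content in (step 3) but not that a browser which has cached these pins will refuse the site for the whole max-age period if the server certificate is later changed to one matching neither pin, so the comment should say that both pins must be replaced before going live and that the backup key behind `server_bkup.pin` has to be kept safely offline for the lifetime of the pin. Finally, a few small fixes: `#document_root tdb` should read `tbd`; `run_as_user user` should carry a comment that `user` is a placeholder account name to be replaced (it is not among the numbered adaptation steps); `# Set the a certificate` has a stray article; `# Note: This settings are very strict and prevent ... to access` should read "These settings ... prevent ... from accessing"; and `this test is runs with reverse DNS name` should be "this test is run".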