HTTPS + Let's Encrypt
•
0 likes•1,826 views
Vortrag beim Drupal Meetup Frankfurt am 11. Februar 2016
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to HTTPS + Let's Encrypt
Similar to HTTPS + Let's Encrypt (20)
More from Walter Ebert
More from Walter Ebert (20)
Recently uploaded
Recently uploaded (20)
HTTPS + Let's Encrypt
- 2. Google I/O 2014: HTTPS Everywhere „Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted. We must protect the security, privacy, and integrity of our users data. In this session we will take a hands-on tour of how to make your websites secure by default: the required technology, configuration and performance best practices, how to migrate your sites to HTTPS and make them user and search friendly, and more. Your users will thank you.“ https://www.youtube.com/watch?v=cBhZ6S0PFCY
- 10. https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_a nd_Cipher_Configuration SSL 1 SSL 2 SSL 3 SSL 3.1 = TLS 1.0 TLS 1.1 TLS 1.2
- 11. https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_a nd_Cipher_Configuration SSL 1 SSL 2 SSL 3 SSL 3.1 = TLS 1.0 TLS 1.1 TLS 1.2
- 12. https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_a nd_Cipher_Configuration SSL 1 SSL 2 SSL 3 SSL 3.1 = TLS 1.0 TLS 1.1 TLS 1.2
- 14. wQ
- 15. Q ) w
- 31. Content Security Policy (CSP) # Apache Header set Content-Security-Policy "default-src https:" # Nginx add_header Content-Security-Policy "default-src https:"; https://www.owasp.org/index.php/Content_Security_Policy https://scotthelme.co.uk/csp-cheat-sheet/
- 32. HTTP Strict Transport Security (HSTS) # Apache Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" # Nginx add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- 36. HSTS # Apache Header always set Strict-Transport-Security "max-age=31536000" # Nginx add_header Strict-Transport-Security "max-age=31536000"; https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Excessively_Strict_STS
- 38. Server Name Indication (SNI) Mehrere Domains unter einer IP-Adresse https://de.wikipedia.org/wiki/Server_Name_Indication
- 39. https://www.ssllabs.com/ssltest/analyze.html?d=walterebert.de&hideResults=on Android 2.3 Internet Explorer auf Windows XP
- 40. Webservices RSS-Reader Webcrawler Monitoring … PHP < 5.3.2 Python 2 Java 6 Nicht nur Browser https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniinga
- 41. Konfiguration How to Deploy HTTPS Correctly https://www.eff.org/https-everywhere/deploying-https SSL/TLS Deployment Best Practices https://www.ssllabs.com/projects/best-practices/ Richtig verschlüsseln mit SSL/TLS https://www.owasp.org/images/1/19/Richtig_verschluesseln_mit_SSL%2 BTLS_-_Achim_Hoffmann%2BTorsten_Gigler.pdf HTTP2-Implementationen https://github.com/http2/http2-spec/wiki/Implementations
- 45. diff --git a/.htaccess b/.htaccess index 974999a..f4024c6 100644 --- a/.htaccess +++ b/.htaccess @@ -3,7 +3,7 @@ # # Protect files and directories from prying eyes. -<FilesMatch ".(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig| tpl(.php)?|xtmpl|yml)(~|.sw[op]|.bak|.orig|.save)?$|^(..*|Entries.*| Repository|Root|Tag|Template|composer.(json|lock))$| ^#.*#$|.php(~|.sw[op]|.bak|.orig|.save)$"> +<FilesMatch ".(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig| tpl(.php)?|xtmpl|yml)(~|.sw[op]|.bak|.orig|.save)?$|^(.(?!well-known).*| Entries.*|Repository|Root|Tag|Template|composer.(json|lock))$| ^#.*#$|.php(~|.sw[op]|.bak|.orig|.save)$"> <IfModule mod_authz_core.c> Require all denied </IfModule> @@ -93,7 +93,7 @@ AddEncoding gzip svgz # If you do not have mod_rewrite installed, you should remove these # directories from your webroot or otherwise protect them from being # downloaded. - RewriteRule "(^|/)." - [F] + RewriteRule "(^|/).(?!well-known)" - [F] # If your site can be accessed both with and without the 'www.' prefix, you # can use one of the following settings to redirect users to your preferred https://www.drupal.org/node/2408321
- 48. $ ls -l /etc/letsencrypt/ total 24 drwx------ 3 root root 4096 Jan 8 12:23 accounts drwx------ 5 root root 4096 Feb 4 15:14 archive drwxr-xr-x 2 root root 4096 Feb 4 14:36 csr drwx------ 2 root root 4096 Feb 4 14:36 keys drwx------ 6 root root 4096 Feb 4 15:14 live drwxr-xr-x 2 root root 4096 Feb 4 14:36 renewal $ sudo ls -l /etc/letsencrypt/live/walterebert.de total 0 lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert.pem -> ../../archive/walterebert.de/cert1.pem lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert1.pem -> ../../archive/walterebert.de/cert1.pem lrwxrwxrwx 1 root root 39 Feb 4 14:59 chain.pem -> ../../archive/walterebert.de/chain1.pem lrwxrwxrwx 1 root root 43 Feb 4 14:59 fullchain.pem -> ../../archive/walterebert.de/fullchain1.pem lrwxrwxrwx 1 root root 41 Feb 4 15:00 privkey.pem -> ../../archive/walterebert.de/privkey1.pem
- 51. Testen SSL Server Test (Qualys SSL Labs) https://www.ssllabs.com/ssltest/ SSLyze https://github.com/nabla-c0d3/sslyze O-Saft (OWASP) https://www.owasp.org/index.php/O-Saft