I'm new to SSL. I set it up on my CentOS 5 system running Apache 2.2.3-65. It appears to be working -- I can browse my site and the https protocol is displayed in the address bar.
Here's my SSL vhost config. Does it look OK? Did I make any major errors?
The intention is for all traffic for this particular site to be encrypted, so there's no vhost for port 80, just this one.
<VirtualHost *:443>
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    DocumentRoot "/opt/deployed_rails_apps/my_app/current/public"
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/www.mydomain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/www.mydomain.com.pem
    SSLCACertificateFile /etc/pki/tls/certs/www.mydomain.com.ca-bundle
    ErrorLog "logs/mydomain.com-ssl-error_log"
    CustomLog "logs/mydomain.com-ssl-access_log" common
    # "deflate" is a LogFormat nickname that must be defined elsewhere (see the mod_deflate docs)
    CustomLog "logs/mydomain.com-ssl-deflate_log" deflate
    # the Directory path must match DocumentRoot above or this block never applies
    <Directory "/opt/deployed_rails_apps/my_app/current/public">
        # Options must be all +/- prefixed or none at all; mixing "-MultiViews FollowSymLinks" is rejected by httpd -t
        Options -MultiViews +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
That will work, certainly. But here are a few more options that you should include for better security:
You should also check your server security against SSL Pulse and see their SSL Best Practices Guide. There's also an SSL Rating Guide which explains why these options are a good idea.
Looks fine, but remove the ServerAlias directive unless your cert will work on both "www.example.com" and "example.com".
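As an added example (not part of the question or of either answer above), here is a hardened version of the same vhost for Apache 2.2 / mod_ssl on CentOS 5 that shows the kind of extra options the first answer refers to, plus the ServerAlias caveat from the second answer. It assumes Listen 80 and Listen 443 are already set in httpd.conf and conf.d/ssl.conf, that mod_ssl, mod_headers and mod_alias are loaded (they are in a stock CentOS 5 httpd), and that the certificate covers both www.mydomain.com and mydomain.com; hostnames and paths are placeholders carried over from the question.

```apacheconf
# Added example, not from the original post. Assumed: Listen 80/443 are set
# elsewhere, mod_ssl/mod_headers/mod_alias are loaded, and the certificate's
# Subject Alternative Names include both www.mydomain.com and mydomain.com
# (otherwise drop ServerAlias, as the second answer says).

# Plain-HTTP vhost whose only job is to redirect to HTTPS. Without it, a
# user who types mydomain.com gets whatever the default :80 vhost serves.
<VirtualHost *:80>
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    Redirect permanent / https://www.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    DocumentRoot "/opt/deployed_rails_apps/my_app/current/public"

    SSLEngine on
    # Apache 2.2 on CentOS 5 (OpenSSL 0.9.8) can only negotiate SSLv2,
    # SSLv3 and TLSv1, so this leaves TLSv1 as the single allowed version.
    SSLProtocol all -SSLv2 -SSLv3
    # Server, not client, picks the cipher. DHE suites give forward secrecy
    # (ECDHE is not built into CentOS 5's OpenSSL); NULL, export, anonymous,
    # DES, RC4 and MD5 suites are excluded outright.
    SSLHonorCipherOrder on
    SSLCipherSuite DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

    SSLCertificateFile      /etc/pki/tls/certs/www.mydomain.com.crt
    # The private key belongs under private/, owned by root, mode 0600;
    # certs/ is world-readable on a stock CentOS install.
    SSLCertificateKeyFile   /etc/pki/tls/private/www.mydomain.com.key
    # The intermediate bundle sent to browsers goes in SSLCertificateChainFile;
    # SSLCACertificateFile is meant for verifying client certificates.
    SSLCertificateChainFile /etc/pki/tls/certs/www.mydomain.com.ca-bundle

    # HSTS: a browser that has seen this header refuses plain HTTP to this
    # host for a year. Start with a short max-age until every subresource
    # (images, JS, CSS) is confirmed to be served over HTTPS.
    Header set Strict-Transport-Security "max-age=31536000"

    ErrorLog  "logs/mydomain.com-ssl-error_log"
    CustomLog "logs/mydomain.com-ssl-access_log" common

    <Directory "/opt/deployed_rails_apps/my_app/current/public">
        # Every option carries a +/- prefix or none may; mixing is an error.
        Options -MultiViews -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Run `httpd -t` before reloading to catch the Options and path mistakes, `openssl x509 -in /etc/pki/tls/certs/www.mydomain.com.crt -noout -text | grep -A1 'Subject Alternative Name'` to confirm the cert really lists both names before keeping ServerAlias, and `openssl s_client -connect www.mydomain.com:443` from another machine to confirm the intermediate is sent and the negotiated cipher is one of the DHE suites.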