Adding section for cherokee webserver
authorSebastian Wagner <sebix@sebix.at>
Wed, 18 Feb 2015 11:12:42 +0000 (12:12 +0100)
committerSebastian Wagner <sebix@sebix.at>
Wed, 18 Feb 2015 11:16:13 +0000 (12:16 +0100)
src/configuration/Webservers/Cherokee/cherokee.conf [new file with mode: 0644]
src/practical_settings/webserver.tex

diff --git a/src/configuration/Webservers/Cherokee/cherokee.conf b/src/configuration/Webservers/Cherokee/cherokee.conf
new file mode 100644 (file)
index 0000000..9fd94c4
--- /dev/null
@@ -0,0 +1,58 @@
+config!version = 001002104
+server!bind!1!port = 80
+server!bind!2!port = 443
+server!bind!2!tls = 1
+server!ipv6 = 1
+server!keepalive = 1
+server!keepalive_max_requests = 500
+server!panic_action = /usr/bin/cherokee-panic
+server!pid_file = /var/run/cherokee.pid
+server!server_tokens = full
+server!timeout = 15
+server!tls = libssl
+vserver!1!directory_index = index.html
+vserver!1!document_root = /var/www
+vserver!1!error_writer!filename = /var/log/cherokee.error
+vserver!1!error_writer!type = file
+vserver!1!hsts = 1
+vserver!1!hsts!max_age = 15768000
+vserver!1!hsts!subdomains = 1
+vserver!1!logger = combined
+vserver!1!logger!access!buffsize = 16384
+vserver!1!logger!access!filename = /var/log/cherokee.access
+vserver!1!logger!access!type = file
+vserver!1!nick = default
+vserver!1!rule!5!encoder!gzip = allow
+vserver!1!rule!5!handler = redir
+vserver!1!rule!5!handler!rewrite!10!regex = /(.*)$
+vserver!1!rule!5!handler!rewrite!10!show = 1
+vserver!1!rule!5!handler!rewrite!10!substring = https://${host}/$1
+vserver!1!rule!5!handler!type = just_about
+vserver!1!rule!5!match = not
+vserver!1!rule!5!match!right = tls
+vserver!1!rule!5!match!right!directory = /about
+vserver!1!rule!5!encoder!gzip = allow
+vserver!1!rule!5!handler = server_info
+vserver!1!rule!5!handler!type = just_about
+vserver!1!rule!5!match = directory
+vserver!1!rule!5!match!directory = /about
+vserver!1!rule!4!document_root = /usr/lib/cgi-bin
+vserver!1!rule!4!handler = cgi
+vserver!1!rule!4!match = directory
+vserver!1!rule!4!match!directory = /cgi-bin
+vserver!1!rule!3!document_root = /usr/share/cherokee/themes
+vserver!1!rule!3!handler = file
+vserver!1!rule!3!match = directory
+vserver!1!rule!3!match!directory = /cherokee_themes
+vserver!1!rule!2!handler = file
+vserver!1!rule!2!match = directory
+vserver!1!rule!1!handler = common
+vserver!1!rule!1!handler!iocache = 1
+vserver!1!rule!1!match = default
+vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+vserver!1!ssl_cipher_server_preference = 1
+vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+vserver!1!ssl_compression = 0
+vserver!1!ssl_dh_length = 2048
+
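Review bot: The `vserver!1!rule!5!` keys are defined twice with conflicting values (`handler = redir` / `match = not` / `match!right = tls` in the first group, `handler = server_info` / `match = directory` / `match!directory = /about` in the second), so whichever definition the parser keeps silently replaces the other and the HTTP-to-HTTPS redirect this file is meant to demonstrate may not be active at all. Give the redirect rule an index that is not already used, for instance by renaming its keys from `rule!5` to `rule!6`, and drop the stray `vserver!1!rule!5!match!right!directory = /about` line, which belongs to the directory match and not to the NOT/tls match. `server!server_tokens = full` advertises the exact server version in every response header; a hardening example should use the least verbose token setting the admin interface offers. In `vserver!1!ssl_ciphers` the fragment `!aNULL!eNULL` is missing the colon separator, so it is worth confirming that OpenSSL still applies the `!eNULL` exclusion as intended; writing it `!aNULL:!eNULL` removes the doubt.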
index 6a3b8b8..1f6494f 100644 (file)
@@ -130,6 +130,75 @@ See appendix \ref{cha:tools}
 
 
 %%---------------------------------------------------------------------- 
+\subsection{Cherokee}
+
+\subsubsection{Tested with Version}
+\begin{itemize*}
+    \item Cherokee/1.2.104 on Debian Wheezy with OpenSSL 1.0.1e 11 Feb 2013
+\end{itemize*}
+
+\subsubsection{Settings}
+
+The configuration of the cherokee webserver is performed by an admin interface available via the web. It then writes the configuration to \texttt{/etc/cherokee/cherokee.conf}, the important lines of such a configuration file can be found at the end of this section.
+
+\begin{itemize*}
+    \item General Settings
+    \begin{itemize*}
+        \item Network
+        \begin{itemize*}
+            \item \emph{SSL/TLS back-end}: \emph{OpenSSL/libssl}
+        \end{itemize*}
+        \item Ports to listen
+        \begin{itemize*}
+            \item Port: 443, TLS: TLS/SSL port
+        \end{itemize*}
+    \end{itemize*}
+    \item Virtual Servers, For each vServer on tab \emph{Security}:
+    \begin{itemize*}
+        \item \emph{Required SSL/TLS Values}: Fill in the correct paths for \emph{Certificate} and \emph{Certificate key}
+        \item Advanced Options
+        \begin{itemize*}
+            \item \emph{Ciphers}: \texttt{EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\newline EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\newline+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\newline!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA}
+            \item \emph{Server Preference}: Prefer
+            \item \emph{Compression}: Disabled
+        \end{itemize*}
+    \end{itemize*}
+    \item Advanced: TLS
+    \begin{itemize*}
+        \item SSL version 2 and SSL version 3: No
+        \item TLS version 1, TLS version 1.1 and TLS version 1.2: Yes
+    \end{itemize*}
+\end{itemize*}
+
+\subsubsection{Additional settings}
+For each vServer on the Security tab it is possilbe to set the Diffie Hellman length to up to 4096 bits. We recommend to use \textgreater 1024 bits.
+More information about Diffie-Hellman and which curves are recommended can be found in section \ref{section:DH}.
+
+In Advanced: TLS it is possible to set the path to a Diffie Hellman parameters file for 512, 1024, 2048 and 4096 bits.
+
+HSTS can be configured on host-basis in section \emph{vServers} / \emph{Security} / \emph{HTTP Strict Transport Security (HSTS)}:
+\begin{itemize*}
+    \item \emph{Enable HSTS}: Accept
+    \item \emph{HSTS Max-Age}: 15768000
+    \item \emph{Include Subdomains}: depends on your setup
+\end{itemize*}
+
+To redirect HTTP to HTTPS, configure a new rule per Virtual Server in the \emph{Behavior} tab. The rule is \emph{SSL/TLS} combined with a \emph{NOT} operator. As \emph{Handler} define \emph{Redirection} and use \texttt{/(.*)\$} as \emph{Regular Expression} and \emph{https://\$\{host\}/\$1} as \emph{Substitution}.
+
+\configfile{cherokee.conf}{3-4,12-12,17-19,26-32,52-57}{SSL configuration for cherokee}
+
+\subsubsection{References}
+\begin{itemize*}
+  \item Cookbook: SSL, TLS and certificates: \url{http://cherokee-project.com/doc/cookbook_ssl.html}
+  \item Cookbook: Redirecting all traffic from HTTP to HTTPS: \url{http://cherokee-project.com/doc/cookbook_http_to_https.html}
+\end{itemize*}
+
+
+\subsubsection{How to test}
+See appendix \ref{cha:tools}
+
+
+%%----------------------------------------------------------------------
 \subsection{MS IIS}
 \label{sec:ms-iis}