From: Sebastian Wagner
Date: Wed, 18 Feb 2015 11:12:42 +0000 (+0100)
Subject: Adding section for cherokee webserver
X-Git-Url: https://git.bettercrypto.org/ach-master.git/commitdiff_plain/49f99b40c91f13f128fd119e48b5be55c5edf543?hp=37bdd3bb3a708d746f9ac3f2b1642b15a1dd2d6b;ds=sidebyside
Adding section for cherokee webserver
---
diff --git a/src/configuration/Webservers/Cherokee/cherokee.conf b/src/configuration/Webservers/Cherokee/cherokee.conf
new file mode 100644
index 0000000..9fd94c4
--- /dev/null
+++ b/src/configuration/Webservers/Cherokee/cherokee.conf
@@ -0,0 +1,58 @@
+config!version = 001002104
+server!bind!1!port = 80
+server!bind!2!port = 443
+server!bind!2!tls = 1
+server!ipv6 = 1
+server!keepalive = 1
+server!keepalive_max_requests = 500
+server!panic_action = /usr/bin/cherokee-panic
+server!pid_file = /var/run/cherokee.pid
+server!server_tokens = full
+server!timeout = 15
+server!tls = libssl
+vserver!1!directory_index = index.html
+vserver!1!document_root = /var/www
+vserver!1!error_writer!filename = /var/log/cherokee.error
+vserver!1!error_writer!type = file
+vserver!1!hsts = 1
+vserver!1!hsts!max_age = 15768000
+vserver!1!hsts!subdomains = 1
+vserver!1!logger = combined
+vserver!1!logger!access!buffsize = 16384
+vserver!1!logger!access!filename = /var/log/cherokee.access
+vserver!1!logger!access!type = file
+vserver!1!nick = default
+vserver!1!rule!5!encoder!gzip = allow
+vserver!1!rule!5!handler = redir
+vserver!1!rule!5!handler!rewrite!10!regex = /(.*)$
+vserver!1!rule!5!handler!rewrite!10!show = 1
+vserver!1!rule!5!handler!rewrite!10!substring = https://${host}/$1
+vserver!1!rule!5!handler!type = just_about
+vserver!1!rule!5!match = not
+vserver!1!rule!5!match!right = tls
+vserver!1!rule!5!match!right!directory = /about
+vserver!1!rule!5!encoder!gzip = allow
+vserver!1!rule!5!handler = server_info
+vserver!1!rule!5!handler!type = just_about
+vserver!1!rule!5!match = directory
+vserver!1!rule!5!match!directory = /about
+vserver!1!rule!4!document_root = /usr/lib/cgi-bin
+vserver!1!rule!4!handler = cgi
+vserver!1!rule!4!match = directory
+vserver!1!rule!4!match!directory = /cgi-bin
+vserver!1!rule!3!document_root = /usr/share/cherokee/themes
+vserver!1!rule!3!handler = file
+vserver!1!rule!3!match = directory
+vserver!1!rule!3!match!directory = /cherokee_themes
+vserver!1!rule!2!handler = file
+vserver!1!rule!2!match = directory
+vserver!1!rule!1!handler = common
+vserver!1!rule!1!handler!iocache = 1
+vserver!1!rule!1!match = default
+vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+vserver!1!ssl_cipher_server_preference = 1
+vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+vserver!1!ssl_compression = 0
+vserver!1!ssl_dh_length = 2048
+
diff --git a/src/practical_settings/webserver.tex b/src/practical_settings/webserver.tex
index 6a3b8b8..1f6494f 100644
--- a/src/practical_settings/webserver.tex
+++ b/src/practical_settings/webserver.tex
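Review bot: Rule index 5 is defined twice in the new cherokee.conf: the HTTP-to-HTTPS redirect entries (`handler = redir`, `match = not`, `match!right = tls`) and the `/about` server_info entries (`handler = server_info`, `match = directory`) share the `vserver!1!rule!5!` prefix, so `handler`, `handler!type`, `match` and `encoder!gzip` are each assigned twice. Whichever assignment the parser keeps wins silently, so one of the two rules — presumably the redirect, which appears to be what the documentation highlights as lines 26-32 — is not actually in effect, and the stray `rule!5!match!right!directory = /about` and `handler!type = just_about` under the redirect look like remnants of the same merge. The redirect rule should get its own index (e.g. `vserver!1!rule!6!…`, with the line ranges in the `\configfile` reference adjusted accordingly). Two smaller points: `server!server_tokens = full` publishes the full version banner, which a hardening example would better set to a less verbose level, and the `ssl_ciphers` string contains `!aNULL!eNULL` where every other exclusion is `:`-separated — OpenSSL may tolerate it, but it should read `!aNULL:!eNULL`, and the same string is repeated in the webserver.tex hunk.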
@@ -130,6 +130,75 @@ See appendix \ref{cha:tools}
 %%----------------------------------------------------------------------
+\subsection{Cherokee}
+
+\subsubsection{Tested with Version}
+\begin{itemize*}
+ \item Cherokee/1.2.104 on Debian Wheezy with OpenSSL 1.0.1e 11 Feb 2013
+\end{itemize*}
+
+\subsubsection{Settings}
+
+The configuration of the cherokee webserver is performed by an admin interface available via the web. It then writes the configuration to \texttt{/etc/cherokee/cherokee.conf}, the important lines of such a configuration file can be found at the end of this section.
+
+\begin{itemize*}
+ \item General Settings
+ \begin{itemize*}
+ \item Network
+ \begin{itemize*}
+ \item \emph{SSL/TLS back-end}: \emph{OpenSSL/libssl}
+ \end{itemize*}
+ \item Ports to listen
+ \begin{itemize*}
+ \item Port: 443, TLS: TLS/SSL port
+ \end{itemize*}
+ \end{itemize*}
+ \item Virtual Servers, For each vServer on tab \emph{Security}:
+ \begin{itemize*}
+ \item \emph{Required SSL/TLS Values}: Fill in the correct paths for \emph{Certificate} and \emph{Certificate key}
+ \item Advanced Options
+ \begin{itemize*}
+ \item \emph{Ciphers}: \texttt{EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\newline EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\newline+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\newline!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA}
+ \item \emph{Server Preference}: Prefer
+ \item \emph{Compression}: Disabled
+ \end{itemize*}
+ \end{itemize*}
+ \item Advanced: TLS
+ \begin{itemize*}
+ \item SSL version 2 and SSL version 3: No
+ \item TLS version 1, TLS version 1.1 and TLS version 1.2: Yes
+ \end{itemize*}
+\end{itemize*}
+
+\subsubsection{Additional settings}
+For each vServer on the Security tab it is possilbe to set the Diffie Hellman length to up to 4096 bits. We recommend to use \textgreater 1024 bits.
+More information about Diffie-Hellman and which curves are recommended can be found in section \ref{section:DH}.
+
+In Advanced: TLS it is possible to set the path to a Diffie Hellman parameters file for 512, 1024, 2048 and 4096 bits.
+
+HSTS can be configured on host-basis in section \emph{vServers} / \emph{Security} / \emph{HTTP Strict Transport Security (HSTS)}:
+\begin{itemize*}
+ \item \emph{Enable HSTS}: Accept
+ \item \emph{HSTS Max-Age}: 15768000
+ \item \emph{Include Subdomains}: depends on your setup
+\end{itemize*}
+
+To redirect HTTP to HTTPS, configure a new rule per Virtual Server in the \emph{Behavior} tab. The rule is \emph{SSL/TLS} combined with a \emph{NOT} operator. As \emph{Handler} define \emph{Redirection} and use \texttt{/(.*)\$} as \emph{Regular Expression} and \emph{https://\$\{host\}/\$1} as \emph{Substitution}.
+
+\configfile{cherokee.conf}{3-4,12-12,17-19,26-32,52-57}{SSL configuration for cherokee}
+
+\subsubsection{References}
+\begin{itemize*}
+ \item Cookbook: SSL, TLS and certificates: \url{http://cherokee-project.com/doc/cookbook_ssl.html}
+ \item Cookbook: Redirecting all traffic from HTTP to HTTPS: \url{http://cherokee-project.com/doc/cookbook_http_to_https.html}
+\end{itemize*}
+
+
+\subsubsection{How to test}
+See appendix \ref{cha:tools}
+
+
+%%----------------------------------------------------------------------
 \subsection{MS IIS}
 \label{sec:ms-iis}
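Review bot: The listing pulled in by `\configfile` (range 52-57 of cherokee.conf) shows `/etc/ssl/certs/ssl-cert-snakeoil.pem` and the matching `.key`, Debian's self-signed placeholder, but the text only says to fill in the correct paths; a sentence next to the `\configfile` line such as `The certificate paths in the listing are Debian's self-signed placeholder and must be replaced by your own certificate and key.` would prevent a copy-and-paste deployment on the snakeoil pair. The highlighted range 26-32 points at the redirect rule, which in the .conf hunk shares index `rule!5` with the `/about` rule, so the excerpt may not show a working redirect until that is fixed. In the redirect paragraph the regular expression is typeset as `\texttt{/(.*)\$}` while the substitution is typeset as `\emph{https://\$\{host\}/\$1}`; both are literal strings and should use `\texttt`. Also `possilbe` in the Additional settings paragraph is a typo, and the same paragraph writes both `Diffie Hellman` and `Diffie-Hellman`.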