Here is the Puppet config for my web server. It consists of several parts; first the web server in general:
class blue_web_srv::srv {
  # Puppet class and module names may not contain hyphens, so the module is
  # named blue_web_srv here rather than blue-web-srv.
  class { 'apache':
    server_tokens    => 'Prod',
    server_signature => 'EMail',
    trace_enable     => 'off',
    mpm_module       => 'prefork',   # mod_php needs the prefork MPM
  }
  apache::listen { '80': }
  apache::listen { '443': }
  class { 'apache::mod::ssl':
    # forward-secret AEAD suites first; SSLv2/v3, TLS 1.0 and TLS 1.1 disabled
    ssl_cipher           => 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
    ssl_protocol         => [ 'all', '-SSLv2', '-SSLv3', '-TLSv1', '-TLSv1.1' ],
    ssl_compression      => false,   # no TLS compression (CRIME)
    ssl_honorcipherorder => true,    # server picks from the list above
    ssl_stapling         => true,
  }
  class { 'apache::mod::rewrite': }
  class { 'apache::mod::headers': }
  class { 'apache::mod::php': }
}
then the config for the VHost:
class blue_web_srv::sebastianhaeutlede {
  $domain = 'sebastian-haeutle.de'
  $alias  = [ 'www.haeutleit.de', 'haeutleit.de', 'www.sebastian-haeutle.de', 'www.sebastian-haeutle.com', 'sebastian-haeutle.com', 'www.sebastianhaeutle.de', 'sebastianhaeutle.de' ]

  file { "/opt/myssl/${domain}":
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { "/opt/myssl/${domain}/request.cnf":
    ensure  => file,
    content => template('blue_web_srv/request.cnf.erb'),
  }

  # plain-HTTP vhost: its only job is the permanent redirect to HTTPS
  apache::vhost { "${domain}_non-ssl":
    servername      => $domain,
    serveraliases   => $alias,
    serveradmin     => 'root@haeutle-it.de',
    port            => '80',
    ip_based        => true,
    docroot         => "/var/httpd/${domain}",
    docroot_owner   => 'www-data',
    docroot_group   => 'www-data',
    redirect_status => 'permanent',
    # no redirect_dest is set, so the rewrite below does the actual redirect
    rewrite_cond    => '%{HTTPS} off',
    rewrite_rule    => '(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]',
  }

  apache::vhost { "${domain}_ssl":
    servername                 => $domain,
    serveraliases              => $alias,
    serveradmin                => 'root@haeutle-it.de',
    port                       => '443',
    ip_based                   => true,
    docroot                    => "/var/httpd/${domain}",
    docroot_owner              => 'www-data',
    docroot_group              => 'www-data',
    ssl                        => true,
    ssl_cert                   => '/opt/myssl/fullchain.pem',
    ssl_key                    => '/opt/myssl/privkey.pem',
    ssl_openssl_conf_cmd       => 'DHParameters "/opt/myssl/dhparam.pem"',
    ssl_stapling_timeout       => '5',
    ssl_stapling_return_errors => false,
    directories                => [
      # path must match the docroot above (the original had /var/www/...,
      # so AllowOverride never applied to the real document root)
      { path           => "/var/httpd/${domain}",
        allow_override => ['all'],
      },
    ],
    headers                    => [
      # HSTS for one year, covering subdomains (no colon after the header name)
      'always set Strict-Transport-Security "max-age=31536001; includeSubDomains"',
      'always set X-Content-Type-Options nosniff',
      # tag every cookie PHP sets with HttpOnly and Secure
      'edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure',
      'set X-XSS-Protection "1; mode=block"',
      'append X-Frame-Options "SAMEORIGIN"',
      # legacy header name: current browsers only honour Content-Security-Policy
      'set X-Content-Security-Policy "default-src https:"',
      # HPKP is deprecated by browsers; a wrong pin locks visitors out for max-age
      'set Public-Key-Pins "pin-sha256=\"XXXXX=\"; max-age=100800; includeSubDomains"',
    ],
  }
}
and finally a database for MySQL.
This setup is enough for an A+ rating on SSL Labs and at least a B rating at observatory.mozilla.org
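To check offline whether a response actually carries the hardening headers the vhost above sets, here is an added example (my own, not part of the post or the puppetlabs-apache module) that audits a header list against those points; the sample headers are constructed to mirror the vhost's directives, with the pin left as the same placeholder.

```python
"""Added example: audit a set of response headers against the vhost's hardening goals."""
import re

# Constructed sample modelled on the vhost's Header directives (not a live capture).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536001; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Security-Policy", "default-src https:"),
    ("Public-Key-Pins", 'pin-sha256="XXXXX="; max-age=100800; includeSubDomains'),
    ("Set-Cookie", "PHPSESSID=abc123; path=/;HttpOnly;Secure"),
]

ONE_YEAR = 31536000


def audit_headers(headers):
    """Return {check: (passed, description)} for a list of (name, value) pairs."""
    h = {}
    for name, value in headers:  # header names are case-insensitive, may repeat
        h.setdefault(name.lower(), []).append(value)
    results = {}

    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts)
    hsts_ok = bool(m) and int(m.group(1)) >= ONE_YEAR and "includesubdomains" in hsts.lower()
    results["hsts"] = (hsts_ok, "HSTS with max-age >= 1 year and includeSubDomains")

    nosniff = h.get("x-content-type-options", [""])[0].strip().lower() == "nosniff"
    results["nosniff"] = (nosniff, "X-Content-Type-Options: nosniff")

    xfo = h.get("x-frame-options", [""])[0].strip().upper()
    results["frame_options"] = (xfo in ("DENY", "SAMEORIGIN"), "X-Frame-Options DENY or SAMEORIGIN")

    # Browsers only honour the standard name; the X- prefixed header is legacy.
    results["csp"] = ("content-security-policy" in h, "standard Content-Security-Policy present")
    results["legacy_csp"] = ("x-content-security-policy" not in h, "no legacy X-Content-Security-Policy")

    # HPKP is deprecated; a bad pin locks clients out for max-age seconds.
    results["no_hpkp"] = ("public-key-pins" not in h, "no Public-Key-Pins header")

    cookies = h.get("set-cookie", [])
    flags_ok = all("httponly" in c.lower() and "secure" in c.lower() for c in cookies)
    results["cookie_flags"] = (flags_ok, "every Set-Cookie carries HttpOnly and Secure")
    return results


def failed_checks(headers):
    """Sorted names of the checks that did not pass."""
    return sorted(k for k, (ok, _) in audit_headers(headers).items() if not ok)
```

Feed it the headers of a real response (for example parsed from `curl -sI`) to see which of the Observatory-style points still fail.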