It seems like I've been undergoing a lot of security audits recently, and though they can sometimes feel like a colonoscopy with people going through all my code and questioning everything, it's also a great opportunity to become a better developer. One of the easiest ways to increase security for your server is to optimize your SSL (Secure Sockets Layer; the protocol versions you actually want to be speaking are TLS, but the old name has stuck). To give credit where credit is due, I took a lot of the suggestions from Laravel News, but this tutorial will be more generic in that you don't need to be using Laravel or Forge to optimize your SSL. I'll also try to be very specific in what exactly I did to optimize my own sites. This tutorial assumes you're using Ubuntu Server 14.04 LTS with Apache2.
Head over to Qualys SSL Labs Server Test. This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. This will give you a good indication of how your server has been doing so far.
Apache SSL Config
Open /etc/apache2/mods-available/ssl.conf and paste the following just inside the closing tag of the file:

# Added by JJ to mitigate RC4 in TLS
# Allow every protocol version Apache knows except SSLv2 and SSLv3
SSLProtocol all -SSLv3 -SSLv2
# TLS-level compression is what the CRIME attack exploits
SSLCompression off
# Use the server's preference order below, not the client's
SSLHonorCipherOrder on
# Prefer ephemeral ECDH with AES-GCM; the trailing exclusions are permanent
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

A note on the cipher string: the two RC4 entries in the middle (EECDH+aRSA+RC4 and RC4) are left over from an older list that still allowed RC4 as a fallback. They are harmless here because an OpenSSL "!" exclusion removes a cipher permanently no matter where it appears in the list, so the trailing !RC4 wins and RC4 is never offered. You can delete those two entries for clarity; the result is identical.
You should also make sure that there aren't any duplicate entries for each setting. For example, your ssl.conf almost certainly already has an SSLProtocol line. Comment out any pre-existing copies by putting a # sign in front of them so the block you just pasted is the one Apache actually uses. When the same directive appears twice in one scope the later one silently wins, so a forgotten duplicate is easy to miss and painful to debug.
Individual Apache Conf Files
In each of your Apache site conf files (for example /etc/apache2/sites-available/bakerstreetsystems.com.conf), if they have SSL config (which most sites should have nowadays), put this inside the <VirtualHost *:443> block:

# Guarantee HTTPS for 2 Years including Sub Domains
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

Three things to check before you paste this. First, the Header directive comes from mod_headers; if that module isn't enabled Apache will refuse to start with "Invalid command 'Header'". Second, keep the header in the :443 vhost only; browsers ignore Strict-Transport-Security received over plain HTTP, so adding it to the port 80 vhost buys nothing. Third, read the directive before you commit to it: includeSubdomains forces every subdomain of the site, including internal or staging hosts you may not serve over TLS, to HTTPS in visitors' browsers for two years, and preload signals that you intend to submit the domain to the browser preload list, from which removal is slow. If you're not certain every subdomain is ready, start with a shorter max-age and without preload, then raise it once you've verified nothing broke.
Once you've implemented these changes, you'll need to restart Apache. From the command line, type:
sudo service apache2 restart
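Before restarting, it helps to know whether the fragment you pasted actually does what the comments claim. The script below is an added example, not code from the original post: it parses a constructed copy of the ssl.conf block above (with a leftover SSLProtocol line left uncommented, the mistake described earlier), flags duplicates, expands the cipher string through whatever OpenSSL the local Python ssl module is linked against to prove that the trailing !RC4 really removes the RC4 entries, and checks the HSTS header against the hstspreload.org rules (max-age of at least one year plus includeSubDomains and preload). The sample configs, the example.com ServerName and the hostname-free vhost are constructed for the example; run it on the server itself if you want the cipher expansion to reflect that machine's OpenSSL rather than your workstation's.

```python
"""Offline audit of the mod_ssl and HSTS settings from this post.

Added example, not code from the original post. Sample configs below are
constructed; the cipher expansion uses the local OpenSSL via the ssl module.
"""
import re
import ssl

# Constructed: the post's ssl.conf block, plus a leftover default-style
# SSLProtocol line that was never commented out (the duplicate to catch).
SAMPLE_SSL_CONF = """
<IfModule mod_ssl.c>
SSLProtocol all -SSLv2
# Added by JJ to mitigate RC4 in TLS
SSLProtocol all -SSLv3 -SSLv2
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
</IfModule>
"""

# Constructed: the same file after the leftover line is commented out.
FIXED_SSL_CONF = SAMPLE_SSL_CONF.replace("\nSSLProtocol all -SSLv2\n",
                                         "\n#SSLProtocol all -SSLv2\n")

# Constructed: a minimal :443 vhost carrying the post's HSTS header.
SAMPLE_VHOST_CONF = """
<VirtualHost *:443>
    ServerName example.com
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>
"""

DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(.*?)\s*$", re.MULTILINE)
HSTS_RE = re.compile(
    r'Header\s+always\s+set\s+Strict-Transport-Security\s+"([^"]*)"', re.IGNORECASE)
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL")  # substrings of OpenSSL suite names
PRELOAD_MIN_AGE = 31536000                    # one year, the hstspreload.org minimum


def parse_directives(conf):
    """Map each uncommented SSL* directive to the values seen for it, in file order."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(value.strip('"'))
    return found


def duplicate_directives(conf):
    """Directives that appear more than once; Apache silently keeps the last."""
    return sorted(n for n, v in parse_directives(conf).items() if len(v) > 1)


def expand_ciphers(cipher_string):
    """Suite names the local OpenSSL selects for the string, in the order
    SSLHonorCipherOrder enforces (OpenSSL 1.1.1+ also lists TLS 1.3 suites)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit_ssl_conf(conf):
    """Return human-readable findings; an empty list means the fragment is clean."""
    d = parse_directives(conf)
    findings = [f"duplicate {n}: the last one wins, comment out the rest"
                for n in duplicate_directives(conf)]
    last = lambda name: d.get(name, [""])[-1]  # value Apache would end up with
    proto = last("SSLProtocol").split()
    for old in ("SSLv2", "SSLv3"):
        if "-" + old not in proto:
            findings.append(f"{old} not disabled in SSLProtocol")
    if last("SSLHonorCipherOrder").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if last("SSLCompression").lower() != "off":
        findings.append("SSLCompression is not off (CRIME)")
    if not last("SSLCipherSuite"):
        findings.append("SSLCipherSuite not set")
    else:
        weak = [s for s in expand_ciphers(last("SSLCipherSuite"))
                if any(m in s for m in WEAK_MARKERS)]
        if weak:
            findings.append("weak suites still selected: " + ", ".join(weak))
    return findings


def parse_hsts(vhost_conf):
    """HSTS directive tokens as a dict (names lower-cased; RFC 6797 makes them
    case-insensitive), or None if the vhost sets no such header."""
    m = HSTS_RE.search(vhost_conf)
    if not m:
        return None
    tokens = {}
    for part in m.group(1).split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tokens[key.lower()] = value.strip()
    return tokens


def hsts_preload_ready(vhost_conf):
    """True if the header meets the hstspreload.org submission rules."""
    t = parse_hsts(vhost_conf)
    if t is None or not t.get("max-age", "").isdigit():
        return False
    return (int(t["max-age"]) >= PRELOAD_MIN_AGE
            and "includesubdomains" in t and "preload" in t)


if __name__ == "__main__":
    for label, conf in (("as pasted", SAMPLE_SSL_CONF), ("after cleanup", FIXED_SSL_CONF)):
        print(f"{label}: {audit_ssl_conf(conf) or 'clean'}")
    print("suites offered:", expand_ciphers(parse_directives(FIXED_SSL_CONF)["SSLCipherSuite"][0]))
    print("HSTS preload-ready:", hsts_preload_ready(SAMPLE_VHOST_CONF))
```

Point the two SAMPLE_* strings at the real files (open() them instead of the constructed text) and the same functions audit your live config. The expanded suite list is the useful part: it shows, for the OpenSSL build you run it on, that nothing containing RC4, DES, MD5 or NULL survives despite the two RC4 entries in the string. Whatever the audit says, run sudo apachectl configtest before sudo service apache2 restart; a typo in ssl.conf takes every site on the box down, and configtest catches it while the old process is still serving.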
Test Your Settings
Of course, you should test your website to make sure it's still up and running by loading it up in your web browser. Then head back over to Qualys SSL Labs Server Test and run the SSL test again to see your score. If there is something else that needs to be fixed, it'll tell you. But these simple settings, along with a few others that were mentioned in my specific report from Qualys, changed my SSL grade from B- to an A+.