1# Instructions to run (on Linux) to reproduce test results:
2#
3# 1) copy civetweb executable here (examples/https directory)
4# 2) sudo ./civetweb
5#
6# Instructions to adapt to your own server:
7#
8# 1) generate your own server cert
9# 2) generate at least one backup server cert
10#    in case you want a self signed cert, you can use the script
11#    in resources/cert for both steps
12# 3) copy the content of the *.pin files into the Public-Key-Pins
13#    header config (the base64 encoded certificate hash)
14# 4) set the document root, and all other required http server settings
15# 5) Run the tests from the three websites below. They will tell you
16#    also what clients are compatible with your settings. The settings
17#    here are very strict and lock out most older clients/browsers.
18#    You will find some hints for fine tuning there as well.
19# 6) If you know all your clients, and give them client certificates in
20#    advance, you can significantly improve security by setting
21#    "ssl_verify_peer" to "yes" and specifying a client cert (directory)
22#    using "ssl_ca_file/path". This will lock out all clients without a
23#    proper certificate. Don't use it for your public home page, but
24#    consider it for your private remote access server.
25# 7) run civetweb, like above - or better create your own start script
26# You are welcome to share your thoughts and experience on GitHub
27# (or Google groups) - see README.md in CivetWeb main directory
28
29# Don't run as super user, switch back to a regular user
30run_as_user user
31
32# The standard HTTP port 80 should redirect to the standard HTTPS port 443
33listening_ports 80r,443s
34
35# Don't forget to set the document root and domain
36#document_root tdb
37#authentication_domain mydomain.com
38
39# Set the a certificate
40ssl_certificate ../../resources/cert/server.pem
41
42# Require a client cert for your private server (see above)
43#ssl_verify_peer yes
44#ssl_ca_file ../../resources/cert/client.pem
45
46# Enforce TLS1.2 and some strong cipher(s)
47ssl_protocol_version 4
48ssl_cipher_list ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS
49
50# Tell all browsers to access this site only as HTTPS for the next 180 days
51strict_transport_security_max_age 15552000
52
53# Set some HTTP security header, see https://securityheaders.io
54additional_header Content-Security-Policy: script-src 'self'
55additional_header X-Frame-Options: SAMEORIGIN
56additional_header X-Xss-Protection: 1; mode=block
57additional_header X-Content-Type-Options: nosniff
58additional_header Referrer-Policy: same-origin
59additional_header Public-Key-Pins: pin-sha256="uz1UTAPen+xb+UoQqkVlEx4H653LbMjfRJcZx5OrjbI="; pin-sha256="pf3px1MBPmlTGAPoiHWqaSJ9L9Z+DKfwgsU7LfLnmsk="; max-age=7776000
60#additional_header Expect-CT: max-age=86400,report-uri="https://mydomain.com/report"
61
62
63# Ratings from 2017-09-03 (tests performed later may require more
64# strict security settings)
65#
66# Headers rated A+ from https://securityheaders.io/
67#
68# SSL rated B from https://www.htbridge.com/ssl when using a self signed
69# certificate, but no other weaknesses for modern browsers.
70# Site remarks some older TLS versions and some weaker ciphers are not
71# supported (but that's accessibility, not security).
72#
73# HTTPS rated A+ from https://www.htbridge.com/websec/ when using a self
74# signed certificate, generated with make_certs.sh in resources/cert/
75# and adding the server.pin and server_bkup.pin content into the
76# Public-Key-Pins header above.
77#
78# A rating of "T / If trust issues are ignored: A" (ignoring self-signed cert)
79# from https://www.ssllabs.com/ssltest/, https://www.qualys.com/forms/freescan/
80# (Note: this test is runs with reverse DNS name, while all others use the
81# IP address).
82#
83# Note: This settings are very strict and prevent some older but still common
84# versions of major browsers to access this site. The test web sites will give
85# you an overview. Test, before you use this settings.
86
87