Webserver and HTTPS settings
You can obtain a free certificate for TLS in several ways:
- from CESNET via TCS (the issuance of which must be approved by the CVT manager),
- from Let's Encrypt with issuance and tracking via unix@fi,
- from Let's Encrypt (or another free CA) entirely on your own.
If you would like help obtaining one, please contact unix@fi.muni.cz.
In addition to implementing HTTPS itself, it is important to verify that the resulting configuration is reasonably secure. For example, Qualys SSL Labs (tests HTTPS only, and the server must be reachable from the Internet) or testssl.sh (a bash script built on OpenSSL that can also be run against internal hosts and against non-HTTP services that use TLS) can be used to test the configuration.
TLS parameters
We recommend using Mozilla's SSL configuration generator, which produces the relevant directives for common web servers and is kept in line with current security recommendations; its "intermediate" profile is the usual choice, while "modern" drops support for older clients entirely.
Test the applied configuration afterwards, for example via Qualys (see above). You should aim for a Qualys score of A- or A. Note that scores starting with A generally require disabling older protocol versions and cipher suites, so check whether any clients you must support (old browsers, embedded devices, scripted clients) would be locked out as a result.
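As an added example (not from the original page), the TLS-related directives of an Apache 2.4 (mod_ssl) configuration roughly matching the Mozilla generator's "intermediate" profile at the time of writing. The certificate paths are placeholders, and the cipher list changes over time, so regenerate it from the generator rather than copying this block.

```apache
# Added example, not the original page's configuration: Apache 2.4 TLS
# settings modelled on the Mozilla "intermediate" profile.
# Certificate/key paths below are placeholders.
<VirtualHost fqdn.fi.muni.cz:443>
    ServerName fqdn.fi.muni.cz
    SSLEngine on
    # Leaf certificate followed by the intermediate CA certificate(s);
    # a missing intermediate is a common cause of a lowered Qualys grade.
    SSLCertificateFile      /etc/ssl/certs/fqdn.fi.muni.cz.fullchain.pem
    SSLCertificateKeyFile   /etc/ssl/private/fqdn.fi.muni.cz.key
    # Enable HTTP/2 where the build supports it.
    Protocols h2 http/1.1
</VirtualHost>

# Server-wide TLS policy (outside any VirtualHost):
# TLS 1.2 and 1.3 only; SSLv3, TLS 1.0 and TLS 1.1 are disabled.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
# AEAD suites with forward secrecy only (applies to TLS 1.2; TLS 1.3
# suites are selected by OpenSSL and not listed here).
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
# Let the client pick among the allowed suites (all are considered strong).
SSLHonorCipherOrder     off
# Session tickets in TLS 1.2 weaken forward secrecy if the ticket key
# is long-lived; disable them.
SSLSessionTickets       off
# OCSP stapling so clients need not contact the CA themselves.
SSLUseStapling          On
SSLStaplingCache        "shmcb:logs/ssl_stapling(32768)"
```

After reloading Apache, verify the result from outside with `testssl.sh fqdn.fi.muni.cz` or by submitting the host to Qualys SSL Labs; both will report any protocol version, cipher suite or chain problem that the directives above were meant to rule out.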
HTTP Strict Transport Security - HSTS
First of all, if you are creating a new website, we recommend setting up redirection from HTTP to HTTPS right away and sending the HSTS header, which tells the browser to access the site only over HTTPS for a given period of time (the browser remembers this between visits).
If using the Apache webserver (with mod_headers enabled), the configuration would be as follows:
<VirtualHost fqdn.fi.muni.cz:80>
...
# Send every plain-HTTP request to the HTTPS site. The HSTS header itself
# is only honoured by browsers when received over HTTPS, so it is not set here.
Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>
<VirtualHost fqdn.fi.muni.cz:443>
...
# gradually increase up to max-age=15552000
Header always set Strict-Transport-Security "max-age=3600"
</VirtualHost>
The period of time (in seconds) that the browser remembers to use HTTPS is determined by the max-age parameter. For existing sites, start with a low value and increase it step by step, for example an hour (3600), a day (86400), a week (604800), a month (2592000), and finally half a year (15552000). The reason for the gradual ramp is that once a browser has cached the policy it refuses plain HTTP to the site, and will not let the user click through certificate errors, until max-age expires; a mistake in the HTTPS setup would therefore lock users out for that long. If you do need to back out, keep serving the header over HTTPS with max-age=0 so that returning browsers drop the cached policy.
Other security headers
In addition to HSTS, other security headers can be set (for example Content-Security-Policy, X-Frame-Options, ...). Their list is longer and will not be described here.
However, you can use the Security Headers tool (https://securityheaders.com/) to review them and test your deployment.
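As an added example (not from the original page), a conservative baseline of the additional headers that the Security Headers tool checks for, set with mod_headers in the HTTPS virtual host. The Content-Security-Policy shown is deliberately strict and is an assumption about a site that serves only its own resources; it must be tailored to the application, otherwise it will block legitimate scripts, styles and images.

```apache
# Added example, not the original page's configuration: baseline security
# headers for an HTTPS VirtualHost. Adjust the CSP to the site's real needs.
<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # Forbid embedding the site in frames on other origins (clickjacking).
    # frame-ancestors in the CSP below does the same for newer browsers.
    Header always set X-Frame-Options "DENY"
    # Stop browsers from MIME-sniffing responses into another content type.
    Header always set X-Content-Type-Options "nosniff"
    # Send the full URL only to same-origin requests, origin only elsewhere.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Only load resources from this origin; no plugins; no framing;
    # no injected <base> tags. Tighten or relax per application.
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'"
</VirtualHost>
```

When introducing a Content-Security-Policy on an existing site, start with the Content-Security-Policy-Report-Only header, which reports violations without enforcing the policy, and switch to the enforcing header once the reports are clean.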