Webserver and SSL Setup
The university allows you to get a certificate from the TERENA certification authority free of charge. You can apply for it yourself or, should you need any help, write to unix@fi.muni.cz. Alternatively, you can also use the Let's Encrypt certification authority. Once again, you can contact the authority yourself or have your LE certificate issued via unix@fi.
In addition to introducing HTTPS, please make sure the configuration is reasonably secure. To test your configuration, you may use the following tools:
The best way to obtain a secure configuration is to use the configuration generator available at https://wiki.mozilla.org/Security/Server_Side_TLS. This tool generates configurations based on the latest cryptographic and security recommendations.
We recommend testing your configuration with Qualys (see above). You should aim for a Qualys score of A- or A. However, note that some older clients may not support sufficiently secure ciphers when you are targeting score A.
HTTP Strict Transport Security – HSTS
If you are creating a new website, it is particularly important to redirect HTTP to HTTPS straightaway and to use the HSTS HTTP header, which ensures that browsers will access the website exclusively via HTTPS for some time.
If the Apache webserver is used, the configuration would look as follows:
<VirtualHost fqdn.fi.muni.cz:80>
    ...
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>

<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # the Header directive requires mod_headers to be enabled
    # gradually increase up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600;"
</VirtualHost>

The time period for which browsers remember that HTTPS must be used is determined by max-age. To avoid any potential issues, for existing websites it is recommended that you start with a low value and increase it gradually: for instance, an hour (3600), a day (86400), a week (604800), a month (2592000), until you reach a period of half a year (15552000).
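To check which step of the ramp-up a server is currently on, the header it returns can be parsed and compared against the schedule above. The following is an added example, not part of the original page; the function names and the sample response headers are constructed for illustration.

```python
import re

# Ramp-up schedule from the text: hour, day, week, month, half a year.
RAMP = [3600, 86400, 604800, 2592000, 15552000]

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {directive name (lower-cased): value or None}; raises ValueError
    for a header that a conforming browser would ignore.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # empty directives are legal, e.g. a trailing ";"
            continue
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form: max-age="3600"
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = val if sep else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        raise ValueError("max-age is missing or not a non-negative integer")
    directives["max-age"] = int(age)
    return directives

def next_ramp_step(headers):
    """Return the next max-age to deploy, or None once the target is reached."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in hdrs:
        return RAMP[0]  # no HSTS yet: start with one hour
    current = parse_hsts(hdrs["strict-transport-security"])["max-age"]
    return next((step for step in RAMP if step > current), None)

# Constructed response headers, as an HTTPS virtual host might send them.
SAMPLE = {"Content-Type": "text/html",
          "Strict-Transport-Security": "max-age=3600;"}

if __name__ == "__main__":
    print(parse_hsts(SAMPLE["Strict-Transport-Security"]))
    print("next max-age:", next_ramp_step(SAMPLE))
```

A ValueError from parse_hsts means browsers will not apply the policy at all, which is worth catching before raising max-age further.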
Other security headers
Besides HSTS you can set up other security HTTP headers (e.g.
There are considerable opportunities but we won't dig into the details here.
For an overview of these headers and to test their deployment, you can use the tool at Security Headers.