
This page is machine-translated to make it accessible to English-speaking readers.

Webserver and SSL settings

The university allows you to obtain a free certificate from the TERENA certification authority. You can apply for it yourself, or if you would like help getting one, contact unix@fi.muni.cz. Alternatively, you can use the Let's Encrypt certification authority, either on your own or by having LE certificates issued via unix@fi.

In addition to deploying HTTPS itself, it is important to verify that the configuration is reasonably secure. The following tools can be used to test it:

SSL parameters

The best approach is to use the configuration generator available at https://wiki.mozilla.org/Security/Server_Side_TLS and let it produce a configuration that follows current cryptographic and security recommendations.

It is recommended to test the applied configuration with Qualys (see above). Aim for a Qualys score of A- or A. For scores starting with A, however, consider the risk that some older clients may not support sufficiently new and secure ciphers.

HTTP Strict Transport Security (HSTS)

Especially if you are creating a new site, we recommend setting up a redirect from HTTP to HTTPS straight away and using the HSTS header so that the browser accesses the site only over HTTPS for a specified period of time.

If the Apache web server is used, the configuration looks as follows:

<VirtualHost fqdn.fi.muni.cz:80>
    ...
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>

<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # HSTS is sent only over HTTPS (browsers ignore it on plain HTTP); requires mod_headers
    # gradually increase up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600;"
</VirtualHost>

How long the browser remembers that it must use HTTPS is determined by the max-age parameter. For existing sites, because of possible problems, it is a good idea to start with a low value and increase it gradually: an hour (3600), a day (86400), a week (604800), a month (2592000), ending at six months (15552000).
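As an added example (not part of the original page), an offline checker for the redirect and HSTS ramp described above: it validates a Strict-Transport-Security value the way a browser would, checks that the HTTP response redirects to the HTTPS origin, and reports the next ramp step; the host name and header values are constructed test inputs.

```python
import re
from urllib.parse import urlparse

# Ramp recommended in the text: hour, day, week, month, six months.
HSTS_RAMP = [3600, 86400, 604800, 2592000, 15552000]

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}. Directives are
    ';'-separated and case-insensitive; an empty directive (the trailing ';' in the Apache
    example) is allowed by RFC 6797. Returns None when max-age is missing or non-numeric or
    a directive repeats, because browsers then ignore the whole header."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # repeated directive makes the header invalid
            return None
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def next_max_age(current):
    """Next value on the ramp after `current`, or the final value once it is reached."""
    return next((step for step in HSTS_RAMP if step > current), HSTS_RAMP[-1])

def check_site(host, http_status, http_headers, https_headers):
    """Findings for one site's redirect + HSTS deployment; an empty list means it matches the text."""
    http_headers = {k.lower(): v for k, v in http_headers.items()}
    https_headers = {k.lower(): v for k, v in https_headers.items()}
    findings = []
    if http_status not in (301, 308):
        findings.append(f"HTTP answered {http_status}; 'Redirect permanent' should give 301")
    location = http_headers.get("location", "")
    target = urlparse(location)
    if target.scheme != "https" or target.hostname != host:
        findings.append(f"redirect target {location!r} is not https://{host}/")
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        return findings + ["HTTPS response carries no Strict-Transport-Security header"]
    parsed = parse_hsts(hsts)
    if parsed is None:
        return findings + [f"invalid HSTS value {hsts!r}; browsers ignore it"]
    if parsed["max-age"] < HSTS_RAMP[-1]:
        findings.append(f"max-age={parsed['max-age']} is below the six-month target; next ramp step is {next_max_age(parsed['max-age'])}")
    return findings
```

Feeding it the headers produced by the Apache example (a 301 to https://fqdn.fi.muni.cz/ and "max-age=3600;") yields a single finding naming 86400 as the next step; once max-age reaches 15552000 the list is empty.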

Other security headers

In addition to HSTS, other security headers can be set (for example Content-Security-Policy, X-Frame-Options, ...). The list is longer and we will not describe them here.

You can, however, use the Security Headers tool to review and test your deployment.