Machine-translated page (DeepL), provided so that English-speaking readers can use it.

Webserver and HTTPS settings

You can obtain a free TLS certificate in several ways:

If you would like help obtaining one, please contact unix@fi.muni.cz.

In addition to enabling HTTPS itself, it is important to verify that the configuration is reasonably secure. You can test it, for example, with the Qualys SSL Labs server test (it only tests sites reachable over HTTPS from the internet) or with testssl.sh (a bash script built on OpenSSL that you can also run locally, including against internal hosts).

TLS parameters

We recommend using Mozilla's SSL Configuration Generator, which produces a server configuration that follows current security recommendations (its "intermediate" profile is the usual choice; "modern" drops older clients, "old" keeps them at the cost of weaker settings).

We recommend testing the applied configuration, for example via Qualys (see above). Aim for a Qualys grade of A- or A. Note that the stricter the configuration (which the higher grades require), the greater the risk that some older clients will not support the required protocol versions and ciphers, so check who your users are before you lock them out.
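As an added example (not code from the original page, nor from Mozilla or Qualys), the script below does the quickest local version of the check described above: it attempts one handshake per TLS version against a server and reports which versions are accepted and which cipher is negotiated, then grades the result. It uses only the Python standard library; the default hostname is an assumption, pass your own as the first argument.

```python
"""Probe which TLS protocol versions a server accepts and what it negotiates.

Added example for this page (not the page's or Mozilla's own code); it uses only
the Python standard library. The default hostname is an assumption, pass your own.
"""
import socket
import ssl
import sys

# Versions to try, oldest first. TLS 1.0 and 1.1 are deprecated (RFC 8996);
# a hardened server should refuse them.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
WEAK = {"TLSv1.0", "TLSv1.1"}


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly one protocol version.

    Returns the negotiated cipher name, or None when the handshake fails.
    Caveat: None can also mean that the local OpenSSL build refuses to speak
    that version at all, so a "refused" TLS 1.0/1.1 is only good news if the
    same OpenSSL can still negotiate it elsewhere (testssl.sh is more thorough).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Only the protocol version matters here, not the certificate chain,
    # so verification is disabled for the probe (never do this in real clients).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def scan(host, port=443):
    """Return {version name: negotiated cipher or None} for every version."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS}


def evaluate(results):
    """Turn scan() results into findings. Pure function, so it is testable offline."""
    accepted = [name for name, cipher in results.items() if cipher]
    if not accepted:
        return ["FAIL: no TLS version could be negotiated "
                "(wrong host/port, or local OpenSSL refuses them all)"]
    findings = []
    for name in accepted:
        if name in WEAK:
            findings.append(f"FAIL: server accepts deprecated {name}")
        elif name == "TLSv1.2" and not results[name].startswith(("ECDHE-", "DHE-")):
            # Static RSA key exchange gives no forward secrecy; since the client
            # offered ECDHE suites first, the server chose to rank this one higher.
            findings.append(f"WARN: TLS 1.2 negotiated {results[name]} "
                            "without forward secrecy")
    if "TLSv1.3" not in accepted:
        findings.append("WARN: TLS 1.3 not offered")
    return findings or ["OK: only TLS 1.2 and 1.3 are accepted"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "fqdn.fi.muni.cz"  # assumed host
    res = scan(target)
    for name, cipher in res.items():
        print(f"{name:8} {'accepted, ' + cipher if cipher else 'refused'}")
    for line in evaluate(res):
        print(line)
```

Run it as `python3 tlsprobe.py www.example.org`. It answers the one question the grade depends on most (are TLS 1.0/1.1 still accepted, is forward secrecy preferred), but it only sees the cipher the server picks for one ClientHello; a full cipher-by-cipher enumeration, certificate chain check and vulnerability tests are what testssl.sh and Qualys add on top.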

HTTP Strict Transport Security - HSTS

First of all, if you are setting up a new website, we recommend redirecting HTTP to HTTPS right away and sending the HSTS header (Strict-Transport-Security). It tells the browser to access the site only over HTTPS for a period that the browser remembers (max-age): during that time the browser rewrites http:// links to the site to https:// itself and will not let the user click through a certificate error.

If using the Apache webserver, the configuration would be as follows:

<VirtualHost fqdn.fi.muni.cz:80>
    ...
    # permanent (301) redirect of every plain-HTTP request to the HTTPS site
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>

<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # requires mod_headers; "always" adds the header to error responses as well
    # set a low max-age first and then, over time, increase it up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600"
</VirtualHost>

The period for which the browser remembers to use HTTPS is set by the max-age parameter (in seconds). For an existing site, start with a low value and increase it gradually, e.g. an hour (3600), a day (86400), a week (604800), a month (2592000), ending at half a year (15552000), so that any problem (a page or resource that still works only over HTTP, a certificate that is not valid for every name the site is reached by) shows up while browsers have only committed to HTTPS for a short time. Once a long max-age has been served, every browser that received it refuses plain HTTP to the site for that long; the only way to shorten the commitment is to serve a smaller max-age (or max-age=0), which takes effect per browser on its next successful HTTPS visit.
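To verify the two things this section asks for, the redirect and the header, the following added example (not code from the original page) fetches `/` over plain HTTP and over HTTPS, judges the redirect, parses the Strict-Transport-Security value the way a browser does and reports where the site stands on the max-age ramp above. It uses only the Python standard library; the default hostname is an assumption, pass your own as the first argument.

```python
"""Check an HTTP->HTTPS redirect and the HSTS header a site serves.

Added example for this page (not the page's own code); standard library only.
The default hostname is an assumption, pass your own as the first argument.
"""
import http.client
import sys

# The ramp from the text: hour, day, week, month, half a year (seconds).
RAMP = [3600, 86400, 604800, 2592000, 15552000]
TARGET_MAX_AGE = RAMP[-1]


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directives are ';'-separated, names are case-insensitive, max-age is
    mandatory and must be a non-negative integer, and no directive may appear
    twice. Anything else is invalid and browsers ignore the whole header, so an
    invalid value returns {} to make the caller treat it as absent.
    """
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue            # a trailing ';' is permitted by the grammar
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in policy:
            return {}
        policy[name] = val.strip().strip('"')
    if not policy.get("max-age", "").isdigit():
        return {}
    policy["max-age"] = int(policy["max-age"])
    return policy


def next_ramp_step(current):
    """The next max-age to deploy, or None once the target is reached."""
    return next((step for step in RAMP if step > current), None)


def evaluate_hsts(value):
    """Findings for the header value of the HTTPS response (None = no header)."""
    if value is None:
        return ["FAIL: HTTPS response carries no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if not policy:
        return [f"FAIL: unparsable HSTS header, browsers will ignore it: {value!r}"]
    age = policy["max-age"]
    if age == 0:
        findings = ["WARN: max-age=0 tells browsers to forget the policy"]
    elif age < TARGET_MAX_AGE:
        findings = [f"INFO: max-age={age} is below the target {TARGET_MAX_AGE}; "
                    f"next ramp step is {next_ramp_step(age)}"]
    else:
        findings = [f"OK: max-age={age}"]
    if "includesubdomains" in policy:
        findings.append("NOTE: includeSubDomains is set; every subdomain must "
                        "serve valid HTTPS for that long")
    return findings


def check_redirect(status, location, host):
    """Judge the response the plain-HTTP virtual host gave for /."""
    if status in (301, 308):
        if location and location.startswith(f"https://{host}"):
            return f"OK: HTTP {status} redirect to {location}"
        return f"FAIL: permanent redirect points to {location!r}, not https://{host}/"
    if status in (302, 303, 307):
        return f"WARN: temporary redirect ({status}); use 301 or 308 so browsers cache it"
    return f"FAIL: HTTP {status} response with no redirect to HTTPS"


def fetch(host, https):
    """HEAD / over HTTP or HTTPS; returns (status, headers). HTTPS verifies the cert."""
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.headers   # case-insensitive mapping
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "fqdn.fi.muni.cz"  # assumed host
    status, headers = fetch(target, https=False)
    print(check_redirect(status, headers.get("Location"), target))
    status, headers = fetch(target, https=True)
    for line in evaluate_hsts(headers.get("Strict-Transport-Security")):
        print(line)
```

Two design points: the HTTPS fetch deliberately keeps certificate verification on, because an HSTS site whose certificate does not validate is exactly the case the header turns into a hard failure for users; and the parser returns an empty policy for a duplicated or non-numeric max-age, mirroring the browser behaviour that a malformed header is simply ignored, which is easy to miss when the header looks present in the response.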

Other security headers

In addition to HSTS, other security headers can be set (for example Content-Security-Policy, X-Frame-Options, ...). The list is long and is not covered here.

You can, however, use the Security Headers tool to review what your site sends and test your deployment.