https://wiki.mozilla.org/Security/Server_Side_TLS // Mozilla has a new tool for generating secure SSL configurations for your web server
all is in title
h5ai makes browsing directories on HTTP web servers more pleasant. Directory listings get styled in a modern way and browsing through the directories is enhanced by different views, a breadcrumb and a tree overview. Initially h5ai was an acronym for HTML5 Apache Index but now it supports other web servers too.
Configuring SSL/TLS for each service
To configure SSL/TLS on your server, you need to understand that the certificate is exchanged with other machines: those may be other servers (mail servers talking SMTP with TLS, or Jabber servers using encrypted S2S connections) or clients (POP/IMAP mail clients, or HTTPS clients using SSL/TLS). When a client connects to your server it does so using a fully qualified hostname (FQDN), and that hostname MUST match the CN field of your certificate. Note that modern clients check the subjectAltName extension first and ignore the CN when any DNS name is present there, so every service hostname should also be listed in the SAN; a wildcard such as *.example.org covers one label only and does not cover example.org itself.
-DNS, reverse DNS and MX configuration
-Postfix SMTP/SMTPD: the hostname the MX record points to must match the certificate CN
-JABBER: the hostnames in the A or SRV records must match the certificate CN
-APACHE: the HTTPS vhost names must match the certificate CN
-COURIER: IMAP and POP SSL/TLS configuration
-CYRUS: IMAP and POP SSL/TLS configuration
-PROFTPD: configuration
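The hostname rule above (the name the client connects to must be covered by the certificate, with the CN only consulted when there is no DNS subjectAltName) is easy to get wrong for mail and XMPP, where the name that matters is the MX or SRV target rather than the domain itself. The following added example, which is not part of the original documentation, implements that check over certificates given in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the certificates, the example.org zone and the service names are constructed for illustration.

```python
"""Does the name a client connects to match the server certificate?

Added example for this page; not part of the original documentation.
Certificates use the dict shape returned by ssl.SSLSocket.getpeercert();
the certificates, zone and service names below are constructed samples.
"""


def _dns_names(cert):
    """subjectAltName dNSName entries: the names modern clients actually check."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_name(cert):
    """The subject CN, consulted only as a fallback when there is no DNS SAN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _pattern_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.

    A wildcard is accepted only as the entire leftmost label of a name with
    at least two more labels ('*.example.org', never '*.org' or 'm*.example.org'),
    and it matches exactly one label, so '*.example.org' covers neither
    'example.org' nor 'a.b.example.org'. This is the rule browsers enforce.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or "*" in pattern[1:]:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate covers hostname.

    If the certificate carries any DNS subjectAltName the CN is ignored, as
    browsers and current mail/XMPP clients do; a CN-only certificate is only
    honoured by legacy clients, so new certificates should list every service
    hostname in the SAN.
    """
    names = _dns_names(cert)
    if names:
        return any(_pattern_matches(name, hostname) for name in names)
    cn = _common_name(cert)
    return cn is not None and _pattern_matches(cn, hostname)


def check_service_names(cert, connect_names):
    """Map each service to whether the name its clients connect to is covered.

    The name that matters is the one the client resolves and then verifies:
    the MX target for SMTP, the SRV (or A) target for XMPP, the vhost name
    for HTTPS. The bare mail domain only matters if a client connects to it.
    """
    return {service: hostname_matches(cert, name) for service, name in connect_names.items()}


# Constructed sample certificates, shaped like ssl.getpeercert() output.
SAN_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.org"),),)}

# Constructed: the hostnames that the DNS records of example.org hand to clients.
SERVICE_NAMES = {
    "smtp (MX target)": "mail.example.org",
    "xmpp (SRV target)": "xmpp.example.org",
    "https vhost": "www.example.org",
    "https vhost, bare domain": "example.org",  # not covered by '*.example.org'
}

if __name__ == "__main__":
    for service, ok in check_service_names(SAN_CERT, SERVICE_NAMES).items():
        print(f"{service:26} {'ok' if ok else 'MISMATCH'}")
```

Running it shows the bare domain as the one mismatch: the wildcard SAN does not cover example.org, so an HTTPS vhost for the bare domain needs its own SAN entry, while the MX target, the SRV target and www.example.org are all covered.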
Introduction
Sovereign is a set of Ansible playbooks that you can use to build and maintain your own personal cloud (I know I know). It’s based entirely on open source software, so you’re in control.
If you’ve never used Ansible before, you a) are in for a treat and b) might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
Background/Motivations
I had been a paying Google Apps customer for personal and corporate use since the service was in beta. Until several weeks ago, that is. I was about to set up another Google Apps account for a new project when I stopped to consider what I would be funding with my USD $50 per user per year:
A seriously questionable privacy track record.
A dwindling commitment to open standards.
A lack of long-term commitment to products.
Development of Google+: a cynical and unimaginative Facebook ripoff that’s intruding into progressively more Google products.
To each her/his own, but personally I saw little reason to continue participating in the Google ecosystem. It had been years since I last ran my own server for email and such, but it’s only gotten cheaper and easier to do so. Plus, none of the commercial alternatives I looked at provided all the services I was looking for.
Rather than writing up a long and hard-to-follow set of instructions, I decided to share my server setup in a format that you can more or less just clone, configure, and run. Ansible seemed like the most appropriate way to do that: it’s simple, straightforward, and easy to pick up.
I’ve been using this setup for about a month now and it’s been great. It’s also replaced a couple of non-Google services I used, saving me money and making me feel like I’ve got a little more privacy.
The backbone of this was inspired by this post by Drew Crawford. Unlike him, my goal is not “NSA-proofing” my email, just providing a reasonable alternative to Google Apps that isn’t wildly insecure. My view is that if the NSA or any other motivated party really wants to pwn me, they’re gonna, simple as that, no matter where I host my email.
Services Provided
What do you get if you point this thing at a VPS? All kinds of good stuff!
IMAP over SSL via Dovecot, complete with full text search provided by Solr.
SMTP over SSL via Postfix, including a nice set of DNSBLs to discard spam before it ever hits your filters.
Virtual domains for your email, backed by MySQL.
Secure on-disk storage for email and more via EncFS.
Spam fighting via DSPAM and Postgrey.
Mail server verification via OpenDKIM, so folks know you’re legit.
CalDAV and CardDAV to keep your calendars and contacts in sync, via ownCloud.
Your own private Dropbox, also via ownCloud.
Your own VPN server via OpenVPN.
An IRC bouncer via ZNC.
Monit to keep everything running smoothly (and alert you when it’s not).
Web hosting (ex: for your blog) via Apache.
Firewall management via ferm.
Intrusion prevention via fail2ban and rootkit detection via rkhunter.
Nightly backups to Tarsnap.
A bunch of nice-to-have tools like mosh and htop that make life with a server a little easier.
No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintenance. Set it up, SSH in every couple weeks, but mostly forget about it.
Don’t want one or more of the above services? Comment out the relevant role in site.yml. Or get more granular and comment out the associated include: directive in one of the playbooks.
In my earlier blog post, I gave an overview of Forward Secrecy, as well as some configuration tips. If you're new to the concept, I suggest that you go and read that post first. This time, I am following up with detailed configuration examples for Apache, Nginx, and OpenSSL.
.htaccess is a per-directory configuration file for the Apache HTTP Server (and for servers that emulate it), and one of the most powerful configuration files you will come across: it can password-protect paths, issue 301 redirects, rewrite URLs and much more, all without touching the main server configuration. It dates from the earliest days of HTTP servers, which is why so much of the web still relies on it. Two caveats worth knowing: the file is only honoured for the directive classes the main configuration permits with AllowOverride, and because Apache re-reads it on every request, anyone who can write into the web root can change the server's behaviour, so treat write access to those directories as write access to the server configuration.
As a system administrator I manage many web, mail and other servers, and I need to keep them up to date both on security and on technical progress.
One of the latest tasks I took on in this area is configuring SSL/TLS correctly on every service I host that supports it.
So I created certificates for each server or service, and decided to write a short document, in French and in English, explaining how it works, for my geek friends and colleagues.
There are a number of steps to get through before you reach a correct SSL/TLS configuration.
In this document I will explain how to configure postfix, courier (POP and IMAP), ejabberd and apache in secure SSL/TLS mode with a certificate issued by CACert.
Generating the certificate is not covered in this document; for that, see the page explaining how to generate a server certificate with CaCert.
To secure your servers and services by making eavesdropping on connections difficult if not impossible, SSL/TLS is recommended on every protocol that supports it. This requires a server certificate: a digitally signed statement from a certificate authority binding your public key to the domain name concerned, issued after the CA has checked that you control that domain.
apache ssl
Configuration docs: DNS, FTP, MAIL, OPENBSD, FREEBSD, RSYNC, SAMBA, SQUID, APACHE, etc.
This document is a translation of the "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" produced by the NSA (National Security Agency), with minor modifications.