Mailing List Archive

Apache 2.4, HTTP/2, mod_fcgi, Perl, Python, ASP and a TLS cipher query
Hello,

I've got an Apache 2.4 server running HTTP/2. It's running PHP 7 FPM
with Event. Previously my configuration for getting Perl, Python, and
ASP scripts to work was:

# Support perl scripts
ScriptAlias "/perlweb/" "/usr/vhosts/domain.com/perlweb/"
<Directory "/usr/vhosts/domain.com/perlweb">
AddHandler perl-script .pl
AddHandler perl-script .cgi
PerlResponseHandler ModPerl::Registry
PerlOptions +ParseHeaders
Options +ExecCGI
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>

# Support python scripts
ScriptAlias "/python/" "/usr/vhosts/domain.com/python/"
<Directory "/usr/vhosts/domain.com/python">
Options +ExecCGI
SSLRequireSSL
AllowOverride None
AddHandler cgi-script .py
Require all granted
</Directory>

# Store all asp pages and applications
Alias "/asp" "/usr/vhosts/domain.com/asp"
<Directory "/usr/vhosts/domain.com/asp/">
Options None
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>

Given my mod_fastcgi setup, is this still valid, or should I be trying
to get the three languages going with FastCGI?

My second question regards my TLS configuration. I'm looking for
only TLS 1.2 and 1.3 with strong protocols. Here is my current SSL
configuration; is this also valid?

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
### Turn on HTTP2 support #
Protocols h2 h2c http/1.1
H2Push on
H2PushPriority * after
H2PushPriority text/css before
H2PushPriority image/jpg after 32
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:prime256v1
SSLOpenSSLConfCmd ECDHParameters prime256v1
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLInsecureRenegotiation Off
SSLOpenSSLConfCmd Options -SessionTicket
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLOpenSSLConfCmd DHParameters "/usr/local/etc/apache24/dh.pem"
Header always set Strict-Transport-Security "max-age=15768000"
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Thanks.
Dave.
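
The following is an added example, not part of the original message: a small audit of the SSLCipherSuite string posted above, sorting each suite by key exchange and bulk cipher. The policy it applies (keep only suites with forward secrecy and an AEAD cipher) and the function names are assumptions made for this illustration.

```python
# Added example. POSTED is the SSLCipherSuite value from the message, verbatim.
POSTED = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (EC)DH key exchange

def classify(suite):
    """Return (forward_secrecy, bulk_mode) for one suite name.
    Only covers the AES / 3DES / ChaCha20 name shapes used in the post."""
    forward_secrecy = suite.startswith(FS_PREFIXES)
    bulk = ("AEAD" if "CHACHA20" in suite or "GCM" in suite
            else "3DES-CBC" if "DES-CBC3" in suite
            else "AES-CBC")
    return forward_secrecy, bulk

def audit(cipher_string):
    """Split into (keep, flagged); flagged maps suite -> list of reasons.
    Assumed policy: keep only forward secrecy plus an AEAD cipher."""
    keep, flagged = [], {}
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-+":   # exclusion/ordering operators
            continue
        forward_secrecy, bulk = classify(token)
        reasons = []
        if not forward_secrecy:
            reasons.append("static RSA key exchange, no forward secrecy")
        if bulk != "AEAD":
            reasons.append(bulk + " instead of AEAD")
        if reasons:
            flagged[token] = reasons
        else:
            keep.append(token)
    return keep, flagged

if __name__ == "__main__":
    keep, flagged = audit(POSTED)
    print("keep:", ":".join(keep))
    for suite, reasons in flagged.items():
        print("flag:", suite, "-", "; ".join(reasons))
```

The TLS 1.3 suites are not part of this string; in mod_ssl they are set separately with `SSLCipherSuite TLSv1.3 ...`.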
