Webserver and HTTPS settings
You can obtain a free TLS certificate in several ways:
- from CESNET via TCS (issuance must be approved by the CVT manager),
- from Let's Encrypt, with issuance and tracking handled by unix@fi (scripts and instructions),
- from Let's Encrypt (or another free CA) entirely on your own.
If you would like help getting one, please contact unix@fi.muni.cz.
In addition to deploying HTTPS itself, it is important to verify that the configuration is reasonably secure. For example, Qualys (HTTPS only) or testssl.sh (a bash script built on OpenSSL) can be used to test the configuration.
TLS parameters
We recommend using Mozilla's configuration generator, which takes into account current security recommendations.
We recommend testing the applied configuration, for example with Qualys (see above). Aim for a Qualys score of A- or A. For scores in the A range, however, weigh the risk that some older clients may not support the newer, more secure ciphers the configuration requires.
HTTP Strict Transport Security - HSTS
First of all, if you are creating a new website, we recommend setting up redirection from HTTP to HTTPS right away and sending the HSTS HTTP header, which instructs the browser to access the site only over HTTPS for the period it is told to remember.
If you use the Apache webserver, the configuration looks like this:
<VirtualHost fqdn.fi.muni.cz:80>
    ...
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>
<VirtualHost fqdn.fi.muni.cz:443>
    ...
    # start with a low max-age and raise it step by step up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600;"
</VirtualHost>
The period for which the browser remembers to use HTTPS is set by the max-age parameter. For existing sites it is a good idea to start with a low value and increase it gradually, e.g. an hour (3600), a day (86400), a week (604800), a month (2592000), ending at half a year (15552000), so that any problem with the HTTPS deployment surfaces while browsers still forget the policy quickly.
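As an added example (not part of the original page), a small Python checker for the two virtual hosts above: it verifies that the port-80 response is a permanent redirect to https://, parses the Strict-Transport-Security header according to the RFC 6797 grammar (a trailing ";" as in the Apache line is legal, duplicate directives are not), and reports the next step on the max-age ladder from the paragraph above. The host name and both HTTP responses are constructed sample data.

```python
# Rollout ladder from the text above: hour, day, week, month, half a year (seconds).
HSTS_LADDER = [3600, 86400, 604800, 2592000, 15552000]

# Constructed sample responses, as the two VirtualHosts above would answer.
HTTP_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: https://fqdn.fi.muni.cz/\r\n"
                 b"Content-Length: 0\r\n\r\n")
HTTPS_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  b"Strict-Transport-Security: max-age=3600;\r\n"
                  b"Content-Type: text/html\r\n\r\n<html></html>")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse an HSTS header value: directives split by ';', names case-insensitive,
    empty directives allowed, each directive at most once, max-age mandatory."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directive, e.g. from a trailing ';'
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate HSTS directive {name!r}")
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("HSTS header needs a numeric max-age")
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_http_redirect(raw, host):
    """True if the plain-HTTP response is a permanent redirect to https://<host>/."""
    status, h = parse_response(raw)
    return status in (301, 308) and h.get("location", "").lower().startswith(f"https://{host}/")


def check_hsts(raw):
    """Return (current max-age or None, next ladder value or None when already at the top)."""
    _, h = parse_response(raw)
    if "strict-transport-security" not in h:
        return None, HSTS_LADDER[0]
    max_age = parse_hsts(h["strict-transport-security"])["max-age"]
    higher = [step for step in HSTS_LADDER if step > max_age]
    return max_age, (higher[0] if higher else None)
```

Run it against live servers only once you have a TLS client in front of it; the parsers work on whatever raw response you capture.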
Other security headers
In addition to HSTS, other security headers can be set (for example Content-Security-Policy, X-Frame-Options, ...). The list is long and is not covered here.
However, you can use the Security Headers tool to review them and test your deployment.