Updated example Apache2 configuration files to enforce strong SSL configuration.

(Redmine issue: #3387)

conf/apache/site_mentat.conf.htpasswd.example

@@ -31,6 +31,13 @@
         ServerAdmin webmaster@mentat.organization.org
         ServerName mentat.organization.org
 
+        <IfModule mod_headers.c>
+                # Enforce HTTPS protocol at all times.
+                Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+                # Deny access to content via HTML iframe.
+                Header always set X-Frame-Options DENY
+        </IfModule>
+
         DocumentRoot /var/www
 
         WSGIDaemonProcess hawat user=mentat group=mentat threads=5
@@ -85,6 +92,15 @@
         #SSLCertificateKeyFile   /etc/ssl/servercert/key.pem
         #SSLCertificateChainFile /etc/ssl/servercert/chain.pem
 
+        # Enforce only strong SSL protocols. Generator as of August 2016. This
+        # tool is available at https://mozilla.github.io/server-side-tls/ssl-config-generator/
+        # Resource: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html#onlystrong
+        SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        SSLHonorCipherOrder on
+        SSLCompression      off
+        SSLSessionTickets   off
+
         <FilesMatch "\.(cgi|shtml|phtml|php)$">
                 SSLOptions +StdEnvVars
         </FilesMatch>

conf/apache/site_mentat.conf.shibboleth.example

@@ -24,6 +24,13 @@
         ServerAdmin webmaster@mentat.organization.org
         ServerName mentat.organization.org
 
+        <IfModule mod_headers.c>
+                # Enforce HTTPS protocol at all times.
+                Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+                # Deny access to content via HTML iframe.
+                Header always set X-Frame-Options DENY
+        </IfModule>
+
         DocumentRoot /var/www
 
         WSGIDaemonProcess hawat user=mentat group=mentat threads=5
@@ -76,6 +83,15 @@
         #SSLCertificateKeyFile   /etc/ssl/servercert/key.pem
         #SSLCertificateChainFile /etc/ssl/servercert/chain.pem
 
+        # Enforce only strong SSL protocols. Generator as of August 2016. This
+        # tool is available at https://mozilla.github.io/server-side-tls/ssl-config-generator/
+        # Resource: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html#onlystrong
+        SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        SSLHonorCipherOrder on
+        SSLCompression      off
+        SSLSessionTickets   off
+
         <FilesMatch "\.(cgi|shtml|phtml|php)$">
                 SSLOptions +StdEnvVars
         </FilesMatch>