Yojik.net/tutostretch/site/Sécurisation-Serveur-Web/index.html

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  
  
  <link rel="shortcut icon" href="../img/favicon.ico">
  <title>Sécurisation d'un serveur WEB - Les Tutoriels du Yojik</title>
  <link rel="stylesheet" href="../css/theme.css" />
  <link rel="stylesheet" href="../css/theme_extra.css" />
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/github.min.css" />
  
  <script>
    // Current page data
    var mkdocs_page_name = "S\u00e9curisation d'un serveur WEB";
    var mkdocs_page_input_path = "S\u00e9curisation-Serveur-Web.md";
    var mkdocs_page_url = null;
  </script>
  
  <script src="../js/jquery-2.1.1.min.js" defer></script>
  <script src="../js/modernizr-2.8.3.min.js" defer></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js"></script>
  <script>hljs.initHighlightingOnLoad();</script> 
  
</head>

<body class="wy-body-for-nav" role="document">

  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
    <div class="wy-side-scroll">
      <div class="wy-side-nav-search">
        <a href=".." class="icon icon-home"> Les Tutoriels du Yojik</a>
        <div role="search">
  <form id ="rtd-search-form" class="wy-form" action="../search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" title="Type search term here" />
  </form>
</div>
      </div>

      <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
                <p class="caption"><span class="caption-text">Installation d'un serveur sécurisé, version Debian/Stretch (obsolète)</span></p>
                <ul>
                    <li class="toctree-l1"><a class="reference internal" href="..">Présentation</a>
                    </li>
                </ul>
                <p class="caption"><span class="caption-text">Installation</span></p>
                <ul class="current">
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-de-base/">Installation du système de base</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../ovh/">Démarrage sur serveur OVH</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Premi%C3%A8re-Etape-S%C3%A9curisation/">Première étapes de sécurisation du serveur</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Configuration-R%C3%A9seau/">Configuration du réseau</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Serveur-Temps/">Installation d'un serveur de temps</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Parre-Feu/">Installation d'un pare-feu</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Fail2ban/">Contrer les attaques de brute-force avec fail2ban</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Serveur-Courrier-Basique/">Installation d'un serveur de courrier basique</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Serveur-DNS/">Installation du serveur DNS</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Serveur-Web/">Installation d'un serveur web</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Dovecot-Authentification/">Installation de dovecot et de l'authentification</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Certificats-Letsencrypt/">Installation des certificats letsencrypt</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Courrier-SPF-DKIM-OPENDMARC/">Ajout des enregistrements **spf**, **DKIM**, **DMARC** au fichier de zone DNS</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Courrier-Comptes-Virtuels/">Ajout des comptes émail virtuels</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Surveillance-Serveur/">Installation de programmes de surveillance du serveur</a>
                    </li>
                    <li class="toctree-l1"><a class="reference internal" href="../Installation-Webmail/">Installation d'un webmail (rainloop)</a>
                    </li>
                    <li class="toctree-l1 current"><a class="reference internal current" href="./">Sécurisation d'un serveur WEB</a>
    <ul class="current">
    <li class="toctree-l2"><a class="reference internal" href="#la-configuration-ssl">La configuration SSL</a>
    </li>
    <li class="toctree-l2"><a class="reference internal" href="#la-configuration-des-en-tetes">La configuration des en-têtes</a>
    </li>
    </ul>
                    </li>
                </ul>
      </div>
    </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
        <a href="..">Les Tutoriels du Yojik</a>
      </nav>

      
      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="navigation" aria-label="breadcrumbs navigation">
  <ul class="wy-breadcrumbs">
    <li><a href="..">Docs</a> &raquo;</li>
    
      
        
          <li>Installation &raquo;</li>
        
      
    
    <li>Sécurisation d'un serveur WEB</li>
    <li class="wy-breadcrumbs-aside">
      
    </li>
  </ul>
  
  <hr/>
</div>
          <div role="main">
            <div class="section">
              
                <h1 id="securisation-des-pages-web">Sécurisation des pages web</h1>
<h2 id="la-configuration-ssl">La configuration SSL</h2>
<p>La page <a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/">Mozilla web server SSL config generator</a> permet de configurer mieux les pages servies par les serveurs web (apache pour moi), en donnant des règles concernant les certificats, les protocoles <strong>ssl.</strong></p>
<p>Voilà un exemple de configuration générée par le site Mozilla indiqué ci-dessus:</p>
<pre><code>&lt;VirtualHost *:443&gt;
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
&lt;/VirtualHost&gt;

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
</code></pre>
<p>Il précise les protocoles recommandés ainsi que les méthodes de chiffrage actuellement sûres.</p>
<h2 id="la-configuration-des-en-tetes">La configuration des en-têtes</h2>
<p>Les entêtes sont envoyés aux clients, et ils sont libres de les respecter ou non ...
On peut utiliser la page de test suivante pour configurer les entêtes renvoyés avec chaque page web: https://observatory.mozilla.org/analyze/www.yojik.net par exemple pour analyser le site www.yojik.net.</p>
<p>Voilà un exemple de résultats, avec certains entêtes configurés et d'autres non; la note globale n'est pas bonne, et il faudra améliorer la configuration.</p>
              
            </div>
          </div>
          <footer>
  
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
      
      
        <a href="../Installation-Webmail/" class="btn btn-neutral" title="Installation d'un webmail (rainloop)"><span class="icon icon-circle-arrow-left"></span> Previous</a>
      
    </div>
  

  <hr/>

  <div role="contentinfo">
    <!-- Copyright etc -->
    
  </div>

  Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
      
        </div>
      </div>

    </section>

  </div>

  <div class="rst-versions" role="note" aria-label="versions">
    <span class="rst-current-version" data-toggle="rst-current-version">
      
      
        <span><a href="../Installation-Webmail/" style="color: #fcfcfc;">&laquo; Previous</a></span>
      
      
    </span>
</div>
    <script>var base_url = '..';</script>
    <script src="../js/theme.js" defer></script>
      <script src="../search/main.js" defer></script>
    <script defer>
        window.onload = function () {
            SphinxRtdTheme.Navigation.enable(true);
        };
    </script>

</body>
</html>