| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281 |
- <!DOCTYPE html>
- <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
- <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
- <head>
- <meta charset="utf-8">
- <meta http-equiv="X-UA-Compatible" content="IE=edge">
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
-
-
-
- <link rel="shortcut icon" href="../../../img/favicon.ico">
- <title>Sécurisation des pages web - Les Tutoriels du Yojik</title>
- <link rel="stylesheet" href="../../../css/theme.css" />
- <link rel="stylesheet" href="../../../css/theme_extra.css" />
- <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/github.min.css" />
-
- <script>
- // Current page data
- var mkdocs_page_name = "S\u00e9curisation des pages web";
- var mkdocs_page_input_path = "Tutoriels/tutostretch/S\u00e9curisation-Serveur-Web.md";
- var mkdocs_page_url = null;
- </script>
-
- <script src="../../../js/jquery-2.1.1.min.js" defer></script>
- <script src="../../../js/modernizr-2.8.3.min.js" defer></script>
- <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js"></script>
- <script>hljs.initHighlightingOnLoad();</script>
-
- </head>
- <body class="wy-body-for-nav" role="document">
- <div class="wy-grid-for-nav">
-
- <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
- <div class="wy-side-scroll">
- <div class="wy-side-nav-search">
- <a href="../../.." class="icon icon-home"> Les Tutoriels du Yojik</a>
- <div role="search">
- <form id ="rtd-search-form" class="wy-form" action="../../../search.html" method="get">
- <input type="text" name="q" placeholder="Search docs" title="Type search term here" />
- </form>
- </div>
- </div>
- <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
- <p class="caption"><span class="caption-text">Home</span></p>
- <ul>
- <li class="toctree-l1"><a class="reference internal" href="../../..">Page d'accueil</a>
- </li>
- </ul>
- <p class="caption"><span class="caption-text">Tutoriels</span></p>
- <ul>
- <li class="toctree-l1"><a class="reference internal" href="../../tutos/">Introduction</a>
- </li>
- <li class="toctree-l1"><a class="reference internal" href="#">Installation d'un serveur sécurisé, version Debian/Stretch (obsolète)</a>
- <ul>
- <li class="toctree-l2"><a class="reference internal" href="../tutostretch/">Présentation</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="#">Installation</a>
- <ul>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-de-base/">Installation du système de base</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../ovh/">Démarrage sur serveur OVH</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Premi%C3%A8re-Etape-S%C3%A9curisation/">Première étapes de sécurisation du serveur</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Configuration-R%C3%A9seau/">Configuration du réseau</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-Serveur-Temps/">Installation d'un serveur de temps</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-Parre-Feu/">Installation d'un pare-feu</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-Fail2ban/">Contrer les attaques de brute-force avec fail2ban</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-Serveur-Courrier-Basique/">Installation d'un serveur de courrier basique</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-Serveur-DNS/">Installation du serveur DNS</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-Serveur-Web/">Installation d'un serveur web</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-Dovecot-Authentification/">Installation de dovecot et de l'authentification</a>
- </li>
- <li class="toctree-l3"><a class="" href="../Installation-Certificats-Letsencrypt.md)">Installation des certificats letsencrypt</a>
- </li>
- <li class="toctree-l3"><a class="" href="../courrier-SPF-DKIM-OPENDMARC.md">Ajout des enregistrements **spf**, **DKIM**, **DMARC** au fichier de zone DNS</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Courrier-Comptes-Virtuels/">Ajout des comptes émail virtuels</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Surveillance-Serveur/">Installation de programmes de surveillance du serveur</a>
- </li>
- <li class="toctree-l3"><a class="reference internal" href="../Installation-Webmail/">Installation d'un webmail (rainloop)</a>
- </li>
- <li class="toctree-l3"><a class="" href="../Sécurisation-Serveur-Web">Sécurisation d'un serveur WEB</a>
- </li>
- </ul>
- </li>
- </ul>
- </li>
- <li class="toctree-l1"><a class="reference internal" href="#">Installation d'un serveur sécurisé, version Debian/Buster (en cours d'écriture)</a>
- <ul>
- <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/1-tutobuster/">Présentation</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/2-Installation-de-base/">Installation de base</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/3-ovh/">Démarrage sur serveur OVH</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/4-Plan/">Plan d'ensemble</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutobuster/5-Premi%C3%A8re-Etape-S%C3%A9curisation/">Premières étapes de sécurisation du serveur</a>
- </li>
- </ul>
- </li>
- <li class="toctree-l1"><a class="reference internal" href="#">Installation d'un serveur sécurisé, version Debian/Buster sur RaspberryPI</a>
- <ul>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/R%C3%A9sum%C3%A9/">Résumé</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/tutoraspi/">Présentation</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Installation-de-base/">Installation de base</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Premier-d%C3%A9marrage/">Premier démarrage</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Etat-des-lieux/">État des lieux</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/S%C3%A9curisation-SSH/">Sécurisation SSH</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/R%C3%A9seau/">Réseau (des IPs fixes)</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Knot/">Installation de Knot-resolver</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Firewall/">Installation d'un pare-feux</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Fail2ban/">Contrer les attaques de force brute</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Logwatch/">Surveillance du serveur</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Installation-courrier-basique/">Installation d'un serveur de courriers basique</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Exemple-d-utilisation-serveur-Web/">Exemple d'utilisation avec un serveur Web</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoraspi/Annexe/">Annexe</a>
- </li>
- </ul>
- </li>
- <li class="toctree-l1"><a class="reference internal" href="#">Domotique</a>
- <ul>
- <li class="toctree-l2"><a class="reference internal" href="../../Domotique/Introduction/">Introduction</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../Domotique/Le-mat%C3%A9riel/">Le matériel</a>
- </li>
- </ul>
- </li>
- <li class="toctree-l1"><a class="reference internal" href="#">Tutoriel Anki</a>
- <ul>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoanki/Introduction/">Introduction</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoanki/Installation/">Installation</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoanki/Les-fiches/">Les fiches</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoanki/Premi%C3%A8re-utilisation/">Premières utilisations et impressions</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoanki/Personnalisation/">Personnalisation</a>
- </li>
- <li class="toctree-l2"><a class="reference internal" href="../../tutoanki/Cartes/">Les cartes</a>
- </li>
- </ul>
- </li>
- </ul>
- </div>
- </div>
- </nav>
- <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
-
- <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
- <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
- <a href="../../..">Les Tutoriels du Yojik</a>
- </nav>
-
- <div class="wy-nav-content">
- <div class="rst-content">
- <div role="navigation" aria-label="breadcrumbs navigation">
- <ul class="wy-breadcrumbs">
- <li><a href="../../..">Docs</a> »</li>
-
-
-
- <li>Sécurisation des pages web</li>
- <li class="wy-breadcrumbs-aside">
-
- </li>
- </ul>
-
- <hr/>
- </div>
- <div role="main">
- <div class="section">
-
- <h1 id="securisation-des-pages-web">Sécurisation des pages web</h1>
- <h2 id="la-configuration-ssl">La configuration SSL</h2>
- <p>La page <a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/">Mozilla web server SSL config generator</a> permet de configurer mieux les pages servies par les serveurs web (apache pour moi), en donnant des règles concernant les certificats, les protocoles <strong>ssl.</strong></p>
- <p>Voilà un exemple de configuration générée par le site Mozilla indiqué ci-dessus:</p>
- <pre><code><VirtualHost *:443>
- ...
- SSLEngine on
- SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
- SSLCertificateKeyFile /path/to/private/key
- # Uncomment the following directive when using client certificate authentication
- #SSLCACertificateFile /path/to/ca_certs_for_client_authentication
- # HSTS (mod_headers is required) (15768000 seconds = 6 months)
- Header always set Strict-Transport-Security "max-age=15768000"
- ...
- </VirtualHost>
- # modern configuration, tweak to your needs
- SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
- SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
- SSLHonorCipherOrder on
- SSLCompression off
- SSLSessionTickets off
- # OCSP Stapling, only in httpd 2.3.3 and later
- SSLUseStapling on
- SSLStaplingResponderTimeout 5
- SSLStaplingReturnResponderErrors off
- SSLStaplingCache shmcb:/var/run/ocsp(128000)
- </code></pre>
- <p>Il précise les protocoles recommandés ainsi que les méthodes de chiffrage actuellement sûres.</p>
- <h2 id="la-configuration-des-en-tetes">La configuration des en-têtes</h2>
- <p>Les entêtes sont envoyés aux clients, et ils sont libres de les respecter ou non ...
- On peut utiliser la page de test suivante pour configurer les entêtes renvoyés avec chaque page web: https://observatory.mozilla.org/analyze/www.yojik.net par exemple pour analyser le site www.yojik.net.</p>
- <p>Voilà un exemple de résultats, avec certains entêtes configurés et d'autres non; la note globale n'est pas bonne, et il faudra améliorer la configuration.</p>
-
- </div>
- </div>
- <footer>
-
- <hr/>
- <div role="contentinfo">
- <!-- Copyright etc -->
-
- </div>
- Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
- </footer>
-
- </div>
- </div>
- </section>
- </div>
- <div class="rst-versions" role="note" aria-label="versions">
- <span class="rst-current-version" data-toggle="rst-current-version">
-
-
-
- </span>
- </div>
- <script>var base_url = '../../..';</script>
- <script src="../../../js/theme.js" defer></script>
- <script src="../../../search/main.js" defer></script>
- <script defer>
- window.onload = function () {
- SphinxRtdTheme.Navigation.enable(true);
- };
- </script>
- </body>
- </html>
|
