I don't know about you guys but personally I avoid visiting non-https sites like the plague and I'm likely not the only one doing that.
A bonus effect of enabling https is improved ranking on popular search engines.
For configuration details, see Mozilla's excellent wiki entry at https://wiki.mozilla.org/Security/Server_Side_TLS. There is also a configuration generator for popular servers at https://mozilla.github.io/server-side-tls/ssl-config-generator/ — prefer regenerating over copying the snippet below, since a pasted cipher list goes stale as protocols and suites get deprecated. Here's an example for Apache2.
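<VirtualHost *:443>
    ...
    SSLEngine on
    # fullchain.pem = leaf certificate + Let's Encrypt intermediate(s). Serving
    # cert.pem alone breaks clients that do not already have the intermediate.
    SSLCertificateFile /etc/letsencrypt/live/forum.example.com/fullchain.pem
    # The key is read before Apache drops privileges; keep it root-owned, mode 0600.
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.com/privkey.pem
    # HSTS (needs mod_headers). Only enable once every resource under this name
    # is reachable over HTTPS and the :80 vhost redirects here: browsers cache
    # the policy for max-age seconds and will refuse plain HTTP until it expires.
    Header always set Strict-Transport-Security "max-age=63072000"
    ...
</VirtualHost>
# Server-wide TLS settings, based on the Mozilla "intermediate" profile but tightened:
#  - TLS 1.0 and 1.1 are disabled as well: both are deprecated (RFC 8996) and fail
#    current PCI/compliance scans.
#  - The 3DES (DES-CBC3) suites are dropped: 64-bit block cipher, vulnerable to
#    SWEET32 on long-lived connections.
# Re-enable them only if you must support very old clients (e.g. IE on Windows XP,
# Java 6), and then accept that those clients get a weak suite.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS:!3DES
# Use the server's preference order so a client that offers both gets an AEAD /
# forward-secret suite first rather than whatever it listed first.
SSLHonorCipherOrder on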
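---
# Obtain a Let's Encrypt certificate on the Ansible controller and install the
# chain + private key on the managed host.
#
# Usage: ansible-playbook this-playbook.yml
#        ansible-playbook -e vhost=overridden.example.com this-playbook.yml
#
# NOTE(review): the certificate is issued on the controller (delegate_to: localhost),
# so the HTTP-01 challenge files written under /var/www/well-known must be served
# at http://<vhost>/.well-known/acme-challenge/ — i.e. the controller must be the
# web server for that name, or the managed host must proxy that path to it.
# Confirm this matches your setup before relying on the playbook.
- hosts: some-host-managed-by-ansible.example.com
  # Writing into /etc/ssl and /etc/ssl/private on the managed host needs root.
  become: true
  vars:
    letsencrypt_email: hostmaster@example.com
    # Kept as a top-level var so `-e vhost=...` overrides it. The original nested
    # it under `letsencrypt:` but the tasks referenced `{{ vhost }}`, which is
    # undefined unless -e is given.
    vhost: forum.example.com
  tasks:
    - name: "Obtain TLS certificate for {{ vhost }}"
      # `creates` makes the task idempotent, but it also means the task never
      # re-runs once the certificate exists: renewal must be scheduled separately
      # (`letsencrypt renew` / `certbot renew` on the controller, then re-run
      # this playbook to push the new files).
      command: >-
        letsencrypt certonly --agree-tos --non-interactive
        --email {{ letsencrypt_email }}
        --expand --keep-until-expiring
        --webroot -w /var/www/well-known
        -d {{ vhost }}
      args:
        creates: "/etc/letsencrypt/live/{{ vhost }}/fullchain.pem"
      delegate_to: localhost

    - name: Install TLS certificate (public chain)
      # Reads from the controller's /etc/letsencrypt/live, which is root-only by
      # default; the controller user running ansible needs read access to it.
      copy:
        src: "/etc/letsencrypt/live/{{ vhost }}/fullchain.pem"
        dest: "/etc/ssl/{{ vhost }}.pem"
        mode: "0644"
        owner: root
        group: root
      notify: reload web server

    - name: Install TLS certificate (private key)
      # The key travels over the SSH connection to the managed host and must never
      # be world-readable there. no_log keeps its contents out of diff/verbose
      # output.
      copy:
        src: "/etc/letsencrypt/live/{{ vhost }}/privkey.pem"
        dest: "/etc/ssl/private/{{ vhost }}.pem"
        mode: "0600"
        owner: root
        group: root
      no_log: true
      notify: reload web server

  handlers:
    # A replaced certificate/key is only picked up on reload. Adjust the service
    # name if the managed host runs something other than Apache.
    - name: reload web server
      service:
        name: apache2
        state: reloaded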
# Issue one certificate covering all three names (--expand lets it replace an
# existing certificate that covers only some of them). Each name must resolve to
# a host that serves /var/www/well-known at /.well-known/acme-challenge/, or the
# HTTP-01 challenge for that name fails.
letsencrypt certonly \
  --agree-tos \
  --email hostmaster@example.com \
  --expand \
  --keep-until-expiring \
  --webroot -w /var/www/well-known \
  -d freecadweb.org \
  -d www.freecadweb.org \
  -d forum.freecadweb.org