X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/d7897a0aa9147b2cea021cf478461ae9df12277c..6fcd4c022d8ae2b5f60b25f43acb393805c0cd0b:/cookbooks/apache/templates/default/ssl.erb?ds=sidebyside

diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index 8035d4289..ccfef6048 100644
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -1,8 +1,20 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
+SSLProtocol All -SSLv2 -SSLv3
+
 SSLHonorCipherOrder On
-SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
+SSLCipherSuite <%= node[:ssl][:openssl_ciphers] %>
+
+SSLUseStapling On
+SSLStaplingResponderTimeout 5
+SSLStaplingErrorCacheTimeout 60
+SSLStaplingReturnResponderErrors off
+SSLStaplingFakeTryLater off
+SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
 
-SSLCertificateFile /etc/ssl/certs/<%= @certiifcate %>.pem
-SSLCertificateKeyFile /etc/ssl/private/<%= @certiifcate %>.key
-SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
+Header always set Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" "expr=%{HTTPS} == 'on'"
+<% if node[:ssl][:ct_report_uri] -%>
+Header always set Expect-CT "max-age=0, report-uri=\"<%= node[:ssl][:ct_report_uri] %>\"" "expr=%{HTTPS} == 'on'"
+<% else -%>
+Header always set Expect-CT "max-age=0" "expr=%{HTTPS} == 'on'"
+<% end -%>