Installing a Webserver

What should and shouldn't you do with a Webserver?

DO'S

Start with a clean installation of your server and install the updates.

1. Make a backup.
2. Keep a log of changes after the backup.
3. Back to 1. etc...

Tip: Always make changes one at a time and check after each change whether everything is working correctly.

DON'TS

• Making too many changes at once: (Read: more than 1). This way you won't be able to figure out which change caused a problem if something goes wrong.
• Skipping steps: Sometimes things need to change in an exact order. If you deviate from this, it won't work properly, will fail, or worse.
• Making changes that cause your website or webserver to become unreachable: Not convenient, but you might learn something from it.

Good luck!!

And one more thing: TLS Security

Use only TLSv1.2 and TLSv1.3

TLSv1.2 has existed since 2008 and all browsers after 2012 support it. TLSv1.3 is the latest version and is supported by Mozilla Firefox and Google Chrome.

Cipher Suites

For TLSv1.2

In Apache:

• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-CHACHA20-POLY1305
• ECDHE-RSA-AES256-SHA

In IIS 10:

• TLS_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

For TLSv1.3 in Apache

Edit your openssl config:

nano /etc/openssl/openssl.conf

Add at the bottom:

Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Note: This is not according to the manual RFC 8446 Section 9.1: "A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 cipher suite"

The fact is that the TLS_AES_128_GCM_SHA256 cipher suite is not required for TLS handshakes. By no longer requiring this for RFC 8446 Section 9.1, TLSv1.3 can also meet the requirement of AES256 encryption.