From 749660e45cd94064c994a9a4f0ae5dc733f5e4d9 Mon Sep 17 00:00:00 2001
From: Salt
Date: Tue, 26 Jan 2021 05:20:48 -0600
Subject: [PATCH] Make Apache configuration more secure, add SSL cache
---
 inventory/group_vars/all.yml | 2 +-
 playbooks/vars/apache.yml | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 779226e..9788fd2 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -41,7 +41,7 @@ zerotier_network_id: !vault |
 # For geerlingguy.apache
 apache_remove_default_vhost: yes
-apache_ssl_cipher_suite: AES256+EECDH:AES256+EDH
+apache_ssl_cipher_suite: "ECDH:AECDH:!SHA1:!SHA256:!SHA384"
 apache_ssl_protocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 # For geerlingguy.php
diff --git a/playbooks/vars/apache.yml b/playbooks/vars/apache.yml
index ed0822b..97a618b 100644
--- a/playbooks/vars/apache.yml
+++ b/playbooks/vars/apache.yml
@@ -9,6 +9,7 @@ apache_mods_enabled:
 - proxy_fcgi.load
 - proxy_http.load
 - rewrite.load
+ - socache_shmcb.load
 - ssl.load
 apache_mods_disabled:
 - mpm_event.load
@@ -17,6 +18,8 @@ apache_mods_disabled:
 apache_global_vhost_settings: |
 DirectoryIndex index.php index.html
 Protocols h2 http/1.1
+ SSLSessionCache shmcb:/run/apache2/socache
+ SSLSessionCacheTimeout 300
 SetHandler "proxy:fcgi://127.0.0.1:9000"
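Review bot: The added `apache_ssl_cipher_suite` line in inventory/group_vars/all.yml names `AECDH`, OpenSSL's alias for anonymous ECDH suites that give no server authentication, and OpenSSL documents the `ECDH` alias as covering anonymous suites as well. They stay out of the negotiated set only as a side effect of `!SHA1`, which holds as long as every anonymous suite in the linked OpenSSL build uses a SHA-1 MAC. Nothing in the string states that dependency, so a later edit that relaxes the MAC exclusions could enable unauthenticated key exchange without anyone noticing. Drop the alias and exclude the class explicitly, for example `apache_ssl_cipher_suite: "ECDH:!aNULL:!eNULL:!SHA1:!SHA256:!SHA384"`. Confirm what the string expands to on the target host with `openssl ciphers -v` before rollout.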
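Review bot: The two `SSLSession*` lines added to `apache_global_vhost_settings` in playbooks/vars/apache.yml only govern the server-side session cache, so TLS session tickets stay at Apache's default, which is enabled. Apache's documentation notes that tickets compromise forward secrecy unless the server is restarted at a suitable frequency. For a commit aimed at a more secure configuration, consider adding `SSLSessionTickets off` beside them, or a comment recording why tickets stay on. The cache path `/run/apache2/socache` looks specific to Debian's run directory, and a comment such as `# shmcb path assumes Debian's /run/apache2` would make that assumption visible. The `apache_global_vhost_settings` block continues past the end of the hunk.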