In this tutorial we’ll do config in cwp so we can get SSL A+ Score Rating in SSLLabs – Qualys. Upon many request by the visitors and members I’m posting this easy tutorial. This guide will help you to achieve A+ ssl rating in ssl labs Qualys so you’ll get high-level of ssl security, as well as enhance the security of your IT/eCommerce business and building customer confidence and loyalty.
I’ve an article here for Webserver basis config https://www.uxlinux.com/how-to-get-a-score-rating-in-ssllabs-qualys/ since CWP is different and works with template many users are trouble achieve this score, below are the steps mentioned which you need to follow one by one
Ensure you logged in as root in ssh/terminal
FOR NGINX (proxy/main/fpm) :
Step 1 :
Download this template to your server :
cd /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts wget --no-cache https://www.uxlinux.com/upload/nginx-Aplus.zip unzip -o nginx-Aplus.zip rm -rf nginx-Aplus.zip
Step 2 :
Change the ssl protocol to only use TLS 1.2 :
sed -r -i 's/\b(TLSv1 |TLSv1.1 )\b//g' /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/vhosts/*.conf /usr/local/cwpsrv/htdocs/resources/conf/web_servers/main/nginx/conf/nginx.conf
***When you rebuild webserver or vhost from CWP ensure you run this command again.
After running the above command lock this files if you don’t change nginx main config and Hostname of the server :
chattr +i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf
If you want to change nginx main conf or change the server hostname just unlock this files and then rebuild webserver config or vhost :
chattr -i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf
***after edit and webserver rebuild or vhost rebuild just lock the files again.
Step 3 :
Apply the templates new templates will appear as “-Aplus” word added.
***Remember if you choose any other template for the domain with tls 1 and tls 1.1 protocol active then A + score will downgrade to lower score hence it is recommended to use the A+ templates for all of your domain and SANs.
CLICK here to view Full size : Image
If you’ve per “webserver domain config” enabled for per user domain then you need to choose this templates there too.
For APACHE only webserver (php-cgi/fpm/proxy) follow this guide for apache :
ensure you’ve disabled TLS 1.0 and TLS 1.1 ssl protocol and add this ciphers :
<ifmodule !ssl_module=""> LoadModule ssl_module modules/mod_ssl.so </ifmodule> Listen 443 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
** tally the changes basically you only need to edit “SSLProtocol” and “SSLCipherSuite
and restart apache :
systemctl restart httpd
now add HSTS header in domain .htaccess :
Header always set Strict-Transport-Security "max-age=31536000"
Extra work :
you need to also add Certification Authority Authorization (CAA) dns record for more security read here LINK
Like you can add CAA dns who you want to give permission to issue certs :
mysterydata.com. 300 IN CAA 0 issue "digicert.com" mysterydata.com. 300 IN CAA 0 issuewild "digicert.com"
mysterydata.com. 300 IN CAA 0 issuewild "letsencrypt.org" mysterydata.com. 300 IN CAA 0 issue "letsencrypt.org"
mysterydata.com. 300 IN CAA 0 issuewild "comodoca.com" mysterydata.com. 300 IN CAA 0 issue "comodoca.com"
mysterydata.com. 300 IN CAA 0 issuewild "globalsign.com" mysterydata.com. 300 IN CAA 0 issue "globalsign.com"