ssl configuration for apache 2.4 on centos 7 with let’s encrypt

In follow-up to previous posts I’ve had about SSL (specifically with Let’s Encrypt), here is the set of SSL configurations I use with all my sites. These, if used correctly, should score you an “A+” with no warnings from SSL Labs. Note: I have an improved entropy package installed (twuewand). This is adapted from the Mozilla config generator, with specific options added for individual sites and/or to match Let’s Encrypt’s recommendations.

Please note: you will need to modify the config files to represent your own domains, if you choose to use these as models.


#SSL options for all sites
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
Mutex sysvsem default
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom  1024
# requires twuewand to be installed
SSLRandomSeed startup exec:/bin/twuewand 64
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 1024
SSLCryptoDevice builtin
# the SSLSessionTickets directive should work - but on Apache 2.4.6-45, it does not
#SSLSessionTickets       off
SSLCompression          off
SSLHonorCipherOrder	on
# there may be an unusual use case for enabling TLS v1.1 or 1 - but I don't know what that would be
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLOptions +StrictRequire
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

#all unknown requests get domain.tld (over http)
<VirtualHost *:80>
    DocumentRoot /var/html
    ServerName domain.tld
    ServerAlias domain.tld *.domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log combined
    ServerAdmin user@domain.tld
    <Directory "/var/html">
         # +Indexes serves directory listings wherever no index file exists
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         # 2.2-style access control; needs mod_access_compat (loaded by default on CentOS 7 httpd)
         Order allow,deny
         Allow from all
    </Directory>

    SetOutputFilter DEFLATE
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css text/php
</VirtualHost>


<VirtualHost *:80>
    ServerName domain.tld
    # could use * instead of www if you don't use subdomains for anything special/separate
    ServerAlias domain.tld www.domain.tld
    Redirect permanent / https://domain.tld/
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    # if you put "fullchain.pem" here, you will get an error from ssllabs
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAdmin user@domain.tld

    # could put this in defaults.conf - I prefer it in each site config
    SSLEngine on

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>
</VirtualHost>


I use the z....conf formatting to ensure all site-specific configs are loaded after everything else. That conveniently breaks every site into its own config file, too.
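As an added check (an example script written here for the settings in this post, not the author's own tooling), here is a small POSIX shell linter that confirms a site or defaults config file still carries the hardening directives shown above: legacy protocols subtracted from SSLProtocol, compression off, server cipher order honoured, OCSP stapling on with a cache, and chain.pem rather than fullchain.pem as the chain file. The two sample config files it writes are constructed for the demo, and the example.test paths and the script name are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: a static check that an Apache
# mod_ssl config file carries the hardening directives discussed above.
# Assumptions: plain httpd.conf syntax, one directive per line; lines that are
# commented out with a leading '#' are ignored.
# Usage: sh check_ssl_conf.sh /etc/httpd/conf.d/z-site.conf   (path is a placeholder)

FAILS=0

# _require ERE DESCRIPTION: some uncommented line in $CONF must match ERE.
_require() {
    if grep -Eiq -- "$1" "$CONF"; then echo "ok:   $2"
    else echo "FAIL: $2"; FAILS=$((FAILS + 1)); fi
}

# _forbid ERE DESCRIPTION: no uncommented line in $CONF may match ERE.
_forbid() {
    if grep -Eiq -- "$1" "$CONF"; then echo "FAIL: $2"; FAILS=$((FAILS + 1))
    else echo "ok:   $2"; fi
}

# Pass only if the last SSLProtocol line enables TLSv1.2 alone, or subtracts
# SSLv3, TLSv1 and TLSv1.1 (the form used in the defaults above).
_check_protocol() {
    LINE=$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$CONF" | tail -n 1)
    if printf '%s\n' "$LINE" | grep -Eiq '^[[:space:]]*SSLProtocol[[:space:]]+[+]?TLSv1\.2[[:space:]]*$' \
       || { printf '%s\n' "$LINE" | grep -Eiq -- '-SSLv3([[:space:]]|$)' \
            && printf '%s\n' "$LINE" | grep -Eiq -- '-TLSv1([[:space:]]|$)' \
            && printf '%s\n' "$LINE" | grep -Eiq -- '-TLSv1\.1([[:space:]]|$)'; }; then
        echo "ok:   SSLProtocol leaves only TLSv1.2 enabled"
    else
        echo "FAIL: SSLProtocol still permits a legacy version: '${LINE:-<missing>}'"
        FAILS=$((FAILS + 1))
    fi
}

# check_ssl_conf FILE: run every check; returns 0 only if all of them pass.
check_ssl_conf() {
    CONF="$1"; FAILS=0
    D='^[[:space:]]*'   # directive must start the line, so '#' comments never match
    _check_protocol
    _require "${D}SSLCompression[[:space:]]+off"     'SSLCompression off (TLS compression / CRIME)'
    _require "${D}SSLHonorCipherOrder[[:space:]]+on" 'server cipher order honoured'
    _require "${D}SSLUseStapling[[:space:]]+on"      'OCSP stapling enabled'
    _require "${D}SSLStaplingCache[[:space:]]"       'SSLStaplingCache configured'
    _forbid  "${D}SSLCertificateChainFile[[:space:]].*fullchain\.pem" \
             'chain file is chain.pem, not fullchain.pem'
    # Informational only: HSTS is a per-site decision in the post above.
    grep -Eiq "${D}Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security" "$CONF" \
        || echo "note: no Strict-Transport-Security header in $CONF"
    [ "$FAILS" -eq 0 ]
}

# Constructed sample files for the demo (not real site configs).
write_samples() {
    GOOD=$(mktemp); WEAK=$(mktemp)
    cat > "$GOOD" <<'EOF'
# hardened, as in the defaults above
SSLCompression          off
SSLHonorCipherOrder     on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLUseStapling on
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
SSLCertificateChainFile /etc/letsencrypt/live/example.test/chain.pem
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
EOF
    cat > "$WEAK" <<'EOF'
# stock-looking config: legacy protocols left on, no stapling, fullchain misused
SSLProtocol all -SSLv2
SSLCompression on
#SSLHonorCipherOrder on
SSLCertificateChainFile /etc/letsencrypt/live/example.test/fullchain.pem
EOF
}

if [ $# -gt 0 ]; then
    check_ssl_conf "$1"
else
    write_samples
    echo "== constructed hardened config"; check_ssl_conf "$GOOD" || true
    echo "== constructed weak config";     check_ssl_conf "$WEAK" || true
    rm -f "$GOOD" "$WEAK"
fi
```

Run it against each z-site.conf after editing and before the graceful restart; it only reads the file, so it is safe to wire into a pre-commit hook or a cron job alongside the certificate renewal. It is a static check of the file, not of the running server, so a directive overridden by a later config file or by a missing module is not caught here.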

The config file for a non-https site is much simpler:

<VirtualHost *:80>
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ServerAlias domain.tld *.domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log combined
    ServerAdmin user@domain.tld
    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>
</VirtualHost>

If you’re running something like Nextcloud, you may want to turn on Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" in the <VirtualHost> block for the site. I haven’t decided yet if I should put this in every SSL-enabled site’s configs or not.

raas – the failure of “-as-a-service” in the physical world

Roads are empty something like 90% of the time.

8% of the time, they’re rightly-sized. 1.5% of the time, they’re a little tight.

But that .5%? Holy CRAP are they ever too small when they’re too small.

Imagine if the “*-as-a-Service” model could be applied to roads: expand their capacity on-demand as use requires. It works for businesses expanding and contracting their technical needs (a la cloud computing).

It [could] work for getting fancy dentures when you need them.

I guess this is what flying cars are supposed to alleviate – but with ~220,000,000 registered drivers in the US, imagine even 0.1% of them driving flying cars. That’d be 220,000 flying cars. If even 1% of them decided to utilize the “flight” aspect at any given time, that’d be 2200 vehicles in the air. 2200 vehicles with no flight plans. 2200 vehicles in an unknown state of fueling, repair, etc. Air travel is currently the safest form of transport. Would that still be true with 2200 angry drivers trying to escape from the traffic they find themselves in at the same time? Especially given the non-uniform distribution of those vehicles (they’ll dominantly simultaneously appear in ultra-densely-populated areas and ultra-rural ones), this wouldn’t be the utopia of George Jetson. It’d be the insanity of Back to the Future Part II when the Delorean arrives in 2015 from 1985. But worse.

My best professor once said, “no one has gotten elected saying they want to eliminate roads”. But followed that up with, “every time roads are expanded, they get just as busy during busy times, and waste an awful lot of concrete the other 23.2 hours of the day”.

What we need is a way to carry-over the technological paradigm of “*-as-a-Service” into physical infrastructure. Because it sucks. Bad.

I don’t know how best to approach that. Certainly the “sharing economy” models of Uber & Lyft are a component.

And self-driving cars will help.

But only when they’re not only “self-driving”, but when they’re actively communicating and optimizing with other vehicles. But what happens when you are “optimized” into a “slower” path because other vehicles were “optimized” into “faster” ones?

It’s certainly a thorny area of societal thinking to wade into. And one that needs a lot of thoughtful input and consideration from many quarters.

the jetsons used cash

They had flying cars. That would fold-up into a briefcase.

They had magic bubbles that’d pop out from their fingers to shroud themselves on their floaty-seats that delivered them to school or the mall.

But they used cash. Really? With all the crazy futuristic stuff they tried to wedge into that program, the creators thought we’d still be using cash in a flying-car future?

Maybe they were onto something. Cash does have the value of being tangible, and not being tracked.

what is happening with news publishers?

I think, closer to the lines of thought that Ben Thompson of Stratechery has laid out, that news publishing is about to undergo a major nichification – the days of everyone trying to report everything are over.

“Local” (whether by geography, interest, or some other grouping mechanism) publishing in narrowly-defined niches is basically going to finish gobbling the Old Line news publishers in the next 3-5 years. And I see automated “curation” (though, if it’s automated, it’s technically not “curating”) as a clever way to cross-cut unforeseen niches from other niches (and from the handful of “major” publishers that will refuse to die – even though they’re going to dramatically shrink very soon) – think applying the pivot table data analysis concept to news and publishing, rather than mere data.

Jean-Louis Gassée wrote in February the following about Facebook, & Google, about news publishers: “If they are really willing to contribute to a sustainable news ecosystem, as they claim, both should allow publishers to sell subscriptions on their platforms (while collecting a fee, obviously).” 

And that’s certainly an interesting idea – but one that I think will only last, if it even comes to fruition, for a very short period of time. It’s the Napster of news publishing.

I see news publishing undergoing the same sea change the music industry did starting in the late 90s with the rise of #Napster. Until Napster came along, if you wanted to listen to a specific song, you had to either a) wait for it to be on the radio, b) get the vinyl/tape/CD, c) get a friend to record it for you from the radio or some media they had.

Then Napster and its ilk came along with peer-to-peer file-sharing and crazy lawsuits from the #RIAA, and then services like #Apple’s #iTunes, charging a mere $0.99 per track (and $9.99 per digital album), made file-sharing (which became a major attack vector for malware) far, far less interesting: why spend hours searching for and downloading songs (which might be lousy quality, not the “real” song, etc) when you could just go to iTunes and get what you want in a couple minutes for 99¢?

Then came Pandora. And Spotify. And probably all kinds of other services I don’t know anything about. Why? Because people wanted what they wanted when they wanted it.

The same is true for “news”. How much of an average newspaper issue does the historically-average newspaper reader actually read? 10%? 30%? 50%? I’d bet anything north of 20% is highly unlikely overall.

And what do you have to do to “read” the news in a newspaper? You need to skip past ads, you need to flip between pages (and sometimes sections), you need to physically get the paper. And on and on. Paginated websites (like diply, just to name one) try to replicate the newspaper feel (flipping pages, skipping ads, not being able to see everything until you get to the end, etc) in a move to make money by selling ads and forcing eyeballs to look at them. (To combat that, folks like me run tools like pihole and ublock origin.)

Nichifying news is going to be a huge thing very soon: somewhat akin to the idea of targeted newsletters, but for “real” news, and not just something related to a website.


Last week, for the better part of 4.5 days, this site was offline.

Along with, of course, every other domain hosted hereon.

Here’s the timeline of my actions:

  • Tuesday, reboot to update kernel revs
    • system did not come back online
  • over the next several days, tried all kinds of diagnostic attempts, including
    • verified host was pingable, tracerouteable, etc
    • rescue environments to chroot and remove out of date packages, update boot menus, etc
    • remote KVM (which is Java based, and wouldn’t run on my macOS Sierra machine with Java 8 U121)
  • late Friday (or maybe it was Saturday), received a cron-generated email – which meant the server was up
    • had a bolt of inspiration, and thought to check the firewall (but couldn’t for several hours for various reasons)
  • Saturday evening, using a rescue environment from my hosting provider, chroot’ed into my server, and reset firewalld
    • reboot, and bingo bango! server was back

So. What happened? Short version, something enabled firewalld, and set up basic rules to block everything. And I do mean everything – ssh, http, smtp, etc etc.

Not sure exactly how the firewall rules got mucked-up, but that was the fix.



“Ladies and Gentlemen. Boys and Girls. Children of ALL ages. Ringling Brothers and Barnum and Bailey’s Circus is proud to present … GUNTHER .. GABLE .. WILLIAMS!!!”

Is about all I recall in vivid detail from when I went to see the RB&B&B circus as a kid with my parents, aunt, and friends. (And, as a sidebar, gave me the idea to be a host of something “cool” someday.)

Saturday, my wife and I are taking our three to see Ringling Brothers on their farewell tour.

It’s exciting that I get to take my kids to see it.

But incredibly sad they won’t get to go again.