Posts

Showing posts from September, 2016

How to get A+ on the Qualys SSL test

The default Arch Linux Apache "out of the box" scored A. After simply following the recommendation from the httpd-ssl.conf file:

    #  By the end of 2016, only TLSv1.2 ciphers should remain in use.
    #  Older ciphers should be disallowed as soon as possible, while the
    #  kRSA ciphers do not offer forward secrecy.  These changes inhibit
    #  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
    #  non-browser tooling) from successfully connecting.
    #
    #  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
    #  those protocols which do not support forward secrecy, replace
    #  the SSLCipherSuite and SSLProxyCipherSuite directives above with
    #  the following two directives, as soon as practical.
    SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
    SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

it turned out to be... still A. So how to get it to A+? Simply enable HSTS by adding this one line to the SSL virtual host definition (note: the headers module must be enabled): He

Let's encrypt on Arch Linux

First we need Apache and the Let's Encrypt client:

    pacman -S certbot

As Apache is running on port 80, and we do not want any interruption to the service, we will use the "webroot" plugin. Assuming our domain is www.bogus.com, the request will look like this:

    certbot certonly --email p******t@gmail.com --webroot -w /srv/http/ -d www.secure.com

     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.

Note: you do not need to enter the e-mail address again.

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/flex.prkp.eu/fullchain.pem. Your cert will
       expire on 2016-12-13. To obtain a new or tweaked version of this
       certificate in the future,