This repository contains documentation for the Internet Society's 2020 Open Standards Everywhere project, whose goal is to help people create more secure web servers using the latest open standards.
The following documents were created as part of the project. The documentation has been developed and verified on our reference servers running Debian 10.2 and either Apache 2.4.38 or NGINX 1.14.2. We use certbot 0.31.0 for Let's Encrypt certificates.
- How to install an Apache web server as part of a LAMP stack
- How to install an NGINX web server as part of a LEMP stack
- How to configure IPv6 on your Apache web server
- How to configure IPv6 on your NGINX web server
- How to configure IPv6 on your web server with a CDN
- How to configure TLS 1.3 on your Apache web server
- How to configure TLS 1.3 on your NGINX web server
- How to disable TLS 1.0 and 1.1 on your Apache web server
- How to disable TLS 1.0 and 1.1 on your NGINX web server
- How to disable TLS 1.0 and 1.1 on your web server with a CDN
- How to configure HSTS on your Apache web server
- How to configure HSTS on your NGINX web server
- How to configure HSTS on your web server with a CDN
- How to configure TLS cipher order on your Apache web server
- How to configure TLS cipher order on your NGINX web server
- How to configure HTTP security headers on your Apache web server
- How to configure HTTP security headers on your NGINX web server
- How to configure HTTP/2 on your Apache web server
- How to configure HTTP/2 on your NGINX web server
- How to configure HTTP/2 on your web server with a CDN
For the 2020 Open Standards Everywhere (OSE) project, we built four reference servers so that you could use them for tests to see what "good" looks like:
- https://ose-apache.internetsociety.org/
- https://ose-apache-cdn.internetsociety.org/
- https://ose-nginx.internetsociety.org/
- https://ose-nginx-cdn.internetsociety.org/
All of these servers are being configured to achieve 100% on the Internet.nl website test suite and to pass the http2.pro HTTP/2 test.
Two of the servers are set up as "regular" web servers running in virtual machines. Two of the servers are set up behind a content delivery network (CDN).
If you find any errors in the documentation, or have additional suggestions, please open a new issue here on GitHub so that we can respond. If you do not use GitHub and do not wish to create a free GitHub account, you can email project lead Dan York.
If you have questions about this project, please contact project lead Dan York, either here on GitHub (@danyork) or at [email protected]