Still trying to recover from the conference last weekend.
OpenEMR was out in force at the conference, and we had some interesting discussions about the best way to make PHP applications more secure. The application side here is PHP, but the idea applies to any web application, electronic health records included: Apache terminates TLS, forces every request onto HTTPS, verifies a client certificate against a CA you choose, and passes the verified certificate details to the application as environment variables (that is what SSLOptions +StdEnvVars is for below). The wonderful thing about this method is that Apache does all of the heavy lifting for you; the application only has to decide whether the verified certificate belongs to someone it knows.
Of course, none of this works without an Apache configuration!
```apache
# another fine way to enforce https only.
# (The <VirtualHost> containers did not survive being pasted into the post;
#  the two ServerName lines show there were two of them, :80 and :443, and
#  they are restored here.)
<VirtualHost *:80>
    ServerName example.com:80
    AddType application/x-httpd-php .php .phtml .php3
    DocumentRoot "/var/www/html/example/"
    # The following rewrite just forces everything to https!
    # R=301 makes it a permanent, external redirect; L stops further rewriting.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com:443
    DocumentRoot /var/www/html/example
    # Standard stuff
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    # The distribution default was "all -SSLv2" with a cipher list that still
    # admitted RC4 and LOW; neither belongs in front of health data. Allow only
    # TLS 1.2 and later, and only strong authenticated ciphers, server-ordered.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5
    SSLHonorCipherOrder on
    SSLOptions +StdEnvVars
    # Legacy workaround for old Internet Explorer; harmless to keep.
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    # end standard stuff
    # the certificate that CAcert.org has signed...
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
    # my super secret private key (keep it mode 0600 and owned by root)
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
    # Note that I can use the Directory directive to protect a single file!
    # (The <Directory>/<Files> container that scoped the following lines to
    #  that one file was also lost in the paste; at vhost level, as written
    #  here, they apply to the whole site.)
    # requires a client certificate
    SSLVerifyClient require
    # depth 2 allows root -> intermediate -> client, which is how CAcert issues
    SSLVerifyDepth 2
    # in order to validate the client certificates I need to have
    # a copy of the CAcert.org root certificate
    SSLCACertificateFile /etc/pki/tls/certs/cacert.crt
    # export SSL_CLIENT_* variables to the application for this scope too
    SSLOptions +StdEnvVars
</VirtualHost>
```

One caveat the configuration alone does not cover: SSLVerifyClient require only proves that the visitor holds a certificate chaining to the CA in SSLCACertificateFile. CAcert.org issues certificates to anyone who asks, so a successful handshake says nothing about whether that person is allowed into the application. The application still has to map the verified certificate to one of its own users, and you should also point SSLCARevocationFile at the CA's CRL so a revoked certificate stops working.
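Here is the application half, as an added example that is not code from the original post or from OpenEMR. It relies only on what mod_ssl publishes when SSLOptions +StdEnvVars is set: SSL_CLIENT_VERIFY (SUCCESS, NONE, GENEROUS or FAILED:reason), the subject fields SSL_CLIENT_S_DN_CN and SSL_CLIENT_S_DN_Email, the issuer SSL_CLIENT_I_DN and the serial SSL_CLIENT_M_SERIAL, all of which PHP sees in $_SERVER. The $enrolled array is a constructed stand-in for the application's user table, and the sample request data is constructed too (it uses the legacy slash-separated DN format; the key you store must match whatever format your mod_ssl emits).

```php
<?php
/**
 * Added example (not from the original post): turn the client certificate
 * that Apache has already verified into an application user.
 *
 * The handshake only proves the certificate chains to the CA named in
 * SSLCACertificateFile. Deciding WHO the holder is, and whether they may
 * use the application, is still the application's job, and that is what
 * this file does.
 */

/**
 * Return the identity mod_ssl verified, or null if the request must be refused.
 *
 * @param array<string,string> $server  normally $_SERVER
 */
function client_cert_identity(array $server): ?array
{
    // Anything other than SUCCESS means the certificate was absent,
    // untrusted, or (GENEROUS) accepted without a full chain check.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    // Belt and braces: never accept an identity on a plain-HTTP request.
    if (($server['HTTPS'] ?? '') !== 'on') {
        return null;
    }
    $issuer = $server['SSL_CLIENT_I_DN'] ?? '';
    $serial = $server['SSL_CLIENT_M_SERIAL'] ?? '';
    if ($issuer === '' || $serial === '') {
        return null;
    }
    return [
        'issuer' => $issuer,
        'serial' => $serial,
        'cn'     => $server['SSL_CLIENT_S_DN_CN'] ?? '',
        'email'  => $server['SSL_CLIENT_S_DN_Email'] ?? '',
    ];
}

/**
 * Authorise by (issuer, serial), never by CN or email alone: a public CA such
 * as CAcert.org issues certificates with whatever name its policy permits to
 * any applicant, so only the exact certificate you enrolled is trustworthy.
 *
 * @param array<string,string> $enrolled  constructed stand-in for the user
 *                                        table: "issuer DN|SERIAL" => username
 */
function authorize_client_cert(array $server, array $enrolled): ?string
{
    $id = client_cert_identity($server);
    if ($id === null) {
        return null;
    }
    $key = $id['issuer'] . '|' . strtoupper($id['serial']);
    return $enrolled[$key] ?? null;
}

// --- constructed sample data standing in for the user table and a request ---
$cacertIssuer = '/O=Root CA/OU=http://www.cacert.org'
              . '/CN=CA Cert Signing Authority/emailAddress=support@cacert.org';
$enrolled = [
    $cacertIssuer . '|0A1B2C' => 'drsmith',
];
$sampleRequest = [
    'HTTPS'                 => 'on',
    'SSL_CLIENT_VERIFY'     => 'SUCCESS',
    'SSL_CLIENT_I_DN'       => $cacertIssuer,
    'SSL_CLIENT_M_SERIAL'   => '0A1B2C',
    'SSL_CLIENT_S_DN_CN'    => 'CAcert WoT User',
    'SSL_CLIENT_S_DN_Email' => 'drsmith@example.com',
];

if (PHP_SAPI === 'cli') {
    // Offline check against the constructed data.
    var_dump(authorize_client_cert($sampleRequest, $enrolled));
    var_dump(authorize_client_cert(['HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'NONE'], $enrolled));
} else {
    // Under Apache: refuse anything that is not an enrolled certificate.
    $user = authorize_client_cert($_SERVER, $enrolled);
    if ($user === null) {
        http_response_code(403);
        exit('client certificate not recognised');
    }
    // $user is now the authenticated application user; start the session here.
}
```

Run from the command line it exercises the two functions against the constructed sample, one enrolled certificate and one request with no certificate at all; under Apache it reads the real $_SERVER. Keying the table on issuer plus serial rather than CN is the point: the same CN can appear in many CAcert certificates, but issuer plus serial names exactly one.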
Much props to Fred for running the FOSS Houston event. Where can we find the videos?