| 1 | <IfDefine SSL> |
1 | <IfDefine SSL> |
| 2 | <IfDefine SSL_DEFAULT_VHOST> |
|
|
| 3 | <IfModule ssl_module> |
|
|
| 4 | |
2 | |
|
|
3 | # We now wrap the entire default vhost in a seperate IfDefine to fix bug |
|
|
4 | # 100624. If you are using this default vhost, add it to /etc/conf.d/apache2 |
|
|
5 | <IfDefine SSL_DEFAULT_VHOST> |
|
|
6 | |
|
|
7 | <IfModule mod_ssl.c> |
| 5 | ## |
8 | ## |
| 6 | ## SSL Virtual Host Context |
9 | ## SSL Virtual Host Context |
| 7 | ## |
10 | ## |
| 8 | |
11 | |
| 9 | <VirtualHost _default_:443> |
12 | <VirtualHost _default_:443> |
| 10 | |
13 | |
| 11 | # General setup for the virtual host |
14 | # General setup for the virtual host |
| 12 | DocumentRoot "/var/www/localhost/htdocs" |
15 | DocumentRoot "/var/www/localhost/htdocs" |
| 13 | ServerName localhost:443 |
16 | ServerName localhost:443 |
| 14 | ServerAdmin root@localhost |
17 | ServerAdmin root@localhost |
| 15 | ErrorLog /var/log/apache2/ssl_error_log |
18 | ErrorLog logs/ssl_error_log |
| 16 | |
|
|
| 17 | <IfModule log_config_module> |
19 | <IfModule mod_log_config.c> |
| 18 | TransferLog /var/log/apache2/ssl_access_log |
20 | TransferLog logs/ssl_access_log |
| 19 | </IfModule> |
21 | </IfModule> |
| 20 | |
22 | |
| 21 | # SSL Engine Switch: |
23 | # SSL Engine Switch: |
| 22 | # Enable/Disable SSL for this virtual host. |
24 | # Enable/Disable SSL for this virtual host. |
| 23 | SSLEngine on |
25 | SSLEngine on |
| … | |
… | |
| 28 | SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL |
30 | SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL |
| 29 | |
31 | |
| 30 | # Server Certificate: |
32 | # Server Certificate: |
| 31 | # Point SSLCertificateFile at a PEM encoded certificate. If |
33 | # Point SSLCertificateFile at a PEM encoded certificate. If |
| 32 | # the certificate is encrypted, then you will be prompted for a |
34 | # the certificate is encrypted, then you will be prompted for a |
| 33 | # pass phrase. Note that a kill -HUP will prompt again. Keep |
35 | # pass phrase. Note that a kill -HUP will prompt again. A test |
| 34 | # in mind that if you have both an RSA and a DSA certificate you |
36 | # certificate can be generated with `make certificate' under |
|
|
37 | # built time. Keep in mind that if you've both a RSA and a DSA |
| 35 | # can configure both in parallel (to also allow the use of DSA |
38 | # certificate you can configure both in parallel (to also allow |
| 36 | # ciphers, etc.) |
39 | # the use of DSA ciphers, etc.) |
| 37 | SSLCertificateFile /etc/apache2/ssl/server.crt |
40 | SSLCertificateFile /etc/apache2/ssl/server.crt |
| 38 | #SSLCertificateFile /etc/apache2/ssl/server-dsa.crt |
|
|
| 39 | |
41 | |
| 40 | # Server Private Key: |
42 | # Server Private Key: |
| 41 | # If the key is not combined with the certificate, use this |
43 | # If the key is not combined with the certificate, use this |
| 42 | # directive to point at the key file. Keep in mind that if |
44 | # directive to point at the key file. Keep in mind that if |
| 43 | # you've both a RSA and a DSA private key you can configure |
45 | # you've both a RSA and a DSA private key you can configure |
| 44 | # both in parallel (to also allow the use of DSA ciphers, etc.) |
46 | # both in parallel (to also allow the use of DSA ciphers, etc.) |
|
|
47 | |
| 45 | SSLCertificateKeyFile /etc/apache2/ssl/server.key |
48 | SSLCertificateKeyFile /etc/apache2/ssl/server.key |
| 46 | #SSLCertificateKeyFile /etc/apache2/ssl/server-dsa.key |
|
|
| 47 | |
49 | |
| 48 | # Server Certificate Chain: |
50 | # Server Certificate Chain: |
| 49 | # Point SSLCertificateChainFile at a file containing the |
51 | # Point SSLCertificateChainFile at a file containing the |
| 50 | # concatenation of PEM encoded CA certificates which form the |
52 | # concatenation of PEM encoded CA certificates which form the |
| 51 | # certificate chain for the server certificate. Alternatively |
53 | # certificate chain for the server certificate. Alternatively |
| 52 | # the referenced file can be the same as SSLCertificateFile |
54 | # the referenced file can be the same as SSLCertificateFile |
| 53 | # when the CA certificates are directly appended to the server |
55 | # when the CA certificates are directly appended to the server |
| 54 | # certificate for convinience. |
56 | # certificate for convinience. |
| 55 | #SSLCertificateChainFile /etc/apache2/ssl/ca.crt |
57 | #SSLCertificateChainFile conf/ssl/ca.crt |
| 56 | |
58 | |
| 57 | # Certificate Authority (CA): |
59 | # Certificate Authority (CA): |
| 58 | # Set the CA certificate verification path where to find CA |
60 | # Set the CA certificate verification path where to find CA |
| 59 | # certificates for client authentication or alternatively one |
61 | # certificates for client authentication or alternatively one |
| 60 | # huge file containing all of them (file must be PEM encoded) |
62 | # huge file containing all of them (file must be PEM encoded) |
| 61 | # Note: Inside SSLCACertificatePath you need hash symlinks |
63 | # Note: Inside SSLCACertificatePath you need hash symlinks |
| 62 | # to point to the certificate files. Use the provided |
64 | # to point to the certificate files. Use the provided |
| 63 | # Makefile to update the hash symlinks after changes. |
65 | # Makefile to update the hash symlinks after changes. |
| 64 | #SSLCACertificatePath /etc/apache2/ssl/ssl.crt |
66 | #SSLCACertificatePath conf/ssl/ssl.crt |
| 65 | #SSLCACertificateFile /etc/apache2/ssl/ca-bundle.crt |
67 | #SSLCACertificateFile conf/ssl/ca-bundle.crt |
| 66 | |
68 | |
| 67 | # Certificate Revocation Lists (CRL): |
69 | # Certificate Revocation Lists (CRL): |
| 68 | # Set the CA revocation path where to find CA CRLs for client |
70 | # Set the CA revocation path where to find CA CRLs for client |
| 69 | # authentication or alternatively one huge file containing all |
71 | # authentication or alternatively one huge file containing all |
| 70 | # of them (file must be PEM encoded) |
72 | # of them (file must be PEM encoded) |
| 71 | # Note: Inside SSLCARevocationPath you need hash symlinks |
73 | # Note: Inside SSLCARevocationPath you need hash symlinks |
| 72 | # to point to the certificate files. Use the provided |
74 | # to point to the certificate files. Use the provided |
| 73 | # Makefile to update the hash symlinks after changes. |
75 | # Makefile to update the hash symlinks after changes. |
| 74 | #SSLCARevocationPath /etc/apache2/ssl/ssl.crl |
76 | #SSLCARevocationPath conf/ssl/ssl.crl |
| 75 | #SSLCARevocationFile /etc/apache2/ssl/ca-bundle.crl |
77 | #SSLCARevocationFile conf/ssl/ca-bundle.crl |
| 76 | |
78 | |
| 77 | # Client Authentication (Type): |
79 | # Client Authentication (Type): |
| 78 | # Client certificate verification type and depth. Types are |
80 | # Client certificate verification type and depth. Types are |
| 79 | # none, optional, require and optional_no_ca. Depth is a |
81 | # none, optional, require and optional_no_ca. Depth is a |
| 80 | # number which specifies how deeply to verify the certificate |
82 | # number which specifies how deeply to verify the certificate |
| … | |
… | |
| 115 | # This exports the standard SSL/TLS related `SSL_*' environment variables. |
117 | # This exports the standard SSL/TLS related `SSL_*' environment variables. |
| 116 | # Per default this exportation is switched off for performance reasons, |
118 | # Per default this exportation is switched off for performance reasons, |
| 117 | # because the extraction step is an expensive operation and is usually |
119 | # because the extraction step is an expensive operation and is usually |
| 118 | # useless for serving static content. So one usually enables the |
120 | # useless for serving static content. So one usually enables the |
| 119 | # exportation for CGI and SSI requests only. |
121 | # exportation for CGI and SSI requests only. |
|
|
122 | # o CompatEnvVars: |
|
|
123 | # This exports obsolete environment variables for backward compatibility |
|
|
124 | # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this |
|
|
125 | # to provide compatibility to existing CGI scripts. |
| 120 | # o StrictRequire: |
126 | # o StrictRequire: |
| 121 | # This denies access when "SSLRequireSSL" or "SSLRequire" applied even |
127 | # This denies access when "SSLRequireSSL" or "SSLRequire" applied even |
| 122 | # under a "Satisfy any" situation, i.e. when it applies access is denied |
128 | # under a "Satisfy any" situation, i.e. when it applies access is denied |
| 123 | # and no other module can change it. |
129 | # and no other module can change it. |
| 124 | # o OptRenegotiate: |
130 | # o OptRenegotiate: |
| 125 | # This enables optimized SSL connection renegotiation handling when SSL |
131 | # This enables optimized SSL connection renegotiation handling when SSL |
| 126 | # directives are used in per-directory context. |
132 | # directives are used in per-directory context. |
| 127 | #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire |
133 | #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire |
|
|
134 | |
| 128 | <FilesMatch "\.(cgi|shtml|phtml|php)$"> |
135 | <Files ~ "\.(cgi|shtml|phtml|php?)$"> |
| 129 | SSLOptions +StdEnvVars |
136 | SSLOptions +StdEnvVars |
| 130 | </FilesMatch> |
137 | </Files> |
|
|
138 | |
| 131 | <Directory "/var/www/localhost/cgi-bin"> |
139 | <Directory "/var/www/localhost/cgi-bin"> |
| 132 | SSLOptions +StdEnvVars |
140 | SSLOptions +StdEnvVars |
| 133 | </Directory> |
141 | </Directory> |
| 134 | |
142 | |
| 135 | # SSL Protocol Adjustments: |
143 | # SSL Protocol Adjustments: |
| … | |
… | |
| 154 | # keep-alive facility, so you usually additionally want to disable |
162 | # keep-alive facility, so you usually additionally want to disable |
| 155 | # keep-alive for those clients, too. Use variable "nokeepalive" for this. |
163 | # keep-alive for those clients, too. Use variable "nokeepalive" for this. |
| 156 | # Similarly, one has to force some clients to use HTTP/1.0 to workaround |
164 | # Similarly, one has to force some clients to use HTTP/1.0 to workaround |
| 157 | # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and |
165 | # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and |
| 158 | # "force-response-1.0" for this. |
166 | # "force-response-1.0" for this. |
| 159 | <IfModule setenvif_module> |
167 | <IfModule mod_setenvif.c> |
| 160 | BrowserMatch ".*MSIE.*" \ |
168 | SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \ |
| 161 | nokeepalive ssl-unclean-shutdown \ |
|
|
| 162 | downgrade-1.0 force-response-1.0 |
169 | downgrade-1.0 force-response-1.0 |
| 163 | </IfModule> |
170 | </IfModule> |
| 164 | |
171 | |
| 165 | # Per-Server Logging: |
172 | # Per-Server Logging: |
| 166 | # The home of a custom SSL log file. Use this when you want a |
173 | # The home of a custom SSL log file. Use this when you want a |
| 167 | # compact non-error SSL logfile on a virtual host basis. |
174 | # compact non-error SSL logfile on a virtual host basis. |
| 168 | <IfModule log_config_module> |
175 | <IfModule mod_log_config.c> |
| 169 | CustomLog /var/log/apache2/ssl_request_log \ |
176 | CustomLog logs/ssl_request_log \ |
| 170 | "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" |
177 | "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" |
| 171 | </IfModule> |
178 | </IfModule> |
| 172 | |
179 | |
| 173 | </VirtualHost> |
180 | <IfModule mod_rewrite.c> |
|
|
181 | RewriteEngine On |
|
|
182 | RewriteOptions inherit |
|
|
183 | </IfModule> |
| 174 | |
184 | |
|
|
185 | </VirtualHost> |
| 175 | |
186 | |
| 176 | </IfModule> |
187 | </IfModule> |
|
|
188 | |
|
|
189 | </IfDefine> |
| 177 | </IfDefine> |
190 | </IfDefine> |
| 178 | </IfDefine> |
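Review bot: The SSLCipherSuite line carried unchanged in the middle of this section explicitly re-enables the weakest suites — `+LOW`, `+SSLv2`, `+EXP` and `+eNULL` (null encryption) — so a client can negotiate an export-grade or effectively unencrypted session even though SSLEngine is on. Since the change already touches the neighbouring certificate, key and log directives, this is the natural place to tighten it rather than carry the legacy string forward. I would replace it with `SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5`, add `SSLProtocol all -SSLv2 -SSLv3` beside it, and on a 2.2-or-later build also `SSLHonorCipherOrder on` so the server's preference wins over the client's. The rendered page does not say which column is the new side, but the line is identical in both, so the point applies whichever way the diff reads.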
|
|