64803503 |
1 | <IfModule mod_ssl.c> |
2 | <VirtualHost _default_:443> |
3 | ServerAdmin webmaster@localhost |
4 | |
5 | DocumentRoot /var/www/ |
6 | <Directory /> |
7 | Options FollowSymLinks |
8 | AllowOverride None |
9 | </Directory> |
10 | <Directory /var/www/> |
11 | Options Indexes FollowSymLinks MultiViews |
12 | AllowOverride None |
13 | Order allow,deny |
14 | allow from all |
15 | </Directory> |
16 | |
17 | ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ |
18 | <Directory "/usr/lib/cgi-bin"> |
19 | AllowOverride None |
20 | Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch |
21 | Order allow,deny |
22 | Allow from all |
23 | </Directory> |
24 | |
25 | ErrorLog /var/log/apache2/error.log |
26 | |
27 | # Possible values include: debug, info, notice, warn, error, crit, |
28 | # alert, emerg. |
29 | LogLevel warn |
30 | |
31 | CustomLog /var/log/apache2/ssl_access.log combined |
32 | |
33 | Alias /doc/ "/usr/share/doc/" |
34 | <Directory "/usr/share/doc/"> |
35 | Options Indexes MultiViews FollowSymLinks |
36 | AllowOverride None |
37 | Order deny,allow |
38 | Deny from all |
39 | Allow from 127.0.0.0/255.0.0.0 ::1/128 |
40 | </Directory> |
41 | |
42 | # SSL Engine Switch: |
43 | # Enable/Disable SSL for this virtual host. |
44 | SSLEngine on |
45 | |
46 | # A self-signed (snakeoil) certificate can be created by installing |
47 | # the ssl-cert package. See |
48 | # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. |
49 | # If both key and certificate are stored in the same file, only the |
50 | # SSLCertificateFile directive is needed. |
51 | SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem |
52 | SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key |
53 | |
54 | # Server Certificate Chain: |
55 | # Point SSLCertificateChainFile at a file containing the |
56 | # concatenation of PEM encoded CA certificates which form the |
57 | # certificate chain for the server certificate. Alternatively |
58 | # the referenced file can be the same as SSLCertificateFile |
59 | # when the CA certificates are directly appended to the server |
60 | # certificate for convinience. |
61 | #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt |
62 | |
63 | # Certificate Authority (CA): |
64 | # Set the CA certificate verification path where to find CA |
65 | # certificates for client authentication or alternatively one |
66 | # huge file containing all of them (file must be PEM encoded) |
67 | # Note: Inside SSLCACertificatePath you need hash symlinks |
68 | # to point to the certificate files. Use the provided |
69 | # Makefile to update the hash symlinks after changes. |
70 | #SSLCACertificatePath /etc/ssl/certs/ |
71 | #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt |
72 | |
73 | # Certificate Revocation Lists (CRL): |
74 | # Set the CA revocation path where to find CA CRLs for client |
75 | # authentication or alternatively one huge file containing all |
76 | # of them (file must be PEM encoded) |
77 | # Note: Inside SSLCARevocationPath you need hash symlinks |
78 | # to point to the certificate files. Use the provided |
79 | # Makefile to update the hash symlinks after changes. |
80 | #SSLCARevocationPath /etc/apache2/ssl.crl/ |
81 | #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl |
82 | |
83 | # Client Authentication (Type): |
84 | # Client certificate verification type and depth. Types are |
85 | # none, optional, require and optional_no_ca. Depth is a |
86 | # number which specifies how deeply to verify the certificate |
87 | # issuer chain before deciding the certificate is not valid. |
88 | #SSLVerifyClient require |
89 | #SSLVerifyDepth 10 |
90 | |
91 | # Access Control: |
92 | # With SSLRequire you can do per-directory access control based |
93 | # on arbitrary complex boolean expressions containing server |
94 | # variable checks and other lookup directives. The syntax is a |
95 | # mixture between C and Perl. See the mod_ssl documentation |
96 | # for more details. |
97 | #<Location /> |
98 | #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ |
99 | # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ |
100 | # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ |
101 | # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ |
102 | # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ |
103 | # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ |
104 | #</Location> |
105 | |
106 | # SSL Engine Options: |
107 | # Set various options for the SSL engine. |
108 | # o FakeBasicAuth: |
109 | # Translate the client X.509 into a Basic Authorisation. This means that |
110 | # the standard Auth/DBMAuth methods can be used for access control. The |
111 | # user name is the `one line' version of the client's X.509 certificate. |
112 | # Note that no password is obtained from the user. Every entry in the user |
113 | # file needs this password: `xxj31ZMTZzkVA'. |
114 | # o ExportCertData: |
115 | # This exports two additional environment variables: SSL_CLIENT_CERT and |
116 | # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the |
117 | # server (always existing) and the client (only existing when client |
118 | # authentication is used). This can be used to import the certificates |
119 | # into CGI scripts. |
120 | # o StdEnvVars: |
121 | # This exports the standard SSL/TLS related `SSL_*' environment variables. |
122 | # Per default this exportation is switched off for performance reasons, |
123 | # because the extraction step is an expensive operation and is usually |
124 | # useless for serving static content. So one usually enables the |
125 | # exportation for CGI and SSI requests only. |
126 | # o StrictRequire: |
127 | # This denies access when "SSLRequireSSL" or "SSLRequire" applied even |
128 | # under a "Satisfy any" situation, i.e. when it applies access is denied |
129 | # and no other module can change it. |
130 | # o OptRenegotiate: |
131 | # This enables optimized SSL connection renegotiation handling when SSL |
132 | # directives are used in per-directory context. |
133 | #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire |
134 | <FilesMatch "\.(cgi|shtml|phtml|php)$"> |
135 | SSLOptions +StdEnvVars |
136 | </FilesMatch> |
137 | <Directory /usr/lib/cgi-bin> |
138 | SSLOptions +StdEnvVars |
139 | </Directory> |
140 | |
141 | # SSL Protocol Adjustments: |
142 | # The safe and default but still SSL/TLS standard compliant shutdown |
143 | # approach is that mod_ssl sends the close notify alert but doesn't wait for |
144 | # the close notify alert from client. When you need a different shutdown |
145 | # approach you can use one of the following variables: |
146 | # o ssl-unclean-shutdown: |
147 | # This forces an unclean shutdown when the connection is closed, i.e. no |
148 | # SSL close notify alert is send or allowed to received. This violates |
149 | # the SSL/TLS standard but is needed for some brain-dead browsers. Use |
150 | # this when you receive I/O errors because of the standard approach where |
151 | # mod_ssl sends the close notify alert. |
152 | # o ssl-accurate-shutdown: |
153 | # This forces an accurate shutdown when the connection is closed, i.e. a |
154 | # SSL close notify alert is send and mod_ssl waits for the close notify |
155 | # alert of the client. This is 100% SSL/TLS standard compliant, but in |
156 | # practice often causes hanging connections with brain-dead browsers. Use |
157 | # this only for browsers where you know that their SSL implementation |
158 | # works correctly. |
159 | # Notice: Most problems of broken clients are also related to the HTTP |
160 | # keep-alive facility, so you usually additionally want to disable |
161 | # keep-alive for those clients, too. Use variable "nokeepalive" for this. |
162 | # Similarly, one has to force some clients to use HTTP/1.0 to workaround |
163 | # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and |
164 | # "force-response-1.0" for this. |
165 | BrowserMatch ".*MSIE.*" \ |
166 | nokeepalive ssl-unclean-shutdown \ |
167 | downgrade-1.0 force-response-1.0 |
168 | |
169 | </VirtualHost> |
170 | </IfModule> |